Mozilla Firefox Forensics – Carve Hidden Artifacts

Details of the platform on which the complete R & D for Mozilla Firefox Forensics was carried out: –

• Operating System: Windows 7 Ultimate, Service Pack 1, 32-bit
• Processor: Intel(R) Core(TM) i3 CPU
• RAM: 00 GB
• Version of Mozilla Firefox: Firefox 38.0

A detailed R & D on Mozilla Firefox cache forensics was carried out to bring in light all the available artifacts inside the Firefox browser. Investigators can refer the mentioned postulates as per their needs in investigations.

Installation Details of Mozilla Firefox

The default installation location of Mozilla Firefox is: –

C:\Program Files\mozilla firefox

 

Under the Mozilla Firefox folder, the installation log file can be located. This log file is a simple text file and can be read using any text editor like notepad.

The installation log file of Mozilla Firefox holds the following details: –

• Time at which Firefox installation started: –

Mozilla Firefox Installation Started: 2014-09-10 10:13:35

• Installation Details

——————————————————————————-

  Install Dir: C:\Program Files\Mozilla Firefox

  Locale: en-US

  App Version: 24.0

  GRE Version: 24.0

  OS Name: Windows 7

  Target CPU: x86

In installation details, information about the location, App Version, GRE (Gecko Runtime Environment) Version, OS and CPU can be obtained.

• The installation log file also keeps information about DLL Registration, Registry Entries, whether the browser was set as the default browser and the timestamp details when the Mozilla Firefox Installation Finished.

Registry Entry and Version Details

Some of the necessary artifacts that can be tracked down during Mozilla Firefox forensics exist in the registry of the machine.

The registry details can be viewed by following the below-mentioned steps: –

1. Click Window Icon Button + R to open the Run panel and type regedit followed by hitting enter.
2. Inside the Registry Editor, move to HKEY_LOCAL_MACHINE folder where inside the Software section, you can locate the Mozilla.

Inside the Mozilla folder, you can find all the necessary registry details such as the installed version of Firefox.

Switch to the User Profiles during Mozilla Firefox Forensics

The user profiles created under Firefox need to be investigated as they can provide information about some illicit access. To check out the user profiles;

1. Firstly, we are required to exit Firefox browser. Click on the menu button in Firefox and select the exit button.
2. Now, in the Run panel, type exe –p and click OK.

All the available profiles can be viewed now: –

Firefox creates individual folders for each user profile. These folders can be accessed by following the below mentioned steps: –

• In the Run panel, type the following command and press OK: –

%APPDATA%\Mozilla\Firefox

In the profile folder, all the user account details can be found now.

Mozilla Firefox Cache Forensics

The cache details of the Mozilla Firefox browser can be obtained under the cache folder available inside the profile folder. The cache information provides details about the users browsing patterns, bookmarks, and other relevant data.

The places.sqlite file is used by Firefox to store all the detailed history of the visited sites by a particular user profile. The places.sqlite file is a SQLite database file and can be viewed using SQLite database forensics tool.

 

 

The Mozilla Firefox Forensics has also shown that cache folder holds three types of cache files: –

• Cache Map File
• Cache Block File
• Cache Data File

These files hold the header information, block info and filename info respectively.

There is a lot more hidden cream information in the private browsing of Mozilla Firefox. In the upcoming section, we will be sharing some insights about the private browsing of Mozilla Firefox forensics.