Mozilla Firefox Forensics – Carve Hidden Artifacts

Dexter Morgan | October 16th, 2017 | Updates

The complete R & D for Mozilla Firefox forensics was carried out on the following platform:

  • Operating System: Windows 7 Ultimate, Service Pack 1, 32-bit
  • Processor: Intel(R) Core(TM) i3 CPU
  • RAM: 00 GB
  • Version of Mozilla Firefox: Firefox 38.0

Detailed R & D on Mozilla Firefox cache forensics was carried out to bring to light all the artifacts available inside the Firefox browser. Investigators can refer to the findings below as their investigations require.

Installation Details of Mozilla Firefox

The default installation location of Mozilla Firefox is: –

C:\Program Files\mozilla firefox


The installation log file is located under the Mozilla Firefox folder. This log file is a simple text file and can be read with any text editor, such as Notepad.

The installation log file of Mozilla Firefox holds the following details: –

  • Time at which Firefox installation started: –

Mozilla Firefox Installation Started: 2014-09-10 10:13:35

  • Installation Details

  -------------------------------------------------------------------------------
  Install Dir: C:\Program Files\Mozilla Firefox
  Locale: en-US
  App Version: 24.0
  GRE Version: 24.0
  OS Name: Windows 7
  Target CPU: x86

The installation details give the install location, App Version, GRE (Gecko Runtime Environment) Version, OS and CPU.

  • The installation log file also keeps information about DLL Registration, Registry Entries, whether the browser was set as the default browser and the timestamp details when the Mozilla Firefox Installation Finished.

Registry Entry and Version Details

Some of the necessary artifacts that can be tracked down during Mozilla Firefox forensics exist in the registry of the machine.

The registry details can be viewed by following the steps below:

  1. Press the Windows key + R to open the Run panel, type regedit and press Enter.
  2. Inside the Registry Editor, go to the HKEY_LOCAL_MACHINE folder; inside its Software section, you can locate the Mozilla folder.

Inside the Mozilla folder, you can find all the necessary registry details, such as the installed version of Firefox.

Switch to the User Profiles during Mozilla Firefox Forensics

The user profiles created under Firefox need to be investigated, as they can provide information about illicit access. To check the user profiles:

  1. First, exit the Firefox browser: click the menu button in Firefox and select the exit button.
  2. Now, in the Run panel, type firefox.exe -p and click OK.

firefox.exe -p

All the available profiles can be viewed now: –

Firefox creates individual folders for each user profile. These folders can be accessed by following the below mentioned steps: –

  • In the Run panel, type the following command and press OK: –

%APPDATA%\Mozilla\Firefox

In the profile folder, all the user account details can be found now.

Mozilla Firefox Cache Forensics

The cache details of the Mozilla Firefox browser can be obtained from the cache folder inside the profile folder. The cache information provides details about the user's browsing patterns, bookmarks, and other relevant data.

Firefox uses the places.sqlite file to store the detailed history of the sites visited by a particular user profile. The places.sqlite file is a SQLite database file and can be viewed using a SQLite database forensics tool.
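As an added example (not part of the original post), the Python sketch below reads visit history from a places.sqlite file opened read-only and converts the visit timestamps, which Firefox stores as microseconds since the Unix epoch, to UTC. The sample database, its URLs and its timestamps are constructed for illustration and contain only the moz_places and moz_historyvisits columns the query uses.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def build_sample_places(path):
    """Constructed stand-in for places.sqlite with only the columns used below."""
    con = sqlite3.connect(str(path))
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example');
        INSERT INTO moz_places VALUES (2, 'https://example.org/login', NULL);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1508148000000000, 2);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1508148060500000, 1);
        INSERT INTO moz_historyvisits VALUES (3, 0, 1, 1508151600000000, 2);
    """)
    con.commit()
    con.close()

def prtime_to_utc(prtime):
    """visit_date is PRTime: integer microseconds since 1970-01-01 UTC."""
    return EPOCH + timedelta(microseconds=prtime)

def read_history(path):
    """Return one row per visit, oldest first, without writing to the database."""
    # mode=ro makes SQLite refuse any write, so the file under examination
    # cannot be altered by the query session.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, p.url, p.title, v.visit_type, v.from_visit
            FROM moz_historyvisits AS v
            JOIN moz_places AS p ON p.id = v.place_id
            ORDER BY v.visit_date""").fetchall()
    finally:
        con.close()
    # visit_type 1 = followed link, 2 = typed URL; from_visit links a visit
    # to the visit id it was reached from (0 when there is none).
    return [(prtime_to_utc(d).isoformat(), url, title or "", vtype, src)
            for d, url, title, vtype, src in rows]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "places.sqlite"
        build_sample_places(sample)
        for row in read_history(sample):
            print(row)
```

Run it against a working copy of the profile folder rather than the original evidence.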

The Mozilla Firefox forensics work has also shown that the cache folder holds three types of cache files:

  • Cache Map File
  • Cache Block File
  • Cache Data File

These files hold the header information, block info and filename info respectively.

There is a lot more hidden information in the private browsing mode of Mozilla Firefox. In the upcoming section, we will share some insights about private browsing in Mozilla Firefox forensics.