What Firefox can tell about you? - Firefox Forensics


Post on 01-Nov-2014





RISC Meet - 14th September RMIT Information Security Collective RMIT University


  • 1. RISC MEET 1
  • 2. HOW BROWSER WORKS? (Img Src: http://img.labnol.org/di/how-internet-works1.jpg)
  • 3. HOW BROWSER WORKS? CONTD. (Img Src: http://taligarsiel.com/Projects/layers.png)
  • 4. RENDERING ENGINE: WEBKIT, CHROME, SAFARI (Img Src: http://taligarsiel.com/Projects/webkitflow.png)
  • 5. DEFAULT LOCATIONS
      Win 7:
        C:\Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default
        C:\Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache
      Linux:
        ~/.mozilla/firefox/XXXXXXXX.default/
      Mac OS X:
        ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.default/
        ~/Library/Application Support/Mozilla/Extensions
        ~/Library/Caches/Firefox/Profiles/XXXXXXXX.default/Cache/
  • 6. SQLITE TABLES
      - Addons
      - Chromeappstore
      - Content-prefs
      - Cookies
      - Downloads
      - Extensions
      - Formhistory
      - Permissions
      - Places
      - Search
      - Signons
      - Webappstore
  • 7. ADDONS
      - Any browser addons, including extra toolbars (sometimes users don't even know they have them installed)
      - What you will find: Name, Version, Description, and other data like which profile gets to use it in a multi-profile environment
  • 8. CHROMEAPPSTORE
      - The Search Engine container in Firefox, which is set to Google by default, though users can set any other search engine
  • 9. CONTENT-PREFS
      - Browser Preferences and Content settings like text zoom, page style, character encoding on a site-specific basis
      - Useful for showing intent and frequency of visits along with the browser history
  • 10. COOKIES
      - Every cookie that is set by the system
      - These may or may not be wiped clean when a user deletes all cookies or uses any other program to clear tracks
      - A cookie being set does NOT mean the user visited the site
  • 11. DOWNLOADS
      - List of every file downloaded; cleared when the user clears the download queue in Firefox
      - You can tell a lot about a person by what they download
  • 12. EXTENSIONS
      - All Extensions
      - This file will normally show up as corrupted or unavailable when Firefox is running.
  • 13. FORMHISTORY
      - Every form filled out by the user
  • 14. PERMISSIONS
      - Permissions various sites have, like allowing pop-ups
  • 15. PLACES
      - Places visited, bookmarks and attributes of sites commonly visited by the user
      - Cross referencing this file with cookies, formhistory and permissions provides a robust view of the user and how they use Firefox
      - Cross referencing is also useful to prove that the visit was intentional versus a drive-by cookie session
  • 16. SEARCH
      - All available search engines
  • 17. SIGNONS
      - Stored Passwords
  • 18. WEBAPPSTORE
      - All XAuth Tokens
  • 21. CACHE
      - Files you will find in the Cache Folder: _CACHE_MAP, _CACHE_001, _CACHE_002, _CACHE_003
      - Cache Map is the main file needed to reconstruct the cache files
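
The cross-referencing described on slides 10 and 15, as an added example that is not part of the original slides: cookies are checked against browsing history to separate sites the user actually visited from cookie-only entries. The rows are constructed sample data, and the tables are simplified column subsets of Firefox's moz_places and moz_cookies loaded into one in-memory database (an assumption made so the example runs offline).

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample data; column subsets follow Firefox's moz_places and
# moz_cookies tables (times are microseconds since the Unix epoch).
PLACES = [  # (url, visit_count, typed, last_visit_date)
    ("https://mail.example.com/inbox", 12, 1, 1410650000000000),
    ("https://news.example.org/story", 1, 0, 1410653000000000),
]
COOKIES = [  # (baseDomain, host, name, creationTime)
    ("example.com", ".example.com", "session", 1410650001000000),
    ("example.org", "news.example.org", "prefs", 1410653002000000),
    ("tracker.example.net", ".tracker.example.net", "uid", 1410653003000000),
]

def build_db():
    """Load the constructed rows into one in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (url TEXT, visit_count INT, typed INT, last_visit_date INT)")
    db.execute("CREATE TABLE moz_cookies (baseDomain TEXT, host TEXT, name TEXT, creationTime INT)")
    db.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", PLACES)
    db.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?)", COOKIES)
    return db

def under(host, base):
    """True when host is the base domain itself or a subdomain of it."""
    return host == base or host.endswith("." + base)

def classify_cookies(db):
    """Map each cookie's baseDomain to the history evidence behind it."""
    visits = [(urlsplit(u).hostname or "", n, t) for u, n, t in
              db.execute("SELECT url, visit_count, typed FROM moz_places WHERE visit_count > 0")]
    result = {}
    for (base,) in db.execute("SELECT DISTINCT baseDomain FROM moz_cookies"):
        hits = [(n, t) for h, n, t in visits if under(h, base)]
        if not hits:
            result[base] = "cookie only: no visit in history"
        elif any(t for _, t in hits):
            result[base] = "visited, URL typed by user"
        else:
            result[base] = "visited, not typed"
    return result

if __name__ == "__main__":
    for domain, verdict in classify_cookies(build_db()).items():
        print(f"{domain:22} {verdict}")
```

A "cookie only" result fits a cookie set without a visit, but also a history that was cleared while the cookie survived, so it is a lead to corroborate against formhistory and permissions rather than a conclusion.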