Firefox 3 Forensics


Firefox 3 Forensics

Post Posted: Tue Feb 05, 2013 12:45 pm

Does anybody know a good site or book that has file signatures for Firefox SQLite files? I'm trying to identify file signatures and offsets for places.sqlite. Any help would be much appreciated.

Thanks,
Jay  

jay_unistudent
Newbie
 
 
  

Re: Firefox 3 Forensics

Post Posted: Tue Feb 05, 2013 1:32 pm

How about just opening some of the files in a hex editor, to start?  

keydet89
Senior Member
 
 
  

Re: Firefox 3 Forensics

Post Posted: Wed Feb 06, 2013 5:44 am

As far as I know, all sqlite database files start with the signature "SQLite" (0x53514C697465). If you're looking to identify places.sqlite in particular, bearing in mind that all SQLite files contain the statements to construct the databases, how about looking for some of those SQL statements specific to that database? For example, my places.sqlite contains the following string:

Code:
CREATE TABLE moz_places (   id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)

Perhaps you could search for this, and if you find it then work backwards to try and carve the rest of the file?

Also, check out what the tremendously clever Richard Drinkwater has to say about carving them in general. He references the following official documents from sqlite.org ([1] [2]) which deal specifically with the file format.

In terms of analysing your own places.sqlite, don't forget that there are many good, free hex editors you can use (such as HxD).

Good luck!  

Chris_Ed
Senior Member
 
 
  

Re: Firefox 3 Forensics

Post Posted: Wed Feb 06, 2013 10:24 am

Chris_Ed, thanks for your help.

I'm using HxD to view places.sqlite and, as you said, I've managed to identify the database header. I've also identified the B-tree page header and the cell pointer arrays which point to the tables and fields you outlined. However, I am unable to find any pointers that identify why the records which store the URLs start where they do.

I've created several virtual machines and created some test browsing activity to compare the places.sqlite files from these machines and all the records start in the same place. Does anybody know where in the places.sqlite file identifies why the records start here?

Thanks again.

jay_unistudent
Newbie
 
 
  

Re: Firefox 3 Forensics

Post Posted: Wed Feb 06, 2013 12:53 pm

The cell pointers give the offset of each record from the start of the current page. The cells themselves consist of:

- a VarInt giving the payload size (the length in bytes of the record)
- a VarInt giving the cell's rowid (unique numeric value assigned to each row in a table)
- the record (which in turn is made up of...)
  - the record header (made up of...)
    - a VarInt giving the length of the record header in bytes (including this value)
    - one or more VarInts which are serial type codes giving the type (and implicitly the length) of the data in the record
  - the record data (formatted according to the record header)

So to find the url you'd jump to the start of the cell by following the cell pointer, then read (and for your purposes*, ignore) the payload and rowid values. That would bring you to the start of the record header, which you can then read and, based upon the table schema, derive where the URL will start relative to the end of the record header (assuming Chris's schema, this will be directly after the header) and the length of the url string (by decoding the serial type code in the record header).

EDIT: if you're interested in deleted records, this won't be the best approach necessarily as you're at best going to target referenced records on freepages and at worst, well, live records.

Of course you could use an application like Epilog to do this for you, but I'm assuming from your user name that your interests are academic rather than practical?

Let me know if I can clarify any of that.

* actually, if the payload is big enough the record will overflow in which case you need to pay attention to the payload value in order to deal with this. But barring very long urls or page titles I doubt this table is likely to have overflowing records.  

Last edited by AlexC on Wed Feb 06, 2013 1:06 pm; edited 1 time in total

AlexC
Senior Member
 
 
  

Re: Firefox 3 Forensics

Post Posted: Wed Feb 06, 2013 1:04 pm

If you're asking how you know which pages contain data related to the "moz_places" table then you need to read (or just query) the "sqlite_master" table along the lines of:

SELECT rootpage FROM sqlite_master WHERE "type"='table' AND tbl_name='moz_places';

The returned value (and there should only be 1) will give you the root page of the b-tree for that table. You'll then have to follow the tree to the leaf pages which contain the records for that table (I will get RSI typing out how to do that and sqlite.org/fileformat2.html Sections 1.5 and 2.0 describe it better than I will).

Of course, if you're interested in deleted records, it's probably best not to go about it like this, because they might not actually reside on the current leaf pages.  

AlexC
Senior Member
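As an added example (not code from any poster in this thread), here is a minimal Python walk of what AlexC describes in his two replies: check the file header, read sqlite_master on page 1 for the rootpage of moz_places, descend the table b-tree to its leaf pages, and decode each cell's varints, record header and serial type codes to pull out the rowid and url. The places.sqlite it parses is constructed with Python's sqlite3 module using a cut-down moz_places schema and 512-byte pages (so a few hundred rows already produce an interior page); overflow pages and deleted records are not handled, matching AlexC's caveats.

```python
import os, pathlib, sqlite3, struct, tempfile
def varint(buf, pos):  # SQLite varint: big-endian, 7 bits per byte; a 9th byte uses all 8 bits
    val, i = 0, 0
    while buf[pos + i] >= 0x80 and i < 8:
        val, i = (val << 7) | (buf[pos + i] & 0x7F), i + 1
    return ((val << 8) if i == 8 else (val << 7)) | buf[pos + i], pos + i + 1

def record(buf, pos):  # record = header (its length, then one serial type per column) + values
    hdr_len, p = varint(buf, pos)
    body, vals = pos + hdr_len, []
    while p < pos + hdr_len:
        c, p = varint(buf, p)  # serial type -> byte length: NULL, int1-4, int6, int8, float, 0, 1
        n = (c - 12) // 2 if c >= 12 else (0, 1, 2, 3, 4, 6, 8, 8, 0, 0)[c]  # >=12: BLOB/TEXT
        raw, body = buf[body:body + n], body + n
        vals.append(raw.decode("utf-8") if c >= 13 and c % 2 else
                    int.from_bytes(raw, "big", signed=True) if 1 <= c <= 6 else
                    c - 8 if c in (8, 9) else None if c == 0 else raw)
    return vals

def leaf_cells(db, page_size, pgno):  # yield (rowid, record) from every leaf below page pgno
    base = (pgno - 1) * page_size
    hdr = base + (100 if pgno == 1 else 0)  # page 1 starts with the 100-byte file header
    interior, ncells = db[hdr] == 0x05, struct.unpack(">H", db[hdr + 3:hdr + 5])[0]
    start = hdr + (12 if interior else 8)  # 0x05 interior table page, 0x0D leaf table page
    ptrs = struct.unpack(">%dH" % ncells, db[start:start + 2 * ncells])  # cell pointer array
    if interior:  # each cell starts with a 4-byte left child; the right-most child is in the header
        for off in [base + p for p in ptrs] + [hdr + 8]:
            yield from leaf_cells(db, page_size, struct.unpack(">I", db[off:off + 4])[0])
    else:  # leaf cell: payload-size varint, rowid varint, record (overflow pages not followed)
        for p in ptrs:
            _payload, q = varint(db, base + p)
            rowid, q = varint(db, q)
            yield rowid, record(db, q)

def moz_places_urls(db):  # header check -> sqlite_master (page 1) -> rootpage -> (rowid, url)
    assert db[:16] == b"SQLite format 3\x00"
    page_size = struct.unpack(">H", db[16:18])[0]
    root = next(r[3] for _, r in leaf_cells(db, page_size, 1) if r[0] == "table" and r[2] == "moz_places")
    return [(rowid, r[1]) for rowid, r in leaf_cells(db, page_size, root)]  # r[0] (id) is NULL: rowid holds it

def build_sample(n, page_size=512):  # constructed sample; tiny pages force a multi-level b-tree
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "places.sqlite")
        con = sqlite3.connect(path)
        con.execute("PRAGMA page_size=%d" % page_size)
        con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR)")
        con.executemany("INSERT INTO moz_places (url, title) VALUES (?, ?)",
                        [("https://example.invalid/p%d" % i, "Page %d" % i) for i in range(n)])
        con.commit(); con.close()
        return pathlib.Path(path).read_bytes()
```

Running `moz_places_urls(build_sample(200))` returns the 200 (rowid, url) pairs in rowid order after descending from the interior root page; with three rows the root is itself a leaf and the same code path still applies.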
 
 
  

Re: Firefox 3 Forensics

Post Posted: Fri Feb 08, 2013 7:51 am

Thanks, AlexC.

I've not had a chance to try it out yet but I will try it this weekend and let you know how I get on.

Thanks again.

jay_unistudent
Newbie