Firefox Cache Format and Extraction

by

In the forensic lab where I work, we frequently investigate malware-infected workstations. As our user population started shifting from Internet Explorer to Firefox, we observed that one of our favorite forensic tools, Kristinn Gudjonsson’s log2timeline, wasn’t able to provide as much data for Firefox as it was for IE. The missing component was cache data; log2timeline was capable of parsing IE cache but not Firefox. In order to fix this deficit and contribute to log2timeline, I decided to write a log2timeline module for the Firefox cache. During the course of writing that module (ff_cache.pm – available in log2timeline 0.62), I researched how the Firefox cache works, wrote a tool to extract data from it (ff_cache_find), and learned traits of Firefox that have implications for forensic acquisition and analysis…

Read more

Leave a Comment

Latest Articles

Forensic Focus Digest, May 16 2025
News

Forensic Focus Digest, May 16 2025

ByForensic FocusMay 16, 2025
Introducing XRY 11.0.1 From MSAB
News

Introducing XRY 11.0.1 From MSAB

ByMSABMay 15, 2025
“You Knew What You Were Signing Up For” – A Harmful Narrative In DFIR?
ArticlesWell-being

“You Knew What You Were Signing Up For” – A Harmful Narrative In DFIR?

ByForensic FocusMay 15, 2025
Amped Authenticate Update Empowers Investigators With Expanded Tools For Deepfake Detection And Video Integrity Analysis
News

Amped Authenticate Update Empowers Investigators With Expanded Tools For Deepfake Detection And Video Integrity Analysis

ByAmpedSoftwareMay 15, 2025
Digital Forensics Round-Up, May 14 2025
News

Digital Forensics Round-Up, May 14 2025

ByForensic FocusMay 14, 2025
Detego Global Announces Sponsorship Of British Police Rugby Team’s Centenary Tour Of South Africa
News

Detego Global Announces Sponsorship Of British Police Rugby Team’s Centenary Tour Of South Africa

ByDetego Digital ForensicsMay 14, 2025