Unravel the Database of Sqlite in Mozilla Firefox For Forensic Investigation

In the last blog we talked about Sqlite Database In Google Chrome, know we will move towards another browser that is Mozilla. Mozilla Firefox is an open source web browser developed by Mozilla foundation and Mozilla Corporation. It is well compatible with Windows, Linux and with Android Operating System. Mozilla employs a comprehensive storage of data which is facilitated with Sqlite database. This database is also known as embedded database as it gets embedded into the application it serves and it requires zero configurations.

On Windows 7, users can locate the Sqlite database on the following path

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Inside the profile directory, one can find several files. But the most substantial files over here are the Sqlite database files because of their ability to furnish useful information related to investigation procedures. Among them, there are this three databases which have much of significance.

1. cookies.sqlite
2. places.sqlite
3. formhistory.sqlite

Places.sqlite

In order to enumerate the history of Mozilla Firefox browser, you can make reference to the places.sqlite database. The moz_places table provides important information about the website address which the user has visited. The lists of table it contains are mentioned below.

This database consists of the entries which are given by the user into the Form submission fields. On analyzing this database, one can get clues to the addresses and the subject titles of web-based email messages and various search keywords that are submitted to the search engine.

It must be known that the id field of the moz_places table correlates with the places_id of the moz_historyvisits table. This will help the investigators who are examining the user’s computer to find a probative evidence by building up a SQL query which will yield a relevant output for finding out the user’s browsing history details.

The id attribute of the moz_places corresponds to that of the places_id of the moz_historyvisits table.

Cookies.sqlite

The Firefox web browser stores the cookies in the database known as cookies.sqlite. This database can be examined by a forensic expert and all the cookies can be extracted which can provide valuable information regarding passwords and username to sign on to the web resources which requires user’s authenticity. The entries of the moz_cookies table indicates the information about the cookie which the website has requested when the user had last visited the web page. Further , it would furnish significant information related to the fact that the user was registerd for that specific website or not.

The fields of the moz_cookies table are shown below

Further, on analyzing the table with a database viewer, experts can unravel the following data. Each cookie entry contains data which will act as suitable evidence while conducting forensic investigation.

formhistory.sqlite

This database contains only two tables known as moz_formhistory and moz_deleted_formhistory.

moz_formhistory

Here, experts can figure out information regarding the data filled out by the user while online. Data like username, phone numbers, can be retrieved from this table. The attributes like “firstUsed” and “lastUsed” keep a tab on the date and the timestamp value associated with specific information.

moz_deleted_formhistory

Here, you can get information related to deleted formhistory and the time when it was deleted.

Conclusion: – Wrapping it all together we can say that the Sqlite database can be very helpful from forensic point of view and can bring out appropriate evidence to produce it in the court of law. We can use Free Sqlite viewer for initial and brief understanding of Sqlite Firefox database and to carve evidence for forensic investigation we have to go for a Sqlite forensic Utility.