What Firefox can tell about you? - Firefox Forensics

1,484 views

Published on

RISC Meet - 14th September
RMIT Information Security Collective
RMIT University

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,484
On SlideShare
0
From Embeds
0
Number of Embeds
617
Actions
Shares
0
Downloads
23
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

What Firefox can tell about you? - Firefox Forensics

  1. 1. RISC MEET 1
  2. 2. HOW BROWSER WORKS? RISC MEET 2 Img Src: http://img.labnol.org/di/how-internet-works1.jpg
  3. 3. HOW BROWSER WORKS? CNTD. RISC MEET 3 Img Src: http://taligarsiel.com/Projects/layers.png
  4. 4. RENDERING ENGINE – WEBKIT, CHROME,SAFARI RISC MEET 4 Img Src: http://taligarsiel.com/Projects/webkitflow.png
  5. 5. DEFAULT LOCATIONSWin 7:C:Users[user]AppDataRoamingMozillaFirefoxProfilesXXXXXXXX.defaultC:Users[user]AppData]LocalMozillaFirefoxProfilesXXXXXXXX.defaultCacheLinux:~/.mozilla/firefox/XXXXXXXX.default/MAC OS X:~/Library/Application Support/Firefox/Profiles/XXXXXXXX.default/~/Library/Application Support/Mozilla/Extensions~/Library/Caches/Firefox/Profiles/XXXXXXXX.default/Cache/ RISC MEET 5
  6. 6. SQLITE TABLESAddonsChromeappstoreContent-prefsCookiesDownloadsExtensionsFormhistoryPermissionsPlacesSearchSignonsWebappstore RISC MEET 6
  7. 7. ADDONSAny browser addons - extra toolbars (sometimes users don’t even know they have them installed)What you will find:Name, Version, Description, and other data like which profile gets to use it in a multi-profile environment RISC MEET 7
  8. 8. CHROMEAPPSTOREThe Search Engine container in Firefox which is set to Google by default, though users can set any other search engine RISC MEET 8
  9. 9. CONTENT-PREFSBrowser Preferences and Content settings like text zoom, page style, character encoding on a site-specific basesUseful for showing intent and frequency of visits along with the browser history RISC MEET 9
  10. 10. COOKIESEvery cookie that is set by the systemThese may or may not be wiped clean when a user deletes all cookies or any other program to clear tracksA cookie being set does NOT mean the user visited the site RISC MEET 10
  11. 11. DOWNLOADSList of every file downloaded - Cleared when user clears the download queue in FirefoxYou can tell a lot about a person by what they download RISC MEET 11
  12. 12. EXTENSIONSAll ExtensionsThis file will normally pop-up as corrupted or unavailable when Firefox is running. RISC MEET 12
  13. 13. FORMHISTORYEvery form filled out by the user RISC MEET 13
  14. 14. PERMISSIONSPermissions various sites have like allowing pop-ups RISC MEET 14
  15. 15. PLACESPlaces visited, bookmarks and attributes to sites commonly visited by the userCross referencing this file with cookies, formhistory and permissions provides a robust view of the user and how they use FirefoxCross referencing is also useful to prove that the visit was intentional versus a drive by cookie session RISC MEET 15
  16. 16. SEARCHAll available search engines RISC MEET 16
  17. 17. SIGNONSStored Passwords RISC MEET 17
  18. 18. WEBAPPSTOREAll XAuth Tokens RISC MEET 18
  19. 19. RISC MEET 19
  20. 20. RISC MEET 20
  21. 21. CACHEFiles you will find in the Cache Folder:_CACHE_MAP_CACHE_001, _CACHE_002, _CACHE_003Cache Map is the main file needed to reconstruct the cache files RISC MEET 21
  22. 22. MOZILLACACHEVIEW BY NIRSOFT RISC MEET 22
  23. 23. RISC MEET 23
  24. 24. RISC MEET 24

×