Module 0x6 | Forensic Kung Fu
Firefox Investigation
You can find Firefox profile databases in
- Linux1/home/$USER/.mozilla/firefox/[PROFILE]Copied!
- Windows1C:\Users\%USERNAME%\[PROFILE]Copied!
In above directories, there are many SQLite database files, so let's to import these databases and see what we get
1
require 'sqlite3'
2
​
3
# Browser history
4
db = SQLite3::Database.new "places.sqlite"
5
​
6
# List all tables
7
db.execute "SELECT * FROM sqlite_master where type='table'"
8
​
9
# List all visited URLs (History)
10
db.execute "SELECT url FROM moz_places"
11
# List all bookmarks
12
db.execute "SELECT title FROM moz_bookmarks"
13
​
14
# List all Cookies
15
db = SQLite3::Database.new "cookies.sqlite"
16
db.execute "SELECT baseDomain, name, host, path, value FROM moz_cookies"
17
​
18
# List all form history
19
db = SQLite3::Database.new "formhistory.sqlite"
20
db.execute "SELECT fieldname, value FROM moz_formhistory"
Copied!
Google Chrome Investigation
- Linux1/home/$USER/.config/google-chrome/DefaultCopied!
- Windows1C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Copied!
1
require 'sqlite3'
2
​
3
# List all Cookies
4
db = SQLite3::Database.new "Cookies"
5
db.execute "SELECT host_key, path, name, value FROM cookies"
Copied!
Last modified 4yr ago
Copy link