Rubyfu
TwitterGithubNEW! Black Hat RubyBuy Me a Coffee
Search…
Primary version
Module 0x0 | Introduction
Contribution
Beginners
Required Gems
Module 0x1 | Basic Ruby Kung Fu
Module 0x2 | System Kung Fu
Module 0x3 | Network Kung Fu
Module 0x4 | Web Kung Fu
Module 0x5 | Exploitation Kung Fu
Module 0x6 | Forensic Kung Fu
Windows Forensic
Android Forensic
Memory Forensic
Network Traffic Analysis
Parsing Log Files
Module 0x7 | OSINT Kung Fu
References
FAQs
Contributors
Powered By GitBook
Module 0x6 | Forensic Kung Fu

Firefox Investigation

You can find Firefox profile databases in
  • Linux
    /home/$USER/.mozilla/firefox/[PROFILE]
  • Windows
    C:\Users\%USERNAME%\[PROFILE]
In above directories, there are many SQLite database files, so let's to import these databases and see what we get
require 'sqlite3'
​
# Browser history
db = SQLite3::Database.new "places.sqlite"
​
# List all tables
db.execute "SELECT * FROM sqlite_master where type='table'"
​
# List all visited URLs (History)
db.execute "SELECT url FROM moz_places"
# List all bookmarks
db.execute "SELECT title FROM moz_bookmarks"
​
# List all Cookies
db = SQLite3::Database.new "cookies.sqlite"
db.execute "SELECT baseDomain, name, host, path, value FROM moz_cookies"
​
# List all form history
db = SQLite3::Database.new "formhistory.sqlite"
db.execute "SELECT fieldname, value FROM moz_formhistory"
More about Firefox forensic​

Google Chrome Investigation

  • Linux
    /home/$USER/.config/google-chrome/Default
  • Windows
    C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\
require 'sqlite3'
​
# List all Cookies
db = SQLite3::Database.new "Cookies"
db.execute "SELECT host_key, path, name, value FROM cookies"
More about Chrome forensic​
Previous
metasm
Next
Windows Forensic
Last modified 4yr ago
Copy link
Outline
Firefox Investigation
Google Chrome Investigation