IR and forensic talk

Update 1:

Update 2:

One thing I noticed is that most of the tools that, at least the ones that I found, don’t seem to read Firefox 3 web history and display it in a human readable format (well there is one that I found, on firefoxforensics.com, but that is a Windows tool.  So I decided to write a small bash script (will most likely rewrite it in Perl later) that reads the places.sqlite file and displays it in a browser (w3m or lynx) in an easy to read format.

Firefox 3 stores all of it’s history in a file called places.sqlite which is a SQlite3 database.  The schema for the database is

• id INTEGER PRIMARY KEY, an integer that indicates the primary key for the database, of no real interest
• url LONGVARCHAR, the URL that has been visited and the protocol used, something that one likes to examine.
• title LONGVARCHAR, the title of the page as it appears in the browser
• rev_host LONGVARCHAR, the reverse of the host name that was visited. used to ease searching and querying into hosts visited in history file.
• visit_count INTEGER DEFAULT 0, as the variable implies a counter for the site
• hidden INTEGER DEFAULT 0 NOT NULL,either 0 or 1. if the URL is hidden then the user did not navigate directly to it, usually indicates an embedded page using something like an iframe
• typed INTEGER DEFAULT 0 NOT NULL,indicates whether the user typed the URL directly into the location bar
• favicon_id INTEGER,relationship to another table containing favicon
• frecency INTEGER DEFAULT -1 NOT NULL, combination of frequency and recency, used to calculate which sites appear at the top of the suggestion list when URL’s are typed in the address bar.

The script can be downloaded here and is very simple in use. Best to put somewhere in your PATH and run it like this

read_firefox_history DATABASE

Where DATABASE is exchanged for the file name of the sqlite database containing the web history, eg. places.sqlite.

The small script then reads the places.sqlite file and parses it to display it in a easy to read format.