
Version 0.41 of log2timeline published

January 22nd, 2010

I’ve just published version 0.41 of log2timeline; for a full list of the changes, read the changelog.  This is a recommended upgrade since it contains several bug fixes as well as enhancements to the tool.  I’ve added new input modules for Google’s Chrome History, Opera History, Firefox Bookmarks, and Windows Event Logs (EVTX). I’ve also added a new output module, CEF, for the Common Event Format designed by ArcSight, and improved a few other input modules (more on that below).

In my last post I talked about Opera history files as well as the bookmark feature of older versions of Firefox.  Since I added support for the bookmarks of older versions of Firefox (the ones that still store their bookmark information in the bookmarks.html file), I decided to include that information for the newer versions of the browser as well.  As of version 3, Firefox no longer stores bookmark information inside the bookmarks.html file.  Instead it stores them in the places.sqlite database, the same one that contains the browser history.  I therefore upgraded the firefox3 input module to include information about bookmarks, which is stored in the moz_bookmarks table as well as in the moz_places table.  The SQL command used to pull out information about the bookmarks is the following:

SELECT moz_bookmarks.type,moz_bookmarks.title,moz_bookmarks.dateAdded,
moz_bookmarks.lastModified,moz_places.url,moz_places.title,
moz_places.rev_host,moz_places.visit_count
FROM moz_places, moz_bookmarks
WHERE
 moz_bookmarks.fk = moz_places.id
 AND moz_bookmarks.type <> 3

There is one field in the moz_bookmarks table that is of special interest: the “type” field.  There are three different bookmark types:

  • 1 = A bookmark (URL)
  • 2 = A bookmark folder
  • 3 = Separator

The above SQL command returns all rows from the moz_bookmarks table (except separators) that have a corresponding row in the moz_places table.  This means that the SQL command in fact only returns bookmarked URLs, not folders.  So another query is made to get the necessary information about bookmark folders:

SELECT moz_bookmarks.title,moz_bookmarks.dateAdded,moz_bookmarks.lastModified
FROM moz_bookmarks
WHERE
 moz_bookmarks.type = 2

This SQL command extracts all the dates associated with the bookmark folders.  But there is another table within the places.sqlite database that might contain date objects: moz_items_annos.  This table contains additional information about bookmarks, namely the annotations that are made to bookmarks.  It stores the time when an annotation was added to a bookmark as well as when it was last modified.  The SQL command used to extract this information from the places.sqlite database is:

SELECT moz_items_annos.content, moz_items_annos.dateAdded
,moz_items_annos.lastModified,moz_bookmarks.title,
moz_places.url,moz_places.rev_host
FROM moz_items_annos,moz_bookmarks,moz_places
WHERE
 moz_items_annos.item_id = moz_bookmarks.id
 AND moz_bookmarks.fk = moz_places.id
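As an added example (written in Python rather than log2timeline's Perl, and not the project's own code), the three queries above run against a constructed in-memory places.sqlite that contains only the columns they reference, with table aliases for brevity; the schema subset, the sample rows, and the conversion of PRTime microseconds to UTC are assumptions made for this example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample: only the places.sqlite columns the three queries touch (the
# real schema has more). Timestamps are PRTime, microseconds since the Unix epoch.
SAMPLE_DB = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         rev_host TEXT, visit_count INTEGER);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                            title TEXT, dateAdded INTEGER, lastModified INTEGER);
CREATE TABLE moz_items_annos (id INTEGER PRIMARY KEY, item_id INTEGER,
                              content TEXT, dateAdded INTEGER, lastModified INTEGER);
INSERT INTO moz_places VALUES (1, 'http://www.sans.org/london08', 'london08',
                               'gro.snas.www.', 0);
INSERT INTO moz_bookmarks VALUES (1, 2, NULL, 'Bookmarks Menu',
                                  1218738203000000, 1218738203000000);
INSERT INTO moz_bookmarks VALUES (2, 1, 1, 'SANS London 2008',
                                  1218784170000000, 1218784170000000);
INSERT INTO moz_bookmarks VALUES (3, 3, NULL, NULL, 1218784170000000, 1218784170000000);
INSERT INTO moz_items_annos VALUES (1, 2, 'training course',
                                    1218784170000000, 1218784170000000);
"""

def prtime_to_utc(us):
    """PRTime microseconds -> aware UTC datetime (log2timeline's -z picks the zone)."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)

def bookmark_events(db_path=":memory:"):
    """Run the post's three queries and return (kind, text, added, modified) tuples
    sorted by dateAdded. With ":memory:" the constructed sample is loaded first."""
    con = sqlite3.connect(db_path)
    if db_path == ":memory:":
        con.executescript(SAMPLE_DB)
    ev = []
    for title, url, added, mod in con.execute(
            "SELECT b.title, p.url, b.dateAdded, b.lastModified"
            " FROM moz_places p, moz_bookmarks b"
            " WHERE b.fk = p.id AND b.type <> 3"):          # bookmarked URLs only
        ev.append(("Bookmark URL", f"{title} ({url})", added, mod))
    for title, added, mod in con.execute(
            "SELECT title, dateAdded, lastModified FROM moz_bookmarks"
            " WHERE type = 2"):                               # folders
        ev.append(("Bookmark Folder", title, added, mod))
    for content, added, mod, title, url in con.execute(
            "SELECT a.content, a.dateAdded, a.lastModified, b.title, p.url"
            " FROM moz_items_annos a, moz_bookmarks b, moz_places p"
            " WHERE a.item_id = b.id AND b.fk = p.id"):       # annotations
        ev.append(("Bookmark Annotation",
                   f"[{content}] to bookmark [{title}] ({url})", added, mod))
    con.close()
    return sorted(((k, t, prtime_to_utc(a), prtime_to_utc(m)) for k, t, a, m in ev),
                  key=lambda e: e[2])
```

Point `bookmark_events()` at a copied places.sqlite to get the same event list from a real profile; the separator row (type 3) has no moz_places counterpart and is excluded by the first query exactly as in the post.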

An example output of the newly upgraded firefox3 input module is the following:

log2timeline -f firefox3 -z local places.sqlite  | grep Bookmark
...
0|[Firefox3] User: smith Bookmark Annotation: [milw0rm exploits and 0day
exploits database] to bookmark [milw0rm] (http://www.milw0rm.com/)|0|0|0|0|
0|1195573631|1195573631|1195573631|1195573631
...
0|[Firefox3] User: smith Bookmark Folder [Bookmarks Menu]|0|0|0|0|0|
1218738203|1218738203|1195573631|1195573631
...
0|[Firefox3] User: smith  Bookmark URL SANS London 2008 (http://www.sans.org/london08)
[london08] count 0|0|0|0|0|0|1218784170|1218784170|1218784170|1218784170

I’ve also upgraded the flash cookie, or Local Shared Object (sol), input module considerably.  The older version was not built to support many of the common flash cookies out there, so the new version should implement a parser for every known type of object.  However, I’ve seen some flash cookies with a considerably different binary structure that the input module is not capable of parsing. These files might be an older version of the standard, and the current version of the sol input module is unable to parse them (as is every other SOL editor/parser that I’ve seen).  I will not include any information about the structure of flash cookies in this post; that is reserved for a later post.

I’ve also decided not to create all my blog posts on this site and then re-post some of them on the SANS forensics blog. Instead I will post some of the blog posts solely on the SANS blog while others will only be here.  In that spirit I wrote a post about Google’s Chrome browser which can be read here. My blog post about flash cookies will also be posted on the SANS forensics blog site.
