dfirhub

Firefox

Browsersv1.2

Author: Eric Zimmerman and Andrew Rathbun

description

Firefox

paths

35 paths
CommunicationsAddons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*
CommunicationsBookmarks
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*
CommunicationsBookmarks
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups
CommunicationsCookies
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*
CommunicationsCookies
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*
CommunicationsDownloads
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*
CommunicationsExtensions
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json
CommunicationsFavicons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*
CommunicationsForm history
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
CommunicationsPermissions
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*
CommunicationsPlaces
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*
CommunicationsProtections
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*
CommunicationsSearch
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*
CommunicationsSignons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*
CommunicationsStorage Sync
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*
CommunicationsWebappstore
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
CommunicationsPassword
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db
CommunicationsPassword
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*
CommunicationsPassword
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json
CommunicationsPreferences
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js
CommunicationsSessionstore
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*
CommunicationsSessionstore Folder
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups
CommunicationsPlaces XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*
CommunicationsDownloads XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*
CommunicationsForm history XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
CommunicationsCookies XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*
CommunicationsSignons XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*
CommunicationsWebappstore XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
CommunicationsFavicons XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*
CommunicationsAddons XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*
CommunicationsSearch XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*
CommunicationsPassword XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\key*.db
CommunicationsPassword XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\signon*.*
CommunicationsPassword XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\logins.json
CommunicationsSessionstore XP
C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: Firefox
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Addons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\addons.sqlite*" -FolderName "Addons"

# 2. Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\"
Collect-Artifact -SourcePath "$UserPath\bookmarks.sqlite*" -FolderName "Bookmarks"

# 3. Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Bookmarks"

# 4. Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\cookies.sqlite*" -FolderName "Cookies"

# 5. Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\firefox_cookies.sqlite*" -FolderName "Cookies"

# 6. Downloads
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\downloads.sqlite*" -FolderName "Downloads"

# 7. Extensions
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\extensions.json" -FolderName "Extensions"

# 8. Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\favicons.sqlite*" -FolderName "Favicons"

# 9. Form history
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\formhistory.sqlite*" -FolderName "Form_history"

# 10. Permissions
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\permissions.sqlite*" -FolderName "Permissions"

# 11. Places
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\places.sqlite*" -FolderName "Places"

# 12. Protections
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\protections.sqlite*" -FolderName "Protections"

# 13. Search
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\search.sqlite*" -FolderName "Search"

# 14. Signons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\signons.sqlite*" -FolderName "Signons"

# 15. Storage Sync
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\storage-sync.sqlite*" -FolderName "Storage_Sync"

# 16. Webappstore
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\webappstore.sqlite*" -FolderName "Webappstore"

# 17. Password
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\key*.db" -FolderName "Password"

# 18. Password
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\signon*.*" -FolderName "Password"

# 19. Password
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\logins.json" -FolderName "Password"

# 20. Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\prefs.js" -FolderName "Preferences"

# 21. Sessionstore
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\sessionstore*" -FolderName "Sessionstore"

# 22. Sessionstore Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Sessionstore_Folder"

# 23. Places XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\places.sqlite*" -FolderName "Places_XP"

# 24. Downloads XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\downloads.sqlite*" -FolderName "Downloads_XP"

# 25. Form history XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\formhistory.sqlite*" -FolderName "Form_history_XP"

# 26. Cookies XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\cookies.sqlite*" -FolderName "Cookies_XP"

# 27. Signons XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\signons.sqlite*" -FolderName "Signons_XP"

# 28. Webappstore XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\webappstore.sqlite*" -FolderName "Webappstore_XP"

# 29. Favicons XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\favicons.sqlite*" -FolderName "Favicons_XP"

# 30. Addons XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\addons.sqlite*" -FolderName "Addons_XP"

# 31. Search XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\search.sqlite*" -FolderName "Search_XP"

# 32. Password XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\key*.db" -FolderName "Password_XP"

# 33. Password XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\signon*.*" -FolderName "Password_XP"

# 34. Password XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\logins.json" -FolderName "Password_XP"

# 35. Sessionstore XP
$UserPath = Join-Path $env:USERPROFILE "Application Data\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\sessionstore*" -FolderName "Sessionstore_XP"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

included in collections

SANS_Triage KapeTriage WebBrowsers