Firefox
Browsers v1.2
Author: Eric Zimmerman and Andrew Rathbun
description
Firefox
paths
35 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: Firefox
# Run as Administrator
#Requires -RunAsAdministrator
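# Non-terminating cmdlet errors are suppressed for the whole script, so a
# failed step produces no output unless it is reported explicitly.
$ErrorActionPreference = "SilentlyContinue"

# Root folder that receives every collected artifact. It should sit on
# dedicated collection media, not on a volume of the system being examined.
$DestBase = "D:\Evidence"

# Verify the destination before collecting: with errors silenced, a missing
# drive would otherwise make every copy fail quietly while the script still
# reports completion.
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    New-Item -ItemType Directory -Path $DestBase -Force | Out-Null
}
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    Write-Warning "Evidence destination '$DestBase' is not available; nothing was collected."
    # 'return' ends the script when it is run from a .ps1 file; 'throw' would be
    # swallowed by the SilentlyContinue preference set above.
    return
}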
# Function to handle artifact collection with robocopy
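function Collect-Artifact {
    # Copies files matching $FileMask from $SourceDir (and its sub-folders)
    # into $DestBase\$FolderName with robocopy.
    #
    # Parameters:
    #   SourceDir  - source directory; may contain PowerShell wildcards
    #                (for example ...\Profiles\*\) and a trailing backslash.
    #   FolderName - sub-folder of the script-level $DestBase that receives the copy.
    #   FileMask   - robocopy file pattern; defaults to "*" (all files).
    #
    # Never throws. Writes a warning when the source resolves to no directory
    # or when robocopy reports a failure, so gaps in the evidence set are visible.
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    # A trailing backslash lands directly in front of the closing quote when
    # PowerShell quotes a path containing spaces for a native command, which
    # corrupts robocopy's argument list. Strip it before doing anything else.
    $Pattern = $SourceDir.TrimEnd('\')
    if ([string]::IsNullOrEmpty($Pattern)) {
        Write-Warning "Collect-Artifact: empty source path (nothing collected for $FolderName)"
        return
    }
    if ($Pattern.EndsWith(':')) { $Pattern += '\' }   # keep "C:\" a drive root

    # robocopy needs a literal source directory and does not expand wildcards
    # there, so resolve the pattern to concrete directories first.
    $HasWildcard = [System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($Pattern)
    $SourceDirs = @(Get-Item -Path $Pattern -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })

    if ($SourceDirs.Count -eq 0) {
        Write-Warning "Collect-Artifact: no directory matches '$SourceDir' (nothing collected for $FolderName)"
        return
    }

    foreach ($Dir in $SourceDirs) {
        if ($HasWildcard) {
            # Several directories can match one pattern (one per Firefox profile).
            # Mirror the full source path under the destination so same-named
            # files do not overwrite each other and their origin stays recorded.
            $Relative = ($Dir.FullName -replace ':', '').TrimStart('\')
            $Target = Join-Path -Path $FullDest -ChildPath $Relative
        } else {
            # Literal source: same destination layout as before.
            $Target = $FullDest
        }

        robocopy $Dir.FullName $Target $FileMask /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null

        # robocopy exit codes are a bit field; 8 and above mean at least one
        # copy failed. With /R:0 a file held open (e.g. by a running browser)
        # is skipped without retry and shows up here.
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "Collect-Artifact: robocopy exit code $LASTEXITCODE for '$($Dir.FullName)' ($FileMask); some files were not copied"
        }
    }
}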
# Firefox artifact table. Each entry names a path relative to the user profile,
# an optional file mask (omitted = Collect-Artifact's default of all files) and
# the destination folder. Entries are processed in the numbered order shown.
#
# NOTE(review): $env:USERPROFILE is the profile of the account running this
# script. Because the script requires elevation, that may be an administrator
# account rather than the user under examination; other users' Firefox
# profiles on the host are not covered by these paths.
# NOTE(review): the "Password" entries (key*.db, signon*.*, logins.json) are
# stored credential material; keep the destination access-controlled.
# NOTE(review): on Windows Vista and later, "Application Data" inside a user
# profile is normally a compatibility junction to AppData\Roaming, so the _XP
# entries may collect the same files as the entries above them - verify.
$ModernProfiles = "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
$LegacyProfiles = "Application Data\Mozilla\Firefox\Profiles\*\"

$FirefoxTargets = @(
    @{ Rel = $ModernProfiles; Mask = "addons.sqlite*"; Folder = "Addons" }                     # 1. Addons
    @{ Rel = "AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\"; Mask = "bookmarks.sqlite*"; Folder = "Bookmarks" }   # 2. Bookmarks
    @{ Rel = "AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups"; Folder = "Bookmarks" }                      # 3. Bookmarks
    @{ Rel = $ModernProfiles; Mask = "cookies.sqlite*"; Folder = "Cookies" }                   # 4. Cookies
    @{ Rel = $ModernProfiles; Mask = "firefox_cookies.sqlite*"; Folder = "Cookies" }           # 5. Cookies
    @{ Rel = $ModernProfiles; Mask = "downloads.sqlite*"; Folder = "Downloads" }               # 6. Downloads
    @{ Rel = $ModernProfiles; Mask = "extensions.json"; Folder = "Extensions" }                # 7. Extensions
    @{ Rel = $ModernProfiles; Mask = "favicons.sqlite*"; Folder = "Favicons" }                 # 8. Favicons
    @{ Rel = $ModernProfiles; Mask = "formhistory.sqlite*"; Folder = "Form_history" }          # 9. Form history
    @{ Rel = $ModernProfiles; Mask = "permissions.sqlite*"; Folder = "Permissions" }           # 10. Permissions
    @{ Rel = $ModernProfiles; Mask = "places.sqlite*"; Folder = "Places" }                     # 11. Places
    @{ Rel = $ModernProfiles; Mask = "protections.sqlite*"; Folder = "Protections" }           # 12. Protections
    @{ Rel = $ModernProfiles; Mask = "search.sqlite*"; Folder = "Search" }                     # 13. Search
    @{ Rel = $ModernProfiles; Mask = "signons.sqlite*"; Folder = "Signons" }                   # 14. Signons
    @{ Rel = $ModernProfiles; Mask = "storage-sync.sqlite*"; Folder = "Storage_Sync" }         # 15. Storage Sync
    @{ Rel = $ModernProfiles; Mask = "webappstore.sqlite*"; Folder = "Webappstore" }           # 16. Webappstore
    @{ Rel = $ModernProfiles; Mask = "key*.db"; Folder = "Password" }                          # 17. Password
    @{ Rel = $ModernProfiles; Mask = "signon*.*"; Folder = "Password" }                        # 18. Password
    @{ Rel = $ModernProfiles; Mask = "logins.json"; Folder = "Password" }                      # 19. Password
    @{ Rel = $ModernProfiles; Mask = "prefs.js"; Folder = "Preferences" }                      # 20. Preferences
    @{ Rel = $ModernProfiles; Mask = "sessionstore*"; Folder = "Sessionstore" }                # 21. Sessionstore
    @{ Rel = "AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups"; Folder = "Sessionstore_Folder" }       # 22. Sessionstore Folder
    @{ Rel = $LegacyProfiles; Mask = "places.sqlite*"; Folder = "Places_XP" }                  # 23. Places XP
    @{ Rel = $LegacyProfiles; Mask = "downloads.sqlite*"; Folder = "Downloads_XP" }            # 24. Downloads XP
    @{ Rel = $LegacyProfiles; Mask = "formhistory.sqlite*"; Folder = "Form_history_XP" }       # 25. Form history XP
    @{ Rel = $LegacyProfiles; Mask = "cookies.sqlite*"; Folder = "Cookies_XP" }                # 26. Cookies XP
    @{ Rel = $LegacyProfiles; Mask = "signons.sqlite*"; Folder = "Signons_XP" }                # 27. Signons XP
    @{ Rel = $LegacyProfiles; Mask = "webappstore.sqlite*"; Folder = "Webappstore_XP" }        # 28. Webappstore XP
    @{ Rel = $LegacyProfiles; Mask = "favicons.sqlite*"; Folder = "Favicons_XP" }              # 29. Favicons XP
    @{ Rel = $LegacyProfiles; Mask = "addons.sqlite*"; Folder = "Addons_XP" }                  # 30. Addons XP
    @{ Rel = $LegacyProfiles; Mask = "search.sqlite*"; Folder = "Search_XP" }                  # 31. Search XP
    @{ Rel = $LegacyProfiles; Mask = "key*.db"; Folder = "Password_XP" }                       # 32. Password XP
    @{ Rel = $LegacyProfiles; Mask = "signon*.*"; Folder = "Password_XP" }                     # 33. Password XP
    @{ Rel = $LegacyProfiles; Mask = "logins.json"; Folder = "Password_XP" }                   # 34. Password XP
    @{ Rel = $LegacyProfiles; Mask = "sessionstore*"; Folder = "Sessionstore_XP" }             # 35. Sessionstore XP
)

foreach ($Entry in $FirefoxTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Rel

    # Pass -FileMask only when the entry defines one, so the function's own
    # default applies to the whole-folder entries.
    $CallArgs = @{ SourceDir = "$UserPath"; FolderName = $Entry.Folder }
    if ($Entry.ContainsKey('Mask')) {
        $CallArgs.FileMask = $Entry.Mask
    }
    Collect-Artifact @CallArgs
}
Write-Host "Collection complete!" -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.