Yeah, no excuses... + Foxcatcher! [Part 1]

Hey guys! Absolutely no excuses for my disappearance, though I must say, I was never really gone, just lurkin’ in my purple lamborghini (yeah I know, I’ll see myself out).

Anyway, I’ll make it up to you guys by writing a Tutorial/How-To/Guide/whatever, inspired by OTW’s recent article on his website:

Digital Forensics, Part 7: Browser Forensics

(I strongly advise you to read his article before reading this one).

For this tutorial, I’ll be focusing on Mozilla Firefox for the Windows system, since it’s the most commonly used OS.

(This article is a long read, so bear with me. Also, it turned out a lot longer than I initially thought, so there will be 2 or more parts.)


So if you read OTW’s post, you know that Firefox uses an SQLite database to store most of a user’s information, and you also know that all the juicy stuff is in a file that is called ‘places.sqlite’.

In this post, I’ll show you how you can write a simple batch file to automatically copy said file and store it in a directory of your choosing. For this we will be using a Pen Drive.

In Windows XP & lower, this file can be found at:

"C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\places.sqlite"

And in Windows Vista & above at:

"C:\Users\<users>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>\places.sqlite"

Even though the path to the file is different between OS’s, you’ll see why it won’t make a difference to the batch file…

### The Batch File
The batch file contains only two lines (I know right?):

  • one to create a directory named after the username
  • one that actually copies the file to said directory

First we need to choose where the copied file will be stored.

The command to create a directory in Windows is the same as in Linux, mkdir, so we open any text editor and write:

```bat
mkdir ".\Firefox Profiles\%USERNAME%"
```

Since we are using a pen drive, Windows assigns a letter to the drive based on the letters already in use. This makes it difficult to guess what letter Windows assigns to the drive. That’s where the “.\” segment in the line comes in handy.

This tells the OS to create a folder in the location where the batch file was originally executed (our pen drive). This makes things a hell of a lot easier because now we don’t have to worry about what letter the system assigns to our drive.

In my case, the folder I chose to create is called ‘Firefox Profiles’ but it can be whatever you want.

The %username% (CAPS or no caps, it is the same) segment is called a Windows Environment Variable. This variable’s default value is… * drum rolls please * that’s right, the logged in user’s username!

(A helpful cheatsheet on Windows Environment Variables)

So, in short, this line creates a subdirectory named after the logged in user, in a directory called ‘Firefox Profiles’, which is located in our pen drive.

Directly below the first line, we write the command that actually copies the places.sqlite file to our created directory:

```bat
xcopy "%APPDATA%\Mozilla\Firefox\Profiles\*.sqlite" ".\Firefox Profiles\%username%" /s /h /y
```

xcopy is a built-in Windows program to, well, copy files. We simply specify the path to the file we want to copy ("%APPDATA%\Mozilla\Firefox\Profiles\*.sqlite") and then the path to where we want to store it (".\Firefox Profiles\%username%"). We also use the options:

/s - Copy folders and subfolders

/h - Copy hidden and system files and folders

/y - Suppress prompt to confirm overwriting a file.

/q - (if you wish) Do not display file names while copying.

ez right?

(A helpful xcopy cheatsheet - http://ss64.com/nt/xcopy.html)

%appdata% is another Windows Environment Variable whose default value in Win Vista & above is "C:\Users\{username}\AppData\Roaming" and in Win XP & below is "C:\Documents and Settings\<username>\Application Data\". This is why even though the places.sqlite file is in different paths between Win OS’s it doesn’t pose an issue.

In the picture above you’ll see that the name of the profile in the Profiles folder is a random combination of letters and numbers followed by a ‘.default’ that is different for every user, so there is no chance that we will guess that combination.

To solve this issue we simply use the wildcard * to tell the program to copy all files that end with the extension .sqlite and the /s flag so we don’t need to know the actual name of the profile to copy its content (as explained above, the /s flag lets us copy folders & subfolders, so we simply copy all the folders & subfolders in the ‘Profiles’ folder).

The rest of the line is simply the path to where we want to save the file (the folder that we created earlier)

In summary, this line tells the program xcopy to search all folders & subfolders in the ‘Profiles’ folder for all the files that end with ‘.sqlite’ and copy them to a designated folder in our pen drive.

It’ll look like this:

Then we simply save the text file as <something>.bat. I found foxcatcher.bat a rather suspicious but fitting name. Anyway, it’s up to you!

### Autorun problems

You’ll notice that I didn’t create an autorun file. That’s because since Win 7 & above, the autorun feature is disabled by default, unless the user changes that value. So there is no point in creating that file. Of course, if you do so desire, you can create one to use on older systems…

So to run our batch file, we need to plug in the pen drive and run it manually. This will spawn the command prompt but it should close automatically after about 15 secs and then you’re good to go.

A solution to this problem would be to use a Rubber Ducky and write our script to copy the specified file. Since it emulates a keyboard, there would appear no prompt or anything to warn the user (More on Rubber Ducky)


That brings us to the end of Part 1! Hope you’ve enjoyed it and if you have any questions, just post 'em in the comments.

Part 2 - Navigating the ‘places.sqlite’ file using SQLite Browser

3 Likes
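From the defender's side, the copy described in the post above shows up in process-creation logging, because cmd.exe expands %APPDATA% and %username% before xcopy starts, so the logged command line carries the full profile path. The following is an added example, not part of the original post: the event records, field names (`cmd`, `cwd`) and severity labels are constructed assumptions. It flags copy utilities pulling .sqlite files out of a Firefox profile and raises the severity when the destination resolves to a different drive than the source.

```python
import re
import shlex
from ntpath import basename, splitdrive

COPY_TOOLS = {"xcopy", "xcopy.exe", "robocopy", "robocopy.exe", "copy"}
PROFILE_RE = re.compile(r"\\mozilla\\firefox\\profiles(\\|$)", re.I)

# Constructed process-creation records: command line plus working directory.
SAMPLE_EVENTS = [
    {"cwd": "E:\\",
     "cmd": r'xcopy "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\*.sqlite" ".\Firefox Profiles\alice" /s /h /y'},
    {"cwd": "C:\\Users\\alice",
     "cmd": r'xcopy "C:\Users\alice\Documents\*.docx" "D:\backup" /s /y'},
    {"cwd": "C:\\Users\\bob",
     "cmd": r'C:\Windows\System32\Robocopy.exe "C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles" "C:\Temp\ff" places.sqlite /s'},
]

def tokenize(cmdline):
    # posix=False keeps backslashes literal and quoted paths as one token.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def classify(event):
    """Return 'high', 'medium' or None for one process-creation record."""
    tokens = tokenize(event["cmd"])
    tool = next((i for i, t in enumerate(tokens)
                 if basename(t).lower() in COPY_TOOLS), None)
    if tool is None:
        return None
    # Everything after the tool that is not a /switch is a path or file pattern.
    args = [t for t in tokens[tool + 1:] if not t.startswith("/")]
    if len(args) < 2:
        return None
    src, dst = args[0], args[1]
    wants_sqlite = any(a.lower().endswith(".sqlite") for a in args)
    if not (PROFILE_RE.search(src) and wants_sqlite):
        return None
    # A relative destination such as ".\..." lands on the working directory's drive.
    src_drive = splitdrive(src)[0].upper()
    dst_drive = (splitdrive(dst)[0] or splitdrive(event["cwd"])[0]).upper()
    return "high" if dst_drive != src_drive else "medium"

def scan(events):
    """Return (severity, command line) for every record that matched."""
    return [(sev, e["cmd"]) for e in events if (sev := classify(e))]

if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

The working directory matters here: the relative `.\` destination only reveals the pen drive when the log source records the process's current directory alongside the command line.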

That was an interesting read n3xUs, I’m looking forward to part 2!

  • shutz_c0de
1 Like

Man! I didn’t realise how powerful this could be! By itself it didn’t strike me as very important. But being able to extract browser data with a few commands on a rubber ducky, that’s gonna pwn most people’s online presence within a few minutes.

Awesome post. Can’t wait to read the next one!

1 Like
