Welcome back! So in my previous post we talked about extracting the
places.sqlite file from our target’s computer and there were a couple of things I forgot to mention.
First, what actually is a profile? Below is how Mozilla defines a User Profile:
###Mozilla’s Support Page -
All of the changes you make in Firefox, like your home page, what toolbars you use, extensions you have installed, saved passwords and your bookmarks, are all stored in a special folder, called a profile. Your profile folder is stored in a separate place from the Firefox program so that, if something ever goes wrong with Firefox, your information will still be there. It also means you can uninstall Firefox without losing your settings and you don’t have to reinstall Firefox to clear your information or troubleshoot a problem.
^ This also means that if someone with malicious intent or not (like us) gets his hands on this file, he could gather all sorts of data about a user ^
Second, a user can have more than one profile. In my previous article, I told you that the name of our profile is a random combination of letters and numbers followed by a ‘
.default’. This ‘
.default’ is the actual name of our profile, so if you create a profile named ‘
0x00sec_test’, your profile folder will be ‘
xxxxxxxxx.0x00sec_test’ (I’ll showcase below).
The good thing about our script is that it will copy all the profiles present in the Profile Folder!
With that being said, lets focus on today’s subject - Datamining the ‘
###What is Data Mining?
Simply put, Data Mining is sorting through data to identify patterns and establish relationships.
This could be:
- Looking for patterns where one event is connected to another event
- Looking for patterns where one event leads to another later event
- Looking for new patterns
- Finding and visually documenting groups of facts not previously known
- Discovering patterns in data that can lead to reasonable predictions about the future (predictive analytics)
(useful link to further understand data mining - http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palace/datamining.htm)
What we will be doing here is point number 4 - finding and visually documenting groups of facts not previously known - that is, gather information on a target’s browsing habits/prefrences/interests…
First thing we’ll need is a DB Browser for SQLite, which you can find here.
For this project. I went ahead and created another user profile named ‘foxcatcher_test’ and just searched some random stuff for demonstration purposes (btw, forgive me for the lack of creativeness on my searches…)
Once we have our Browser installed, we have to open our ‘places.sqlite’ file with said Browser.
(fyi, I’m totally not an expert on SQL and Databases, so if you have any suggestion/improvements/corrections, feel free to let me know).
This is the first window you’ll see:
I think that the most insteresting tables for us are:
moz_bookmarks- User boookmarks
moz_favicons- Favicons stored in cache
moz_inputhistory- Search history
moz_places- Websites visited
I’ll be analysing the
Let’s start with
To search the database, you need to know some basic SQL Syntax. To query the DB, go to the last tab on the right side that reads ‘Execute SQL’. On the right lower corner, you see the
moz_bookmarks table and it’s keys (the most important one is the ‘
title’ key, which is the name of the bookmarked website, so this is the key we want). To query the DB to search this key for data, we type:
SELECT title FROM moz_bookmarks
And press on the ‘play’ button on top.
On the lower left corner, we can see the results from this query.
Right off the bat, we see that the most common term is ‘manchester’, so maybe our target is living there or thinking to move there. We will have to dig further.
Let’s go into the
moz_places table now to see if we can find something to better understand our target.
As you can see, the
moz_places table has a lot of keys. I believe the one of most interest to us are the ‘url’, ‘title’ and ‘visit_count’. So let’s query the DB for those keys!
SELECT title, url, visit_count FROM moz_places order by visit_count desc
This query will give us the website’s title, it’s url and how many times it has been visited by the user (in the order that we specify, in this case title -> url -> visit_count), all in descending order (from the most visited, to the less).
Pretty neat, huh?
Now let’s see what our target is actually searching for…
Huh. We now know that our target is searching for elementary/primary schools in Manchester. This could mean that he/she may have an infant who is starting school soon. Also, we know that the only schools he/she was interested in was Roman Catholic ones, so we can say with some accuracy that that’s his/hers religion.
Oh, what’s this? Apparently, our target was searching for flights from NY to Manchester. Maybe he/she lives in New York and thinking of moving to Manchester. That would explain why our subject is searching for schools in the UK.
Ok, with the data above, we can be pretty sure that he/she is moving to Manchester, since their searches focus more on jobs and schools. Also, we see that the subject was searching for Hairdressers in the area, maybe this could point to a gender. We know that hairdressers are usually attended by females, so let’s assume the gender ir female (hope I don’t trigger anyone, heh heh)(also, I’m tired of writing ‘he/she’).
From the screenshots above, we can also assume that she is looking to adopt a dog from a kennel and is mostly interested in small port dogs, like the jack russel annd jack terrier!
So, from what we gathered, we can build a (very) loose profile of our Target:
AGE: Late 20’s/30’s??
CHILDREN: At least one
RELIGION: Roman Catholic
ADDRESS: Somewhere in NY, looking to move to Manchester
INTERESTS: Dogs; Particularly Jack Russels/Terrier (Small port dogs)
And that brings us to the end of my post!
Hope this gave you some idea of how data mining could work to gather info on a target and how you can build a profile on said target.
As always, thanks for reading!
Part 3 - How to prevent data theft