
How Firefox stores web history

Wed, 09 Jun 2010 06:05PM

Category: Digital Forensics & Malware

Written by Sarah | No comments

Firefox version 3 (first released in 2008) stores browser history differently from its predecessor, Firefox 2. Since only 2.75% of Firefox users still use version 2 or earlier, only Firefox version 3 is explored here, and it is referred to simply as Firefox from here on.

Firefox uses SQLite database files to store browser history, bookmarks, cookies, downloads, form field entries and web site logins. Assuming the computer is running Windows XP, the Firefox default path to the databases is:

C:\Documents and Settings\<user>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\

For Windows Vista and Windows 7, the default path is:

C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>\

The Firefox databases are stored in several different .sqlite files, which can be viewed using a SQLite viewer such as SQLite Database Browser. Several of these files hold important forensic data, the most useful being places.sqlite and formhistory.sqlite. Firefox stores history for 90 days by default, whereas Internet Explorer stores it for only 20 days and Firefox version 2 for only 9 days.

PLACES.SQLITE

places.sqlite is the main web history database and stores URLs accessed and user bookmarks. The database contains 11 tables; two important ones are moz_places and moz_historyvisits. The fields in moz_places can be found in the table below.

| Field | Meaning |
| --- | --- |
| id | The table's primary key. This is used in a lot of other tables to reference this table. |
| url | Stores a unique visited URL. |
| title | Stores the URL's page title. |
| rev_host | Stores the reverse host name. |
| visit_count | Stores the total visit count for this URL. |
| hidden | Indicates if the URL will be displayed by the autocomplete function. A value of 1 will keep it hidden. |
| typed | Indicates if the URL was typed into the address bar or not. A value of 1 means it was manually entered. |
| favicon_id | A foreign key to the favicon table which stores the favicon for each URL. |
| frecency | Amalgamation of the words frequency and recency. Frecency is "a score given to each unique URI in Places, encompassing bookmarks, history and tags. This score is determined by the amount of revisitation, the type of those visits, how recent they were, and whether the URI was bookmarked or tagged", Mozilla Developer Center. This value is used by Firefox's autocomplete. URLs start with a value of -1, and the higher the frecency the higher in the autocomplete the URL will appear. Values of 0 are ignored (and have a value of 1 for hidden). |
| last_visit_date | Stores the last time the URL was visited. This is a 64-bit integer storing the number of microseconds since 1st January 1970 UTC, called PRTime. |

Another important table in places.sqlite is moz_historyvisits which stores all accessed URLs. The fields can be found in the table below.

| Field | Meaning |
| --- | --- |
| id | The table's primary key. |
| from_visit | Stores the id from where the URL came from originally. If the URL does not have a referring URL this value is 0. |
| place_id | Stores a foreign key to the moz_places table. |
| visit_date | Stores the time the URL was visited in PRTime. |
| visit_type | Shows how the URL has been accessed. This is one of seven possible values, the most common being: 1 – the user followed a link and got a new top-level window; 2 – the user typed in the URL or selected it from autocomplete results; or 3 – the user clicked on one of their bookmarks to get to the page. |
| session | Stores the session ID that the URL belongs to. |

Using from_visit and place_id it is possible to retrace a user’s steps and see how they got to a particular page. Using the two images below, it can be shown that an example user accessed three additional pages on the website http://last.fm after they accessed it for the first time. In between these visits, the user also searched on Google for lyrics and followed a link – this can happen because they were using tabbed browsing or had two instances of Firefox open to access multiple websites at the same time. This is confirmed by the session being different for both sets of URLs. moz_places only stores the unique URLs accessed, but combined with moz_historyvisits a full account of the user’s online history can be made. Every URL impression is stored in moz_historyvisits, so the number of entries will be considerably more if the user visits a URL more than once.

Figure 1 - Part of moz_historyvisits table showing the user clicking on links

Figure 2 - Part of moz_places table showing the corresponding URLs in Figure 1
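The referrer walk described above can be scripted. The following is an added example, not code from the original post: it builds a constructed in-memory stand-in for places.sqlite (reduced to the columns used, with invented URLs, visit ids and sessions) and follows from_visit back to the first visit, converting PRTime to UTC. The function names are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark"}  # the three values the article lists

def prtime_to_utc(prtime):
    """PRTime is microseconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime)

def build_sample_db():
    """Constructed stand-in for places.sqlite, reduced to the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://www.example.com/', 'Home'),
            (2, 'http://www.example.com/music', 'Music'),
            (3, 'http://search.example.net/?q=lyrics', 'Search'),
            (4, 'http://www.example.com/music/artist', 'Artist');
        INSERT INTO moz_historyvisits VALUES
            (10, 0,  1, 1276106700000000, 2, 5),
            (11, 10, 2, 1276106760000000, 1, 5),
            (12, 0,  3, 1276106790000000, 2, 6),
            (13, 11, 4, 1276106820000000, 1, 5);
    """)
    return db

def trace_visit(db, visit_id):
    """Follow from_visit back to the first visit (from_visit = 0); return oldest first."""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:   # seen-set guards against a corrupt loop
        seen.add(visit_id)
        row = db.execute(
            "SELECT v.from_visit, v.visit_date, v.visit_type, v.session, p.url "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:                        # referring row missing from the table
            break
        from_visit, when, vtype, session, url = row
        chain.append((prtime_to_utc(when).isoformat(), VISIT_TYPES.get(vtype, vtype), session, url))
        visit_id = from_visit
    return chain[::-1]

if __name__ == "__main__":
    for step in trace_visit(build_sample_db(), 13):
        print(*step, sep="  ")
```

To use it on evidence, pass a connection to a working copy of places.sqlite instead of the constructed database.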

FORMHISTORY.SQLITE

Form history can provide useful information such as usernames, email addresses, postal addresses and search engine queries. Firefox stores this data in formhistory.sqlite, which has a single table called moz_formhistory. The fields can be found in the table below.

| Field | Meaning |
| --- | --- |
| id | The table's primary key. |
| fieldname | Stores the name of the field on the form. |
| value | Stores the value the user entered on the form. |
| timesused | Stores the number of times this value was submitted. |
| firstused | Stores the time the value was submitted for the first time in PRTime. |
| lastused | Stores the time the value was submitted for the last time in PRTime. |

Google queries appear in here with the fieldname "q". Other searches will have fieldnames such as "query", "search" and "search_terms". Some webmail services use forms to send email, so email subjects and recipient email addresses will be available too. Usernames and passwords for websites can be found in signons.sqlite, but the username and password fields are both stored encrypted.

Tagged with: Firefox, Sqlite, web history
