Saturday, October 06, 2007

Three Fantastic Free Firefox Auditing Tools! (and IE too...)

I can't believe it!

It's an amazing Firefox auditing trifecta!

Stunning on the order of the triptychs of Hieronymous Bosch.

My heart's desire realized.

Three free (and USB portable) utilities to quickly and easily review Firefox usage on a Windows system.

Why do I care?

From time to time my anti-virus program finds something on my pc that it shouldn't. In most cases they are false positive events, but occasionally it turns out to be a malicious code package that didn't get executed due to Firefox and the multiple security extensions I run on my systems. I've had several tools and techniques for addressing this issue at work on our Internet Explorer browsers (see three at the bottom of this post), but Mozilla/Firefox had always been a bit more tricky and labor-intensive.

I like to try to go back to identify just what it was and how it got there so I can understand if I need to take any responsive measures like notifying SANS or other security websites.

Firefox does allow you to do view the history, cookies, and cache if you know how.

And as those posts show, there are a number of tools (free/$) that are available to assist you with that process and they all have their own strengths and weaknesses.

What I really wanted was a series of utilities that would allow me to view the critical information about each of those subject categories as well as export them into a spreadsheet-compatible format. Portability would be nice as well.

Nir Sofer Answered!

Cookies!

MozillaCookiesView - (freeware) - Nirsoft's first utility to address this need.

MozillaCookiesView is an alternative to the standard 'Cookie Manager' provided by Netscape and Mozilla browsers. It displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into text, HTML or XML file, delete unwanted cookies, and backup/restore the cookies file.

All data-columns can be sorted (ascending/descending). The utility attempts to find and identify the default profile folder/cookie-contents, and allows you to manually select other profile folder/cookie-contents as well. You can delete specific cookies one at a time or multiple cookies at once. You can copy one or multiple cookie's data to the clipboard. Advanced command-line options are supported. And, information is exportable in a text, HTML, or XML file format. It also allows you to backup and restore a cookies file.

While you can just open the native cookies.txt file for Firefox in notepad or a spreadsheet program, this tool provides a wealth of options and information that the file itself just doesn't easily provide.

Works on all versions of Windows and able to handle all versions of the Mozilla/Firefox browser, including the alpha 3.x version releases (Gran Paradiso/Minefield).

History!

MozillaHistoryView - (freeware) - Next came Nirsoft's utility to document the history.

MozillaHistoryView is a small utility that reads the history data file (history.dat) of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages in the last days. For each visited Web page, the following information is displayed: URL, First visit date, Last visit date, Visit counter, Referrer, Title, and Host name.
You can also easily export the history data to text/HTML/Xml file.

All data-columns can be sorted (ascending/descending). The utility attempts to find and identify the default profile folder and its history.dat file. It will assist you in manually finding and picking another profile's history.dat. You cannot use this utility to delete specific history file records. You can copy one or multiple complete history records or just the URL(s). Advanced command-line options are supported. And, information is exportable in a text, HTML, or XML file format. (Tip: Select all records, then choose "File," "Save Selected Items," and then pick the format in the "Save as type" drop-down.)

Because you cannot just open the native history.dat file for Firefox in notepad or a spreadsheet program, this tool really is incredibly helpful in cracking open that tough-nut and getting into the meat within.

Works on all versions of Windows and able to handle all versions of the Mozilla/Firefox browser, including the alpha 3.x version releases (Gran Paradiso/Minefield).

Care to Play Cache?

MozillaCacheView - (freeware) - Nirsoft's latest tool, just released in the past week.

MozillaCacheView is a small utility that reads the cache folder of Firefox/Mozilla/Netscape Web browsers, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last modified time, Last fetched time, Expiration time, Fetch count, Server name, and more. You can easily select one or more items from the cache list, and then extract the files to another folder, or copy the URLs list to the clipboard.

After becoming enamored with the first two utilities just mentioned, I sent Nirsoft an email asking if he had plans to create this utility. I never heard back so I can't say that he didn't already have this one in the coding-gate, ready for release on the track or that my suggestion meant anything. I am delighted to see that it is out and available for the masses.

It is blazingly fast on my machine. It took just a few seconds to sort though and then display over 5300 cache file records in my default Firefox profile. That is incredible.

Like the other utilities, all data-columns can be sorted (ascending/descending). The utility attempts to find and identify the default profile cache folder. It will assist you in manually finding and picking another profile's cache folder as well. While you cannot use this utility to delete specific cache folder files, you can easily copy one or multiple cache files to a location of your choosing....this alone is tremendously useful. Advanced command-line options are supported. And, information is exportable in a text, HTML, or XML file format.

For logging, you can select one or more cache files from the list, and export the list selection into text, HTML, or XML format (Tip: Select all records, then choose "File," "Save Selected Items," and then pick the format in the "Save as type" drop-down), you can copy the URL list to the clipboard, and even copy the complete table of cache files, and then paste into your preferred spreadsheet application. How handy is that?

Works natively on all versions of Windows and able to handle all "release" versions of the Mozilla/Firefox browser (1.x/2.x).

Tip: At first it seemed that the utility did not support the alpha 3.x version releases (Gran Paradiso/Minefield) in my testing. The utility did seem to find my "Minefield 3.0a9pre" profile folder as well as the cache folder it uses.

C:\Documents and Settings\Claus\Application Data\Mozilla\Firefox\Profiles\67zvs1yi.Claus\cache

However, when I attempted to open it using the offered selection, I was met with an empty content window.

I launched Minefield and entered "about:cache" in the address bar to display my local cache file information.

I noticed that the cache file was actually not located where the program said, but in a sub-folder called "Cache" under the cache folder. Hmmm.

C:\Documents and Settings\Claus\Application Data\Mozilla\Firefox\Profiles\67zvs1yi.Claus\cache\Cache

So I just manually browsed deeper to the second Cache folder location in the utility's location browsing window and tried again.

Voilla! Pay dirt. It pulled up just fine and displayed the contents.

I don't know if all 3.x versions put the Cache folder under anther cache folder by default. All the 3.x profiles (pre/alpha versions) on my system have that structure and I don't recall setting it up that way in a custom configuration. I'm going to drop Nir Sofer a line to ask him about this.

Definitely not a "show-stopper" for the application but something to keep in mind if you find you have a 3.x Mozilla profile on a target system.

Final Tip

If you want, you can also collect (copy) the target files/folders of your target workstation(s) (cookies.txt, history.dat, cache folder), organize them somehow (each in their own folder with the target pc name/id perhaps) then review them at your leisure from the comfort of your own desk with these utilities.

Of course, all these utilities will only work if the target files have not been emptied/deleted by the user. If that has occurred, I suppose you could try to recover them but depending on overwrite, you would be facing a bit of a challenge.

Sure, as I have blogged in the past, there are other utilities that can accomplish these same tasks, but these manage to do it so quickly, helpfully, portably, and easily it is hard to imagine wanting to use any other tools.

A big "THANKS!" to Nir Sofer for providing these tools to us.

Cheers!

--Claus

P.S. If you are looking at Internet Explorer browser usage for cookies, history, and cache file contents and logging and feel a bit left-out in this discussion, please don't.

While there are a wealth of tools for IE available, Nirsoft has you pretty well covered also. Features are very similar to those previously described in the Firefox versions:

No comments:

Post a Comment