Back in my recent post
Hunting Me up a Malware File, I was confronted with trying to find critical information on a malicious file that had appeared in my Firefox web-browser cache.
Knowing where the file came from (URL source) and the time/date of the download would provide me critical information as I attempted to assess the threat and allow me to compose a response to prevent future downloads.
This "forensics" type of information is valuable.
In Context
Before I continue let me put my post here briefly into a humble context. I am not, nor am claiming to be a skilled computer forensics technician. I wouldn't want to insult the work and credentials of anyone who is in this field, such as awesome blogger and author Harlan Carvey over at Windows Incident Response to name just one.
Where I work, we have an Inspector General's office where surly but professional men and women who carry guns and badges on their belts with pride work. Our support to them as an IT group is to pull drives upon request, perform write-back-blocked, disk-to-disk copies with a drive-duplicator for them and hand them off to the investigator. If we are lucky, we might one day get the drive back when they are done. I suppose they run EnCase or something similar in their drive content investigations, but we don't really talk much shop. Doesn't occur that much, anyway.
When I refer to any personal, non-certified and non-professional work in computer "forensics" I am meaning it in a more "incident response" context; specifically for desktop support.
See, when a virus/malware hammered workstation is reported to us by the end-user or it shows up on one of our report logs, our job is (generally) to respond to the workstation, attempt to remove the infection and get the user back going again, securely. If we cannot "sanitize" the workstation, we just wipe it, slap a new image on it, then restore their backed-up data. We really don't have the time or resources to do full "incident response" on each workstation in these scenarios.
Oh well.
But since I find this field so fascinating and these events almost as a personal challenge, I like to try to learn techniques in workstation incident response and forensics. It aids me in better focusing and applying my troubleshooting skills; and might alert me to a larger problem in our network rather than just a single "infected" workstation.
Also, I am clearly working on "live" systems and as such any utilities or techniques I run have the possibility (and probability) of impacting the integrity of the drive. But since I'm not doing a criminal (or like) investigation, and am just attempting to gather data on the files, processes, and other activity to help me understand, document, and clean the issue in question, I remain aware of this fact, but don't attempt to avoid it.
Were I doing an "official" investigation, I would ensure that all actions were carefully planned not to make any write-back actions to the drive and would be using different methods.
OK, now that we are on the same page...I continue.
Mozilla Tools - Part One
Because I was familiar with the basic cache structure of Mozilla/Firefox, I knew that if I entered "about:cache" in the address bar, it would list the cache contents of any files in there and their sources.
That worked nicely and provided me the following information on my suspect file:
Key: http:// <snipped> .com/jjebb.js
Data size: 21335 bytes
Fetch count: 1
Last modified: 2007-08-18 16:25:47
Expires: 1969-12-31 18:00:00
In my case, the cache hadn't been deleted so that information was there. If it had been deleted, then I would have been out of luck unless I wanted to try to recover the deleted files.
Because Firefox treats this page-display as a normal "web-page" you can then run a "Find" action on the page looking for a name, date, string, etc. and quickly narrow down what you are looking for.
Not too difficult and since this is built into Mozilla Firefox itself...no tools needed.
I also approached the issue of the file and browsing history. Again, Mozilla includes a History feature in its browser that lets you sort the history (if not cleared/deleted) by Date and Site, by Site, by Date, by Most Visited, and by Last Visited.
This is all great if you are trying to see the general browsing history of a user, but not detailed enough if you are trying to find specific time and date information of file access.
So I located the great little app called Dork 0.0 written by Keith Anderson.
It worked and quickly told me what I needed to know.
I used the information from these sources and was on track for my "investigation."
Later I began to wonder what other tools might exist and if any of them were "better" than what I was using...particularly when it came to documenting and exporting information from the cache itself.
Mozilla Tools - Part Two
The Cache - Revisited
After some work I came across a great application called Web Cache View.
It actually provides a review of Netscape, Firefox, Opera, and Internet Explorer web caches. Web Cache View is not free (just $25.00), but you can download and use it for free to evaluate it. With purchase of a registered version, the program "unlocks" additional features.
In the trial version, you must manually point the program to the location of your cache file folder. The registered version will auto-discover all the supported browsers on your system and display tree-view for selecting the files found in the cached locations.
I tried it out and it seemed to work fine on my XP systems. It is quite tiny and pretty darn fast.
It provides various views, but the "details" view provides the most information with the cached item's URL source link, the cache name, the file size, the file type description, the "last modified" date, the download date, and the expiry date.
Once the target cache file contents are loaded, you can examine the items individually or export the results to a CSV format file.
It has recently been updated to a new version and appears to be a very "actively" maintained product.
For another approach, you could install the Firefox Add-on CacheViewer.
It displays a window that lists the files in your cache in a GUI format along with file information, a search box and a preview pane. It is pretty fast and integrates well with Firefox 2.0. My only "complaint" is that it doesn't seem to support generation of the information in a "log" format of some kind. That additional feature would make it very nice and handy add-on.
I'm not aware of any other similar or freeware products at this time. If anyone knows of any please drop a tip in the comments!
The History - Revisited
Next up were attempts to find alternative means for looking at and logging the contents of the Mozilla Firefox History.dat file.
Dork 0.0 really is seems to be a great solution. It is fast and easily exports the files into a spreadsheet-supported format.
But it is always good to have alternatives.
Mozilla's current and prior versions use a format called MORK to structure the history data. It has been charmingly referred to by former Netscape engineer Jamie Zawinski as "...the single most braindamaged file format that I have ever seen in my nineteen year career."
Mozilla's 3.0 product will replace the MORK format for the history and utilize Places with it's mozStorage format which is based on SQLite and may end up being encrypted for security. So new tricks and utilities and scripts will need to be created to deal with it.
For a deeper exploration of the MORK and Places (mozStorage) formats here are some links.
Mark McKinnon wrote a great post earlier this year that breaks down the MORK history.dat file into it's elements. It is pretty readable and highlights the structure of the history.dat file.
Computer Forensics/E-Discovery Tips/Tricks and Information: No This Is Not Mork From Ork.
In that post, he mentioned a product from MANDIANT. You may remember MANDIANT from one of my previous posts Mandiant Red Curtain - Incident Review Software with their interesting software which assesses files for suspicious "maliciousness" levels.
This tool (freeware) is named Web Historian. It scans and reviews a system for website URL's that "...are stored in the history files of the most commonly used browsers including: Microsoft’s Internet Explorer, Mozilla, Firefox, Netscape, Opera and Safari."
Once installed it is surprising large; my installation shows 33.7 MB file size.
By contrast, their Red Curtain product is a svelte 1.55 MB in size.
Options include the ability to select a default saved file format: Excel, CSV, HTML, or tab-delimited.
You can turn the startup splash-screen on/off, set to automatically open the report once done with processing, and search for all supported browsers or just a particular type.
I first tried the application on my XP Pro system and it ran, albeit a bit slowly and did provide a nicely detailed Excel report on it's findings. (My Firefox history was left out of the report results.)
When I attempted to run it on my XP Home system (which seems pretty beefy to me), it seemed unresponsive. CPU usage for the process shot up to between 85-98%, even though my history.dat file wasn't very large. Reviews on other websites for the product seem to mirror my experience. It works, but can be very slow and demanding on some systems. I hope that MANDIANT is able to better optimize future versions down the road. I wonder if Firefox 2.0 history.dat structure is even supported? MANDIANT's download page doesn't state which browser (build) versions are supported.
For a Firefox integrated solution, consider the Add-on Enhanced History Manager.
This extension super-charges your history exploration from within Firefox.
You may open the view in the sidebar, a tab, or a window and the view includes fields for page title, location, and last visited date/time.
It allows for a standard or "Advanced" search of the contents, as well as sorting by title, location, last visited, first visited, hostname, visit count, referrer, and a-z or z-a sorts. You may also group the history entries by day, site, and day-site.
Again, the weakness is in not being able to export the results to a log-file. But that said, it really does provide Firefox users a more detailed view and sorting format for their browsing history.
The last suggestion might be to consider using the Firefox Add-on Slogger.
Developer Ken Schutte's site has considerably more detail on the extension than the above Mozilla page: Ken Schutte.com: Slogger.
Slogger is an Extension for Mozilla Firefox web browser. It is a very flexible tool for creating a complete log of your browsing history (thus the name: Slogger <=> "browse logger"). It can save pages you visit to your hard drive, and create custom-format history logs about pages visited (included are templates for plain text, HTML RDF, and XML). You can use style sheets (CSS-HTML, XSLT-XML, XUL-RDF) to view logs, or use external programs to parse the data for your needs.
Almost everything in slogger is customizable, so it's best to try and see how you can change it. Settings are stored in different "profiles", making it easy to switch between different uses. Several profiles will come installed with Slogger to provide some examples of how it can be used.
His webpage contains information about getting started, the settings, working with profiles and a general FAQ.
So Slogger can provide great, customizable log files (independent of Mozilla) of browsing history, with the only caveat is that you need to install and configure it prior to realizing you need to capture that data in the first place. So if you think it could be handy, check it out.
Miscellany
I'm not dealing with Firefox cookies at this time, but while working on this post I did come across a great application (freeware) from NirSoft: MozillaCookiesView: Cookies Manager For Mozilla/Firefox/Netscape Browsers.
This little app not only displays the current Mozilla cookies in a profile and important property information (domain, path, name, value, exp. date, secure, etc.), but it also allows you to export the list into text, HTML or XML files, as well as deleting individual cookies and backing them up.
One other closely related product to history and cache file examination was a "professional-grade" forensics program NetAnalysis from British developer Digital Detective. The program requires purchase, but may be downloaded and installed for evaluation purposes. It has all the features of the registered version, but you cannot save your work, export the data, view the cached files, every 5th record is not displayed, and the deleted history extractor feature is disabled.
If you need a comprehensive product, this might be worth considering.
Whitepaper Reading
Finally, if you really want to learn even more about performing forensic examinations (pro/semi-pro/incident response) on web-browsers in general, there are two excellent posts on the subject over at Security Focus:
These posts cover Internet Explorer and Mozilla and are presented in a "case-investigation" format that is fun to read. Many IE specific tools are mentioned and illustrated in the first part.
The second part turns the investigation's attention to the Firefox browser and a really great technical look at the Cache Map file itself.
Again, some of this might change significantly with the advent of Firefox 3.0 and Places structure.
--Claus