Browser Forensics

SecurityBoy
Oct 16, 2019

Extracting forensic information from browsers on Unix- and Windows-based systems.

Welcome back, Hackers!

Digital forensics is a very interesting field to dive into. Forensic investigators put a lot of effort into, and rely on specific tools for, extracting juicy information from the systems they come across while investigating. In this article, I am going to tell you about a tool for extracting forensic information from browsers based on Firefox. So, let's jump into it.

dumpzilla — a browser forensic tool

Dumpzilla is an open source Python 3 script developed to extract artifacts from Firefox, Iceweasel and SeaMonkey browser profiles, useful during a forensic analysis. It works from the command line under Unix and Windows x86/x64 systems.

It comes pre-installed with Kali Linux. On Windows you need to download the script from the project and run it with a Python 3 interpreter. In this article, I will make use of Kali Linux.

Supported Artifacts :

  • Browser Addons
  • Cookies
  • Directories
  • Search Engines
  • Extensions
  • Forms
  • History
  • Public Key Pinning
  • Offline cache information
  • Sessions
  • Total thumbnail images
  • Saved Passwords
  • User preferences ( Proxy Settings , Domain Permissions)
  • SSL certificates added as exceptions

How to Use it?

In the Kali Linux terminal, type dumpzilla and you will be presented with the basic help. I would recommend updating dumpzilla, or upgrading your distribution, to the latest version. I am using the latest version of Kali Linux.

Dumpzilla basic help

The command for extracting the information from the browser is :

# dumpzilla [profile directory] [options]

The options select which artifacts to extract. The profile directory lives in a different place depending on the OS, and its name is a random string followed by .default (newer Firefox releases also create <random>.default-release profiles). The screenshot below, taken from the dumpzilla --help output, shows the locations for reference.

Browser profile directory

To start using the tool, I need to go to my home directory and pass the profile directory (under ~/.mozilla/firefox/ on Linux, under %APPDATA%\Mozilla\Firefox\Profiles\ on Windows) as an argument to dumpzilla. In my case, it is nb43n2zx.default.

Profile directory in Linux
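A more robust way to find the profile than eyeballing the directory name is to read the profile list Firefox itself keeps. The following Python script is an added example, not part of the article and not dumpzilla's code: it parses profiles.ini, resolves paths marked IsRelative=1 against the directory that holds the file, and reports every profile (including newer <random>.default-release ones) rather than assuming a single .default. The ini text, profile names and the analyst home directory used in it are constructed for the demo.

```python
"""Find every Firefox profile directory by reading profiles.ini.

Added example, not from the article and not dumpzilla's code. Firefox keeps a
profiles.ini in its per-user directory (~/.mozilla/firefox on Linux,
~/Library/Application Support/Firefox on macOS, %APPDATA%\\Mozilla\\Firefox on
Windows). Each [ProfileN] section carries Name, Path and IsRelative; with
IsRelative=1 the Path is relative to the directory containing profiles.ini.
The ini text below is constructed for this demo (hypothetical profile names).
"""
import configparser
import os
import sys

# Constructed sample: two relative profiles (newer Firefox also creates a
# "<random>.default-release" one) plus one absolute path on removable media.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default-release
IsRelative=1
Path=r6xl1ez0.default-release

[Profile1]
Name=default
IsRelative=1
Path=nb43n2zx.default
Default=1

[Profile2]
Name=portable
IsRelative=0
Path=/media/usb/firefox-profile
"""


def firefox_root():
    """Directory holding profiles.ini for the current user, per platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox")
    if sys.platform == "darwin":
        return os.path.expanduser("~/Library/Application Support/Firefox")
    return os.path.expanduser("~/.mozilla/firefox")


def parse_profiles_ini(text, root):
    """Return {name: (absolute_profile_dir, is_default)} for every [ProfileN] section."""
    cfg = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cfg.optionxform = str  # keep Firefox's key case (Path, IsRelative, Default)
    cfg.read_string(text)
    profiles = {}
    for section in cfg.sections():
        if not section.startswith("Profile"):  # skips [General] and [InstallXXXX]
            continue
        entry = cfg[section]
        path = entry["Path"]
        if entry.get("IsRelative", "1") == "1":
            path = os.path.join(root, path)
        profiles[entry.get("Name", section)] = (os.path.normpath(path),
                                                entry.get("Default") == "1")
    return profiles


def list_profiles(root=None):
    """Read the real profiles.ini of this machine (if present) and parse it."""
    root = root or firefox_root()
    ini = os.path.join(root, "profiles.ini")
    if not os.path.isfile(ini):
        return {}
    with open(ini, encoding="utf-8") as fh:
        return parse_profiles_ini(fh.read(), root)


if __name__ == "__main__":
    # Constructed sample first, then whatever Firefox is installed locally.
    sample_root = "/home/analyst/.mozilla/firefox"  # hypothetical analyst home
    for name, (path, default) in parse_profiles_ini(SAMPLE_PROFILES_INI, sample_root).items():
        print("sample:", name, path, "(default)" if default else "")
    for name, (path, default) in list_profiles().items():
        print("local:", name, path, "(default)" if default else "")
```

Each path it prints is what you hand to dumpzilla as the profile directory argument; on an image rather than a live box, pass the mounted evidence's Firefox directory as root to list_profiles().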

Now, before going deep, let's have an overview of the data present inside the profile directory by passing the --Summary option (options are case-sensitive). With this option, no data is extracted and only the summary is presented.

So, in my profile I got the above information, which includes add-ons, bookmarks, passwords, thumbnail images, search engines, cookies, etc. Very quick and accurate.

Now I want to see the history saved inside the profile. For that we need to run: dumpzilla nb43n2zx.default --History, which gives the results below. I got a total of 1458 history entries saved in my browser profile, each with its frequency (visit count), URL and last visit time. Very informative for a forensic investigation.

dumpzilla with history option passed

If you want to see the cookie information, use the --Cookies option. You get the hostname, cookie name and value, path, expiration time and last access time in no time, along with a hash value.

dumpzilla with cookies option passed.

If you want to pull all the information in one go, run the command without any options. You can export the data with the --Export option, which saves it in JSON format; the files are named profilename.default.epochtime. You can then analyze the JSON files manually.

dumpzilla passed with Export option

If you want the data exported as plain text instead, pipe the tool's normal output through tee:

# dumpzilla nb43n2zx.default | tee /root/Documents/Mozilla.txt
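To see what --History, --Cookies and --Export actually pull out of a profile, the following Python script is an added example (my own code, not the article's and not dumpzilla's) that reads the same artifacts straight from the profile's SQLite files: places.sqlite for history and cookies.sqlite for cookies. It converts Firefox's microsecond PRTime stamps to UTC, writes a JSON export named the way the article describes, and opens the databases read-only and immutable so the evidence is never modified. The sample profile it builds, with its URLs and cookies, is constructed for the demo so everything runs offline.

```python
"""Read history and cookies straight out of a Firefox profile's SQLite files.

Added example, not from the article and not dumpzilla's own code. History lives in
places.sqlite (moz_places + moz_historyvisits), cookies in cookies.sqlite
(moz_cookies); timestamps are PRTime (microseconds since the Unix epoch) except
cookie expiry, which is plain seconds. build_sample_profile() writes a constructed
profile with hypothetical data so everything here runs offline.
"""
import json
import os
import sqlite3
import tempfile
import time
from contextlib import closing
from datetime import datetime, timezone
from pathlib import Path

US = 1_000_000  # microseconds per second (the PRTime unit)


def prtime_to_iso(us):
    """PRTime (microseconds since epoch) -> ISO-8601 UTC string; None stays None."""
    return None if us is None else datetime.fromtimestamp(us / US, tz=timezone.utc).isoformat()


def open_evidence(path):
    """Open a profile database read-only and immutable, so SQLite never writes a
    journal/WAL beside the evidence and ignores any stale lock Firefox left behind."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro&immutable=1", uri=True)


def dump_history(profile_dir):
    """Visited URLs newest first. frequency is Firefox's stored visit_count; visits_recorded
    counts rows actually left in moz_historyvisits (a mismatch means per-visit rows went away)."""
    with closing(open_evidence(os.path.join(profile_dir, "places.sqlite"))) as db:
        rows = db.execute(
            "SELECT p.url, p.title, p.visit_count, p.last_visit_date, COUNT(v.id) "
            "FROM moz_places p LEFT JOIN moz_historyvisits v ON v.place_id = p.id "
            "WHERE p.visit_count > 0 GROUP BY p.id ORDER BY p.last_visit_date DESC"
        ).fetchall()
    return [{"url": u, "title": t, "frequency": c, "visits_recorded": n,
             "last_visit": prtime_to_iso(d)} for u, t, c, d, n in rows]


def dump_cookies(profile_dir):
    """Every cookie with host, path, Secure/HttpOnly flags and converted timestamps."""
    with closing(open_evidence(os.path.join(profile_dir, "cookies.sqlite"))) as db:
        rows = db.execute("SELECT host, name, value, path, expiry, lastAccessed, "
                          "creationTime, isSecure, isHttpOnly FROM moz_cookies "
                          "ORDER BY host, name").fetchall()
    return [{"host": h, "name": n, "value": v, "path": p,
             "expiry": datetime.fromtimestamp(e, tz=timezone.utc).isoformat(),
             "last_accessed": prtime_to_iso(a), "created": prtime_to_iso(c),
             "secure": bool(s), "httponly": bool(o)} for h, n, v, p, e, a, c, s, o in rows]


def export_json(profile_dir, out_dir):
    """Write both artifact sets to <profilename>.<epoch>.json and return the path."""
    name = os.path.basename(os.path.normpath(profile_dir))
    out = os.path.join(out_dir, "{}.{}.json".format(name, int(time.time())))
    with open(out, "w", encoding="utf-8") as fh:
        json.dump({"history": dump_history(profile_dir),
                   "cookies": dump_cookies(profile_dir)}, fh, indent=2)
    return out


def build_sample_profile(root):
    """Constructed mini profile holding only the columns the queries above use."""
    profile = os.path.join(root, "nb43n2zx.default")  # hypothetical profile name
    os.makedirs(profile, exist_ok=True)
    t0 = 1_571_184_000 * US  # 2019-10-16T00:00:00Z as PRTime
    with closing(sqlite3.connect(os.path.join(profile, "places.sqlite"))) as db:
        db.executescript("""CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT,
            title TEXT, visit_count INTEGER, last_visit_date INTEGER);
            CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);""")
        db.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
            (1, "https://example.com/login", "Example login", 3, t0),
            (2, "https://example.net/", "Example net", 1, t0 - 3600 * US),
            (3, "https://example.org/saved", "Bookmarked, never visited", 0, None)])
        db.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
            (1, 0, 1, t0 - 7200 * US, 1), (2, 1, 1, t0 - 60 * US, 1),
            (3, 2, 1, t0, 1), (4, 0, 2, t0 - 3600 * US, 1)])
        db.commit()
    with closing(sqlite3.connect(os.path.join(profile, "cookies.sqlite"))) as db:
        db.executescript("""CREATE TABLE moz_cookies(id INTEGER PRIMARY KEY, host TEXT,
            name TEXT, value TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER,
            creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER);""")
        db.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?)", [
            (1, "example.com", "sessionid", "deadbeef", "/", t0 // US + 86400, t0,
             t0 - 7200 * US, 1, 1),
            (2, ".example.net", "tracker", "abc123", "/", t0 // US + 86400 * 365,
             t0 - 3600 * US, t0 - 3600 * US, 0, 0)])
        db.commit()
    return profile


def run_demo():
    """Build the sample profile in a temp dir, dump it, and return what was found."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(tmp)
        return {"history": dump_history(profile), "cookies": dump_cookies(profile),
                "export_name": os.path.basename(export_json(profile, tmp))}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script dumps the constructed profile; pointing dump_history() or dump_cookies() at a real profile directory (a copy of the evidence, never the live one) works the same way. A frequency higher than visits_recorded means Firefox's per-visit rows were expired or deleted while the aggregate count survived, which is worth noting in a report.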

You can make use of other options, such as --Verbosity, as your case requires.

Note: You need Python 3 installed to use this tool without issues. You also need the latest version of the tool to make use of all features. Windows and Unix commands may vary a little.

Thanks
