Changelog
^^^^^^^^^

f3e 0.8.9.1 - 06/12/08 -
UTC offset text changed from hours to minutes.
Reset settings option added.

f3e 0.8.9 - 14/10/08 -
Minor code cleanup.
Changed 10 most visited URLs to 20 most visited hosts.

f3e 0.8.8 - 22/09/08 -
Added favicon functionality to Firefox Internet Usage HTML report.
Added 10 most visited URLs to Firefox Internet Usage HTML report.

f3e 0.8.7 - 16/09/08 -
Decode PRtime function added.
Compiled with no runtime dependencies.

f3e 0.8.6
HTML UTF-8 tag added.
HTML LANG EN tag added.
Help: CSV UTF-8

f3e 0.8.5 - 03/09/08 -
Initial Release

what is the Firefox 3 Extractor?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

'Firefox 3 Extractor' (f3e) is a simple Windows command line utility which is able to extract information from the SQLite databases used in Firefox 3 and Google Chrome. These SQLite databases hold the user's Internet browsing history, their saved bookmarks and other information which is of potential interest to a forensic examiner.

what can f3e do?
^^^^^^^^^^^^^^^^

f3e presently has the following features:

* Extract all data from Firefox 3 SQLite databases to CSV.
* Extract all data from Firefox 3 SQLite databases to CSV and decode dates and times.
* Create a CSV 'Internet History Usage Report' from 'places.sqlite'.
* Create an HTML 'Internet History Usage Report' from 'places.sqlite'.
* Decode Mozilla PRtimes.
* Extract all data from Chrome SQLite databases to CSV.
* Extract all data from Chrome SQLite databases to CSV and decode dates and times.

how do i use it?
^^^^^^^^^^^^^^^^

Simply place the SQLite files that you wish to extract the information from into the same directory as the f3e program and run it.

Where do i find the SQLite files?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Firefox - GNU/Linux
/home//.mozilla/firefox//

Firefox - Windows XP
C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\

Firefox - Windows Vista
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\\

Where takes the form of ????????.default, i.e. pd9xzn5p.default.

Chrome - Windows XP
C:\Documents and Settings\\Local Settings\Application Data\Google\Chrome\User Data\Default\

decode dates and times?
^^^^^^^^^^^^^^^^^^^^^^^

Firefox 3 uses a date/time format called PRTime, which is a 64-bit integer representing the number of microseconds since midnight Coordinated Universal Time (UTC) on 1 January 1970.

From examining the source code I was able to determine that Google Chrome uses two separate date and time formats. These are standard Unix time, which is the number of seconds since midnight UTC of 1 January 1970, and WEBKIT time, which is the number of microseconds since midnight UTC of 1 January 1601.

If you were to view the contents of the SQLite databases with other tools, for example the Firefox extension SQLite Manager, then these date and time stamps would be in a non-human-readable form.

f3e has the ability to convert PRTime, Unix time and WEBKIT time into human-readable date/time stamps. These date/time stamps can be adjusted for UTC offset and use either English or American date formats. Please note that presently f3e does not adjust for DST.

what else?
^^^^^^^^^^

To combat data duplication and to speed up querying of its internal tables, Firefox stores the information required to construct the Internet usage history in two separate tables within the SQLite database places.sqlite. f3e is able to combine the information from these two tables and present the resulting information to the investigator as either a CSV spreadsheet or an HTML report. This feature is yet to be added for Chrome.

who wrote it?
^^^^^^^^^^^^^

The author is a Hi-Tech Crime Investigator who has worked within a Hi-Tech Crime Unit for a major UK police force for 5 years. He has worked on cases as diverse as murder, drugs, theft, deception, harassment, terrorism, sexual assault, attempted kidnap and indecent images of children, for both the criminal and civil courts.

The author is currently studying for a Master of Science degree (MSc) in Forensic Computing at Cranfield University, UK.

is it free?
^^^^^^^^^^^

Yes. This is my gift to the forensic community; anyone is very welcome to use and distribute this program, with the following restrictions:

* If you distribute f3e then please ensure that all readme, licence and/or help documentation which came with it are also distributed along with it.
* f3e is not to be sold on its own or along with other items without the author's explicit permission.
* If you find f3e to be of use to yourself, your organisation or your company then you are asked to kindly write the author a very short email, stating who you are, where you are and how it worked out for you. This information will never be published - it is solely for the author's own personal interest.

Send emails to: admin @ firefoxforensics . com

This software is offered with no guarantees or warranties express or implied about the functionality of the works.

Firefox, Chrome and SQLite are trademarks of their respective owners.
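
Added example (not part of f3e and not the author's code): the three timestamp decodings described under 'decode dates and times?' and the two-table join described under 'what else?', written in Python. The table and column names (moz_places, moz_historyvisits) are assumed from Firefox's places.sqlite schema, which this page does not list; the date format strings and the sample database are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed renderings of the "English" and "American" date options.
FORMATS = {"english": "%d/%m/%Y %H:%M:%S", "american": "%m/%d/%Y %H:%M:%S"}

def decode(value, kind, offset_minutes=0, style="english"):
    """Render a raw timestamp as text with a fixed UTC offset (no DST)."""
    if kind == "prtime":      # microseconds since 1 January 1970 UTC
        moment = UNIX_EPOCH + timedelta(microseconds=value)
    elif kind == "unix":      # seconds since 1 January 1970 UTC
        moment = UNIX_EPOCH + timedelta(seconds=value)
    elif kind == "webkit":    # microseconds since 1 January 1601 UTC
        moment = WEBKIT_EPOCH + timedelta(microseconds=value)
    else:
        raise ValueError("unknown timestamp kind: %r" % kind)
    return (moment + timedelta(minutes=offset_minutes)).strftime(FORMATS[style])

def history_report(conn, offset_minutes=0, style="english"):
    """Join the URL table to the visit table: one row per visit, oldest first."""
    # Table and column names are assumed from Firefox's schema, not from this page.
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title, p.visit_count "
        "FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id "
        "ORDER BY v.visit_date")
    return [(decode(stamp, "prtime", offset_minutes, style), url, title or "", count)
            for stamp, url, title, count in rows]

def sample_places_db():
    """Constructed stand-in for places.sqlite holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example', 2),
                                      (2, 'http://example.org/', NULL, 1);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1228564800000000),
                                             (2, 2, 1228568400000000),
                                             (3, 1, 1228606200000000);
    """)
    return conn

if __name__ == "__main__":
    for row in history_report(sample_places_db(), offset_minutes=60):
        print(row)
```

To run it against a working copy of a real places.sqlite, open the file read-only with sqlite3.connect("file:places.sqlite?mode=ro", uri=True) and pass that connection to history_report. The last sample visit shows why the offset matters: 23:30 UTC on 6 December becomes 00:30 on 7 December at +60 minutes.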