Browser

Chrome

hindsight

Web browser forensics tool for Google Chrome/Chromium-based browsers.

  • Installation

sudo apt update
sudo apt install -y sqlitebrowser
git clone https://github.com/obsidianforensics/hindsight.git
cd hindsight
python3 -m venv venv && source venv/bin/activate
pip3 install -r requirements.txt
python3 setup.py install
deactivate
npm install sqlite-browser
npm install sqlite3

  • Usage

source venv/bin/activate && python3 hindsight_gui.py

Firefox

  • Profile locations

# Ubuntu 22.04
/home/<USER>/snap/firefox/common/.mozilla/firefox/<Profile>.default

# Linux
/home/<USER>/.mozilla/firefox/<Profile>.default-esr

# Windows
C:\Documents and Settings\<USER>\Application Data\Mozilla\Firefox\Profiles\<Profile>.default

dumpzilla

Web browser forensics tool for Firefox.

  • Installation

Download the Python script for Unix/Windows from the official website https://www.dumpzilla.org/, or fetch it directly from the command line:

wget https://www.dumpzilla.org/dumpzilla.py

  • Usage

python3 dumpzilla.py browser_profile_directory [Options]

The --All option extracts everything the tool can extract.

The most interesting options are:

  • --Downloads: shows which links were used for downloads and where the files were stored on the host.

  • --Forms: shows the user's auto-fill form entries and what they searched for or typed directly in the browser's search bar (not in a search engine).

  • --History: it shows the user's internet browsing history.

  • --Bookmarks: it shows the user's bookmarks.

  • --Passwords: this only works on older versions of Firefox (< 58). The script tries to decrypt the encrypted passwords stored in signons.sqlite with the master decryption key stored in key3.db. That scheme was used in previous versions of Firefox; since version 58, logins are stored in key4.db (SQLite) while encrypted logins are stored in logins.json. (source)
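
Before running --Passwords it helps to know which credential store a profile uses. The following is an added example (not part of dumpzilla or of the original notes): it classifies a profile by the file names mentioned above and lists saved-login metadata from logins.json without decrypting anything. The JSON field names (hostname, timeCreated, timeLastUsed, timesUsed) are the ones Firefox writes to logins.json; the sample profile is constructed.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

LEGACY = ("key3.db", "signons.sqlite")  # Firefox < 58, per the note above
MODERN = ("key4.db", "logins.json")     # Firefox >= 58


def classify_store(profile):
    """Return 'modern', 'legacy', 'mixed' or 'none' from the files present."""
    legacy = any((Path(profile) / name).is_file() for name in LEGACY)
    modern = any((Path(profile) / name).is_file() for name in MODERN)
    if legacy and modern:
        return "mixed"
    return "modern" if modern else "legacy" if legacy else "none"


def ms_to_iso(ms):
    """logins.json timestamps are milliseconds since the Unix epoch."""
    if not isinstance(ms, (int, float)):
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def login_metadata(profile):
    """List saved-login metadata from logins.json; nothing is decrypted."""
    path = Path(profile) / "logins.json"
    try:
        entries = json.loads(path.read_text(encoding="utf-8")).get("logins", [])
    except (OSError, ValueError, AttributeError):
        return []  # missing, unreadable or malformed file
    return [{"hostname": e.get("hostname"),
             "created": ms_to_iso(e.get("timeCreated")),
             "last_used": ms_to_iso(e.get("timeLastUsed")),
             "times_used": e.get("timesUsed")}
            for e in entries if isinstance(e, dict)]


def build_sample_profile():
    """Constructed sample profile (not real evidence) for an offline run."""
    profile = Path(tempfile.mkdtemp(prefix="ffprofile_"))
    (profile / "key4.db").write_bytes(b"")
    sample = {"logins": [{"hostname": "https://example.test",
                          "encryptedUsername": "CONSTRUCTED",
                          "encryptedPassword": "CONSTRUCTED",
                          "timeCreated": 1700000000000,
                          "timeLastUsed": 1700000000000, "timesUsed": 3}]}
    (profile / "logins.json").write_text(json.dumps(sample), encoding="utf-8")
    return profile
```

Run it against a working copy of the profile directory, never the original evidence. A result of "modern" or "mixed" means dumpzilla's --Passwords will not cover the current logins.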

Firefox Decrypt

Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles.

git clone https://github.com/unode/firefox_decrypt
cd firefox_decrypt

Usage

python3 firefox_decrypt.py <Profile> -f human
