This is important, keep note of this for later. The entire places.sqlite file was viewed and no abnormal entries were located. When viewing the places.sqlite file in FTK Imager, the four entries were also seen. SQLite Manager showed the exact same information as expected. Now I opened SQLite Manager and reviewed that information: The entries in my history match exactly what I navigated to. In an attempt to replicate the initial problem of having URLs visible in the places.sqlite file but not within Firefox, SQLite Manager, or FTK’s parsed viewer, the following steps were taken: For example, if the places.sqlite file is open within FTK Imager and then Firefox is opened, Firefox will act normal, however no data is actually recorded in the places.sqlite file since FTK Imager has locked it. This is important to note during testing because it will alter the normal operation of Firefox. Note – the places.sqlite file is locked by the first application that accesses it. After reviewing the entire file, no other entries were located. Notice the same information is seen below as what we have seen in the SQLite Manager. This file will now have to be saved as an Excel workbook since this file is no longer compatible the CSV format.īelow is a view of the places.sqlite file while viewing it in FTK. Also, consider hiding any columns or rows that are not applicable to your investigation:īy using filtering (indicated by the dropdown arrow to the right of each heading in the top row), it is possible to quickly sort by the relevant information within each column. This includes highlighting the top row, center and bold the font on the first row, insert gridlines, and then freeze the top row and add filtering to the top row. When working with a large amount of data, there are a few tricks you can use to make data management easier. Navigate to your newly created CSV file and open it with Excel:Ībove is the standard Excel view of a CSV file. Once you have selected the appropriate settings, click “OK” and you should receive a dialog box stating that your records have been exported.
Once you click the “Export Wizard” tab, make sure to check the box “First row contains column names” and then select how you want to export the data. To better search and review information, export the data to a CSV file. Although you can directly query the SQLite tables this way, unless you are familiar with SQL searches, I recommend exporting the data and using Excel.
To search records, click on the “Browse & Search” tab. SQLite Manager shows the above bookmarks within the places.sqlite file:Īs an overview, SQLite Manager is a great tool for viewing these database files. By default Firefox installs five bookmarks, which can be seen below: SQLite Manager was launched to view the default entries in places.sqlite.
To obtain a baseline, Firefox was launched and the places.sqlite database was rebuilt. Once it was installed it was launched by going to Tools>SQLite Manager: The Firefox add-on SQLite Manager was downloaded and installed. The places.sqlite created upon installation of Firefox was deleted, which forces Firefox to create a new database upon the next time the program is run.
#Places sqlite windows
Within a virtual machine running Windows XP SP3 a clean installation of Mozilla Firefox 15.0.1 was installed. Path for Mozilla information (Windows XP): C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\%uniquevalue%.default\ The URLs seen in hex view are relevant to the investigation. URLs visible within the places.sqlite database file when viewing the file in hex view that are not visible when viewing the file in SQLite Manager or FTK’s viewer.
By Josh Moulin Digital Forensics NovemIssue:
0 kommentar(er)
