firefox-cache-forensics : Tools for forensic analysis of Firefox Cache

The goal of this project is to publish tools and discussion about forensic recovery of the Firefox cache in order to contribute to the forensic community.

Although there are free tools to browse and recover Firefox cache out there, they (almost) all seem to be Windows-based GUI tools. Nothing against GUIs, but I needed source code in order to write a forensic timeline module for Kristinn Gudjonsson’s log2timeline utility (http://log2timeline.net/). I found there to be few sources of reliable information about the Firefox cache (other than the source code – but I was hoping for a cheat sheet). So I dug around and found a few sources, plus read Firefox code, until I understood how things work and could code against them.

I plan to publish tools and papers in this space to bring the Firefox cache structure into better public understanding and make tools available for re-use.

Documentation

Pages I’ve written to describe the Firefox cache and forensics issues to do with it.

Reading and Extracting the Firefox Cache – A general description of how to read and extract data from the Firefox Cache.

Firefox Cache Format – Detailed description of the Firefox cache format and structure.

Forensic Findings – Research results and forensic implications for the way Firefox handles its cache.

Tools

Currently this list is short:

ff_cache_find.pl – started as a proof-of-concept tool and morphed into something functional. Searches, displays and extracts Firefox cache entries and metadata from the command line.

ff_cache.pm – log2timeline module to integrate Firefox cache dates into the “super timeline” forensic tool.

Download right here: http://code.google.com/p/firefox-cache-forensics/downloads/list
