#!/usr/bin/env python
import sys, re, optparse
try:
from common_methods import *
except ImportError:
sys.exit("Could not find common_methods.py... download the full toolkit from https://github.com/MonroCoury/Forensic_Tools")
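def read_moz_cookies(cookies_db):
    '''Read mozilla firefox cookies and save them as an HTML report.

    Takes one argument: the full path of the cookies sqlite database file.

    Each row of moz_cookies (host, name, value) becomes one table row. The
    finished page is passed to saveResult() under the name returned by
    getFileName(cookies_db) with ".html" appended.
    '''
    import html  # local import: only the report rendering needs it

    command = "SELECT host, name, value FROM moz_cookies"
    res = pull_from_db(cookies_db, command)
    data = init_data("firefox_scanner Cookies", len(res)) + init_table_header("./templates/init_cookies_html.html")
    rows = []
    for row in res:
        # Cookie fields are chosen by the sites the profile visited, so they
        # are untrusted evidence: escape them so markup stored in a cookie is
        # displayed as text in the report instead of being interpreted by the
        # browser the analyst opens it with.
        host = html.escape(str(row[0]))
        name = html.escape(str(row[1]))
        value = html.escape(str(row[2]))
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (host, name, value))
    # Join once instead of growing the page string row by row.
    data += "".join(rows)
    data += close_table_html()
    file_name = getFileName(cookies_db)
    tgt = file_name + ".html"
    saveResult(tgt, data)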
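def read_moz_history(history_db, tm_min=0, tm_max=10000000000000, google=False, android=False):
    '''Read mozilla firefox history and save it as an HTML report.

    Takes 5 arguments:
    history_db: the full path of the places sqlite database file
    tm_min: the minimum visit timestamp, default value is 0
    tm_max: the maximum visit timestamp, default value is 10000000000000
    google: Look for google searches only? default value is False
    android: Query the firefox android tables (history, or searchhistory when
             google is set) instead of the desktop ones? default value is False
    '''
    import html  # local import: only the report rendering needs it

    # NOTE(review): tm_min and tm_max are formatted straight into the SQL
    # text, so callers must pass numbers. pull_from_db is called here with a
    # finished statement only; confirm whether it can take bound parameters.
    command = "SELECT url, datetime(visit_date/1000000, 'unixepoch'), title FROM moz_places, moz_historyvisits " \
              + "WHERE (visit_count > 0) AND (moz_places.id == moz_historyvisits.place_id) AND (visit_date/1000000 > %s AND visit_date/1000000 < %s);" % (tm_min, tm_max)
    if android:
        command = "SELECT url, datetime(date/1000, 'unixepoch'), title FROM history WHERE (visits > 0)" \
                  + " AND (date/1000 > %s AND date/1000 < %s);" % (tm_min, tm_max)
        if google:
            command = "SELECT query, datetime(date/1000, 'unixepoch') FROM searchhistory WHERE (visits > 0)" \
                      + " AND (date/1000 > %s AND date/1000 < %s);" % (tm_min, tm_max)
    res = pull_from_db(history_db, command)
    data = init_data("firefox_scanner History", len(res)) + init_table_header("./templates/init_history_html.html")

    # URLs, titles and search terms are supplied by the visited sites and are
    # therefore untrusted: every cell is escaped before it reaches the report.
    row_html = "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
    rows = []
    for row in res:
        if google:
            # Reset per row so a URL without a search term cannot reuse the
            # previous row's term (or raise NameError on the first row).
            search = ""
            if android:
                search = str(row[0])
                date = str(row[1])
                title = "Search"
            else:
                url = str(row[0])
                date = str(row[1])
                title = str(row[2])
                if "google" in url.lower():
                    # NOTE(review): this pattern only matches a q= parameter
                    # that is followed by '&', and the term is not URL-decoded.
                    r = re.findall(r'q=.*\&', url)
                    if r:
                        search = r[0].split('&')[0]
                        search = search.replace('q=', '').replace('+', ' ')
            if search != "":
                rows.append(row_html % (html.escape(date), html.escape(title), html.escape(search)))
        else:
            url = str(row[0])
            date = str(row[1])
            title = str(row[2])
            if len(title) == 0:
                # Fall back to the URL when the page has an empty title.
                title = url
            rows.append(row_html % (html.escape(date), html.escape(title), html.escape(url)))
    data += "".join(rows)
    data += close_table_html()
    file_name = getFileName(history_db)
    tgt = file_name + ".html"
    saveResult(tgt, data)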
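def read_moz_forms(forms_db, tm_min=0, tm_max=10000000000000):
    '''Read mozilla firefox forms history and save it as an HTML report.

    Takes 3 arguments:
    forms_db: the full path of the form_history sqlite database file
    tm_min: the minimum form use timestamp, default value is 0
    tm_max: the maximum form use timestamp, default value is 10000000000000

    The time window is applied to the firstUsed column.
    '''
    import html  # local import: only the report rendering needs it

    # NOTE(review): tm_min and tm_max are formatted straight into the SQL
    # text, so callers must pass numbers. pull_from_db is called here with a
    # finished statement only; confirm whether it can take bound parameters.
    command = "SELECT fieldname, value, timesUsed, datetime(firstUsed/1000000, 'unixepoch'), " \
              + "datetime(lastUsed/1000000, 'unixepoch') FROM moz_formhistory WHERE (firstUsed/1000000 > %s AND firstUsed/1000000 < %s);" % (tm_min, tm_max)
    res = pull_from_db(forms_db, command)
    data = init_data("firefox_scanner Forms History", len(res)) + init_table_header("./templates/init_formhistory_html.html")
    row_html = "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
    rows = []
    for row in res:
        # Field names and values are whatever was typed into or offered by web
        # forms, so they are escaped before being written into the report.
        cells = tuple(html.escape(str(row[i])) for i in range(5))
        rows.append(row_html % cells)
    data += "".join(rows)
    data += close_table_html()
    file_name = getFileName(forms_db)
    tgt = file_name + ".html"
    saveResult(tgt, data)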
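def read_moz_downloads(downloads_db, tm_min=0, tm_max=10000000000000):
    '''Read mozilla firefox downloads and save them as an HTML report.

    Takes 3 arguments:
    downloads_db: the full path of the downloads sqlite database file
    tm_min: the minimum download timestamp, default value is 0
    tm_max: the maximum download timestamp, default value is 10000000000000

    The time window is applied to the endTime column.
    '''
    import html  # local import: only the report rendering needs it

    # NOTE(review): tm_min and tm_max are formatted straight into the SQL
    # text, so callers must pass numbers. pull_from_db is called here with a
    # finished statement only; confirm whether it can take bound parameters.
    command = "SELECT name, source, datetime(endTime/1000000, 'unixepoch') FROM moz_downloads WHERE (endtime/1000000 > %s AND endtime/1000000 < %s);" % (tm_min, tm_max)
    res = pull_from_db(downloads_db, command)
    data = init_data("firefox_scanner Downloads", len(res)) + init_table_header("./templates/init_downloads_html.html")
    rows = []
    for row in res:
        # File names and source URLs are chosen by the remote server, so they
        # are escaped before being written into the report.
        name = html.escape(str(row[0]))
        source = html.escape(str(row[1]))
        finished = html.escape(str(row[2]))
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (name, source, finished))
    data += "".join(rows)
    data += close_table_html()
    file_name = getFileName(downloads_db)
    tgt = file_name + ".html"
    saveResult(tgt, data)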
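if __name__ == "__main__":
    # Command-line entry point: parse the options, pick the default database
    # for the chosen target when -b is not given, and write the HTML report.
    print('\n\n ##############A Python script to read firefox browser data ############')
    print(' # Coded by monrocoury #')
    print(' # can read forms data, cookies, Google searches #')
    print(' # and history to name a few #')
    print(' #######################################################################\n\n')
    parser = optparse.OptionParser("Usage: python %prog -t <target> -b <(optional) database path> --min_time <(optional) minimum entry time>" \
                                   + " --max_time <(optional) maximum entry time> --android <(optional) Target is a firefox android database?>" \
                                   + " or python firefox_scanner.py -h for help")
    target_help = "can take one of 5 values: cookies, history, google_searches, forms_history, or downloads"
    parser.add_option("-t", dest="target", type="string", help=target_help)
    db_help = "The full path of the database file to parse. By default, if you're on linux go to" \
              + " /home/<username>/.mozilla/firefox/ choose the directory that ends with '.default'. once inside the folder" \
              + " copy the full path from the address bar and paste it as the -b argument. enclose the path in quotes if " \
              + "it contains spaces. The script will attempt to find the default database for the target function specified and the active user"
    parser.add_option("-b", dest="db", type="string", help=db_help)
    min_help = "enter if target isn't 'cookies' to read items after a given date and time, must be a string separated by _ YYYY_MM_DD_HH_MM_SS"
    parser.add_option("--min_time", dest="min", type="string", help=min_help)
    max_help = "enter if target isn't 'cookies' to read items before a given date and time, must be a string separated by _ YYYY_MM_DD_HH_MM_SS"
    parser.add_option("--max_time", dest="max", type="string", help=max_help)
    android_help = "True if target database is a firefox android database. default False"
    parser.add_option("--android", dest="droid", type="string", help=android_help)
    (options, args) = parser.parse_args()
    if not options.target:
        sys.exit("please enter a target:\n\n%s" % parser.usage)
    # Normalise once so that validation and dispatch agree on letter case.
    target = options.target.lower()
    if target not in ("cookies", "history", "google_searches", "forms_history", "downloads"):
        sys.exit("Unrecognized target function!")
    db = options.db
    if options.min:
        min_time = time_to_epoch(options.min)
    else:
        min_time = 0
    if options.max:
        # The upper bound comes from --max_time; it used to be computed from
        # --min_time, which produced an empty window or failed when only
        # --max_time was supplied.
        max_time = time_to_epoch(options.max)
    else:
        max_time = 10000000000000
    # --android is read as a plain boolean word. It was previously passed to
    # eval(), which would execute any expression given on the command line.
    android = bool(options.droid) and options.droid.strip().lower() in ("true", "1")
    if target == "cookies":
        if not db:
            db = get_firefox_db("cookies.sqlite")
        read_moz_cookies(db)
    elif target == "history":
        if not db:
            db = get_firefox_db("places.sqlite")
        read_moz_history(db, min_time, max_time, android=android, google=False)
    elif target == "google_searches":
        if not db:
            db = get_firefox_db("places.sqlite")
        read_moz_history(db, min_time, max_time, android=android, google=True)
    elif target == "forms_history":
        if not db:
            db = get_firefox_db("formhistory.sqlite")
        read_moz_forms(db, min_time, max_time)
    elif target == "downloads":
        if not db:
            db = get_firefox_db("downloads.sqlite")
        read_moz_downloads(db, min_time, max_time)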