Mental Note on Firefox forensics using Firefox 3 Extractor

I left a post the other day on Firefox forensics, linking to Harlan's great page.

However, I wanted to dig a little further. I went to the Firefox 3 Forensics site and downloaded the Firefox 3 Extractor. It took a few minutes to get it right, but when I got it running, it was awesome, and a little eye-opening.

First, I copied f3e.exe and sqlite3.dll into my Firefox profile directory. I launched f3e, but couldn't get any results. Remembering my old SQL developer days, it dawned on me that the files were locked as I had Firefox open. So, I closed Firefox and reran. Bingo. The internet history report came out. I tried to run another report, and the program failed with an error message.

So, this time, I followed the directions and copied the Firefox sqlite files to a separate directory, and dumped f3e.exe and sqlite3.dll in there. Now, I could run any report, as many times as I like.

A couple of things I like:
The program asks for a case reference (maybe the profile of the subject)
The program asks for a case name.
The program asks for the investigator.
With the internet history report option, you are asked if you want to use the favicons.

I chose the Internet History Usage report, which was D on my menu. After answering the questions, the HTML file is named "case reference" - "case investigator" - Internet Usage.html so it is easy to find if you are running many reports.
Besides giving you the reference, name, and investigator, the report shows:
the top 20 most visited sites, with their counts, and,
A table with rows showing: favicon (if used), visit date, url, title, and if the url was typed.
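
The working-copy step and the two parts of the usage report described above can be reproduced directly against Firefox's places.sqlite history database. This is an added example, not code from the original post or from Firefox 3 Extractor; the function names are hypothetical, the sample rows are constructed, and it ranks by individual URL, since the post does not say how the tool groups sites.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def working_copy(profile_db, case_dir):
    """Copy the database out of the profile so the original is never opened."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(profile_db, case_dir / Path(profile_db).name))

def open_readonly(db_path):
    # mode=ro makes SQLite refuse writes, so queries cannot alter the copy.
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def top_sites(con, limit=20):
    """Most visited URLs with their visit counts."""
    return con.execute(
        "SELECT url, visit_count FROM moz_places WHERE visit_count > 0 "
        "ORDER BY visit_count DESC, url LIMIT ?", (limit,)).fetchall()

def visit_table(con):
    """One row per visit: (UTC visit date, url, title, typed)."""
    rows = con.execute(
        "SELECT v.visit_date, p.url, p.title, p.typed FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date").fetchall()
    # visit_date is stored as microseconds since the Unix epoch (UTC).
    return [(datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc).isoformat(),
             url, title, bool(typed)) for ts, url, title, typed in rows]

def build_sample_db(path):
    """Constructed sample data: only the tables and columns queried above."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url, title, visit_count, typed);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id, visit_date);
        INSERT INTO moz_places VALUES (1, 'http://mail.example.test/msg', 'Re: lunch', 2, 0),
                                      (2, 'http://www.example.test/', 'Example', 1, 1);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1230768000000000),
            (2, 2, 1230768060000000), (3, 1, 1230768120000000);
    """)
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_db(Path(tmp) / "places.sqlite")
        con = open_readonly(working_copy(Path(tmp) / "places.sqlite", Path(tmp) / "case"))
        print(top_sites(con), *visit_table(con), sep="\n")
        con.close()
```

As in the post, Firefox should be closed before the copy is taken, since it keeps the database locked while running.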

I found it interesting going through the table that Yahoo mail uses the subject of the email as the title of the page. This could be useful if having to trace through web email.

I ran the other reports and have only skimmed the .csv files that have been produced. A quick look shows a detailed cookie analysis, a forms history file, a detailed bookmarks analysis, favorite icon analysis, and a couple of others that were blank (I might not be recording that information.)

There is a mini-FAQ that lists where the various profile directories are stored.

Running the tool got me to consider the difference between "Private Browsing" and "Clearing Private Data". Normally, I clear my private data at the end of each session. But, I'm thinking of moving to Private Browsing, as it appears private browsing does not write the information to the hard drive.

So far, this is a great tool that I plan to use in the future.


