Dumpzilla: a forensic tool to extract information from browsers based on Firefox

Dumpzilla is a Python 3 script developed to extract artifacts from Firefox, Iceweasel and Seamonkey browsers, useful durgin a forensic analysis.

It works in command line under Unix and Windows 32/64 bits systems.


Supported artifacts

  • Cookies + DOM Storage (HTML 5).
  • User preferences (Domain permissions, Proxy settings…).
  • Downloads.
  • Web forms (Searches, emails, comments..).
  • Historial.
  • Bookmarks.
  • Cache HTML5 Visualization / Extraction (Offline cache).
  • Visited sites “thumbnails” Visualization / Extraction .
  • Addons / Extensions and used paths or urls.
  • Browser saved passwords.
  • SSL Certificates added as a exception.
  • Session data (Webs, reference URLs and text used in forms).
  • Visualize live user surfing, Url used in each tab / window and use of forms.


Installation

First, solve the dependencies:

Install Magic Module in Windows:
  1. Install Magic Module: https://github.com/ahupp/python-magic (python setup.py install)
  2. Get the GnuWin32 File utility (Binaries and Dependencies): http://gnuwin32.sourceforge.net/packages/file.htm
  3. Place magic1.dll from the Binaries package into your C:\windows\system32 directory.
  4. Put “magic” from the Binaries package into your C:\windows\system32 directory.
  5. Place zlib1.dll and regex2.dll from the Dependencies package into your system32 directory.
Install Magic Module in Unix
  1. Download Magic Module: https://github.com/ahupp/python-magic
  2. Install using setup.py:
    $ cd python-magic-master/
    # python setup.py install
    

Then, simply clone the git repository:

git clone https://github.com/Busindre/dumpzilla.git

Sample usage

Cookies with Wildcards and data range

These commands have the same output:

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35 -name GAPS
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35:1% -name _AP%
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 2013-0_-04 %:35:1% -name %A__ -hostcookie www.google.com


Domain: google.com
Host: www.google.com
Name: GAPS
Value: 1:IvFZXoV-6ihRuP658dfr7FjLQcnrhw:0X5FWx6hkt0Fp77C
Path: /accounts
Expiry: 2015-03-04 02:35:14
Last acess: 2013-03-04 02:35:14
Creation Time: 2013-03-04 02:35:14
Secure: 0
HttpOnly: 1

This command print domains and their DOM data with accessed cookies between two given dates.

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -domain google% -range_last "2013-03-04 01:28:09" "2013-03-04 01:28:51" -secure 0 -httponly 0 -showdom

Domain: google.de
Host: .google.de
Name: PREF
Value: ID=e59d6b724e975713:U=ed7938110e81ef61:FF=0:LD=en:TM=1361492092:LM=1361492092:S=XE3J6pRySWKjnNuT
Path: /
Expiry: 2015-02-22 01:14:52
Last acess: 2013-03-04 01:28:11
Creation Time: 2013-02-22 01:14:52
Secure: 0
HttpOnly: 0

Domain: secure.shared.live.com
DOM data: 1361915953829
Use of escape characters to filter

Not using escape characters:

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "_ag%"

Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0


Domain: objectmix.com
Host: .objectmix.com
Name: Xagads
Value: 0
Path: /
Expiry: 2014-02-22 01:15:01
Last acess: 2013-03-04 14:44:55
Creation Time: 2013-03-04 14:44:55
Secure: 0
HttpOnly: 0

Using escape characters (two ways, same output)

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "\_ag%"
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name \\_ag%

Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0
Audit real time surfing filtering Yahoo, hotmail and Gmail content

Remember that “-text” option of “–Watch” can use grep wildcards. This command prints all the windows / tabs that contain “-text”.

$ python3.2 dumpzilla.py .mozilla/firefox/yle8qt6e.default --Watch -text "yahoo\|live\|gmail"

Title: Redactar - [email protected] - Gmail
URL: https://mail.google.com/mail/?shva=1#drafts/13d4aa3d5e74265e


Title: (29 no leídos) - Karl Müller - Yahoo! Mail
URL: http://es-mg42.mail.yahoo.com/neo/launch?.rand=4vhbkln5s409p#mail


Title: Yahoo! - 404 Not Found
URL: http://es-mg42.mail.yahoo.com/app/minty/options/general
Form: {'s1p': 'Big Butt'}


Title: A password is not enough
URL: https://account.live.com/Proofs/Manage?ru=https://login.live.com/login.srf%3flc%3d3082%26sf%3d1%26id%36%26cbcxt%3dmai%2mspp_shared%3d1%26seclog%3d0%26wa%3dwsignin1.0%26wp%6ru%3dhttp://mail.live.com/default.aspx&mkt=ES-ES&uiflavor=web&id=6455&lqsp=ntprob%3d-1&mpcxt=AFP&oru=http://mail.live.com/default.aspx&lmif=100
Form: {'Question': {'selectedIndex': 0, 'value': '0'}, 'DisplayPhoneNumber': '650457892', 'EmailAddress': '[email protected]', 'DisplayPhoneCountryISO': {'selectedIndex': 60, 'value': 'ES'}}

 

Combining mutiple options
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -access "16:32:18" --Permissions -host addons.cdn.mozilla.net --History -date "14:27:32"

Execution time: 2013-03-05 18:55:23.691384
Mozilla Profile: .mozilla/firefox/yle8qt6e.default

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Cookies [SHA256 hash: d05199c0ff5db35bedb47e536076d0aeda108940edb47e536076d0aeda108940]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Domain: filldisk.com
Host: .filldisk.com
Name: __utmz
Value: 30275752.1362488826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Path: /
Expiry: 2013-09-04 05:32:18
Last acess: 2013-03-05 16:32:18
Creation Time: 2013-03-05 14:07:05
Secure: 0
HttpOnly: 0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DOM Storage [SHA256 hash: d2edb47e536076d0aeda1089408004d7a11e361a45c660dd507d2aed2b10061b]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Domain: secure.shared.live.com
Domain: 2.filldisk.com
Domain: 1.filldisk.com
Domain: secure.shared.live.com

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Permissions [SHA256 hash: 1448abfa05363d0b68bcaeb75bb1bbf2bf873edb47e536076d0aeda10894019c]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Host: addons.cdn.mozilla.net
Type: sts/subd
Permission: 2
ExpiteType: 0
ExpiteTime: 1970-01-01 01:00:00

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Preferences [SHA256 hash: eedb47e536076d0aeda108940371076d8be30ae13751ddd3e42e793cda78a4fd]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Browser cache disk capacity: 228352

Download directory: /home/jasmin/Descargas
Last Download directory: /home/jasmin/Escritorio

Browser Version: 19.0

URL proxy autoconfig: http://caca.com/

FTP backup proxy: 127.0.0.1
FTP backup proxy port: 4001
Socks backup proxy: 127.0.0.1
Socks backup proxy port: 4001
SSL backup proxy: 127.0.0.1
SSL backup proxy port: 4001
FTP proxy: 127.0.0.1
FTP proxy port: 4001
Http proxy: 127.0.0.1
Http proxy port: 4001
Share proxy settings: true
Socks proxy: 127.0.0.1
Socks proxy port: 4001
SSL proxy port: 4001
Type Proxy: 1 (0: No proxy | 4: Auto detect settings | 1: Manual configuration | 2: URL autoconfig)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
History [SHA256 hash: edb47e536076d0aeda108940f9cabf311389c5b79810a2ac7369bc797307a80e]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Last visit: 2013-03-05 14:27:32
Title: لوحة المفاتيح SwiftKey X للأندرويد وتدعم العربية
URL: http://www.vip4soft.com/%D9%84%D9%88%D8%AD%D8%A9-%D8%A7%D9%84%D9%85%D9%81%D8%A7%D8%AA%D9%8A%D8%AD-swiftkey-x-%D9%84%D9%84%D8%A3%D9%86%D8%AF%D8%B1%D9%88%D9%8A%D8%AF-%D9%88%D8%AA%D8%AF%D8%B9%D9%85-%D8%A7%D9%84%D8%B9%D8%B1.html
Frequency: 1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Total Cookies: 3
Total DOM Data: 14
WARNING: For show the DOM storage data , use the option -showdom
Total Permissions: 2
Total urls in History: 1

 

Dumpzilla with grep pipe

Show installed extensions and paths in C:\ (Windows) used by their.

$ python3.2 dumpzilla.py .yle8qt6e.default --Addons | grep -A 1 -B 1 -i "C:"

Type: theme
Descriptor: C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
Version: 19.0
--
Type: extension
Descriptor: C:\Documents and Settings\jasminpc\Application Data\Mozilla\Firefox\Profiles\5s28qo2r.default\extensions\[email protected]
Version: 2.00
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\beach.jpg"
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\ricorico.jpg"

More information and downloads

 

 

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.