Dumpzilla: a forensic tool to extract information from browsers based on Firefox
Dumpzilla is a Python 3 script developed to extract artifacts from Firefox, Iceweasel and Seamonkey browsers, useful during a forensic analysis.
It works from the command line on Unix and Windows 32/64-bit systems.
Supported artifacts
- Cookies + DOM Storage (HTML 5).
- User preferences (Domain permissions, Proxy settings...).
- Downloads.
- Web forms (Searches, emails, comments...).
- History.
- Bookmarks.
- Cache HTML5 Visualization / Extraction (Offline cache).
- Visited sites "thumbnails" Visualization / Extraction.
- Addons / Extensions and used paths or URLs.
- Browser saved passwords.
- SSL Certificates added as an exception.
- Session data (Webs, reference URLs and text used in forms).
- Visualize live user surfing: URL used in each tab / window and use of forms.
https://www.youtube.com/watch?v=kr9SVBFdSXc&hd=1
Installation
First, solve the dependencies:
- Python 3.x
- Python Magic Module: https://github.com/ahupp/python-magic
Install Magic Module in Windows:
- Install Magic Module: https://github.com/ahupp/python-magic (python setup.py install)
- Get the GnuWin32 File utility (Binaries and Dependencies): http://gnuwin32.sourceforge.net/packages/file.htm
- Place magic1.dll from the Binaries package into your C:\windows\system32 directory.
- Put "magic" from the Binaries package into your C:\windows\system32 directory.
- Place zlib1.dll and regex2.dll from the Dependencies package into your system32 directory.
Install Magic Module in Unix
- Download Magic Module: https://github.com/ahupp/python-magic
- Install using setup.py:
$ cd python-magic-master/
# python setup.py install
Then, simply clone the git repository:
git clone https://github.com/Busindre/dumpzilla.git
Sample usage
Cookies with wildcards and date range
These commands have the same output:
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35 -name GAPS
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35:1% -name _AP%
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 2013-0_-04 %:35:1% -name %A__ -hostcookie www.google.com

Domain: google.com
Host: www.google.com
Name: GAPS
Value: 1:IvFZXoV-6ihRuP658dfr7FjLQcnrhw:0X5FWx6hkt0Fp77C
Path: /accounts
Expiry: 2015-03-04 02:35:14
Last acess: 2013-03-04 02:35:14
Creation Time: 2013-03-04 02:35:14
Secure: 0
HttpOnly: 1
This command prints domains and their DOM data for cookies accessed between two given dates:
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -domain google% -range_last "2013-03-04 01:28:09" "2013-03-04 01:28:51" -secure 0 -httponly 0 -showdom

Domain: google.de
Host: .google.de
Name: PREF
Value: ID=e59d6b724e975713:U=ed7938110e81ef61:FF=0:LD=en:TM=1361492092:LM=1361492092:S=XE3J6pRySWKjnNuT
Path: /
Expiry: 2015-02-22 01:14:52
Last acess: 2013-03-04 01:28:11
Creation Time: 2013-02-22 01:14:52
Secure: 0
HttpOnly: 0

Domain: secure.shared.live.com
DOM data: 1361915953829
Use of escape characters to filter
Not using escape characters:
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "_ag%"

Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0

Domain: objectmix.com
Host: .objectmix.com
Name: Xagads
Value: 0
Path: /
Expiry: 2014-02-22 01:15:01
Last acess: 2013-03-04 14:44:55
Creation Time: 2013-03-04 14:44:55
Secure: 0
HttpOnly: 0
Using escape characters (two ways, same output):
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "\_ag%"
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name \\_ag%

Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0
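The wildcard, date-range and escape-character behaviour shown in the two sections above comes straight from SQL LIKE filtering over the moz_cookies table in cookies.sqlite. The following is an added example, not dumpzilla's own code: it builds a constructed in-memory copy of that table (rows modelled on the output above, with placeholder cookie values) and reproduces the -name / -domain / -hostcookie / -range_last / -secure / -httponly filters, including why "\_ag%" and "_ag%" differ. The function and column names are assumptions based on the Firefox schema; timestamps are treated as UTC, whereas dumpzilla prints local time.

```python
import sqlite3
from datetime import datetime, timezone
# Subset of Firefox's cookies.sqlite moz_cookies schema: expiry is in seconds,
# lastAccessed and creationTime in microseconds since the epoch.
SCHEMA = """CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT,
  value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER,
  creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""

def to_epoch(ts):
    """'YYYY-MM-DD HH:MM:SS' (treated as UTC here) -> seconds since the epoch."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def fmt(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def build_sample_db():
    """Constructed rows modelled on the README output above; not real captured data."""
    us = lambda ts: to_epoch(ts) * 1_000_000
    rows = [  # baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, secure, httponly
        ("google.com", "GAPS", "1:EXAMPLE", "www.google.com", "/accounts", to_epoch("2015-03-04 02:35:14"),
         us("2013-03-04 02:35:14"), us("2013-03-04 02:35:14"), 0, 1),
        ("google.de", "PREF", "ID=EXAMPLE", ".google.de", "/", to_epoch("2015-02-22 01:14:52"),
         us("2013-03-04 01:28:11"), us("2013-02-22 01:14:52"), 0, 0),
        ("objectmix.com", "_agads", "ID=EXAMPLE", ".objectmix.com", "/", to_epoch("2015-02-22 01:14:59"),
         us("2013-03-04 14:44:13"), us("2013-03-04 14:44:13"), 0, 0),
        ("objectmix.com", "Xagads", "0", ".objectmix.com", "/", to_epoch("2014-02-22 01:15:01"),
         us("2013-03-04 14:44:55"), us("2013-03-04 14:44:55"), 0, 0),
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO moz_cookies (baseDomain,name,value,host,path,expiry,lastAccessed,"
                     "creationTime,isSecure,isHttpOnly) VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    return conn

def filter_cookies(conn, name=None, domain=None, host=None, last_range=None, secure=None, httponly=None):
    """Pattern args use SQL LIKE: % = any run, _ = one char, backslash escapes either, so '\\_ag%'
    needs a literal underscore while '_ag%' takes any first char. SQLite LIKE ignores ASCII case."""
    where, args = [], []
    for col, pat in (("name", name), ("baseDomain", domain), ("host", host)):
        if pat is not None:
            where.append(f"{col} LIKE ? ESCAPE '\\'"); args.append(pat)
    if last_range is not None:  # inclusive window on lastAccessed, like -range_last
        where.append("lastAccessed BETWEEN ? AND ?")
        args += [to_epoch(last_range[0]) * 1_000_000, to_epoch(last_range[1]) * 1_000_000]
    for col, val in (("isSecure", secure), ("isHttpOnly", httponly)):
        if val is not None:
            where.append(f"{col} = ?"); args.append(val)
    sql = ("SELECT baseDomain, host, name, value, path, expiry, lastAccessed, creationTime, isSecure, "
           "isHttpOnly FROM moz_cookies" + (" WHERE " + " AND ".join(where) if where else "") + " ORDER BY id")
    return [{"domain": r[0], "host": r[1], "name": r[2], "value": r[3], "path": r[4], "expiry": fmt(r[5]),
             "last_access": fmt(r[6] // 1_000_000), "created": fmt(r[7] // 1_000_000),
             "secure": r[8], "httponly": r[9]} for r in conn.execute(sql, args)]
```

Because SQLite's LIKE is case-insensitive for ASCII, a pattern such as "%A__" also matches names ending in a lowercase "a" plus two characters; combine it with -hostcookie, as the README does, when that matters.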
Audit real-time surfing, filtering Yahoo, Hotmail and Gmail content
Remember that the "-text" option of "--Watch" accepts grep wildcards. This command prints all the windows / tabs whose content matches "-text":
$ python3.2 dumpzilla.py .mozilla/firefox/yle8qt6e.default --Watch -text "yahoo\|live\|gmail"

Title: Redactar - luser1985@gmail.com - Gmail
URL: https://mail.google.com/mail/?shva=1#drafts/13d4aa3d5e74265e

Title: (29 no leídos) - Karl Müller - Yahoo! Mail
URL: http://es-mg42.mail.yahoo.com/neo/launch?.rand=4vhbkln5s409p#mail

Title: Yahoo! - 404 Not Found
URL: http://es-mg42.mail.yahoo.com/app/minty/options/general
Form: {'s1p': 'Big Butt'}

Title: A password is not enough
URL: https://account.live.com/Proofs/Manage?ru=https://login.live.com/login.srf%3flc%3d3082%26sf%3d1%26id%36%26cbcxt%3dmai%2mspp_shared%3d1%26seclog%3d0%26wa%3dwsignin1.0%26wp%6ru%3dhttp://mail.live.com/default.aspx&mkt=ES-ES&uiflavor=web&id=6455&lqsp=ntprob%3d-1&mpcxt=AFP&oru=http://mail.live.com/default.aspx&lmif=100
Form: {'Question': {'selectedIndex': 0, 'value': '0'}, 'DisplayPhoneNumber': '650457892', 'EmailAddress': 'recovery@hotmail.com', 'DisplayPhoneCountryISO': {'selectedIndex': 60, 'value': 'ES'}}
Combining multiple options
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -access "16:32:18" --Permissions -host addons.cdn.mozilla.net --History -date "14:27:32"

Execution time: 2013-03-05 18:55:23.691384
Mozilla Profile: .mozilla/firefox/yle8qt6e.default

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Cookies [SHA256 hash: d05199c0ff5db35bedb47e536076d0aeda108940edb47e536076d0aeda108940]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Domain: filldisk.com
Host: .filldisk.com
Name: __utmz
Value: 30275752.1362488826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Path: /
Expiry: 2013-09-04 05:32:18
Last acess: 2013-03-05 16:32:18
Creation Time: 2013-03-05 14:07:05
Secure: 0
HttpOnly: 0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DOM Storage [SHA256 hash: d2edb47e536076d0aeda1089408004d7a11e361a45c660dd507d2aed2b10061b]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Domain: secure.shared.live.com
Domain: 2.filldisk.com
Domain: 1.filldisk.com
Domain: secure.shared.live.com

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Permissions [SHA256 hash: 1448abfa05363d0b68bcaeb75bb1bbf2bf873edb47e536076d0aeda10894019c]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Host: addons.cdn.mozilla.net
Type: sts/subd
Permission: 2
ExpiteType: 0
ExpiteTime: 1970-01-01 01:00:00

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Preferences [SHA256 hash: eedb47e536076d0aeda108940371076d8be30ae13751ddd3e42e793cda78a4fd]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Browser cache disk capacity: 228352
Download directory: /home/jasmin/Descargas
Last Download directory: /home/jasmin/Escritorio
Browser Version: 19.0
URL proxy autoconfig: http://caca.com/
FTP backup proxy: 127.0.0.1
FTP backup proxy port: 4001
Socks backup proxy: 127.0.0.1
Socks backup proxy port: 4001
SSL backup proxy: 127.0.0.1
SSL backup proxy port: 4001
FTP proxy: 127.0.0.1
FTP proxy port: 4001
Http proxy: 127.0.0.1
Http proxy port: 4001
Share proxy settings: true
Socks proxy: 127.0.0.1
Socks proxy port: 4001
SSL proxy port: 4001
Type Proxy: 1 (0: No proxy | 4: Auto detect settings | 1: Manual configuration | 2: URL autoconfig)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
History [SHA256 hash: edb47e536076d0aeda108940f9cabf311389c5b79810a2ac7369bc797307a80e]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Last visit: 2013-03-05 14:27:32
Title: لوحة المفاتيح SwiftKey X للأندرويد وتدعم العربية
URL: http://www.vip4soft.com/%D9%84%D9%88%D8%AD%D8%A9-%D8%A7%D9%84%D9%85%D9%81%D8%A7%D8%AA%D9%8A%D8%AD-swiftkey-x-%D9%84%D9%84%D8%A3%D9%86%D8%AF%D8%B1%D9%88%D9%8A%D8%AF-%D9%88%D8%AA%D8%AF%D8%B9%D9%85-%D8%A7%D9%84%D8%B9%D8%B1.html
Frequency: 1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Total information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Total Cookies: 3
Total DOM Data: 14
WARNING: For show the DOM storage data , use the option -showdom
Total Permissions: 2
Total urls in History: 1
Dumpzilla with grep pipe
Show installed extensions and the paths under C:\ (Windows) they have used:
$ python3.2 dumpzilla.py .yle8qt6e.default --Addons | grep -A 1 -B 1 -i "C:"

Type: theme
Descriptor: C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
Version: 19.0
--
Type: extension
Descriptor: C:\Documents and Settings\jasminpc\Application Data\Mozilla\Firefox\Profiles\5s28qo2r.default\extensions\exif_viewer@mozilla.doslash.org.xpi
Version: 2.00
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\beach.jpg"
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH: C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\ricorico.jpg"
More information and downloads