Browser forensic with Dumpzilla on Linux and Windows

Shirish Pokharel
Oct 25, 2019

Read the original article here: https://www.infosecshirish.com/browser-forensic-with-dumpzilla-on-linux-and-windows/

Dumpzilla is a browser forensic tool written in Python 3.x that can extract all interesting information from Firefox, Iceweasel and Seamonkey browsers. It is available for Mac, Linux, and Windows. It works in the command-line interface, so its output can be piped to tools such as grep, awk, cut, sed, etc.

You can extract addons, bookmarks, cookies, downloads, form fill-up data, history, passwords and much more. It lets you export the extracted data either to a JSON file or to a plain text file. You can also use wildcards and regular expressions if you want to do some advanced filtering.

Below is a list of data it can extract:

  • History, bookmarks, and cookies
  • Browser saved passwords, forms, session data
  • User preferences and addons
  • Downloads
  • Session data
  • Live user surfing, URL open in each tab

Dumpzilla on Kali Linux

First, you need to install dumpzilla on your system with this simple command: apt install dumpzilla.

Then, run dumpzilla in a terminal to start it. When you run dumpzilla without any argument, it displays the help page. You can also run man dumpzilla to get more information on the tool. You need to point dumpzilla to your Firefox profile location for it to work. A profile in Firefox is the collection of settings, customizations, add-ons, and other personalizations that a user has made or installed into their copy of Firefox. You can find details about profiles on Mozilla's end-user support site. Its location is different on Mac, Windows, and Linux. At the bottom of the help page, the one you got when running the dumpzilla command, you can see the Firefox profile location for each platform. You will find it as below:

Windows -> C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default
MacOS -> /Users/$USER/Library/Application Support/Firefox/Profiles/xxxx.default
Linux/Unix -> /home/$USER/.mozilla/firefox/xxxx.default

We’ll first look at the summary of data that can be extracted from Firefox in a Kali Linux system. To get a summary of data available to extract, run this command: dumpzilla /home/$USER/.mozilla/firefox/xxxx.default --Summary [Replace xxxx.default with your profile directory]. This command will not extract any data; it shows what data is available, and you can then use other arguments to extract it.

To extract the data, run dumpzilla <profile location> --arguments. There are lots of arguments available (take a look at the help page) and each argument extracts one type of data like addons, bookmarks, cookies, downloads, forms, history, passwords, permissions, etc. To extract all information available at once, run dumpzilla with the profile location and no other argument. To export the information, run dumpzilla /home/$USER/.mozilla/firefox/xxxx.default --Export /root/desktop/mozilla. It'll save all the extracted information in the /root/desktop/mozilla directory in JSON format.

To save the extracted information in plain text format, pipe the output to the tee command followed by a file name: dumpzilla /home/$USER/.mozilla/firefox/xxxx.default | tee /root/desktop/mozilla.txt.

Dumpzilla on Windows

Dumpzilla does not come pre-installed with Windows, for sure. You first need to have Python 3.x installed on your system if you haven’t already. Then, get the Python script from here. If you get a missing module error when running dumpzilla for the first time, first install the missing module with pip install and then move forward. The options available for Windows are almost the same as on Linux and, you guessed it, the profile location is different from Linux. Let's try to extract all the information from the browser.
Running the command: python dumpzilla.py C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default, we get all the information extracted from the browser. As in Linux, run dumpzilla C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default --Export to save all the extracted information in JSON format.

I hope this post was informative for you. Please leave a comment and share this post.

Originally published at https://www.infosecshirish.com on October 25, 2019.
