################################################################## [ Index ]

###################################################################

1.- Introduction.
2.- Dependencies installation and Microsoft Windows use tips.
3.- Sintax.
4.- Options.
5.- Examples of use.

############################################################### [ Introduction ]
################################################################

Dumpzilla application is developed in Python 3.x and has as purpose extract all
forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be
analyzed. Due to its Python 3.x developement, might not work properly in old Python
versions, mainly with certain characters. Works under Unix and Windows 32/64 bits
systems. Works in command line interface, so information dumps could be redirected
by pipes with tools such as grep, awk, cut, sed... Dumpzilla allows to visualize
following sections, search customization and extract certain content.

- Cookies + DOM Storage (HTML 5).

- User preferences (Domain permissions, Proxy settings...).
- Downloads.
- Web forms (Searches, emails, comments..).
- Historial.
- Bookmarks.
- Cache HTML5 Visualization / Extraction (Offline cache).
- visited sites "thumbnails" Visualization / Extraction .
- Addons / Extensions and used paths or urls.
- Browser saved passwords.
- SSL Certificates added as a exception.
- Session data (Webs, reference URLs and text used in forms).
- Visualize live user surfing, Url used in each tab / window and use of forms.

Dumpzilla will show SHA256 hash of each file to extract the information and finally
a summary with totals.
Sections which date filter is not possible: DOM Storage, Permissions / Preferences,
Addons, Extensions, Passwords/Exceptions, Thumbnails and Session

To use a cache data extraction application (for example MozCache) is recommend to

complete the browser forensic analysis.
MozCache: : http://mozcache.sourceforge.net/

####################################################### [ Tips and install

dependencies ] #######################################################

Dependencies:
============

- Python 3.x (GNU/Linux Repositories or http://www.python.org/download/)

- Unix Systems with UTF-8 locale / Windows Systems
- Python Magic Module: https://github.com/ahupp/python-magic

Install Magic Module in Windows:

===============================
1.- Install Magic Module: https://github.com/ahupp/python-magic (python setup.py
install)
2.- Get the GnuWin32 File utility (Binaries and Dependencies):
http://gnuwin32.sourceforge.net/packages/file.htm
3.- Place magic1.dll from the Binaries package into your C:\windows\system32
directory.
4.- Put "magic" from the Binaries package into your C:\windows\system32 directory.
5.- Place zlib1.dll and regex2.dll from the Dependencies package into your system32
directory.

Windows Console Tips:

====================

In Windows command line:

set PYTHONIOENCODING=UTF-8

Why? http://wiki.python.org/moin/PrintFails#Windows

Ok, but I still see strange characters in the console !!

Solution 1: Redirect output to a file (>)

Solution 2: Unix is Sexy

Install Magic Module in Unix:

============================

Download Magic Module: https://github.com/ahupp/python-magic

$ cd python-magic-master/
# python setup.py install

################################################################# [ Sintax ]
##################################################################

Dumpzilla command line:

======================

Locate the profile browser directory which will for audit:

- Windows: 'C:\Documents and Settings\xx\Application

Data\Mozilla\Firefox\Profiles\xxxx.default'
- Unix: '$HOME/.mozilla/firefox/xxxx.default/'

Sintax: python dumpzilla.py browser_profile_directory [Options]

Options:

--All (Show everything but the DOM data. Doesn't extract thumbnails or HTML 5
offline)
--Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access
<date> -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create
<start> <end>]
--Permissions [-host <string>]
--Downloads [-range <start> <end>]
--Forms [-value <string> -range_forms <start> <end>]
--History [-url <string> -title <string> -date <date> -range_history <start> <end>
-frequency]
--Bookmarks [-range_bookmarks <start> <end>]
--Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
--Thumbnails [-extract_thumb <directory>]
--Range <start date> <end date>
--Addons
--Passwords (Decode only in Unix)
--Certoverride
--Session
--Watch [-text <string>] (Only Unix: Show in daemon mode the URLs and text form in
real time. -text' Option allow filter, support all grep Wildcards. Exit: Ctrl +
C).

Wildcards: '%' Any string of any length (Including zero length)

'_' Single character
'\' Escape character

Date syntax: YYYY-MM-DD HH:MM:SS

################################################################# [ Options ]
##################################################################

--All Show all except DOM data and do not extract

content (thumbnails or HTML5 offline cache)

--Cookies Show cookies and DOM storage if is specified.

-showdom Show DOM stored data and cookies.

-domain <string> Filter by domain name (Wildcards support).
-name <string> Filter by cookie name (Wildcards support).
-hostcookie <string> Filter by Vhost (Wildcards support).
-access <date> Filter by access date (Wildcards support).
-create <date> Filter by creation date (Wildcards support).
-secure <0/1> Filter by cookies with secure flag secure enabled
0:Yes / 1:No.
-httponly <0/1> Filter by HttpOnly type 1:Yes / 0:No.
-range_last <start> <end> Filter last access date by range (YYYY-MM-DD
HH:MM:SS).
-range_create <start> <end> Filter data creation date by range (YYYY-MM-DD
HH:MM:SS).

--Permissions Show user preferences and permissions set on

certain webs.

-host <string> Filter by domain (Wildcards support).

--Downloads Show the downloads, also history stored, and list

directories download.

-range <start> <end> Filter by download initialization dates (YYYY-MM-

DD HH:MM:SS).

--Forms Show used forms data and written text in them

(Email, comments, searches,...).

-value <string> Filter written text in a form (Wildcards

support).
-range_forms <start> <end> Filter form used date by range (YYYY-MM-DD
HH:MM:SS).

--History Show visualized webs.

-url <string> Filter by URL (Wildcards support).

-title <title> Filter by web "title" (Wildcards support).
-date <date> Filter by access date (Wildcards support).
-range_history <start> <end> Filter visualization date by range (YYYY-MM-DD
HH:MM:SS).
-frequency Show most visited sites first.

--Bookmarks Show stored sites in bookmarks.

-range_bookmarks <start> <end> Filter last update / installation by date range

(YYYY-MM-DD HH:MM:SS).

--Cacheoffline Show which domains store offline data (html5) and

allow extract their data.

-range_cacheoff <start> <end> Filter stored date by range (YYYY-MM-DD

HH:MM:SS).
-extract <directory> Extract offline cache content to specified
directory.

--Thumbnails Extract browser start or new tab/window

thumbnails.

-extract_thumb <directory> Extract thumbnails pictures (If exist) to

specified directory.

--Range <start> <end> Filter Cookies, Downloads, Forms, history,

Bookmarks and offline Cache date by range (YYYY-MM-DD HH:MM:SS).
Do not filter: DOM Storage, Permissions / Preferences,
Addons, Extensions, Passwords/Exceptions, Thumbnails and Session.

--Addons Show browser used Addons / Extensions and paths /

URLs.

--Passwords Show stored users and passwords, and decode it

(if master key was not used).(Python 2.x)

--Certoverride Show added SSL certificates.

--Session Show last and next-to-last session data. Last

Webs and used forms.

--Watch Show in daemon mode the URLs and text form in

real time. To finish: Ctrl + C
Edit line 18 with Python3.x path on
"python3_path". Example: python3_path = /usr/bin/python3.3

-text <string> Filter by text strings, (grep Wildcards support).

Example: --Watch -text "yahoo\|live\|gmail"
############################################################# [ Examples of use ]
###############################################################

=====================================
Cookies with Wildcards and data range:
=====================================

These commands have the same output:

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35 -name GAPS

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 02:35:1% -name _AP%
$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -create 2013-0_-04 %:35:1%
-name %A__ -hostcookie www.google.com

Domain: google.com
Host: www.google.com
Name: GAPS
Value: 1:IvFZXoV-6ihRuP658dfr7FjLQcnrhw:0X5FWx6hkt0Fp77C
Path: /accounts
Expiry: 2015-03-04 02:35:14
Last acess: 2013-03-04 02:35:14
Creation Time: 2013-03-04 02:35:14
Secure: 0
HttpOnly: 1

This command print domains and their DOM data with accessed cookies between two
given dates.

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -domain google% -range_last

"2013-03-04 01:28:09" "2013-03-04 01:28:51" -secure 0 -httponly 0 -showdom

Domain: google.de
Host: .google.de
Name: PREF
Value:
ID=e59d6b724e975713:U=ed7938110e81ef61:FF=0:LD=en:TM=1361492092:LM=1361492092:S=XE3
J6pRySWKjnNuT
Path: /
Expiry: 2015-02-22 01:14:52
Last acess: 2013-03-04 01:28:11
Creation Time: 2013-02-22 01:14:52
Secure: 0
HttpOnly: 0

Domain: secure.shared.live.com
DOM data: 1361915953829

==================================
Use of escape characters to filter:
==================================

Not using escape characters:

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "_ag%"

 Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0

Domain: objectmix.com
Host: .objectmix.com
Name: Xagads
Value: 0
Path: /
Expiry: 2014-02-22 01:15:01
Last acess: 2013-03-04 14:44:55
Creation Time: 2013-03-04 14:44:55
Secure: 0
HttpOnly: 0

Using escape characters (two ways, same output)

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name "\_ag%"

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -name \\_ag%

Domain: objectmix.com
Host: .objectmix.com
Name: _agads
Value: ID=9cd33476f2c9ad11:T=1361492099:S=ALNI_MaEx-Nl-AeR5nAgJq8o_Hz44yDfow
Path: /
Expiry: 2015-02-22 01:14:59
Last acess: 2013-03-04 14:44:13
Creation Time: 2013-03-04 14:44:13
Secure: 0
HttpOnly: 0

==================================================================
Audit real time surfing filtering Yahoo, hotmail and Gmail content:
==================================================================

Remember that "-text" option of "--Watch" can use grep wildcards. This command
prints all the windows / tabs that contain "-text".

$ python3.2 dumpzilla.py .mozilla/firefox/yle8qt6e.default --Watch -text "yahoo\|

live\|gmail"

Title: Redactar - luser1985@gmail.com - Gmail

URL: https://mail.google.com/mail/?shva=1#drafts/13d4aa3d5e74265e

Title: (29 no leídos) - Karl Müller - Yahoo! Mail

URL: http://es-mg42.mail.yahoo.com/neo/launch?.rand=4vhbkln5s409p#mail
 Title: Yahoo! - 404 Not Found
URL: http://es-mg42.mail.yahoo.com/app/minty/options/general
Form: {'s1p': 'Big Butt'}

Title: A password is not enough

URL: https://account.live.com/Proofs/Manage?
ru=https://login.live.com/login.srf%3flc%3d3082%26sf%3d1%26id%36%26cbcxt%3dmai
%2mspp_shared%3d1%26seclog%3d0%26wa%3dwsignin1.0%26wp%6ru
%3dhttp://mail.live.com/default.aspx&mkt=ES-ES&uiflavor=web&id=6455&lqsp=ntprob%3d-
1&mpcxt=AFP&oru=http://mail.live.com/default.aspx&lmif=100
Form: {'Question': {'selectedIndex': 0, 'value': '0'}, 'DisplayPhoneNumber':
'650457892', 'EmailAddress': 'recovery@hotmail.com', 'DisplayPhoneCountryISO':
{'selectedIndex': 60, 'value': 'ES'}}

=========================
Combining mutiple options:
=========================

$ python3.2 dumpzilla.py .yle8qt6e.default --Cookies -access "16:32:18"

--Permissions -host addons.cdn.mozilla.net --History -date "14:27:32"

Execution time: 2013-03-05 18:55:23.691384

Mozilla Profile: .mozilla/firefox/yle8qt6e.default

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Cookies [SHA256 hash:
d05199c0ff5db35bedb47e536076d0aeda108940edb47e536076d0aeda108940]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Domain: filldisk.com
Host: .filldisk.com
Name: __utmz
Value: 30275752.1362488826.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Path: /
Expiry: 2013-09-04 05:32:18
Last acess: 2013-03-05 16:32:18
Creation Time: 2013-03-05 14:07:05
Secure: 0
HttpOnly: 0

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
DOM Storage [SHA256 hash:
d2edb47e536076d0aeda1089408004d7a11e361a45c660dd507d2aed2b10061b]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Domain: secure.shared.live.com
Domain: 2.filldisk.com
Domain: 1.filldisk.com
Domain: secure.shared.live.com

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Permissions [SHA256 hash:
1448abfa05363d0b68bcaeb75bb1bbf2bf873edb47e536076d0aeda10894019c]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Host: addons.cdn.mozilla.net
Type: sts/subd
Permission: 2
ExpiteType: 0
ExpiteTime: 1970-01-01 01:00:00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Preferences [SHA256 hash:
eedb47e536076d0aeda108940371076d8be30ae13751ddd3e42e793cda78a4fd]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Browser cache disk capacity: 228352

Download directory: /home/jasmin/Descargas

Last Download directory: /home/jasmin/Escritorio

Browser Version: 19.0

URL proxy autoconfig: http://caca.com/

FTP backup proxy: 127.0.0.1

FTP backup proxy port: 4001
Socks backup proxy: 127.0.0.1
Socks backup proxy port: 4001
SSL backup proxy: 127.0.0.1
SSL backup proxy port: 4001
FTP proxy: 127.0.0.1
FTP proxy port: 4001
Http proxy: 127.0.0.1
Http proxy port: 4001
Share proxy settings: true
Socks proxy: 127.0.0.1
Socks proxy port: 4001
SSL proxy port: 4001
Type Proxy: 1 (0: No proxy | 4: Auto detect settings | 1: Manual
configuration | 2: URL autoconfig)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
History [SHA256 hash:
edb47e536076d0aeda108940f9cabf311389c5b79810a2ac7369bc797307a80e]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Last visit: 2013-03-05 14:27:32

Title: ‫ لوحة المفاتيح‬SwiftKey X ‫للندرويد وتدعم العربية‬
URL: http://www.vip4soft.com/%D9%84%D9%88%D8%AD%D8%A9-
%D8%A7%D9%84%D9%85%D9%81%D8%A7%D8%AA%D9%8A%D8%AD-swiftkey-x-
%D9%84%D9%84%D8%A3%D9%86%D8%AF%D8%B1%D9%88%D9%8A%D8%AF-%D9%88%D8%AA%D8%AF
%D8%B9%D9%85-%D8%A7%D9%84%D8%B9%D8%B1.html
Frequency: 1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Total information
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Total Cookies: 3
Total DOM Data: 14
WARNING: For show the DOM storage data , use the option -showdom
Total Permissions: 2
Total urls in History: 1

================================
Get the Passwords (NO python3.x):
================================

Show configured webs in order to not save credentials, encoded credentials and
their decoded. (Only executing dumpzilla under 2.x brach)

$ python2.7 dumpzilla.py .mozilla/firefox/yle8qt6e.default --Passwords

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++
Exceptions/Passwords [SHA256 hash:
15ba116a979ba4edb47e536076d0aeda1089401cce582b2d78c2fa5fb24a570c]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++

Exception Web: https://www.facebook.com

Exception Web: http://www.gmx.net
Exception Web: https://login.yahoo.com
Exception Web: https://accounts.google.com

Web: http://www.shodanhq.com
User field: username
Password field: password
User login (crypted):
MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECE5kYU15qEEzBBA0nPH2m3bNM3wVEziqY02u
Password login (crypted):
MEoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECE+XsaqLhIfIBCBoHtRGHjQ/Vq3FbPZgq2sGDL/
YT9P5PHiUZ0QW6vktew==
Encripton type: 1
Created: 2013-03-05 13:19:22
Last used: 2013-03-05 13:19:22
Change: 2013-03-05 13:19:22
Frequency: 21

Web: https://www.facebook.com
User field: email
Password field: pass
User login (crypted):
MEoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECIkQJPfZJbL/BCB/lc86x0KEyhw8NBwR/dhJGdX
uV0QDCcLqaFg/rVayBw==
Password login (crypted):
MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNHMNFUnu2I+BAiA6BBtclMuFQ==
Encripton type: 1
Created: 2013-03-05 13:21:07
Last used: 2013-03-05 13:21:07
Change: 2013-03-05 13:21:07
 Frequency: 9

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++
Decode Passwords
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++

Web: http://www.shodanhq.com:
Username: Bladimir
Passsword: Вакансиидерьмо

Web: https://www.facebook.com:
Username: justinbieber@hotmail.com
Passsword: 12345

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
Total information
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++

Total passwords: 2
Total passwords decode: 2

========================
Dumpzilla with grep pipe:
========================

Show installed extensions and paths in C:\ (Windows) used by their.

$ python3.2 dumpzilla.py .yle8qt6e.default --Addons | grep -A 1 -B 1 -i "C:"

Type: theme
Descriptor: C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-
a285-3208198ce6fd}
Version: 19.0
--
Type: extension
Descriptor: C:\Documents and Settings\jasminpc\Application
Data\Mozilla\Firefox\Profiles\5s28qo2r.default\extensions\exif_viewer@mozilla.dosla
sh.org.xpi
Version: 2.00
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH:
C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\beach.jpg"
--
APP: chrome://exif/content/exif.xul#history-loc-1
URL/PATH:
C:\DocumentsandSettings\AllUsers\Documents\Porn\Sandra_2011\ricorico.jpg"

################################################################# [ CopyLeft ]
##################################################################

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it. There is NO
WARRANTY, to the extent permitted by law.