Treasure Hunting with FTK, EnCase, and SQLite Databases


The last tools we used to examine PirateBrowser, Mozilla 23, and Firefox Portable were EnCase and FTK. On each image we found SQLite databases containing lists of the websites visited, as well as the downloads saved by our team. We used a PDF from the SANS blog to locate these SQLite databases: https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. The most helpful section was “Browser Search Terms” under “Physical Location.”

In both Mozilla 23 and Firefox Portable, the “places.sqlite” database was located in the file path set out in the SANS Windows Artifact Analysis chart: “%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite.”

When we followed this file path on the PirateBrowser image in FTK, the places.sqlite database could not be found. In EnCase, the file could be seen but not opened, and once it was exported and opened, it did not turn up any information. After re-processing the image in EnCase, the places.sqlite database could no longer be found at all.

Based on our research, it appears that PirateBrowser has some way of hiding or removing its places.sqlite database, so that it cannot be found in the same location as the Mozilla 23, Firefox Portable, or Internet Explorer data. Although a full list of PirateBrowser’s artifacts cannot be obtained from FTK or EnCase, remnants of information can be seen using Bulk Extractor and Internet Evidence Finder.
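The following script is an added example, not code from the original post or from any of the tools it names. It expands the SANS poster path quoted above into a glob, opens every places.sqlite it finds read-only (so an exported evidence copy is never modified), and lists the recorded visits by joining the moz_places and moz_historyvisits tables of the Firefox places schema. The two profile databases it builds are constructed for the demo: one holds made-up visits, the other has the schema but no rows, which is the “file is there but turns up no information” situation described for the PirateBrowser image. The profile folder names, URLs, and timestamps are all assumptions.

```python
"""Locate Firefox-family places.sqlite databases under a user profile and
list the visited URLs they record.

Added example, not code from the original post or its tools. Assumes the
SANS poster path quoted in the post and the moz_places / moz_historyvisits
tables of the Firefox places schema; all sample data below is constructed."""
import glob
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def find_places_databases(userprofile):
    """Expand %userprofile%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\<random>.default\\places.sqlite."""
    pattern = os.path.join(userprofile, "AppData", "Roaming", "Mozilla",
                           "Firefox", "Profiles", "*.default", "places.sqlite")
    return sorted(glob.glob(pattern))


def prtime_to_utc(prtime):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def extract_history(db_path):
    """Return visits as dicts, oldest first. The database is opened read-only
    so the exported evidence file is never written to."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT p.url, p.title, v.visit_date, p.visit_count "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "ORDER BY v.visit_date"
        ).fetchall()
    finally:
        conn.close()
    return [{"url": url, "title": title, "visit_count": count,
             "visited_utc": prtime_to_utc(visit_date).isoformat()}
            for url, title, visit_date, count in rows]


# Subset of the Firefox places schema sufficient for the history query above.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR,
  title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0,
  hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL,
  frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER, guid TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
  place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER);
"""

# Constructed sample visits: 2013-08-19 12:00:00 UTC is PRTime 1376913600000000.
T0 = 1_376_913_600_000_000
SAMPLE_PLACES = [(1, "http://example.com/", "Example Domain", 2, T0 + 600_000_000),
                 (2, "http://example.org/downloads", "Downloads", 1, T0 + 60_000_000)]
SAMPLE_VISITS = [(1, 0, 1, T0, 1, 1),
                 (2, 1, 2, T0 + 60_000_000, 1, 1),
                 (3, 0, 1, T0 + 600_000_000, 2, 2)]


def build_sample_profile(userprofile, profile_name, populate):
    """Create <profile>/places.sqlite; with populate=False the file exists but
    holds only the schema, like the PirateBrowser copy described in the post."""
    profile = os.path.join(userprofile, "AppData", "Roaming", "Mozilla",
                           "Firefox", "Profiles", profile_name)
    os.makedirs(profile)
    db_path = os.path.join(profile, "places.sqlite")
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    if populate:
        conn.executemany("INSERT INTO moz_places (id, url, title, visit_count, "
                         "last_visit_date) VALUES (?,?,?,?,?)", SAMPLE_PLACES)
        conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?,?)",
                         SAMPLE_VISITS)
    conn.commit()
    conn.close()
    return db_path


def survey(userprofile):
    """Map every places.sqlite found under the profile to its visit list."""
    return {path: extract_history(path) for path in find_places_databases(userprofile)}


def demo():
    """Build two constructed profiles (one populated, one empty) and survey them."""
    userprofile = tempfile.mkdtemp(prefix="userprofile_")
    build_sample_profile(userprofile, "a1b2c3d4.default", populate=True)
    build_sample_profile(userprofile, "x9y8z7w6.default", populate=False)
    results = survey(userprofile)
    for path, visits in results.items():
        print(path, "->", len(visits), "visit(s)")
        for v in visits:
            print("  ", v["visited_utc"], v["url"], v["title"])
    return results


if __name__ == "__main__":
    demo()
```

Run the script as-is to see both outcomes side by side: the populated profile yields three time-ordered visits, while the empty profile is found on disk but reports zero visits, the same result the exported PirateBrowser file gave. Pointing `survey()` at a mounted or exported user profile folder instead of the temporary one applies the same query to real data; the read-only URI keeps the evidence copy unchanged.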

-Olivia Hatalsky
