A tool for extracting, analysing, attacking, and dumping Firefox browser artifacts on Linux platforms for forensic purposes.
FoxHunter extracts and dumps:
- Addons
- Bookmarks (Active & Deleted)
- Browsing History
- Browsing History Searches
- Certificates (x509)
- Cookies
- Downloads
- Extensions
- Form History
- Saved Logins (Encrypted)
FoxHunter allows users to decrypt extracted logins through:
- Anonymous Authentication (Blank Password)
- Password Authentication (Known Factor)
- Brute Force Authentication (Wordlist/Dictionary Attack)
Finally, FoxHunter performs analysis on gathered artifacts:
- Identifies addons not installed through Mozilla store.
- Identifies addons with low download rates and/or ratings.
- Identifies out-of-date addons - potential security risks.
- Identifies extensions with interesting/abnormal permissions.
- Identifies certificates from relatively unknown issuers.
- Identifies certificates with weak/unrecommended encryption standards.
- Identifies deleted bookmarks.
- Identifies possible malware downloads by file name.
- Identifies common file download websites.
- Categorises downloads by file type.
- Produces graphs of user downloads over extended periods of time.
- Identifies interesting form history fields containing PII.
- Identifies commonly used form fields.
- Identifies commonly used login usernames and passwords.
- Identifies potential patterns within usernames or passwords.
- Identifies cookies with interesting values (Base64, Hex, GA Cookies).
- Identifies the most common browsing history searches.
- Identifies common browsing history searches.
- Identifies commonly used search engines.
- Identifies commonly used social media sites.
- Identifies times of the day when the user is most active.
- Identifies days of the week when the user is most active.
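An added sketch of the cookie-value triage named in the list above (Base64, Hex, GA cookies). It is not FoxHunter's own code; the regexes, length thresholds and function names are assumptions, and the sample rows are constructed.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# "_ga" value layout: GA1.<n>.<random>.<epoch seconds when the cookie was first set>
GA_RE = re.compile(r"^GA1\.\d+\.(\d+)\.(\d{10})$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")      # at least 8 bytes of hex
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")  # standard or URL-safe alphabet

def _text(data: bytes):
    """Return the bytes as a string if they are printable ASCII, else None."""
    return data.decode("ascii") if data and all(32 <= b < 127 for b in data) else None

def classify_cookie(name: str, value: str) -> dict:
    """Label a cookie value as ga, hex, base64 or plain, decoding where possible."""
    m = GA_RE.match(value) if name == "_ga" else None
    if m:
        seen = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
        return {"kind": "ga", "client_id": f"{m.group(1)}.{m.group(2)}",
                "first_seen": seen.isoformat()}
    # Hex is tested first: every hex string also fits the Base64 alphabet.
    if HEX_RE.match(value):
        return {"kind": "hex", "decoded": _text(bytes.fromhex(value))}
    if B64_RE.match(value):
        std = value.rstrip("=").replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)
        try:
            decoded = _text(base64.b64decode(std, validate=True))
        except (binascii.Error, ValueError):
            decoded = None
        # Report Base64 only when it decodes to readable text, so random
        # session tokens that merely fit the alphabet stay "plain".
        if decoded is not None:
            return {"kind": "base64", "decoded": decoded}
    return {"kind": "plain"}

# Constructed sample rows (name, value); not taken from a real profile.
SAMPLE = [
    ("_ga", "GA1.2.1234567890.1609459200"),
    ("prefs", "dXNlcj1hbGljZTtyb2xlPWFkbWlu"),
    ("sid", "73657373696f6e3d3432"),
    ("theme", "dark"),
]

if __name__ == "__main__":
    for name, value in SAMPLE:
        print(f"{name:6} {classify_cookie(name, value)}")
```

The `first_seen` field recovered from a `_ga` cookie is reported in UTC, which gives an examiner a lower bound on when the profile first visited that site.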
First, install Python 3 and Pip.
sudo apt-get update
sudo apt-get install python3.10
sudo apt-get install python3-pip
Install the required dependencies for FoxHunter using pip.
pip install -r requirements.txt
To verify that dependencies have been installed correctly, run FoxHunter.
python3 foxhunter.py -h
By default, FoxHunter extracts artifacts from a profile, and displays statistics about gathered artifacts on the terminal.
- A specific Firefox profile can be specified with the -p argument. If this argument is not supplied, FoxHunter will attempt to search the system for Firefox profiles, and let the user choose.
- To dump gathered artifacts out, use any of the -oC, -oJ or -oX arguments to dump in CSV, JSON and XML formats respectively.
- To perform additional analysis of artifacts, specify the -A argument. This requires an Internet connection.
$ python3 foxhunter.py -h
usage: foxhunter.py [-h] [-q] [-p PROFILE] [-oC OUTPUT_DIR] [-oJ OUTPUT_DIR] [-oX OUTPUT_DIR] [-A]
options:
-h, --help show this help message and exit
-q, --quiet don't display debug messages
-p PROFILE, --profile PROFILE directory of firefox profile to seek artifacts
-oC OUTPUT_DIR, --output-csv OUTPUT_DIR directory to dump artifacts in CSV format
-oJ OUTPUT_DIR, --output-json OUTPUT_DIR directory to dump artifacts in JSON format
-oX OUTPUT_DIR, --output-xml OUTPUT_DIR directory to dump artifacts in XML format
-A, --analyse analyse gathered artifacts
FoxHunter is tested using the bash-tap testing framework.
To run all tests, execute ./test. In order for a test to be picked up by this program, it must have:
- An extension of .t.
- Executable permissions. (chmod +x test.t)
To verify the program is working as intended, a set of pregenerated testing profiles is used. These can be found at testing/data/profile-no-password and testing/data/profile-password.
Saved login data for the former profile is unlocked. Saved login data for the latter is protected using the master password in testing/data/master-password, which can also be obtained using the getPassword function within tests.
NOTE: Testing is done on GitHub runners with a UTC timezone. If you attempt to test on a machine that is not running on UTC time, tests may fail.
FoxHunter is free and open-source software licensed under the MIT License.