Mozilla SQLite Parser (msp)


The Mozilla Firefox Browser has many artifacts available that the forensics examiner can use in identifying a user's Internet activity. This includes Firefox's various databases, local storage, JSON formatted text files and cache.

This tool only focuses on certain SQLite databases and specific tables within those databases that are used by the browser that have been deemed useful by the forensics community. Specifically, this tool currently targets the following five databases: (a) places.sqlite, (b) cookies.sqlite, (c) downloads.sqlite, (d) favicons.sqlite, and (e) formhistory.sqlite. Each of these databases are discussed briefly in the user's guide.

Mozilla Firefox SQLite database artifacts are located in the user's directory. This varies depending on the operating system used. Below is a table that breaks out the location by operating system.


When looking across the various versions of the Firefox Browser over time, the schemas of the databases have changed. One can think of the database schema as the roadmap that defines the fields and the type of data in each field that comprise a record in the table (where one or more tables reside in a database). The change in schemas across different versions is something that needed to be taken into account when designing the msp tool. The design that was used was similar to that used on past SQLite parsers developed by TZWorks, in that, the tool can dynamically detect and adjust to varying schemas as they are encountered during the parsing operation.

In addition to the auto-schema detection, the msp tool allows the user to parse a target database in three ways. (1) The first way makes use of the standard SQL (Structure Query Language) to parse the records. The SQL syntax is internal to the tool, so the user is not required to have any knowledge about SQL or its syntax. For this option to be available, the SQLite library was statically linked into the tool, which eliminates the need for a SQLite dynamic library to be present to run the tool. (2) The second approach allows the user to instruct the tool to parse each record by traversing the internal SQLite structures as they are encountered. This option does not use any part of the standard SQLite library, but utilizes the TZWorks' internally designed libraries. The benefit of 'rolling your own' library is multi-faceted; not only does it allow the tool to extract records from a corrupted database, but one can annotate the exact offset of the data where it was found. This enables one to easily validate it later with a hex-editor. (3) The third, and final approach, uses a signature-based parse. While this option is more limited in merging records from one table to another, this turns out to be a unique way in parsing a blob of data whether it be from memory or from a fragment of a database. All three approaches are designed into the tool for the analyst to use.

Options Available

Below is the menu with the various options.

msp menu options

More details of the tool and usage are discussed in the user's guide.


Intel 32-bit VersionIntel 64-bit VersionARM 64-bit Version
Mac OS X:Not Availablemsp.v.0.18.dmgmsp.v.0.18.dmgmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.