Mozilla Cache Parser (mcp)

Introduction

The Mozilla Cache Parser (mcp) targets the Mozilla Firefox cache and extracts useful information for the examiner. This tool is not unique, in that there are other Mozilla cache parsers available. This tool was primarily created based on a need to provide more insight into the association of the cache metadata and cache content data, especially when applied to the earlier versions of the Mozilla formats.

Background

As background, the Mozilla cache (like any other browser cache) is a repository for web data a user has viewed or downloaded. In general, the purpose of the cache is to store data locally so the browser has quick access for later requests to that same website. The cache includes website pages, files, and images that were viewed by a user. In addition to the raw data that was received from a web server, the Mozilla cache also contains useful metadata associated with each item. From the point of view of the forensic examiner the data is interesting, since it contains items such as: the URL of the webpage, number of times the page was fetched from the cache, filename/type/size, last modified time, last fetched time, server time, etc. A tool that can take advantage of this artifact data is necessary to gain insight into the user's activity.
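Added example, not part of mcp or the original page: a minimal Python reader for a single entry file in the newer cache2 format, showing where the metadata listed above sits relative to the cached content. The layout (big-endian fields, a trailing 4-byte content length, 2-byte hashes per 256 KiB chunk, the header field order) is assumed from Firefox's CacheFileMetadata source; `parse_cache2_entry`, `build_sample` and the sample entry are constructed for illustration, and the older cache formats are not handled.

```python
import struct
from datetime import datetime, timezone

CHUNK_SIZE = 256 * 1024  # assumed: content is hashed per 256 KiB chunk, 2 bytes each

def utc(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, timezone.utc).isoformat()

def parse_cache2_entry(blob: bytes) -> dict:
    """Split one cache2 entry file into its content and metadata fields."""
    if len(blob) < 4:
        raise ValueError("too short to be a cache2 entry")
    end = len(blob) - 4
    (meta_off,) = struct.unpack(">I", blob[end:])        # trailer = content length
    hdr = meta_off + 4 + 2 * -(-meta_off // CHUNK_SIZE)  # skip metadata hash + chunk hashes
    if hdr + 28 > end:
        raise ValueError("metadata offset points outside the file")
    ver, fetch_count, fetched, modified, _frecency, expires, key_len = struct.unpack(
        ">7I", blob[hdr:hdr + 28])
    key_off = hdr + 28 + (4 if ver >= 2 else 0)          # version 2+ adds a flags word
    key_end = key_off + key_len
    if key_end >= end:
        raise ValueError("key length runs past the metadata")
    # After the NUL-terminated key come NUL-terminated name/value pairs.
    parts = blob[key_end + 1:end].split(b"\0")
    pairs = zip(parts[0:-1:2], parts[1:-1:2])
    return {
        "version": ver,
        "key": blob[key_off:key_end].decode("utf-8", "replace"),  # tags + ':' + URL
        "fetch_count": fetch_count,
        "last_fetched": utc(fetched),
        "last_modified": utc(modified),
        "expires": utc(expires),
        "elements": {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs},
        "content": blob[:meta_off],
    }

def build_sample() -> bytes:
    """Constructed entry (not real evidence): 5 content bytes + version 2 metadata."""
    content, key, t = b"hello", b":http://example.test/a.png", 1593561600
    header = struct.pack(">8I", 2, 3, t, t - 60, 0, t + 3600, len(key), 0)
    hashes = b"\0" * 4 + b"\0" * 2   # metadata hash + one chunk hash, zeroed here
    elements = b"request-method\0GET\0"
    return content + hashes + header + key + b"\0" + elements + struct.pack(">I", len(content))

if __name__ == "__main__":
    for name, value in parse_cache2_entry(build_sample()).items():
        print(f"{name}: {value}")
```

The hashes are skipped rather than verified, so a result from this reader says nothing about whether the entry was altered or truncated after it was written.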

Mozilla artifacts are located in the user's directory. This varies depending on the operating system used. Below is a table that breaks out the location by OS.

Capabilities

The mcp tool is flexible in that it can target multiple subdirectories of different Mozilla Firefox accounts and automatically select the appropriate parsing engine, so it can handle (if required) various cache formats ranging from Firefox 3 to the current version (which at about the time of this posting was version 78). Normally a computer with multiple accounts will have the same cache format across the accounts. However, if your use case is to collect artifacts across multiple computers/accounts and store them in a single repository prior to parsing them, then the mcp tool can parse them all in one go.

To help keep the cache metadata (e.g. timestamps, URL, HTTP request/response, etc.) together with the actual cache content (e.g. data for the webpage that is displayed) as part of the archive, mcp has the option to combine the metadata results with the raw cache content data by taking advantage of SQLite to store the final results.

If you only want to extract the cache metadata with pointers to the cache content, you can use either of the text-delimited options, CSV or Log2Timeline.

Below is the menu with the various options. The details of the usage are discussed in the user's guide.

mcp menu options

Downloads

| | Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | Checksums |
|---|---|---|---|---|
| Windows: | mcp32.v.0.21.win.zip | mcp64.v.0.21.win.zip | mcp64a.v.0.21.win.zip | md5/sha1 |
| Linux: | mcp32.v.0.21.lin.tar.gz | mcp64.v.0.21.lin.tar.gz | mcp64a.v.0.21.lin.tar.gz | md5/sha1 |
| Mac OS X: | Not Available | mcp.v.0.21.dmg | mcp.v.0.21.dmg | md5/sha1 |
*32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.