Fix Firefox History Parsing and add name to Firefox Bookmarks

definitions/Firefox_Bookmarks.yaml

@@ -20,8 +20,9 @@ Globs:
   - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
 
 Sources:
-- Preamble: |
-    LET BookmarkTypes <= dict(`1`="URL", `2`="Folder", `3`="Separator")
+- name: Bookmarks
+  Preamble: |
+    LET BookmarkTypes <= dict(`1`='URL', `2`='Folder', `3`='Separator')
 
   VQL: |
     SELECT ID, ParentID,
@@ -68,39 +69,3 @@ Sources:
     INNER JOIN moz_anno_attributes ON moz_annos.anno_attribute_id = moz_anno_attributes.id
     WHERE moz_anno_attributes.name IN ('downloads/destinationFileURI','downloads/destinationFileName','downloads/metaData')
     ORDER BY moz_annos.dateAdded ASC
-
-- name: History
-  Preamble: |
-    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
-      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
-      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
-
-  VQL: |
-    SELECT VisitID, FromVisitID,
-       timestamp(epoch= last_visit_date) AS LastVisitDate,
-       VisitCount, URL, Title, Description,
-       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
-       Bool(Value=hidden) AS Hidden,
-       Bool(Value=typed) AS Typed,
-       Frecency, PreviewImageURL, OSPath
-    FROM Rows
-    WHERE LastVisitDate > DateAfter AND LastVisitDate < DateBefore
-      AND (Title, URL, Description) =~ FilterRegex
-
-  SQL: |
-    SELECT
-      moz_historyvisits.id AS VisitID,
-      moz_historyvisits.from_visit AS FromVisitID,
-      moz_places.last_visit_date,
-      moz_places.visit_count AS VisitCount,
-      moz_places.url AS URL,
-      moz_places.title AS Title,
-      moz_places.description AS Description,
-      moz_historyvisits.visit_type,
-      moz_places.hidden,
-      moz_places.typed,
-      moz_places.frecency AS Frecency,
-      moz_places.preview_image_url AS PreviewImageURL
-    FROM moz_places
-    INNER JOIN moz_historyvisits ON moz_places.origin_id = moz_historyvisits.id
-    ORDER BY moz_places.last_visit_date ASC

definitions/Firefox_History.yaml

@@ -0,0 +1,61 @@
+Name: Firefox Places History
+Author: Andrew Rathbun, Reece394
+Email: andrew.d.rathbun@gmail.com
+Reference: https://github.com/EricZimmerman/SQLECmd
+SQLiteIdentifyQuery: |
+  SELECT (
+  SELECT COUNT(*)
+  FROM sqlite_master
+  WHERE type='table'
+     AND (name='moz_historyvisits' OR name='moz_bookmarks'
+          OR name='moz_places' OR name='moz_inputhistory')) +
+  (SELECT CASE WHEN (SELECT COUNT(*) FROM pragma_table_info('moz_places') WHERE name IN ('description','preview_image_url')) > 1
+  THEN 1 ELSE 0 END) AS `Check`;
+SQLiteIdentifyValue: 5
+Categories:
+  - Firefox
+  - Browser
+
+FilenameRegex: "places.sqlite"
+Globs:
+  - "{{WindowsFirefoxProfiles}}/*/places.sqlite"
+  - "{{LinuxFirefoxProfiles}}/places.sqlite"
+  - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
+
+Sources:
+- Preamble: |
+    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
+      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
+      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
+
+  VQL: |
+    SELECT VisitID, FromVisitID,
+       timestamp(epoch= visit_date) AS VisitDate,
+       timestamp(epoch= last_visit_date) AS LastVisitDate,
+       VisitCount, URL, Title, Description,
+       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
+       Bool(Value=hidden) AS Hidden,
+       Bool(Value=typed) AS Typed,
+       Frecency, PreviewImageURL, OSPath
+    FROM Rows
+    WHERE VisitDate > DateAfter AND VisitDate < DateBefore
+      AND (Title, URL, Description) =~ FilterRegex
+
+  SQL: |
+    SELECT
+      moz_historyvisits.id AS VisitID,
+      moz_historyvisits.from_visit AS FromVisitID,
+      moz_historyvisits.visit_date,
+      moz_places.last_visit_date,
+      moz_places.visit_count AS VisitCount,
+      moz_places.url AS URL,
+      moz_places.title AS Title,
+      moz_places.description AS Description,
+      moz_historyvisits.visit_type,
+      moz_places.hidden,
+      moz_places.typed,
+      moz_places.frecency AS Frecency,
+      moz_places.preview_image_url AS PreviewImageURL
+    FROM moz_places
+    INNER JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
+    ORDER BY moz_historyvisits.visit_date ASC

definitions/Firefox_HistoryLegacy.yaml

@@ -0,0 +1,59 @@
+Name: Firefox Places History Legacy
+Author: Andrew Rathbun, Reece394
+Email: andrew.d.rathbun@gmail.com
+Reference: https://github.com/EricZimmerman/SQLECmd
+SQLiteIdentifyQuery: |
+  SELECT (
+  SELECT COUNT(*)
+  FROM sqlite_master
+  WHERE type='table'
+     AND (name='moz_historyvisits' OR name='moz_bookmarks'
+          OR name='moz_places' OR name='moz_inputhistory')) +
+  (SELECT CASE WHEN (SELECT COUNT(*) FROM pragma_table_info('moz_places') WHERE name IN ('description','preview_image_url')) > 1
+  THEN 0 ELSE 1 END) AS `Check`;
+SQLiteIdentifyValue: 5
+Categories:
+  - Firefox
+  - Browser
+
+FilenameRegex: "places.sqlite"
+Globs:
+  - "{{WindowsFirefoxProfiles}}/*/places.sqlite"
+  - "{{LinuxFirefoxProfiles}}/places.sqlite"
+  - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
+
+Sources:
+- Preamble: |
+    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
+      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
+      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
+
+  VQL: |
+    SELECT VisitID, FromVisitID,
+       timestamp(epoch= visit_date) AS VisitDate,
+       timestamp(epoch= last_visit_date) AS LastVisitDate,
+       VisitCount, URL, Title,
+       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
+       Bool(Value=hidden) AS Hidden,
+       Bool(Value=typed) AS Typed,
+       Frecency, OSPath
+    FROM Rows
+    WHERE VisitDate > DateAfter AND VisitDate < DateBefore
+      AND (Title, URL, Description) =~ FilterRegex
+
+  SQL: |
+    SELECT
+      moz_historyvisits.id AS VisitID,
+      moz_historyvisits.from_visit AS FromVisitID,
+      moz_historyvisits.visit_date,
+      moz_places.last_visit_date,
+      moz_places.visit_count AS VisitCount,
+      moz_places.url AS URL,
+      moz_places.title AS Title,
+      moz_historyvisits.visit_type,
+      moz_places.hidden,
+      moz_places.typed,
+      moz_places.frecency AS Frecency
+    FROM moz_places
+    INNER JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
+    ORDER BY moz_historyvisits.visit_date ASC

testing/fixtures/TestArtifact.golden

@@ -5,25 +5,25 @@
     "  \"LastVisitDate\": \"2020-06-27T09:29:54.51375Z\",",
     "  \"URL\": \"https://www.mozilla.org/privacy/firefox/\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2020-06-27T09:30:05.721357Z\",",
     "  \"URL\": \"http://github.com/seanbreckenridge/dotfiles\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2020-06-30T05:53:37.171Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/firefox/78.0a2/firstrun/\",",
     "  \"Description\": \"Firefox Developer Edition is the blazing fast browser that offers cutting edge developer tools and latest features like CSS Grid support and framework debugging\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2021-02-21T08:55:10.488Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/privacy/firefox/\",",
     "  \"Description\": \"\\n  Our Privacy Notices describe the data our products and services receive, share, and use, as well as choices available to you.\\n\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -33,7 +33,7 @@
     "  \"LastVisitDate\": \"2021-02-21T08:55:10.488Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/privacy/firefox/\",",
     "  \"Description\": \"\\n  Our Privacy Notices describe the data our products and services receive, share, and use, as well as choices available to you.\\n\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -43,7 +43,7 @@
     "  \"LastVisitDate\": \"2020-06-27T09:29:54.51375Z\",",
     "  \"URL\": \"https://www.mozilla.org/privacy/firefox/\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -53,7 +53,7 @@
     "  \"LastVisitDate\": \"2020-06-30T05:53:37.171Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/firefox/78.0a2/firstrun/\",",
     "  \"Description\": \"Firefox Developer Edition is the blazing fast browser that offers cutting edge developer tools and latest features like CSS Grid support and framework debugging\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ]