volatilityfoundation / community

Volatility plugins developed and maintained by the community

How to get needles #30

Open zachturing opened 5 years ago

zachturing commented 5 years ago

In file community/DatQuoc/LinuxFirefox.py:

```python
import volatility.utils as utils
import volatility.plugins.linux.common as linux_common


class Linux_FFHis(linux_common.AbstractLinuxCommand):
    """Listing History of FireFox Browser"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

    def calculate(self):
        # scan the physical address space rather than a process view
        address_space = utils.load_as(self._config, astype='physical')
        row_avaiable = []
        # byte patterns searched for in memory
        needles = ['\x06\x25\x08', '\x06\x25\x09',
                   '\x00\x25\x08', '\x00\x25\x09']
```

In the code above, I have two questions. (1) How is the value of the variable needles obtained? (2) Does this string (needles) appear in memory when viewing Firefox history?

datquoc93 commented 5 years ago

You need to read about SQLite structure, varints & serial type codes.

It's the end of the places.sqlite header:

```text
Payload Header Length (Varint)
Serial Type Code of ID
Serial Type Code of URL
Serial Type Code of Title
Serial Type Code of Rev_host
Serial Type Code of Visit_count
Serial Type Code of Hidden
Serial Type Code of Typed
Serial Type Code of Favicon_id
Serial Type Code of Frecency
\x06 or \x00 : Serial Type Code of Last_visit_date
\x25 : Serial Type Code of Guid
\x08 or \x09 : Serial Type Code of Foreign_count
*** : PAYLOAD
```

https://www.sqlite.org/fileformat.html -> reading section 2.1, Record Format, can help you understand.
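As an added illustration (not the plugin's own code) of why those three bytes sit next to each other: a record header is a varint header length followed by one serial-type varint per column, so the types of the last three columns in the list above (last_visit_date, guid, foreign_count) are adjacent bytes. The column order is assumed to match the list above and the sample row is constructed, not taken from a real profile.

```python
COLUMNS = ["id", "url", "title", "rev_host", "visit_count", "hidden", "typed",
           "favicon_id", "frecency", "last_visit_date", "guid", "foreign_count"]  # moz_places order as listed above (assumed)

def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte, up to 9 bytes (the 9th holds 8 bits)."""
    value = 0
    for i in range(9):
        b = buf[pos + i]
        value = (value << 8) | b if i == 8 else (value << 7) | (b & 0x7F)
        if i == 8 or not b & 0x80:
            return value, pos + i + 1

def serial_type_size(st):
    """Payload bytes per serial type (fileformat.html 2.1); float (7) and reserved 10/11 raise."""
    if st < 12:
        return {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 8: 0, 9: 0}[st]
    return (st - 12) // 2  # even = BLOB, odd = TEXT; (N-13)//2 == (N-12)//2

def parse_record_header(buf):  # -> (header length, list of serial types)
    header_len, pos = read_varint(buf, 0)
    types = []
    while pos < header_len:
        st, pos = read_varint(buf, pos)
        types.append(st)
    return header_len, types

def decode_record(buf):
    """Walk the payload using the sizes the header implies; returns a column dict."""
    header_len, types = parse_record_header(buf)
    pos, row = header_len, {}
    for name, st in zip(COLUMNS, types):
        chunk = buf[pos:pos + serial_type_size(st)]
        if st == 0:
            row[name] = None
        elif st <= 9:                 # 1..6: big-endian ints; 8, 9: constants 0 and 1
            row[name] = st - 8 if st >= 8 else int.from_bytes(chunk, "big", signed=True)
        else:
            row[name] = chunk.decode("utf-8") if st % 2 else chunk  # odd = TEXT, even = BLOB
        pos += len(chunk)
    return row

def sample_record():
    """Constructed moz_places row (not real data) with the serial types Firefox uses."""
    url, title = b"https://www.sqlite.org/fileformat.html", b"SQLite file format"
    host, guid, ts = b"gro.etilqs.www.", b"aB3dE5fG7hI9", 1543322461123456
    header = bytes([13, 0, 13 + 2 * len(url), 13 + 2 * len(title), 13 + 2 * len(host),
                    1, 8, 8, 0, 2, 6, 37, 8])   # ends in \x06 \x25 \x08: the plugin's needle
    body = url + title + host + bytes([3]) + (2075).to_bytes(2, "big") + ts.to_bytes(8, "big") + guid
    return header + body
```

A 12-character guid is TEXT of length 12, hence serial type 13 + 2*12 = 37 = 0x25, and a foreign_count of 0 or 1 is stored as the constant types 8 or 9, which is why the needle's last byte varies.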