firefox-downloads
Parses Firefox browser's places.sqlite database file and retrieves file download history. Extracts the local path of the downloaded file, file size, and download start and end times from the download annotation table, and combines them with download URLs retrieved from the places table.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR- Path to the ZIP file containing the
places.sqlitefile. Use this to query SQLite files directly inside a ZIP archive. zipcharset=STR- Character set for ZIP file entries (default:
utf-8)
Target
FILE_PATH- Path to the Firefox
places.sqlitefile to query. You can use a wildcard (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
_time | timestamp | Download start time. Assigned the same value as start_time. |
start_time | timestamp | Download start time |
end_time | timestamp | Download end time. Assigned only when the download succeeded. |
file_path | string | Local path of the downloaded file |
file_size | long | Size of the downloaded file (bytes). Assigned only when the download succeeded. |
url | string | Original download URL |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing |
|---|---|---|---|
| - | cannot load firefox places database: PATH | Unable to read the Firefox places database | Stops query execution |
Description
The firefox-downloads command parses the places.sqlite file where Firefox stores its download history. Internally, it queries three tables: moz_anno_attributes, moz_annos, and moz_places to build download information.
The download destination file path is extracted from the moz_annos table using the downloads/destinationFileURI attribute, and the download status, file size, and end time are extracted from the downloads/metaData attribute. The file_size and end_time fields are only assigned when the download status is successful (state=1).
Timestamps are converted from UNIX timestamps in microseconds to milliseconds and assigned as dates.
Examples
-
Retrieve Firefox download history
firefox-downloads /opt/logpresso/evidence/places.sqliteRetrieves all download history from the
places.sqlitefile at the specified path. -
Query multiple files using a wildcard
firefox-downloads /opt/logpresso/evidence/*/places.sqliteRetrieves download history from all
places.sqlitefiles matching the specified pattern. -
Query a places.sqlite file inside a ZIP archive
firefox-downloads zippath=/opt/logpresso/evidence/browser.zip places.sqliteRetrieves download history from the
places.sqlitefile inside the ZIP archive.