Firefox places.sqlite Database

Last updated 1 year ago

Firefox places.sqlite Database

places.sqlite is the SQLite database file that stores history for Mozilla's Firefox browser. It also stores additional data such as favicons, bookmarks, and input history (used for autofill).

Analysis Value

Operating System Availability

Systems with Mozilla Firefox installed

Artifact Location(s)

%UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\{FIREFOX_PROFILE}\places.sqlite*

Artifact Parsers

KAPE (Extraction and Parsing)

Artifact Interpretation

The following tables are present in this SQLite database:

Database Table

Information

moz_bookmarks

Bookmarks

moz_favicons

Favicon store. Provides URLs for each stored favicon.

moz_historyvisits

Firefox history

moz_inputhistory

Input history for the URL/search bar

moz_places

Stores URLs and some metadata regarding each URL such as visit frequency

In newer versions of Firefox (Firefox 55.0+), the moz_favicons table has been moved to its own unique database under the same directory, favicons.sqlite.

Firefox Bookmarks

The browser bookmark data for Firefox is stored in the moz_bookmarks table of this database. It has the following structure:

Field

Type

Interpretation

INT

Points to id in moz_places table, provides the URL for the bookmark.

title

LONGVARCHAR

The user-assigned name for the bookmark

dateAdded

INT

UNIX timestamp indicating when the bookmark was added

lastModified

INT

UNIX timestamp indicating when the bookmark was last modified

Firefox Favicons

The stored favicons for visited websites are stored either in the places.sqlite database for Firefox versions below 55.0, and in its own separate SQLite database favicons.sqlite for versions afterwards. The structure is as follows:

Field

Type

Interpretation

icon_url

TEXT

The URL of the original favicon

expire_ms

INT

UNIX timestamp representing the expiration time/date for the stored favicon. By default seems to be one week from the last visit.

data

BLOB

The raw favicon data

Firefox History

The browsing history for a particular Firefox profile can be extracted from the moz_historyvisits table. It has the following structure:

Field

Type

Interpretation

place_id

INT

Foreign key pointing to an entry in the moz_places table, which can be used to determine the URL that was visited

visit_date

INT

UNIX timestamp representing the time of the visit

visit_type

INT

Enumerated value, the type of visit

The following visit_type enumerations can provide additional information regarding how the site was visited:

Link followed to visit the URL
URL was typed and visited, or selected from an autocomplete result in the search bar
URL was visited through a bookmark
URL was embedded on another page
URL visited through a permanent redirect (HTTP 301)
URL visited through a temporary redirect (HTTP 307)
URL is a downloaded resource
URL was visited in a frame
URL was visited because the page was reloaded

Last updated 1 year ago

places.sqlite is the SQLite database file that stores history for Mozilla's Firefox browser. It also stores additional data such as favicons, bookmarks, and input history (used for autofill).

Analysis Value

Operating System Availability

Systems with Mozilla Firefox installed

Artifact Location(s)

%UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\{FIREFOX_PROFILE}\places.sqlite*

Artifact Parsers

KAPE (Extraction and Parsing)

Artifact Interpretation

The following tables are present in this SQLite database:

Database Table

Information

moz_bookmarks

Bookmarks

moz_favicons

Favicon store. Provides URLs for each stored favicon.

moz_historyvisits

Firefox history

moz_inputhistory

Input history for the URL/search bar

moz_places

Stores URLs and some metadata regarding each URL such as visit frequency

In newer versions of Firefox (Firefox 55.0+), the moz_favicons table has been moved to its own unique database under the same directory, favicons.sqlite.

Firefox Bookmarks

The browser bookmark data for Firefox is stored in the moz_bookmarks table of this database. It has the following structure:

Field

Type

Interpretation

INT

Points to id in moz_places table, provides the URL for the bookmark.

title

LONGVARCHAR

The user-assigned name for the bookmark

dateAdded

INT

UNIX timestamp indicating when the bookmark was added

lastModified

INT

UNIX timestamp indicating when the bookmark was last modified

Firefox Favicons

Field

Type

Interpretation

icon_url

TEXT

The URL of the original favicon

expire_ms

INT

UNIX timestamp representing the expiration time/date for the stored favicon. By default seems to be one week from the last visit.

data

BLOB

The raw favicon data

Firefox History

The browsing history for a particular Firefox profile can be extracted from the moz_historyvisits table. It has the following structure:

Field

Type

Interpretation

place_id

INT

Foreign key pointing to an entry in the moz_places table, which can be used to determine the URL that was visited

visit_date

INT

UNIX timestamp representing the time of the visit

visit_type

INT

Enumerated value, the type of visit

The following visit_type enumerations can provide additional information regarding how the site was visited:

Link followed to visit the URL
URL was typed and visited, or selected from an autocomplete result in the search bar
URL was visited through a bookmark
URL was embedded on another page
URL visited through a permanent redirect (HTTP 301)
URL visited through a temporary redirect (HTTP 307)
URL is a downloaded resource
URL was visited in a frame
URL was visited because the page was reloaded