Dumpzilla Package Description

Dumpzilla application is developed in Python 3.x and has as purpose extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed. Due to its Python 3.x developement, might not work properly in old Python versions, mainly with certain characters. Works under Unix and Windows 32/64 bits systems. Works in command line interface, so information dumps could be redirected by pipes with tools such as grep, awk, cut, sed… Dumpzilla allows to visualize following sections, search customization and extract certain content.

  • Cookies + DOM Storage (HTML 5).
  • User preferences (Domain permissions, Proxy settings…).
  • Downloads.
  • Web forms (Searches, emails, comments..).
  • Historial.
  • Bookmarks.
  • Cache HTML5 Visualization / Extraction (Offline cache).
  • visited sites “thumbnails” Visualization / Extraction .
  • Addons / Extensions and used paths or urls.
  • Browser saved passwords.
  • SSL Certificates added as a exception.
  • Session data (Webs, reference URLs and text used in forms).
  • Visualize live user surfing, Url used in each tab / window and use of forms.

Dumpzilla will show SHA256 hash of each file to extract the information and finally a summary with totals.
Sections which date filter is not possible: DOM Storage, Permissions / Preferences, Addons, Extensions, Passwords/Exceptions, Thumbnails and Session

Source: http://www.dumpzilla.org/Manual_dumpzilla_en.txt
Dumpzilla Homepage | Kali Dumpzilla Repo

  • Author: Busindre
  • License: GPLv3

Tools included in the dumpzilla package

dumpzilla – Mozilla browser forensic tool
[email protected]:~# dumpzilla

Version: 15/03/2013

Usage: python dumpzilla.py browser_profile_directory [Options]

Options:

 --All (Shows everything but the DOM data. Doesn't extract thumbnails or HTML 5 offline)
 --Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date> -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create <start> <end>]
 --Permissions [-host <string>]
 --Downloads [-range <start> <end>]
 --Forms    [-value <string> -range_forms <start> <end>]
 --History [-url <string> -title <string> -date <date> -range_history <start> <end> -frequency]
 --Bookmarks [-range_bookmarks <start> <end>]
 --Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
 --Thumbnails [-extract_thumb <directory>]
 --Range <start date> <end date>
 --Addons
 --Passwords (Decode only in Unix)
 --Certoverride
 --Session
 --Watch [-text <string>] (Shows in daemon mode the URLs and text form in real time. -text' Option allow filter,  support all grep Wildcards. Exit: Ctrl + C. only Unix).

Wildcards: '%'  Any string of any length (Including zero length)
           '_'  Single character
       '\'  Escape character

Date syntax: YYYY-MM-DD HH:MM:SS

Win profile: 'C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\xxxx.default'
Unix profile: '/home/xx/.mozilla/seamonkey/xxxx.default/'

dumpzilla Usage Example

Analyze the Mozilla profile folder (‘/root/.mozilla/firefox/k780shir.default/’) and dump everything except the DOM data (–All):

[email protected]:~# dumpzilla '/root/.mozilla/firefox/k780shir.default/' --All

====================================================================================================
Cookies              [SHA256 hash: 18d35b51ec9865ea3dd21e9bc69dc3d286d4e20373bbb0b350a0e41c8bf2da42]
====================================================================================================


Domain: google.com
Host: .google.com
Name: PREF
Value: ID=ddcc3d04cf65b33f:TM=1400253352:LM=1400253352:S=LrFq_HXVbaconjt0l
Path: /
Expiry: 2016-05-15 11:15:52
Last acess: 2014-05-16 11:15:52
Creation Time: 2014-05-16 11:15:52
Secure: No
HttpOnly: No


Domain: kali.org
Host: .kali.org
Name: __utma
Value: 24402336.1888242215.144BAC0N56.1400253356.14322255.1
Path: /
Expiry: 2016-05-15 11:15:55
Last acess: 2014-05-16 11:15:55
Creation Time: 2014-05-16 11:15:55