Fix Firefox History Parsing and add name to Firefox Bookmarks (#44)

Fixes Firefox history parsing by changing the join id from
moz_places.origin_id and moz_historyvisits.id to moz_places.id and
moz_historyvisits.place_id.

Additionally adds moz_historyvisits.visit_date which displays the unique
visit date of each site every time it is visited rather than just the
last visited timestamp. This also sorts by this field but retains the
last visited timestamp as this is useful if a site is visited multiple
times.

Also adds a Firefox History Legacy definition which is functionally
identical but drops the description and preview_image_url fields as
several third party browsers as well as older Firefox versions do not
have these fields and result in failure to parse otherwise. This also
modifies the identify query to gate based on if these fields exist or
not. This means there will only be one output rather than potentially
two of the same database.

Adds name to Firefox Bookmarks to help find it easier in the interface
as well as spreadsheet exports.

Author: reece394

definitions/Firefox_Bookmarks.yaml

@@ -20,8 +20,9 @@ Globs:
   - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
 
 Sources:
-- Preamble: |
-    LET BookmarkTypes <= dict(`1`="URL", `2`="Folder", `3`="Separator")
+- name: Bookmarks
+  Preamble: |
+    LET BookmarkTypes <= dict(`1`='URL', `2`='Folder', `3`='Separator')
 
   VQL: |
     SELECT ID, ParentID,
@@ -68,39 +69,3 @@ Sources:
     INNER JOIN moz_anno_attributes ON moz_annos.anno_attribute_id = moz_anno_attributes.id
     WHERE moz_anno_attributes.name IN ('downloads/destinationFileURI','downloads/destinationFileName','downloads/metaData')
     ORDER BY moz_annos.dateAdded ASC
-
-- name: History
-  Preamble: |
-    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
-      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
-      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
-
-  VQL: |
-    SELECT VisitID, FromVisitID,
-       timestamp(epoch= last_visit_date) AS LastVisitDate,
-       VisitCount, URL, Title, Description,
-       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
-       Bool(Value=hidden) AS Hidden,
-       Bool(Value=typed) AS Typed,
-       Frecency, PreviewImageURL, OSPath
-    FROM Rows
-    WHERE LastVisitDate > DateAfter AND LastVisitDate < DateBefore
-      AND (Title, URL, Description) =~ FilterRegex
-
-  SQL: |
-    SELECT
-      moz_historyvisits.id AS VisitID,
-      moz_historyvisits.from_visit AS FromVisitID,
-      moz_places.last_visit_date,
-      moz_places.visit_count AS VisitCount,
-      moz_places.url AS URL,
-      moz_places.title AS Title,
-      moz_places.description AS Description,
-      moz_historyvisits.visit_type,
-      moz_places.hidden,
-      moz_places.typed,
-      moz_places.frecency AS Frecency,
-      moz_places.preview_image_url AS PreviewImageURL
-    FROM moz_places
-    INNER JOIN moz_historyvisits ON moz_places.origin_id = moz_historyvisits.id
-    ORDER BY moz_places.last_visit_date ASC

definitions/Firefox_History.yaml

@@ -0,0 +1,61 @@
+Name: Firefox Places History
+Author: Andrew Rathbun, Reece394
+Email: andrew.d.rathbun@gmail.com
+Reference: https://github.com/EricZimmerman/SQLECmd
+SQLiteIdentifyQuery: |
+  SELECT (
+  SELECT COUNT(*)
+  FROM sqlite_master
+  WHERE type='table'
+     AND (name='moz_historyvisits' OR name='moz_bookmarks'
+          OR name='moz_places' OR name='moz_inputhistory')) +
+  (SELECT CASE WHEN (SELECT COUNT(*) FROM pragma_table_info('moz_places') WHERE name IN ('description','preview_image_url')) > 1
+  THEN 1 ELSE 0 END) AS `Check`;
+SQLiteIdentifyValue: 5
+Categories:
+  - Firefox
+  - Browser
+
+FilenameRegex: "places.sqlite"
+Globs:
+  - "{{WindowsFirefoxProfiles}}/*/places.sqlite"
+  - "{{LinuxFirefoxProfiles}}/places.sqlite"
+  - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
+
+Sources:
+- Preamble: |
+    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
+      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
+      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
+
+  VQL: |
+    SELECT VisitID, FromVisitID,
+       timestamp(epoch= visit_date) AS VisitDate,
+       timestamp(epoch= last_visit_date) AS LastVisitDate,
+       VisitCount, URL, Title, Description,
+       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
+       Bool(Value=hidden) AS Hidden,
+       Bool(Value=typed) AS Typed,
+       Frecency, PreviewImageURL, OSPath
+    FROM Rows
+    WHERE VisitDate > DateAfter AND VisitDate < DateBefore
+      AND (Title, URL, Description) =~ FilterRegex
+
+  SQL: |
+    SELECT
+      moz_historyvisits.id AS VisitID,
+      moz_historyvisits.from_visit AS FromVisitID,
+      moz_historyvisits.visit_date,
+      moz_places.last_visit_date,
+      moz_places.visit_count AS VisitCount,
+      moz_places.url AS URL,
+      moz_places.title AS Title,
+      moz_places.description AS Description,
+      moz_historyvisits.visit_type,
+      moz_places.hidden,
+      moz_places.typed,
+      moz_places.frecency AS Frecency,
+      moz_places.preview_image_url AS PreviewImageURL
+    FROM moz_places
+    INNER JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
+    ORDER BY moz_historyvisits.visit_date ASC

definitions/Firefox_HistoryLegacy.yaml

@@ -0,0 +1,59 @@
+Name: Firefox Places History Legacy
+Author: Andrew Rathbun, Reece394
+Email: andrew.d.rathbun@gmail.com
+Reference: https://github.com/EricZimmerman/SQLECmd
+SQLiteIdentifyQuery: |
+  SELECT (
+  SELECT COUNT(*)
+  FROM sqlite_master
+  WHERE type='table'
+     AND (name='moz_historyvisits' OR name='moz_bookmarks'
+          OR name='moz_places' OR name='moz_inputhistory')) +
+  (SELECT CASE WHEN (SELECT COUNT(*) FROM pragma_table_info('moz_places') WHERE name IN ('description','preview_image_url')) > 1
+  THEN 0 ELSE 1 END) AS `Check`;
+SQLiteIdentifyValue: 5
+Categories:
+  - Firefox
+  - Browser
+
+FilenameRegex: "places.sqlite"
+Globs:
+  - "{{WindowsFirefoxProfiles}}/*/places.sqlite"
+  - "{{LinuxFirefoxProfiles}}/places.sqlite"
+  - "{{MacOSFirefoxProfiles}}/*/places.sqlite"
+
+Sources:
+- Preamble: |
+    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
+      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
+      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
+
+  VQL: |
+    SELECT VisitID, FromVisitID,
+       timestamp(epoch= visit_date) AS VisitDate,
+       timestamp(epoch= last_visit_date) AS LastVisitDate,
+       VisitCount, URL, Title,
+       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
+       Bool(Value=hidden) AS Hidden,
+       Bool(Value=typed) AS Typed,
+       Frecency, OSPath
+    FROM Rows
+    WHERE VisitDate > DateAfter AND VisitDate < DateBefore
+      AND (Title, URL, Description) =~ FilterRegex
+
+  SQL: |
+    SELECT
+      moz_historyvisits.id AS VisitID,
+      moz_historyvisits.from_visit AS FromVisitID,
+      moz_historyvisits.visit_date,
+      moz_places.last_visit_date,
+      moz_places.visit_count AS VisitCount,
+      moz_places.url AS URL,
+      moz_places.title AS Title,
+      moz_historyvisits.visit_type,
+      moz_places.hidden,
+      moz_places.typed,
+      moz_places.frecency AS Frecency
+    FROM moz_places
+    INNER JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
+    ORDER BY moz_historyvisits.visit_date ASC

test_files/Firefox/firefox.sqlite

@@ -5,25 +5,25 @@
     "  \"LastVisitDate\": \"2020-06-27T09:29:54.51375Z\",",
     "  \"URL\": \"https://www.mozilla.org/privacy/firefox/\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2020-06-27T09:30:05.721357Z\",",
     "  \"URL\": \"http://github.com/seanbreckenridge/dotfiles\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2020-06-30T05:53:37.171Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/firefox/78.0a2/firstrun/\",",
     "  \"Description\": \"Firefox Developer Edition is the blazing fast browser that offers cutting edge developer tools and latest features like CSS Grid support and framework debugging\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " },",
     " {",
     "  \"LastVisitDate\": \"2021-02-21T08:55:10.488Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/privacy/firefox/\",",
     "  \"Description\": \"\\n  Our Privacy Notices describe the data our products and services receive, share, and use, as well as choices available to you.\\n\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -33,7 +33,7 @@
     "  \"LastVisitDate\": \"2021-02-21T08:55:10.488Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/privacy/firefox/\",",
     "  \"Description\": \"\\n  Our Privacy Notices describe the data our products and services receive, share, and use, as well as choices available to you.\\n\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -43,7 +43,7 @@
     "  \"LastVisitDate\": \"2020-06-27T09:29:54.51375Z\",",
     "  \"URL\": \"https://www.mozilla.org/privacy/firefox/\",",
     "  \"Description\": null,",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ],
@@ -53,7 +53,7 @@
     "  \"LastVisitDate\": \"2020-06-30T05:53:37.171Z\",",
     "  \"URL\": \"https://www.mozilla.org/en-US/firefox/78.0a2/firstrun/\",",
     "  \"Description\": \"Firefox Developer Edition is the blazing fast browser that offers cutting edge developer tools and latest features like CSS Grid support and framework debugging\",",
-    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places_History\"",
+    "  \"_Source\": \"Generic.Forensic.SQLiteHunter/Firefox Places History\"",
     " }",
     "]"
   ]