Configuring The Mozilla FireFox Browser For OSINT

Joseph Moronwi 0

If you use the Windows Operating system, Microsoft presents you with either Internet Explorer or Microsoft Edge as your default web browser. Mac OS users are presented Safari by default. I believe OSINT investigators and cybersecurity professionals should avoid these at all costs. All are inferior in my opinion, and you will encounter difficulties with some of the websites and services mentioned later. Therefore, we need a better browser.


 Firefox



Mozilla Firefox is a free and open source web browser developed by the Mozilla Foundation. It has a great reputation for protecting users’ privacy since its launch. In fact, the Tor project uses Firefox as the preferred engine for its Tor Browser bundle. Firefox for Android is also open source software, and its code is available to anyone who wants to audit it.


Before identifying Firefox resources which will aid in our OSINT research, we must first secure our browser to the best of our ability. While the default Firefox installation is much more private and secure than most other browsers, we should still consider some modifications. 


 In this section, we will give technical advice on how to modify the Firefox settings to assure your online privacy and lower the amount of data leaking from your browser.

  • Access the Firefox options by clicking the menu in the upper-right corner of your browser and selecting "Options" or "Preferences".
  • In the "General" options, uncheck "Recommend extensions as you browse" and "Recommend features as you browse". This prevents some internet usage information from being sent to Firefox.
  •  In the "Home" options, change "Homepage and new windows" and "New tabs" to "Blank page". This prevents Firefox from loading their services in new pages and tabs.
  • Move to the Privacy tab. You need to turn on the option Use Tracking Protection in Private Windows. When this option is enabled, each time you visit a web site, Firefox will send a signal that you do not want to be tracked. Of course, this is a voluntary action because some web sites may not obey your request. Still, it’s a good choice to enable it. Now go to the History section on the same page and select the option “Never remember history” so that Firefox will delete all your history every time you close it. Finally, go to the Location Bar section and disable all the suggestions in the search bar because the suggestion process can leak excessive data about you.
  •  Uncheck the box titled "Remember search and form history".
  •  Do not check the box titled "Always use private browsing mode", as this will break Firefox Containers.
  •  In the "Permissions" menu, click "Settings" next to Location, Camera, Microphone, and Notifications. Check the box titled "Block new requests ... " for each of these options.
  •  Uncheck all options under "Firefox Data Collection and Use".
  •  Move to the Security tab. Please configure it to prevent loading  dangerous web sites and to prevent web sites from installing add-ons. Also, you need  to configure Firefox not to store user passwords.
  • Go to the Advanced tab. Here you will find multiple subtabs; select Data Choices. Disable the three available options named Enable Firefox Health Report, Share additional data (i.e., Telemetry), and Enable Crash Reporter. Crash reports can contain valuable data about your computer status. If such data should fall into the wrong hands when traveling online from your PC to Firefox servers, this can reveal the type of vulnerability/error you are facing and enable an outside attacker to exploit your machine.
  • While you are still in the Advanced tab, go to the Network subtab, and make sure that the option “Tell me when a website asks to store data for offline use” is selected. This prevents web sites from planting a tracking code on your computer.
  • While you are still on the Advanced tab, go to the Certificates subtab. In the Requests subtab, select "Ask Me Every Time".


Firefox allows users to modify many configuration settings, and some of these deal with privacy and security concerns. Though some of these changes can be made in the menu of Firefox's preferences, changes made through about:config tend to be more durable and granular. To access the list of configuration settings, open Firefox and type


about:config


into the Uniform Resource Locator (URL) field. This is the place where you would traditionally type the website you wish to visit.


A warning message will appear; hit the button “I accept the risk!”. The modifications we make will be safe.


Some of these about:config settings may already be on the correct setting, but most probably will not. To change most of these settings you can simply double-click the setting to toggle it between "True" and "False". Some may require additional input, such as a number. Because the list of about:config settings contain hundreds of entries, you should search for all of these through the search bar in the about:config interface. The settings displayed in the following examples are the desired options. To access a specific setting, you need to type its name in the Search box that appears at the top of the page.


  • geo.enabled: FALSE: This disables Firefox from sharing your location.
  • browser.formfill.enable: FALSE: To force Firefox to forget form information
  • media.navigator.enabled: FALSE: Website operators will identify your computer as unique to enable tracking around the web. One such tactic is to track the status of your webcam and microphone (ON/OFF). This disables the ability to website operators to see this information.
  • browser.cache.disk.enable: FALSE:  Firefox can cache data to disk. This is dangerous because some of your browsing history may reside  on your disk even after you delete all your previous browsing history. To disable this feature, set this field to false. You need to do the same with the setting browser.cache.disk_cache_ssl because Firefox has two setting for the content cache, one for normal websites and the second for secure websites (has SSL in its name).
  •  browser.cache.offline.enable: FALSE: You must also prevent Firefox from caching web contents for offline use by changing this setting to false.
  • dom.battery.enabled: FALSE: Another technique used by website operators to track you is to view your exact battery levels. This setting blocks this information.
  • extensions.pocket.enabled: FALSE: This disables the proprietary Pocket service.
  • It is a good idea to ask Firefox to throw away all cookies automatically every time you close your browser. To do this, change the setting network.cookie.lifetimePolicy to 2. To change its value, double-click and enter 2 at the prompt.
  • The most interesting setting that can reveal your list of installed plug-ins is plugin.scan.plid.all. It is essential to disable this setting so visited websites will not be able to distinguish your browser from the add-on already installed (to minimize browser footprinting). In addition, some websites may ask you to disable an ad blocker to view their web site because they can detect if you have an ad blocker already activated in your browser. Change this setting to false.


WebRTC: These settings address a potential vulnerability of leaked IP addresses.


  • media.peerconnection.enabled: FALSE
  • media.peerconnection.tum.disable: TRUE
  • media.peerconnection.use_document_iceservers: FALSE
  • media.peerconnection.video.enabled: FALSE


These advanced configurations will harden Firefox and make it more difficult for outside parties to track your activities. In the next section, we will cover privacy add-ons that can further secure Firefox and fight against online tracking and user profiling.


FireFox Extensions

There are thousands of extensions available for Firefox. Some are helpful, some are worthless, and some are fun. This section will discuss several of them. The Firefox add-ons, sometimes called extensions, detailed here will include a website for each option. You can either visit the website and download the add-on, or search for it from within Firefox. The latter is usually the easiest way. While Firefox is open, click on the menu in the upper right and then "Add-ons". This will present a page with a search field in the upper right corner. Enter the name of the extension and install from there. The following are my recommendations.


Firefox Multi-Account Containers

The first Firefox Add-on which I use daily is the Multi-Account Containers option from Mozilla. Multi-Account Containers allows you to separate your various types of browsing without needing to clear your history, log in and out, or use multiple browsers. These container tabs are like normal tabs, except the sites you visit will have access to a separate slice of the browser's storage. This means your site preferences, logged-in sessions, and advertising tracking data will not carry over to the new container. Likewise, any browsing you do within the new container will not affect your logged in sessions or tracking data of your other containers.


OSINT investigators can use this technique in many ways. With a traditional browser, you can only be logged in to one instance of a social network. If you are logged in to a covert Facebook account, then open a new tab and navigate to Facebook, you will be presented with the same logged-in account used in the previous tab. With containers, we can isolate this activity. You can log in to one Facebook account in one container, another Facebook account in a second container, and any additional accounts in their own containers. This applies to any service, such as Twitter, Reddit, or others. This allows us to simultaneously access multiple accounts within the same service without logging out or opening a different browser. Let's configure it for optimal use.


Once installed, you will see a new icon in the upper right in your Firefox browser which appears as three squares and a "+" character. Click on it and select the container you want to open. Default options include choices such as Personal and Shopping, but you can modify these any way you desire. You can create, delete, and edit containers from the main menu. When you click the "Manage Containers" option, you can change the color or icon associated with a container or change the container name. The following tutorial replicates my configuration for OSINT investigations.


  • Open the Multi-Account Containers menu and click the "Manage Containers" option.
  • Delete all containers by selecting each and clicking "Delete This Container".
  • In the "Manage Containers" menu, click the + in the upper left.
  • Enter the name of your new container, such as "User 01".
  • Choose a desired color and icon.
  • Repeat this process to create the number of containers desired.


You can now either open a new container as a blank page or open links in a new or different container.


uBlock Origin

It is a popular open source add-on with more than 2,000,000 downloads. It is efficient and easy on memory and CPU and yet can load and enforce thousands more filters than other popular blockers. The presence of this add-on in your browser makes other extensions such as NoScript, Adblock Plus, Privacy Badger, and Disconnect unnecessary.


Click on the uBlock Origin icon in the menu and select the "Dashboard" icon to the right, which appears as a settings option. This will open a new tab with the program's configuration page. On the "Settings" tab, click the option of "I am an advanced user". This will present an expanded menu from the uBlock Origin icon from now forward. Click on the "Filters" tab and consider enabling additional data sets that may protect your computer. I find the default options sufficient. You now have extended protection that will be applied to all visited websites without any interaction from you. When you encounter a web page with a lot of advertisements, such as a news media website, it should load much faster. It will block many of the pop-ups and auto-play media that can be quite annoying when conducting research. This protection will suffice for most users, but dedicated OSINT analysts may choose to take a more advanced approach.


The following is how I recommend using uBlock Origin. Install, enable advanced options, and proceed with your work. When you arrive at a website that is blocking something you want to see, open the menu and click on the left (grey) section of the top cell in the third column. That will allow everything to load on that page, and that page only. When you are about to navigate to a questionable site that may try to install malicious code on your machine, click on the right (red) section of the top cell in the second column. That will block all scripts on all pages. Conduct your research and reverse the change when you are finished. Remember to click the save button (padlock) after each change and refresh the page.


HTTPS Everywhere

This extension encrypts your communications with many major websites, making your browsing more secure. It is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. As examples, a site may default to unencrypted HITP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting requests to these sites to HTTPS. This happens automatically after installing this add-on, and you do not need to take any additional actions. If the icon for this extension crowds your browser, you can remove it by clicking the Firefox menu, then Customize, then dragging the icon away from the menu bar. It does not need to be visually present to function. In November 2020, Firefox added this capability to their browser. You can click on Firefox's menu button and choose "Preferences"; select "Privacy & Security"; scroll to the section "HTTPS-Only Mode"; and choose "Enable HTTPS-Only Mode in all windows". I currently prefer this over HTTPS Everywhere, but either works well.


User-Agent Switcher

Occasionally, you may visit a website that does not want to cooperate with Firefox. Browsers notify websites of their identity and websites can alter or refuse content to certain products. One example is that some older websites require Microsoft's Internet Explorer to view the content. Even though Firefox is capable of displaying the information, a website can refuse the data to the browser. Another example is mobile websites that display different content if viewing from a mobile phone instead of a computer. This can now all be controlled with User-Agent Switcher.


When installed, you have a new option in your browser. The menu allows you to choose a mobile operating system, such as iOS or Android, or a desktop browser such as Internet Explorer or Chrome. It will also allow you to specify your operating system such as Mac or Windows. Whatever you choose, this data will be sent to any site that you visit. If you visit a website of a tech-savvy target, he or she may know that you were looking around. You may also be revealing that you are using a specific browser, such as Firefox, and a Windows computer (common in Government). You could now change your agent to that of a mobile device or Google Chromebook which may not look as suspicious.


To do so, you would click on the menu bar icon, select the desired operating system and browser configuration, click "Apply (active window)", then click "Refresh Tab". To return to the default Firefox option in your native operating system, click on the "Reset" button in the lower right and refresh the page. 


Please note that user-agent spoofing will not fool every website. If the target site includes JavaScript which scans for additional identifiers, such as touch points and video cards, the real details may be presented. While this level of scrutiny is rare, it is a possibility. Always know what websites may be able to see about your computer and connection before any sensitive investigation.


Exif Viewer

This extension provides right-click access to the Exif data embedded into images.  With this extension enabled, you can right-click on any full size image located on a web page. The menu option is "View Image Exif Data" and a new window will open when selected. This window will identify any available metadata about the image. Overall, most photos on social networks do not contain any metadata. They have been "scrubbed" in order to protect the privacy of users. However, many blogs and personal websites display images that still contain metadata. While there are online websites that  display this data, a browser add-on is much more efficient. In my experience, this extension will increase the amount of times that you will search for this hidden content.


Image Search Options

This extension automates the reverse search when an image is right clicked. When installed, "Image Search Options" is present when you right-click on an image. Highlighting this option presents several reverse image search services including Google, Bing, TinEye, Yandex, Baidu, and others. 


This add-on removes any excuse to not always check reverse images on target websites. With this add-on enabled, you will be ready to enhance your searches during that investigation.


Resurrect Pages

This extension provides a link to archived versions of websites whenever a page has been modified, is unavailable, or has been deleted. Right-clicking on any site will offer a new menu option of "Resurrect this page". That option will present the following archive services.


  • Google - A standard cache of the target address from Google.
  • Google (Text only) - The text-only view of a standard Google cache.
  • The Internet Archive - A link to the target page within The Internet Archive.
  • Archive.is - Any captures of the target address domain on Archive.is.
  • WebCite - Any captures of the target address domain on WebCite.
  • Memento Timetravel - standard cache of the target address from Memento.

This add-on will not give you any content that you could not locate manually from these sources. Instead, it serves as an easy way to quickly identify interesting content.


Copy Selected Links

This simple add-on will identify any hyperlinks within the selected text of an individual web page. It will store the links within your operating system's clipboard, which allows you to paste them into any application of your choice. While only a small utility, it can quickly turn a large project into an easily completed task.


Using the utility is fairly straightforward. While on any website, select any or all text, right-click anywhere in the page, and select the "Copy selected links" option in the menu. The links will be stored in your clipboard and you can paste them into Notepad, Excel, or any other productivity application. There are unlimited uses for Copy Selected Links, and below are a few use cases:


  • Facebook: When you are on a target's list of Facebook friends, select all text and use Copy Selected links to quickly record each hyperlink to an individual's profile. You can then paste these into Excel for later analysis. Comparison with previous captures identifies those that were "unfriended".
  • Twitter: When viewing a Twitter profile, you can use this utility to capture all links to external websites and photos.
  • YouTube: When viewing a person's YouTube videos page, Copy Selected Links allows you to paste the entire link collection of every linked video into a report.
  • eBay: While viewing results from a search for a specific fraudulent product, you can quickly copy the active hyperlinks to each auction and paste them directly into a report in seconds.
  • Human Trafficking: While viewing ad results for suspected human trafficking victims, you can copy all active hyperlinks and paste directly into a report, email, or memo for other investigators.
  • Documents: When you encounter a public FTP server or open web directory, this tool allows you to copy the native links to all files encountered. This is helpful for documentation after downloading all of the data.

 

Full Web Page Screenshot

Documenting and archiving your progress with an OSINT investigation is as important as the intelligence discovered. The general rule is that if you do not have proof of your findings, then they never existed. Full Web Page Screenshots, also known as FireShot, provides you with an easy solution to capturing all of your results. When enabled, this extension is a button in the upper right portion of your browser. It appears as a blue square containing the letter "S". Clicking the icon presents a menu with options. The best option is to select "Capture entire page" and then "Save to PDF". This will create a PDF document of the entire page exactly as it appears in your browser and then save it to anywhere you choose. The file can later be archived to a removable storage device. The title of the document will match the title of the web page and it will include the URL of the selected page.


This method is preferred over a standard screen capture for several reasons. A typical screen capture only captures the visible area and not the entire page. You must then open a program into which you "paste" the data and then save the file. This extension automates this and saves it in a format that is difficult to edit. This can be beneficial during testimony.


By accessing the "Options" area of the menu, you can assign customized naming features. Click "Show filename template settings" in the options page and change the default value to the following.


%n-%u-%t-%y-%m-%d-%H-%M-%S


This setting will change the default name of each page capture. Each file will be named a numerical value, followed by the website URL, followed by title, and followed by the date and time of capture. Changing the %n value to 0 and the Pad option to 3 will ensure that your captures always start with a numerical value of 0 and ascend chronologically. This can help determine the order of evidence you retrieved. Be sure to "Apply" and then "Save" after you have made your desired changes.


Stream Detector

This extension has become vital during OSINT research due to the prevalence of streaming videos. Whether pre-recorded or live, many websites now deliver video via embedded streams rather than traditional files. While we could once easily right-click an online video and download the file as an MP4, that is rare today. We must now be prepared to encounter video stream protocols such as playlists (M3U8) and transport stream (TS).


This tool comes in handy as it can help extract the link to the streaming video for downloading and analysis.


Tags

Joseph Moronwi

DFIR and Adversary Hunting, Malware Research, and OSINT.

Post a Comment

Post a Comment

Previous Post Next Post