How Firefox stores web history

Firefox version 3 (first released in 2008) employs a different system of storing browser history than its predecessor Firefox 2. Since only 2.75% of Firefox users still use version 2 or smaller, only Firefox version 3 will be explored here and will hence just been known as Firefox.

Firefox uses SQLite database files to store browser history, bookmarks, cookies, downloads, form field entries and web site logins. Assuming the computer is running Windows XP, the Firefox default path to the databases is:

C:\Documents and Settings\<user>\Application Data\Mozilla\Firefox\Profiles\<profile folder>\

For Windows Vista and Windows 7, the default path is:

C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>\

The Firefox databases are stored in several different .sqlite files, which can be viewed using a SQLite viewer such as SQLite Database Browser. Several of these files hold important forensic data, the most useful being places.sqlite and formhistory.sqlite. Firefox stores history for a default of 90 days, whereas Internet Explorer for only 20 days and Firefox version 2 for only 9 days.


places.sqlite is the main web history database and stores URLs accessed and user bookmarks. The database contains 11 tables, two important ones are moz_places and moz_historyvisits. The fields in moz_places can be found in the table below.

idThe table’s primary key. This is used in a lot of other tables to reference this table.
urlStores a unique visited URL.
titleStores the URLs page title.
rev_hostStores the reverse host name.
visit_countStores the total visit count for this URL.
hiddenIndicates if the URL will be displayed by the autocomplete function. A value of 1 will keep it hidden.
typedIndicates if the URL was typed into the address bar or not. A value of 1 means it was manually entered.
favicon_idA foreign key to the favicon table which stores the favicon for each URL.
frecencyAmalgamation of the words frequency and recency. Frecency is “a score given to each unique URI in Places, encompassing bookmarks, history and tags. This score is determined by the amount of revisitation, the type of those visits, how recent they were, and whether the URI was bookmarked or tagged“, Mozilla Developer Center. This value is used by Firefox’s autocomplete. URLs start with a value of -1, and the higher the frecency the higher in the autocomplete the URL will appear. Values of 0 are ignored (and have a value of 1 for hidden).
last_visit_dateStores the last time the URL was visited. This is a 64bit integer storing number of microseconds since 1st January 1970 UTC called PRTime.

Another important table in places.sqlite is moz_historyvisits which stores all accessed URLs. The fields can be found in the table below.

idThe table’s primary key.
from_visitStores the id from where the URL came from originally. If the URL does not have a referring URL this value is 0.
place_idStores a foreign key to the moz_places table.
visit_dateStores the time the URL was visited in PRTime.
visit_typeShows how the URL has been accessed. This is one of seven possible values, the most common being: 1 – the user followed a link and got a new top-level window; 2 – the user typed in the URL or selected it from autocomplete results; or 3 – the user clicked on one of their bookmarks to get to the page.
sessionStores the session ID that the URL belongs to.

Using from_visit and place_id it is possible to retrace a user’s steps and see how they got to a particular page. Using the two images below, it can be shown that an example user accessed three additional pages on the website after they accessed it for the first time. In between these visits, the user also searched on Google for lyrics and followed a link – this can happen because they were using tabbed browsing or had two instances of Firefox open to access multiple websites at the same time. This is confirmed by the session being different for both sets of URLs. moz_places only stores the unique URLs accessed, but combined with moz_historyvisits a full account of the user’s online history can be made. Every URL impression is stored in moz_historyvisits, so the number of entries will be considerably more if the user visits a URL more than once.

Figure 1- Part of moz_historyvisits table showing the user clicking on links
Figure 2 – Part of moz_places table showing the corresponding URLs in Figure 1


Form history can provide useful information such as usernames, email addresses, postal addresses and search engine queries. Firefox stores this data in formhistory.sqlite which has a singular table called moz_formhistory. The fields can be found in the table below.

idThe table’s primary key.
fieldnameStores the name of the field on the form
valueStores the value the user entered on the form
timeusedStores the number of times this value was submitted.
firstusedStores the time the value was submitted for the first time in PRTime.
lastusedStores the time the value was submitted for the last time in PRTime.

Google queries appear in here with the fieldname as “q”. Other possible searches will have fieldnames such as “query”, “search” and “search_terms”. Some web mail use forms to send email, so email subjects and email address recipients will be available too. Usernames and passwords to websites can be found in signons.sqlite, but the username and password fields are both stored encrypted.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s