Analysing Firefox Session Restore data
09 May 2019
Like most web browsers Firefox includes a Session Restore feature allowing your currently open windows and tabs to be restored in the event of a forced-restart or crash. You can also set Firefox to always restore your previous session on startup.
To support this feature Firefox records session data within the Firefox profile folder which is typically in the following location on a Windows machine:
The following files are used to store session data:
- sessionstore.jsonlz4 - The state of the browser during the last shut down.
- sessionstore-backups/recovery.jsonlz4 - The current state of the browser
- sessionstore-backups/recovery.baklz4 - The previous version of recovery.jsonlz4
- sessionstore-backups/previous.jsonlz4 - The state of the browser during the second to last shut down.
- sessionstore-backups/upgrade.jsonlz4-[timestamp] - The state of the browser before an upgrade
In general, sessionstore.jsonlz4 only exists when Firefox is not running and recovery.jsonlz4 / recovery.baklz4 only exists when Firefox is running.
All session data is stored in a compressed file format referred to as MOZLZ4 or JSONLZ4. Mozilla use this format for a number of other files within the Firefox profile folder. The file format is standard LZ4 data with a custom header. The custom header consists of the ASCII "mozLz40", followed by a NUL byte, followed by the size of the uncompressed file. The compressed data begins at offset 12, and the decompressed data is in JSON format.
To allow these files to be easily analysed we have updated the JSON Viewer built into Browser History Examiner
(BHE) to support MOZLZ4 files. The JSON Viewer can be used for free within the BHE trial version (a BHE licence is not required).
In terms of analysing browser history the following information contained in the session data is of most interest:
- Website visits - URL, referrer URL, page title
- Tabs - timestamp when last accessed / closed
- Windows - timestamp when closed
- Session - timestamp when started / last updated
The general structure of the JSON for extracting this information is explained below. All timestamps are stored as the number of milliseconds since 01/01/1970 00:00:00.
The root level of the JSON contains the following properties:
- windows - an array of Window objects
- _closedWindows - an array of Window objects
- session - a Session object
- cookies - an array of Cookie objects
Window object properties:
- tabs - an array of Tab objects
- _closedTabs - an array of ClosedTab objects
- closedAt - the timestamp when the window was closed
Tab object properties:
- entries - an array of Entry objects
- lastAccessed - the timestamp when the tab was last accessed
ClosedTab object properties:
- state - a Tab object
- closedAt - the timestamp when the tab was closed
Entry object properties:
- url - the URL of a web page visited within the tab
- title - the title of the web page visited
- referrer - the URL of the previous web page from which a link was followed
Session object properties:
- lastUpdate - the timestamp when the session was last updated
- startTime - the timestamp when the session started
Cookie object properties:
- host - the domain of the page that set the cookie
- value - the value of the cookie
- path - the path of the page that set the cookie
- name - the name of the cookie
- secure - indicates if the cookie should only be sent when using HTTPS
We have recently updated BHE to automatically extract session data from the sessionstore.jsonlz4 file and any files within the sessionstore-backups folder. Session tab data is displayed within a separate Session Tabs table and Cookie data is displayed within the Cookies table.
To try this out for yourself, visit our Downloads
page for a free trial of Browser History Examiner.