Prompt
Analyze a Firefox sqlite history database and answer questions about what happened. It you are not familiar with SQL you may want to learn more about SQL here: https://www.tutorialrepublic.com/sql-tutorial/
Tutorial Video
Walk-Through
This challenge will give you experience analyzing a SQLite database. The answers can be obtained by using the sqlite3 Linux program or a GUI-based viewer. There are also browser-based SQLite viewers such as https://inloop.github.io/sqlite-viewer/.
Click into the terminal on the Cyber Skyline platform. Thebrowser.sqlite file in the current directory. Use the command sqlite3 browser.sqlite to start the SQLite program.
sqlite> prompt will indicate that the SQLite program has startedUse the command .tables to see all of the database tables available to view.
Use the command SELECT * FROM moz_hosts; (or use any of the other table names) to view the information contained in the tables. The wildcard indicates that we want to select all the columns, and the semicolon at the end of the query signal the end of the query, like a full stop at the end of a sentence.
Searching for Firefox Sqlite Database can help narrow down which tables to look through. This site mentions that moz_places contains the sites visited, so that might be helpful for the first few questions: Places.sqlite - MozillaZine Knowledge Base.
There is a way to list of the columns in the moz_places table with PRAGMA table_info(moz_places); :
For the first question, look for the user’s search on craigslist. This information is most likely to be in the ‘url’ column, so we can display that with the query select url from moz_places;
The price of bitcoin when the user was browsing will show up in the “title” column in this table. Search for the $ sign with select * from moz_places where title like '%$%'; :
For question 3, run select url from moz_places; and scroll to see where the user signs in.
To find the user’s gmail account, query the table for any titles containing ‘gmail’ with select * from moz_places where title like '%gmail%'; :
Scrolling further down from the output of select url from moz_places; , we can see the transaction ID that the user looked at:
The remaining questions can be answers by visiting the URLs that are listed inside the database. The URL with id 290 is for a bitcoin transaction listed on blockchain.info. The main page displays the ID as well as the total value of the inputs.
The Bitcoin transaction ID and the amounts that were transferred are all listed on the blockchain.info page.
Alternatively for this challenge, you can upload the SQLite database file to theSQLite Viewer Web App to navigate through a GUI:
Helpful Tools:
Questions
Q1. What did the user search for on craigslist?
The user’s search can be seen in row 23 inside the “query’ parameter in the URL.
Q2. What was the current price (USD) of bitcoin when the user was browsing?
The current price is listed in row 23 in of the “title” of Bitstamp’s homepage.
Q3. What Bitcoin exchange did the user log in to?
The Bitcoin exchange is identified in row 253, which shows the user successfully loading their account page after logging in.
Q4. What is the email that was used to log into the exchange?
The email can be found on row 47 in the “title” of the Gmail webpage.
Q5. What was the ID of the Bitcoin transaction that the user looked at?
The ID of the Bitcoin transaction is the “Hash” value listed on the blockchain.info page.
Q6. What was the total BTC value of all the inputs of the Bitcoin transaction?
The total BTC value of the inputs can be obtained by adding up the values of all the BTC inputs on the blockchain.info page.
Q7. Which Bitcoin address received the majority of the Bitcoin in the transaction?
The right side of the blockchain.info page contains the addresses and amounts that were sent to each recipient. The address that received the majority of the Bitcoin was that one that was sent the most BTC.
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.