What steps should an attacker follow to verify and extract Firefox saved passwords?
First, determine the Firefox version from the registry to identify the correct record file (`logins.json` for ≥32.0, `signons.sqlite` for 3.5–32.0). Locate the file with `dir %APPDATA%\Mozilla\Firefox\Profiles\*logins.json /s /b` (or the same search for `signons.sqlite`), then check whether any records exist. If no Master Password is set, copy the record and key files and decrypt them with `firepwd.py`. If a Master Password is set, either run `firefox_decrypt.py` against a complete profile or load the profile into Firefox and enter the password. After extraction, the attacker may also need to cover their tracks, similar to deleting or bypassing Windows logs.
exploitation approach, Firefox version detection, logins.json, Master Password, firefox_decrypt, offline export