
Computer Forensics Miscellany
In a recent examination I came across lots of URLs in the unallocated space of a hard drive that were of interest and which I discovered were part of information recorded by the Mozilla browser to enable it to restore a user’s session in the event of a crash. A subsequent search revealed 66 instances of full Session Restore files in unallocated space, each of which could be used to show a snapshot of the browser windows and tabs that the user had open at one point in time; in addition, there were many other fragments of Session Restore files. Here are some notes on my findings.
Web Browser Session Restore Forensics
Allan Hay has made his JSON viewer available (updated June 2010); this can be used to view the Mozilla Session Restore files.
Having had a couple of Lycos Chat investigations recently, the team have done some research and developed an EnCase script to recover artefacts of chat conversations. The script has worked well in tests; any feedback is welcome, and contact details are in the script.
LycosChatFinderv1.2.zip
That is a bit of an eye-catching headline, perhaps not quite reverse engineering but something akin to it. In some investigations cracking the password for an encrypted volume can be a major breakthrough; however there are some cases where associating a password with a particular user can be even more significant by showing their culpability in the matter under investigation.
This short paper relates a couple of examples of cases where this has been significant and provides a list of what people use as passwords.