Computer Forensics Miscellany
In a recent examination I came across lots of URLs in the unallocated space of a hard drive that were of interest and which I discovered were part of information recorded by the Mozilla browser to enable it to restore a user’s session in the event of a crash. A subsequent search revealed 66 instances of full Session Restore files in unallocated space, each of which could be used to show a snapshot of the browser windows and tabs that the user had open at one point in time; in addition there were many other fragments of Session Restore files. I subsequently looked at how other web browsers dealt with the recovery of browsing sessions and the findings are reported in this paper.
Allan Hay has made his JSON viewer available; this can be used to view the Mozilla Session Restore files. The viewer can be found on his site along with many other useful forensic tools that Allan has developed.
Having had a couple of Lycos Chat investigations recently, my team did some research and developed an EnCase script to recover artefacts of chat conversations. The script has worked well in tests. Any feedback is welcome; contact details are in the script.
That is a bit of an eye-catching headline, perhaps not quite reverse engineering but something akin to it. In some investigations cracking the password for an encrypted volume can be a major breakthrough; however there are some cases where associating a password with a particular user can be even more significant by showing their culpability in the matter under investigation.
This short paper relates a couple of examples of cases where this has been significant and provides a list of what people use as passwords.