Firefox - Images ev...
 
Notifications
Clear all

Firefox - Images evicted from the cache.

7 Posts
7 Users
0 Likes
552 Views
(@hamelsmith1999)
Posts: 1
New Member
Topic starter
 

Im attempting to establish when some images were viewed via the Firefox browser.

I've traweled these forums and Google for an answer but to no avail. As a total amateur i'm not getting very far. I'm aware the files were probably created over a year ago due to a change in ownership of the laptop.

I have only used the free software Recuva so far to try and establish dates the files the files were viewed

Basically, upon running a Deep Scan thousands of images show up under the location C/? but there is no information as to when the images were modified accessed or created. All file names show in the format [00001].jpg and do not show up in the normal scan.

Is there any way of finding out when the images would have been cached/viewed with any sort of forensics software or in combintion with any other files?

Thanks

 
Posted : 14/10/2013 5:48 pm
(@ali-b)
Posts: 16
Active Member
 

Are you running Recuva on the actual laptop or have you removed the drive and using an alternative machine?

Does recuva show the images as deleted? Just out of interest what is the purpose of establishing when they were viewed?

Depending on the files and their location there may not be any time/date data stored.

Do you know what operating system and what version of firefox is being used?

 
Posted : 14/10/2013 9:41 pm
(@sgware)
Posts: 42
Eminent Member
 

The question "…Is there any way of finding out when the images would have been cached/viewed…" can possibly be answered with the right selection of tools, but, more importantly, with the right skill set and experience to analyze the information.

One can carve a hard drive, find images and video. The result will be, as you said, thousands of files to analyze However, that's only the beginning if you are attempting to show when a file was modified, accessed, or created. if the file you found was allocated (not deleted), then the meta-data (information about the file) will still be in tact and can be helpful in filling in the blanks. However, if the files you are looking for are in unallocated space (deleted), the meta-data may not be complete or there at all.

So, taking you at your word, "…As a total amateur…" If this is practice or research, then do some testing, and try different things …have fun. There are plenty of good books on the market to help guide your research.

If this is a real investigation, please consult a digital forensic professional for this task.

 
Posted : 14/10/2013 11:38 pm
(@garethb)
Posts: 13
Active Member
 

Not meaning to be unecessarily pedantic but determining when an image was "viewed" would be a bit tricky. Assuming it isn't carved from unallocated then created timestamps, method of creation (eg cached from a webpage) etc should be feasible but if this is part of an investigation I would not try to claim something has been actually viewed. Unless you have further evidence to back up they were actually looked at by a person? Eye witness, cctv?

This might seem silly but I have seen attempted defences based around images not having been actually seen by the suspect - screen resolution settings, wasn't wearing glasses (yes really!) and so on.

Afraid I have never used recuva so I cannot comment on that but I have no doubt someone can suggest alternative open source tools to try!

 
Posted : 15/10/2013 1:19 am
(@clear2go)
Posts: 1
New Member
 

@Garethb – That was a good reply .. well done!

 
Posted : 30/11/2013 4:46 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Basically, upon running a Deep Scan thousands of images show up under the location C/? but there is no information as to when the images were modified accessed or created. All file names show in the format [00001].jpg and do not show up in the normal scan.

Is there any way of finding out when the images would have been cached/viewed with any sort of forensics software or in combintion with any other files?

So, as I understand it, you have 'thousands of images', with no file system metadata of any kind…no MAC times, no file names, nothing. If you can't even establish where the file existed within the file system, I'm not sure how you'd go about answering your question.

There is a chance, albeit a slim one, that you can answer your question. You'll have to generate hashes of the files you have (MD5, SHA-1, doesn't matter). Then, *IF* the version of the operating system you're looking at is Windows, and it's Vista or above, and *IF* the image has Volume Shadow Copies going back far enough, you may be able to establish when the files in question (assuming they're whole and not partial files) could be found within the file system, through hash comparison.

Hope that helps.

 
Posted : 30/11/2013 5:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Then, *IF* the version of the operating system you're looking at is Windows, and it's Vista or above, and *IF* the image has Volume Shadow Copies going back far enough, you may be able to establish when the files in question (assuming they're whole and not partial files) could be found within the file system, through hash comparison.

Were/are not Shadow Copies also in XP since SP1? ?

jaclaz

 
Posted : 30/11/2013 9:15 pm
Share: