Firefox - Images evicted from the cache.

Post Posted: Mon Oct 14, 2013 6:48 am

I'm attempting to establish when some images were viewed via the Firefox browser.

I've trawled these forums and Google for an answer but to no avail. As a total amateur I'm not getting very far. I'm aware the files were probably created over a year ago due to a change in ownership of the laptop.

I have only used the free software Recuva so far to try and establish the dates the files were viewed.

Basically, upon running a Deep Scan, thousands of images show up under the location C:/? but there is no information as to when the images were modified, accessed or created. All file names show in the format [00001].jpg and do not show up in the normal scan.

Is there any way of finding out when the images would have been cached/viewed with any sort of forensics software or in combination with any other files?

Thanks  

hamelsmith1999
Newbie
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Mon Oct 14, 2013 10:41 am

Are you running Recuva on the actual laptop, or have you removed the drive and are using an alternative machine?

Does Recuva show the images as deleted? Just out of interest, what is the purpose of establishing when they were viewed?

Depending on the files and their location there may not be any time/date data stored.

Do you know what operating system and what version of Firefox is being used?

Ali-B
Member
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Mon Oct 14, 2013 12:38 pm

The question "...Is there any way of finding out when the images would have been cached/viewed..." can possibly be answered with the right selection of tools, but, more importantly, with the right skill set and experience to analyze the information.

One can carve a hard drive, find images and video. The result will be, as you said, thousands of files to analyze. However, that's only the beginning if you are attempting to show when a file was modified, accessed, or created. If the file you found was allocated (not deleted), then the meta-data (information about the file) will still be intact and can be helpful in filling in the blanks. However, if the files you are looking for are in unallocated space (deleted), the meta-data may not be complete or there at all.

So, taking you at your word, "...As a total amateur..." If this is practice or research, then do some testing, and try different things ...have fun. There are plenty of good books on the market to help guide your research.

If this is a real investigation, please consult a digital forensic professional for this task.
_________________
Scott Ware
MSDF, CFCE 

sgware
Member
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Mon Oct 14, 2013 2:19 pm

Not meaning to be unnecessarily pedantic, but determining when an image was "viewed" would be a bit tricky. Assuming it isn't carved from unallocated, then created timestamps, method of creation (e.g. cached from a webpage) etc. should be feasible, but if this is part of an investigation I would not try to claim something has been actually viewed. Unless you have further evidence to back up they were actually looked at by a person? Eye witness, CCTV?

This might seem silly but I have seen attempted defences based around images not having been actually seen by the suspect - screen resolution settings, wasn't wearing glasses (yes really!) and so on.

Afraid I have never used Recuva so I cannot comment on that, but I have no doubt someone can suggest alternative open source tools to try!

Garethb
Newbie
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Sat Nov 30, 2013 6:46 am

@Garethb -- That was a good reply .. well done!  

Clear2Go
Newbie
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Sat Nov 30, 2013 7:53 am

- hamelsmith1999

Basically, upon running a Deep Scan, thousands of images show up under the location C:/? but there is no information as to when the images were modified, accessed or created. All file names show in the format [00001].jpg and do not show up in the normal scan.

Is there any way of finding out when the images would have been cached/viewed with any sort of forensics software or in combination with any other files?


So, as I understand it, you have 'thousands of images', with no file system metadata of any kind...no MAC times, no file names, nothing. If you can't even establish where the file existed within the file system, I'm not sure how you'd go about answering your question.

There is a chance, albeit a slim one, that you can answer your question. You'll have to generate hashes of the files you have (MD5, SHA-1, doesn't matter). Then, *IF* the version of the operating system you're looking at is Windows, and it's Vista or above, and *IF* the image has Volume Shadow Copies going back far enough, you may be able to establish when the files in question (assuming they're whole and not partial files) could be found within the file system, through hash comparison.

Hope that helps.  

keydet89
Senior Member
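
The hash comparison described in the post above, as an added example that is not part of the original post or of any tool named in this thread. It assumes the carved files sit in one directory and that each Volume Shadow Copy has already been mounted read-only at its own path; the function names, snapshot labels and sample bytes are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha1_of(path, chunk=1 << 20):
    h = hashlib.sha1()  # read in chunks so large files need not fit in memory
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def walk_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def match_carved(carved_dir, snapshots):
    """Return {carved_name: [(snapshot_label, path_in_snapshot, mtime_utc)]}."""
    by_hash, sizes = {}, set()
    for path in walk_files(carved_dir):
        by_hash.setdefault(sha1_of(path), []).append(os.path.basename(path))
        sizes.add(os.path.getsize(path))
    hits = {name: [] for names in by_hash.values() for name in names}
    for label, root in sorted(snapshots.items()):  # {label: mount_path}
        for path in walk_files(root):
            try:
                st = os.stat(path)
                if st.st_size not in sizes:
                    continue  # cannot be a whole-file match, so skip hashing
                names = by_hash.get(sha1_of(path), [])
            except OSError:
                continue  # unreadable file in the snapshot: skip it, keep going
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            for name in names:
                hits[name].append((label, os.path.relpath(path, root), mtime))
    return hits


if __name__ == "__main__":  # constructed sample: one carved file, one snapshot copy
    with tempfile.TemporaryDirectory() as d:
        carved, vss1 = os.path.join(d, "carved"), os.path.join(d, "vss1")
        for folder, name in ((carved, "[00001].jpg"), (vss1, "cache_entry")):
            os.mkdir(folder)
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"\xff\xd8 constructed image bytes")
        print(match_carved(carved, {"vss1": vss1}))
```

Only byte-identical whole files match, as the post assumes; a hit gives the path and file system timestamp the carved copy lacks, and shows the file was present when that snapshot was taken.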
 
 
  

Re: Firefox - Images evicted from the cache.

Post Posted: Sat Nov 30, 2013 11:15 am

- keydet89
Then, *IF* the version of the operating system you're looking at is Windows, and it's Vista or above, and *IF* the image has Volume Shadow Copies going back far enough, you may be able to establish when the files in question (assuming they're whole and not partial files) could be found within the file system, through hash comparison.

Were/are not Shadow Copies also in XP since SP1?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 