Places.sqlite

(@jbizzle)
Posts: 4
New Member
Topic starter
 

Does anyone know how to recover Windows Live emails from the Places.sqlite file? I have run numerous EnScripts and filters and cannot locate any web mail.

Any suggestions?

 
Posted : 08/02/2011 5:25 pm
(@philh)
Posts: 28
Eminent Member
 

Hmm, I'm not entirely sure (it's been a while since I looked at web-based e-mail) but my understanding was that the Places.sqlite file stores the addresses of visited web pages but not the actual content itself.

The actual content of any Windows Live e-mails could potentially be recovered from cached web pages? You could try running a keyword search, using a known e-mail address, over the Internet cache or possibly use a regular expression to search for any e-mail addresses within the Internet cache. Although my personal experience (limited though it may be) has shown that web-based mail is often difficult to recover since many of the sites do not cache the viewed web pages.

PhilH

 
Posted : 08/02/2011 5:33 pm
(@jbizzle)
Posts: 4
New Member
Topic starter
 

That's the problem I'm having, I can find the header and URL that show messages have been viewed, edited and sent but no content.

Does it make a difference to the web browser? The user in question uses Firefox 3.

 
Posted : 08/02/2011 5:39 pm
(@philh)
Posts: 28
Eminent Member
 

I guessed it was probably Firefox, given that you were looking at the "Places.sqlite" file. The problem is that file, and the other ".sqlite" files, store the web browsing history but do not store the content of the web pages themselves (assuming they have been cached).

What you need to look for is the Firefox browser cache folder - sadly I don't believe this stores data in a similar, plain format, as IE but instead uses a binary format? However it appears that Firefox itself can be used to examine the cache and extract files from it (Accessing files directly from the Firefox cache). I've not tried this method myself so can't vouch for it, but otherwise there are commercial tools available that support viewing of cached web pages etc.

HTH

PhilH

 
Posted : 08/02/2011 8:15 pm
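The point made in the post above, that places.sqlite records which pages were visited and when but holds no page content, shown as an added example that is not part of the original thread: it queries the moz_places and moz_historyvisits tables for visits to a webmail host. The sample database and its rows are constructed, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def open_readonly(path):
    """Open a working copy of places.sqlite without allowing writes to it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def prtime_to_utc(prtime):
    """visit_date is PRTime: microseconds since the Unix epoch."""
    return EPOCH + timedelta(microseconds=prtime)

def webmail_visits(conn, host_suffix):
    """Return (UTC time, url, title) for each visit to host_suffix or a subdomain."""
    # rev_host is the host name reversed plus a trailing dot ("moc.evil.liam.").
    pattern = host_suffix[::-1] + ".%"
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
        "WHERE p.rev_host LIKE ? ORDER BY v.visit_date", (pattern,))
    return [(prtime_to_utc(d), url, title) for d, url, title in rows]

def build_sample():
    """Constructed stand-in for places.sqlite (column subset, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 rev_host TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
          (1, 'http://mail.live.com/constructed/inbox', 'Inbox', 'moc.evil.liam.'),
          (2, 'http://mail.live.com/constructed/compose', 'New message', 'moc.evil.liam.'),
          (3, 'http://www.example.com/', 'Example', 'moc.elpmaxe.www.');
        INSERT INTO moz_historyvisits VALUES
          (1, 1, 1297185900000000, 1), (2, 2, 1297186200000000, 1),
          (3, 3, 1297186500000000, 1);
    """)
    return conn

if __name__ == "__main__":
    for when, url, title in webmail_visits(build_sample(), "live.com"):
        print(when.isoformat(), url, title)
```

The rows returned carry only a timestamp, URL and page title; message bodies have to come from the cache or elsewhere on the disk.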
(@jbizzle)
Posts: 4
New Member
Topic starter
 

Thanks for the help Phil.
J

 
Posted : 08/02/2011 10:41 pm
(@bithead)
Posts: 1206
Noble Member
 

SQLite Manager is invaluable in looking at Mozilla SQL files.

 
Posted : 09/02/2011 9:42 am
(@Anonymous)
Posts: 0
Guest
 

Hi all,

If you want to retrieve Live Mail artefacts, you have to use software like IEF (Internet Evidence Finder) from Jadsoftware.
This program reads an entire disk or image and retrieves some artefacts about Facebook, MSN, Twitter etc…
http://www.jadsoftware.com/go/?page_id=141

Joël Gomez
Forensic expert
French Gendarmerie

 
Posted : 09/02/2011 5:59 pm
(@philh)
Posts: 28
Eminent Member
 

Okay, so I had another poke at this over the weekend and it is possible to use Firefox to view the contents of the cache :)

To do this for an external cache folder (i.e. not your own) I think you'd need to either a) boot the hard disk image, using a virtual machine, and use the Firefox browser on the VM to view the cache; or b) extract the Firefox cache from the hard disk image, then redirect your own browser to use the extracted cache. Apparently b) could be achieved by creating a "User.js" in your profile directory, and adding

// Path to Cache folder
user_pref("browser.cache.disk.parent_directory","X:\\");

where X:\\ is the directory you want to place the cache. I've not actually tried this yet, so don't know if this'll work - the VM technique should be fine though.

Oh and IEF is indeed a great tool, although I believe there is no longer a free version?

 
Posted : 14/02/2011 2:31 pm