Does anyone know how to recover windows live emails from the Places.sqlite file. I have ran numerous enscrypts and filters and cannot locate any web mail.
any suggestions?
Hmm, I'm not entirely sure (it's been a while since I looked at web-based e-mail) but my understanding was that the Places.sqlite file stores the addresses of visited web pages but not the actual content itself.
The actual content of any Windows Live e-mails could potentially be recovered from cached web pages ? You could try running a keyword search, using a known e-mail address, over the Internet cache or possibly use a regular expression to search for any e-mail addresses within the Internet cache. Although my personal experience (limited though it may be) has shown that web-based mail is often difficult to recover since many of the sites do not cache the viewed web pages.
PhilH
Thats the problem I'm having, I can find the header and url that show messages have been viewed, edited and sent but no content.
Does it make a difference to the web browser? the user in question uses firefox 3.
I guessed it was probably Firefox, given that you were looking at the "Places.sqlite" file. The problem is that file, and the other ".sqlite" files, store the web browsing history but do not store the content of the web pages themselves (assuming they have been cached).
What you need to look for is the Firefox browser cache folder - sadly I don't believe this stores data in a similar, plain format, as IE but instead uses a binary format ? However it appears that Firefox itself can be used to examine the cache and extract files from it (
HTH
PhilH
Thanks for the help Phil.
J
Hi all,
if you want to retrieve livemail artefact , you have to use a software like IEF (Internet Evidence Finder) from Jadsoftware.
This program read an entire disk or image and retrive some artefact about Facebook, msn, twitter etc…
http//
Joël Gomez
Forensic expert
French Gendarmerie
Okay, so I had another poke at this over the weekend and it is possible to use Firefox to view the contents of the cache )
To do this for an external cache folder (i.e. not your own) I think you'd need to either a) boot the hard disk image, using a virtual machine, and use the Firefox browser on the VM to view the cache; b) extract the Firefox cache from the hard disk image, then redirect your own browser to use the extracted cache. Apparently b) could be achieved by creating a "User.js" in your profile directory, and adding // Path to Cache folder
user_pref("browser.cache.disk.parent_directory","x \\");
where X\\ is the directory you want to place the cache. I've not actually tried this yet, so don't know if this'll work - the VM technique should be fine though.
Oh and IEF is indeed a great tool, although I believe there is no longer a free version ?