In a recent examination I came across lots of URLs in the unallocated space of a hard drive that were of interest and which I discovered were part of information recorded by the Mozilla browser to enable it to restore a user’s session in the event of a crash. A subsequent search revealed 66 instances of full Session Restore files in unallocated space, each of which could be used to show a snapshot of the browser windows and tabs that the user had open at one point in time; in addition there were many other fragments of Session Restore files. There are similar possibilities with Internet Explorer.
Here are some notes on my findings.
http//
H
Good information. Thanks for posting it.
Very nice, Harry, thank you for posting.
Did you try any testing with the browser.sessionstore.* settings under about:config?
There is a line for browser.sessionstore.resume_from_crash that can be toggled.
You can also create a new Boolean called browser.sessionstore.enabled and set it to false, to disable session manager.
This can become very intriguing when getting a subject machine that might have had the power pulled without knowing what might have been running at time of decommission.
Thanks for your kind comments.
I have since added some useful updates to the paper following contact from a couple of people.
I have added reference to the Opera browser and Dc1743 has added Safari information from the sausage factory.
I have added reference to two programs that have now been made available: a sessionstore parser from Woany and a JSON editor program from Allan Hay.
Thanks to each of these people for their contributions.
H
Harry,
Great stuff, thanks for posting!
Web sites, books and training courses all refer to the more popular areas to look for indications of browser activity, and it's nice to see other areas being explored.
Thanks again!
Just curious if anyone had been digging into and/or researching session restore artifacts over the last year. Finding some very interesting stuff (need some lab time to try to reproduce for sharing) in them and wondering if others have had any surprises.