Len,
What can I say …. hmm … your post rocks!
FIRST, Andrew has always had Win32 apps … just never released 'em to the masses. His big users have requested a few things and he's delivered. SMART Mount, SAW, etc., all are very useful tools.
But SECOND, and why your post rocks, I've got to save this because you typed … "You might take a look at this tool. It is a nice package." And if you're like me and ya read it real quick … well let's just say "this" was "his" and that made me laugh!!! 😉
All is well, Len. Was just up in Ohio a couple weeks back. Ping me privately.
Cheers!
farmerdude
Get SMART!
I've seen a lot of downloads from this forum. Does anyone who downloaded the toolkit have any questions or comments about functionality?
Is your program able to parse the cache map files and index file for Google Chrome if the user has deleted these entries and they are now in unallocated space?
Currently the Toolkit cannot access unallocated space for those files at the moment; however, we are looking into creating our own imaging software that will allow us to implement more features in time. Thanks for the post; however, we haven't looked at the cache map and index file. It will be something we will look at shortly.
Check out what we can pull back for Chrome; maybe there is information buried in there that is useful to you as well.
Thanks
Ryan
Thanks for your reply Ryan,
I just wondered if you knew of any software currently available that is able to do this at this time.
I have looked into the Chrome Cache View tool by NirSoft that is able to parse LIVE cache files; however, I am unsure whether it can display deleted cache files (with their original file name and extension) without the cache map files being present.
I also wondered if you knew of a tool that can retrieve Chrome's deleted SQLite records, as I understand that there are tools available for Firefox.
What are the potential problems with Google Chrome forensics when these files have been deleted? I am aware that Firefox 3 records are potentially discoverable in slack space.
I appreciate your time, and I am a forensics student currently researching Google Chrome. Many thanks
I'm not aware of any that will at the moment; however, it may be possible to pull the cache files back using FTK Imager (browse for deleted files) and then analyzing them using that program you mentioned before from NirSoft. As for Chrome, the records are stored in a SQLite3 database format. I am not sure how to retrieve deleted entries yet; however, I will look into this further and post what I have learned in the future.
We have that in common: Wise Forensics was founded by forensic students who delved deeper into file deconstruction rather than clicking a button and expecting results. We were taught to learn by doing by a great Professor and Friend. Thanks Lenny
Good luck and never stop asking questions, Forensic82
Ryan Manley
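Ryan's reply above leaves open how deleted rows might come back out of Chrome's SQLite files. The script below is an added example, not code from this thread or from Wise Forensics: it builds a constructed table shaped like the `urls` table in Chrome's `History` database, deletes one row, and shows that a raw scan of the page bytes still finds the URL that SQL no longer reports. The table and column names, the file name and the `secure_delete` setting are assumptions made for the example.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Constructed sample rows; the schema mimics Chrome's History 'urls' table (assumed).
SAMPLE_ROWS = [
    ("https://example.com/live", "Live page"),
    ("https://example.com/deleted-entry", "Deleted page"),
]

def build_sample_history(path):
    con = sqlite3.connect(path)
    # With secure_delete off (assumed to match Chrome), SQLite only unlinks a deleted
    # cell; its bytes stay in the page's free space until that space is reused.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    con.executemany("INSERT INTO urls(url, title) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM urls WHERE url = ?", (SAMPLE_ROWS[1][0],))
    con.commit()
    con.close()

def live_urls(path):
    """What a normal SQL query (or a history viewer built on one) still reports."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT url FROM urls ORDER BY id")]
    con.close()
    return rows

def carve_urls(path):
    """Scan raw page bytes, ignoring the b-tree, for URL-shaped strings.
    Stale cells in freeblocks/unallocated page space are found too, but their record
    header is gone, so column boundaries are unknown: the character class is kept
    conservative so a match does not run into the next column's text."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = int.from_bytes(data[16:18], "big")
    if page_size == 1:  # the header encodes a 65536-byte page as 1
        page_size = 65536
    found = set()
    for off in range(0, len(data), page_size):
        page = data[off:off + page_size]
        for m in re.finditer(rb"https?://[a-z0-9./_\-?=&]+", page):
            found.add(m.group().decode("ascii"))
    return sorted(found)

def demo():
    """Build the sample in a temp dir, then compare the SQL view with the carve."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "History")  # Chrome's history file name (assumed)
    try:
        build_sample_history(path)
        return live_urls(path), carve_urls(path)
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    live, carved = demo()
    print("SQL sees:        ", live)
    print("carved from file:", carved)
```

Running it on a real History copy only tells you which URL strings survive in free space; recovering the full row (timestamps, visit counts) needs a proper record-cell parser, which this example does not attempt.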
On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http//