Tuesday, 5 January 2010

Web Browser Session Restore Forensics

As this is the first post of the year I would like to wish you a happy new year.

The posting title is the title of an excellent paper written by Harry Parsonage relating to Session Restore files created by the latest Mozilla (Firefox) and Internet Explorer 8 browsers. These files may contain enough information to allow the browser to display a users workspace exactly as it was prior to a forced restart. Obviously these files may contain significant evidence. I am not going to steal Harry's thunder so download his paper from http://computerforensics.parsonage.co.uk/other/other.htm

I know that Harry is not keen on blogs simply regurgitating information found elsewhere so I will try and add a little value.

Safari v4
Session Restore functionality is now a must have in modern browsers. Another browser to have similar functionality is Safari v4. The last session information is contained in a file entitled LastSession.plist

In Mac OSX 10.6 this file is stored at /Users/<user name>/Library/Safari

In XP this file is stored at C:\Documents and Settings\<User name>\Application Data\Apple Computer\Safari

I use the mac application - property list editor to review plists, there are windows applications to do this as well.

Firefox v3.5.6 running in Mac OSX 10.6
Harry's paper applies here in the main.

The sessionstore.js file is stored at /Users/<User Name>/Library/Application Support/Firefox/Profiles/XXXXXXX.default

No comments: