• Tutorial: recover lost saved session in Firefox

    Have you noticed that sometimes the saved sessions in Firefox are lost after a crash, leaving you with a clean, default homepage when launching it?

    If this happens to you, you’re not alone, and there is a fairly simple way to recover the session.

    The saved sessions are stored in a file called sessionstore.js under ~/.mozilla/firefox/yourprofilename.default-backup-crashrecovery-date

    Your profile name is a series of letters ending in “.default”. For example: mcwubzdq.default

    Now if you list the contents of ~/.mozilla/firefox you will see several of these backup directories, each ending with a date and time (for example: mcwubzdq.default-backup-crashrecovery-20140217_075716). The trick here is to take an old sessionstore.js file from one of them and use it to overwrite the empty one in your profile.

    So first of all close Firefox and go to your profile directory and rename sessionstore.js:

    cd ~/.mozilla/firefox/profilename.default

    mv sessionstore.js sessionstore.js.old

    and now let’s assume that you want to use the session from the 17th of February 2014:

    cp ~/.mozilla/firefox/profilename.default-backup-crashrecovery-20140217_075716/sessionstore.js .

    That’s it! Now you can launch Firefox and enjoy your saved session tabs!

  • Tutorial: computer forensic analysis – how to recover lost or hidden data (on both Win/Ubuntu)

    If you work in the IT support business, you will inevitably have to deal with users’ data. You will be assigned some interesting tasks, such as:

    1. Recover data from somebody else’s pc (Live Capture);
    2. Restore deleted data (Data reconstruction);
    3. Network Investigation;
    4. Wipe data.

    We need to remember that the machines we use in a corporate environment are property of the company which bought them. Even the data located on those machines are property of the same company. This means that you can receive some requests that look like something that should be done by a computer forensics expert.

    In this article I will list some of the most used freeware tools for both Windows and Linux to recover data from a forensic point of view.

    What can we recover?

    There is software available to recover almost every kind of file (images, music, video, documents such as Word and Excel files, etc.).

    The basic idea is that every kind of file has one or more parts in common (like the header, just to give an example). This means that if we are looking for a specific kind of file we can use the right tool to not only undelete files, but to focus on the ones we really need and try to better recover the ones which have been partially overwritten.
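
    The header idea above, as an added example (not part of the original article and not taken from any of the tools listed in it): a minimal Python carver that scans a raw image for JPEG and PNG signatures and marks a file as partial when its footer is missing. The names carve, Carved and demo_image and the max_size limit are assumptions made for this illustration, and the sample image is constructed.

```python
from dataclasses import dataclass

# kind -> (header magic, footer magic); both are the formats' fixed signatures.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

@dataclass
class Carved:
    kind: str
    offset: int     # position of the header inside the image
    data: bytes
    complete: bool  # False: no footer found, file is probably overwritten

def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Cut every header-to-footer span out of a raw image.

    max_size (an assumed limit) bounds the footer search so that one
    damaged file cannot swallow the rest of the image.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                stop, complete = end + len(footer), True
            else:
                stop, complete = limit, False  # keep the fragment for review
            found.append(Carved(kind, pos, image[pos:stop], complete))
            # Resume after a complete file, or just past an orphan header.
            pos = image.find(header, stop if complete else pos + len(header))
    return sorted(found, key=lambda c: c.offset)

def demo_image() -> bytes:
    """Constructed sample: zero-filled 'disk' holding two files and a fragment."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"A" * 20 \
        + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0JFIF" + b"B" * 30 + b"\xff\xd9"
    orphan = b"\x89PNG\r\n\x1a\n" + b"C" * 40  # header whose tail was overwritten
    return b"\x00" * 512 + png + b"\x00" * 100 + jpg + b"\x00" * 200 + orphan

if __name__ == "__main__":
    for c in carve(demo_image()):
        state = "complete" if c.complete else "partial"
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes, {state}")
```

    This only recovers files stored contiguously; a fragmented file, or a JPEG with an embedded thumbnail that carries its own end marker, will come out truncated and needs manual review.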

    Where can we recover from?

    The options we have are basically two:

    1. Recover lost information from RAM (if the machine has not been turned off)
    2. Recover lost information from DISK (file has been deleted from OS)

    How do we recover?

    There are different toolsets, frameworks and even small freeware utilities available. Some of them are free, others are quite expensive. I’ll put a small list here and I’ll try to cover each one of them in a separate, specific article over the next few days.

    Caine: www.caine-live.net/

    MDD: http://sourceforge.net/projects/mdd/

    The Volatility Framework: https://www.volatilesystems.com/default/volatility

    Windows Forensics Toolchest: http://www.foolmoon.net/security/wft/screenshots.html

    PTK: http://ptk.dflabs.com/

    Ocfa: http://sourceforge.net/apps/trac/ocfa