Is recovery possible in this case?

[kurt2121]

Hey everyone! I'm not the sharpest knife in the drawer when it comes to this stuff, so I figured I'd create an account here to ask some people who know what they are talking about!


So older versions of firefox used to store internet history in a file called history.dat. When you clear the private data from the browser, the data from the file is also cleared. Since the file isn't technically being deleted, just "wiped", does that mean recovery of that history is impossible? (I mean, the file creation date stays the same after clearing private data, so I assuming it is the same file) I just tried using Recuva to see if it worked with a test, but I just got a few PNG files that said "Files data could not be found on disk". Anything at all you can tell me would be greatly appreciated.

Also, this is assuming the recovery attemept is immediately or soon after the file is cleared

Thanks!!

[LarrySabo]

In the current version of Firefox, browsing history is kept in places.sqlite in the user profile, according to this.

The places.sqlite file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you’ve visited.

I don't know if you can use "Restore previous version" on that but on my Win7 system, there are no previous versions. Previous versions is not available in XP and may not be enabled on other versions of Windows (See System protection settings for System Restore).

[fzabkar]

Try a sector-level test.

Create a history.dat file in the normal way and then use a disc editor (eg DMDE freeware) to determine the sectors occupied by the file (or you could use one of several other methods for locating these sectors). Then clear the private data in your browser and re-examine those same sectors.

[kurt2121]

In the current version of Firefox, browsing history is kept in places.sqlite in the user profile, according to this.

The places.sqlite file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you’ve visited.

I don't know if you can use "Restore previous version" on that but on my Win7 system, there are no previous versions. Previous versions is not available in XP and may not be enabled on other versions of Windows (See System protection settings for System Restore).

The version of firefox I want to figure this out for is version 2, and I guess places.sqlite didn't come around until version 3. Plus this is on XP as well, so I guess according to what you posted, there is no previous versions.

[kurt2121]

Try a sector-level test.

Create a history.dat file in the normal way and then use a disc editor (eg DMDE freeware) to determine the sectors occupied by the file (or you could use one of several other methods for locating these sectors). Then clear the private data in your browser and re-examine those same sectors.

Hm, would a guy with not much experience with forensics or that kind of stuff be able to do this, do you think? I'm going to read up on this though, that seems like a good idea.

[fzabkar]

Try a sector-level test.

Create a history.dat file in the normal way and then use a disc editor (eg DMDE freeware) to determine the sectors occupied by the file (or you could use one of several other methods for locating these sectors). Then clear the private data in your browser and re-examine those same sectors.

Hm, would a guy with not much experience with forensics or that kind of stuff be able to do this, do you think? I'm going to read up on this though, that seems like a good idea.

It's easy in DMDE.

Launch DMDE
Select your physical disk
Check the Show Partitions box
Double-click the desired volume
Expand the Root
Navigate to your desired file
Double-click the desired file group in the left pane
Double-click the desired file in the top right pane
The bottom right pane should now identify the LBA of the first sector of the file

[kurt2121]

Try a sector-level test.

Create a history.dat file in the normal way and then use a disc editor (eg DMDE freeware) to determine the sectors occupied by the file (or you could use one of several other methods for locating these sectors). Then clear the private data in your browser and re-examine those same sectors.

Hm, would a guy with not much experience with forensics or that kind of stuff be able to do this, do you think? I'm going to read up on this though, that seems like a good idea.

It's easy in DMDE.

Launch DMDE
Select your physical disk
Check the Show Partitions box
Double-click the desired volume
Expand the Root
Navigate to your desired file
Double-click the desired file group in the left pane
Double-click the desired file in the top right pane
The bottom right pane should now identify the LBA of the first sector of the file

Awesome, so I found the desired file. I'm not sure what I should be looking for, though.

The LBA says 13331200.. anything else I should note? I'm afraid I know very little of what this all means. (sorry)

[fzabkar]

The LBA (Logical Block Address) is the sector where the file is located. The contents of this sector are the beginning of the file. Save the file (use Windows explorer or DMDE) and use a hex editor (eg HxD) to view it. The contents should be the same in both cases.

Now exit DMDE and delete your private data in Firefox. Then ...

Launch DMDE
Select your physical disk
Uncheck the Show Partitions box
Editor -> Goto offset

Sector = 13331200
Sector offset = 0
From Start/End
Dec

You should now see the contents of sector 13331200. Examine the next few sectors (using the Page Down key). Do you still see your original data?

https://mh-nexus.de/en/hxd/

[kurt2121]

The LBA (Logical Block Address) is the sector where the file is located. The contents of this sector are the beginning of the file. Save the file (use Windows explorer or DMDE) and use a hex editor (eg HxD) to view it. The contents should be the same in both cases.

Now exit DMDE and delete your private data in Firefox. Then ...

Launch DMDE
Select your physical disk
Uncheck the Show Partitions box
Editor -> Goto offset

Sector = 13331200
Sector offset = 0
From Start/End
Dec

You should now see the contents of sector 13331200. Examine the next few sectors (using the Page Down key). Do you still see your original data?

https://mh-nexus.de/en/hxd/

I tried twice, and in both cases all the data was still to be found. So I guess that means its not overwritten.

The first file was written to sector 13331200 and the second to 18811611. Seems pretty "far apart" to me. Why do people say things like "Don't use firefox if you want to find old firefox history" or something of that nature, it seems to me each file has no impact on another whatsoever in this case.

Also, with DMDE , am I able to search a keyword through an entire drive and see if there are undeleted data that way?

[fzabkar]

Also, with DMDE , am I able to search a keyword through an entire drive and see if there are undeleted data that way?

Tools -> Search for String in Object

[kurt2121]

Also, with DMDE , am I able to search a keyword through an entire drive and see if there are undeleted data that way?

Tools -> Search for String in Object

Is it okay to ignore all cyclic redundancy checks?

[data-medics]

I would guess then that it's creating a new, empty, history file before it deletes the old one. Now it's just a matter of determining an identifiable characteristic of the file type to be able to search for it.

[kurt2121]

I would guess then that it's creating a new, empty, history file before it deletes the old one. Now it's just a matter of determining an identifiable characteristic of the file type to be able to search for it.

Well, the mozilla file description says its written in a complex format called "Mork". Not sure if that is useful.

So if I find this identifiable characteristic, will I be able to search the entire disk, deleted and undeleted, for all firefox files that have not been overwritten?