Internet Explorer RecoveryStore(Travelog) 解析工具


Based on the research in to Internet Explorer’s Automatic Crash Recovery files, two command line applications were created; RipRS and ParseRS; collectively known as RecoverRS.  Detailed information regarding the operation of these two applications is available in Appendix C, the RecoverRS manual.
RipRS is designed to extract ACR files from a raw disk image using known decimal offsets.  A list of known offsets can be obtained by using the search string discussed in the above section titled ‘Finding Compound Files in Unallocated Space’ using programs such as EnCase or FTK.  Using these known offsets, RipRS uses the methodology discussed in the above section titled ‘Carving Compound Files in Unallocated Space’ to determine the compound file’s size.  RipRS then searches the compound file for the string ‘0B00252A-8D48-4D0B-7B79887F2B96’, a GUID that is unique to ACR files.  If RipRS determines that the compound file is in fact an ACR file, it searches the ACR file for strings unique to either recovery store files or tab data files to determine which type the file it.  Once RipRS has determined the ACR file type, the file is written to the output directory specified by the user using the naming convention RecoveryStore.{offset}.dat or {offset}.dat for recovery store files and tab data files respectively. 
ParseRS is designed to extract browsing information from ACR files; either those found on the system or those carved from unallocated space by RipRS.  As mentioned previously, if ACR files are carved from unallocated space, information linking the tab data files with their respective recovery store files and some date/time information will be lost.


0 意見: