On Wednesday 13 June 2007 Ghiora Drori wrote:
> Hi,
> I heard a story about how a program called
> EnCase by http://www.guidancesoftware.com/
> was supposedly used to recover web mail (yahoo) from a disk of a person
> after the person had deleted the cache etc. I am talking about large
> amounts of email perfectly being restored.
>

From a brief glance it looks like a forensic tool, which means it probably 
accesses hard drive content of files that have been erased. Every HTML file 
you see went through the hard drive at some point, and so all your web mail 
was stored on the hard drive over the course of the hard drive life.

Whether the software is so good that it can recover the emails in perfect 
shape, I don't know - but the fact the files have a specific structure and 
predefined strings to look for makes the work of the forensic tool a lot 
easier.

> I find the idea that web mail is stored on the local disk over long
> periods weird.
> The web browser does use a cache to speed up browsing but I assume that
> things like web mail pages get overwritten pretty fast. If not it would
> be possible to go into an Internet cafe or university and read all web
> mail read there in the past from the disk. This would be a huge security
> hole. Anyone got some solid information about what happens when you read
> webmail?

Webmail uses HTTPS which is not stored in the cache. It does, however, get 
stored temporarily and then deleted. Anyone viewing the hard drive with 
forensic software will see it.


> My guess is that the above program was running and storing the webmail
> when it was being read not a month later.

That's also possible. Like I said, I never heard of or used this program and it 
could very well be snakeoil.

> Thanks Ghiora


- Aviram
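
The reply above notes that a known file structure and predefined strings make recovery easier; that is the idea behind signature-based file carving. The following is an added example, not part of the original thread and not EnCase's method: a Python sketch that carves HTML pages out of a constructed byte buffer standing in for unallocated disk space. The function name, the size limit and the sample data are assumptions.

```python
import re

# Signatures to look for: HTML opening tag (header) and closing tag (footer).
HEADER = re.compile(rb"<html\b", re.IGNORECASE)
FOOTER = re.compile(rb"</html\s*>", re.IGNORECASE)
MAX_CARVE = 1 << 20  # assumption: give up if no footer within 1 MiB

# Constructed sample data, not real mail.
PAGE1 = b"<html><body>Inbox: lunch on Friday?</body></html>"
TRUNCATED = b"<HTML><body>Re: invoice 42"  # tail already overwritten
PAGE2 = b"<html><body>Your password was changed</body></HTML>"


def build_sample():
    """Constructed stand-in for unallocated space holding deleted cache files."""
    return (b"\x00" * 512 + PAGE1 + b"\xff\x13\x37" * 100
            + TRUNCATED + b"\x00" * 64 + PAGE2 + b"\x00" * 128)


def carve_html(raw, max_len=MAX_CARVE):
    """Return [(offset, fragment)] for every complete HTML page in raw bytes."""
    found = []
    pos = 0
    while (start := HEADER.search(raw, pos)):
        limit = start.start() + max_len
        end = FOOTER.search(raw, start.end(), limit)
        nxt = HEADER.search(raw, start.end(), limit)
        # No footer, or another header before the footer: this page was
        # partly overwritten, so skip it instead of gluing two pages together.
        if end is None or (nxt and nxt.start() < end.start()):
            pos = start.end()
            continue
        found.append((start.start(), raw[start.start():end.end()]))
        pos = end.end()
    return found


if __name__ == "__main__":
    for offset, fragment in carve_html(build_sample()):
        print(f"offset {offset}: {fragment.decode('ascii')}")
```

The carver never consults file system metadata, which is why deleting a cache file (removing only its directory entry) does not stop this kind of recovery, while overwriting the underlying blocks does.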

