Introduction

Rebuilding a web page from the data contained within a suspect's Temporary Internet Files (also known as the Cache) can be one of the strongest pieces of evidence available.  NetAnalysis was the first forensic software to include the functionality for rebuilding web pages from an offline cache.

Warning

Do not examine rebuilt web pages on a workstation which is connected to the Internet.  Whilst every effort is made to disable links to external content, embedded scripting and code may result in requests being made for content from external servers when pages are viewed.  This risk is negated by adhering to forensic best practice and not allowing forensic workstations to have live Internet connections.

 

To rebuild a cached page, you will need to have access to the live cache data.  This can either be a cache exported from a forensic image, copied from a write protected suspect disk or from a mounted forensic image.  First, you will need to identify the location of cached data for Mozilla Firefox.

Location of Firefox Browser Data

Microsoft Windows XP

 

History, Downloads and Cookies
C:\Documents and Settings\{user}\Application Data\Mozilla\Firefox\Profiles\{profile folder}\
Cache
C:\Documents and Settings\{user}\Local Settings\Application Data\Mozilla\Firefox\Profiles\{profile folder}\Cache\

Microsoft Windows Vista / 7 / 8

 

History, Downloads and Cookies
C:\Users\{user}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile folder}\
Cache v1
C:\Users\{user}\AppData\Local\Mozilla\Firefox\Profiles\{profile folder}\Cache\
Cache v2
C:\Users\{user}\AppData\Local\Mozilla\Firefox\Profiles\{profile folder}\cache2

 

Apple Macintosh OS X

 

History, Downloads and Cookies
/Users/{user}/Library/Application Support/Firefox/Profiles/{profile folder}/
Cache v1
/Users/{user}/Library/Caches/Firefox/Profiles/{profile folder}/Cache/
Cache v2
/Users/{user}/Library/Caches/Firefox/Profiles/{profile folder}/cache2

GNU / Linux

 

History, Downloads and Cookies
/home/{user}/.mozilla/firefox/{profile folder}/
Cache v1
/home/{user}/.mozilla/firefox/{profile folder}/Cache/
Cache v2
/home/{user}/.cache/mozilla/firefox/{profile folder}/cache2

Unable to render {include} The included page could not be found.