How to: Recover Form Submission Data

afib

First, let me apologize if this should go in another section of the forum.

A few weeks ago, I had to recover some form submission data for a friend. The typical story, you know: they spent 30+ minutes typing out a response in a forum/WordPress/etc. and when they hit Submit/Post/Reply, they got a "Server not found" or "connection reset" error. Pressing the back key, they hoped to find the data still there, as sometimes Firefox will save it.

Alas, they were unable to recover it, were too pissed to type it all up again, and so I got a phone call. I know a lot of you would know how to do this, but I am sure some other users do not. This is pretty easy and will introduce people to Hex Editors who may have never used them.

First, there are a few things this method assumes:

1) That you do not have an extension, à la Lazarus, installed.
2) That you have not rebooted the computer.
3) That you have not closed the application (or it closed itself).

Steps

1) You're going to need a Hex Editor. For this purpose, I really prefer to use HxD Hex Editor. It's not exactly the BEST Hex Editor, but it's pretty simple to use. You could use WinHex, or any other editor or RAM viewer. Go download one.

2) In HxD Editor, you need to open up the RAM viewer. Click on the RAM module icon, or push Shift+Ctrl+R. It's also under the Extras menu.

3) Select the process. This could be iexplore.exe or firefox.exe or whatever.

4) You're going to need to search the contents, so hit Ctrl+F and type in a SMALL portion of a string of text you remember writing. By small portion, I mean "I thought I was" NOT "I" or "was." The RAM viewer is viewing the RAM for that program, so you may find all sorts of totally unrelated things. The trick is to make sure you've entered an exact phrase to eliminate false results. Also, do not type anything too long. I'll explain why later.

5) In the far left column will be offsets, like 06B280D0. This is the address. Moving to the right is the HEX area, and over to the farthest column will be the characters. Your text will be in that last column.

6) If you do get false entries, just hit F3 and keep scanning. If you've picked a good string, this will take no time.

7) Once you've found it, you're going to notice something funky. The text is most likely going to be interspersed with characters you didn't type. For example, say I remember typing "how are you" and thus I search for "how are." Now that I've found the block with my text, I notice the actual text says "how are yo\\u". You don't need to know what this is for this exercise, simply copy and paste your text somewhere safe and remove these extraneous characters.

Thoughts: How to avoid this?

1) You could download an extension like 'Lazarus.' It does come in handy, but it really isn't necessary and I'll tell you why. For one thing, Lazarus will remember small and large entries of text. Do you really need Lazarus to remind you what you typed in the textbox for "Name?" This is redundant for a lot of people for two reasons: small entries are easily remembered, and for these types of textboxes you can often just hit the down key and find all the recent entries. It's up to you, but I don't really see the point in adding Firefox extensions for tasks that don't require extensions.

2) What you should do is get in the habit of securing your data, not relying on an extension to do it for you. It doesn't matter if I am writing in WordPress, Word, Firefox, or IE. If I find myself writing something long, or important, I just open up Notepad and Ctrl+A, Ctrl+C from the app and Ctrl+V into Notepad. For one thing, this doesn't require an extension that could break, cause conflicts, disappear, etc. For another, it allows you to use a totally separate area of RAM by using a different program. That way, even if the application crashes, Notepad probably won't.

(I do think Lazarus will remember if Firefox crashes, which gives it a point, but there are a lot of other programs that do not have this function. In other words, it could happen at any time, with any application, so why not just get into the habit of making working backups as you're writing?)

Questions I have:

I am sure there are other ways to do this as well. I recall at one time that Firefox kept a cache of files in its directory structure somewhere, but I do not know if this is still the case. I do not know a lot about networking beyond setting them up and some basics, but I would think you could also recover the packet? I'm not really sure, so I. Thoughts on that?
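Steps 4 to 7 above, done over a saved copy of the process memory, as an added example that is not part of the original post. It assumes the stray characters are the zero bytes of UTF-16LE text and only handles ASCII-range characters; the function names and the sample buffer are made up for illustration.

```python
def find_phrase(buf: bytes, phrase: str):
    """Return sorted (offset, encoding) hits for the phrase stored as
    single-byte text or as UTF-16LE (every other byte zero for ASCII)."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        needle = phrase.encode(enc)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)


def extract_text(buf: bytes, pos: int, enc: str) -> str:
    """Grow the hit in both directions over printable ASCII-range
    characters and decode the run, dropping the interleaved zero bytes."""
    width = 2 if enc == "utf-16-le" else 1

    def printable(i: int) -> bool:
        if i < 0 or i + width > len(buf):
            return False
        unit = buf[i:i + width]
        if width == 2 and unit[1] != 0:   # high byte must be zero
            return False
        return 0x20 <= unit[0] < 0x7F or unit[0] in (0x09, 0x0A, 0x0D)

    lo = hi = pos
    while printable(lo - width):
        lo -= width
    while printable(hi):
        hi += width
    return buf[lo:hi].decode(enc)


def recover(buf: bytes, phrase: str):
    """Recovered text for every hit, in offset order."""
    return [extract_text(buf, pos, enc) for pos, enc in find_phrase(buf, phrase)]


# Constructed sample standing in for a saved memory dump (not real data).
SAMPLE = (
    b"\x8b\x45\xfc\x00\x00"
    + "I thought I was done, then the connection reset.".encode("utf-16-le")
    + b"\x00\x00\xcc\xcc\x01\x00"
    + b"title=I thought I was done\x00\xff\xff"
)

if __name__ == "__main__":
    for pos, enc in find_phrase(SAMPLE, "I thought I was"):
        print(f"{pos:08X} {enc:9} {extract_text(SAMPLE, pos, enc)!r}")
```

Searching both encodings matters because a plain single-byte search misses text that is stored with a zero byte after every character.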