
Lunascape's interesting bits and pieces

There's a new kid on the browser block, and its name is Lunascape. I've been playing around with this relatively new browser a bit, and have to say I quite like it. But this post isn't about the use of Lunascape. I was curious, because Lunascape imports many of its settings from IE and Firefox, whether it used its own location to store settings and data (think: cookies and other forensic artifacts) or whether it just throws it all in IE's and Firefox's directories.

A quick search on my hard disk for 'lunascape' reveals that a new directory named Lunascape was created in my user account's Application Data, with a subdirectory named Lunascape5. Some interesting information can be found here, for example:

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\rebar.bmp
This one seems pretty odd. It appears to me that this is a screenshot of Lunascape's title bar taken at the moment the browser is closed. It seems to be updated every time the browser is closed, so it's not a 'default' image. As you can see below, useful information such as the last entered URL can be seen this way, and possibly a search term if the search bar was used.


C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\Profile\Favorite
Contains three files (linked to the three default Lunascape profiles) listing the RSS feeds subscribed to.

When using the Gecko engine, some more locations exist with useful data:

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\userprefs.js
I expected this file would contain the user preferences for the Gecko engine, but it seems to be a default file. The real preferences are stored one directory up, in C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\userprefs.js. It contains information such as the homepage and which proxy is to be used.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\signons.sqlite
This file holds the user's stored passwords and their respective websites. The username and password fields are encrypted, but at least you can see which websites are known and used by the user.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\cookies.sqlite
This SQLite database is used to store cookie information.

C:\Documents and Settings\[USERNAME]\Application Data\Lunascape\Lunascape5\ApplicationData\gecko\Cache
This directory seems like a mashup of cached data. I'm not sure what format it is in, but most of the files contain URLs of websites visited, while others start with JFIF when viewed in an editor so images might be in there as well.

When the Trident (IE) engine is used, it seems the cookies are stored in the default IE cookies directory. So there's no possibility to distinguish between cookies coming from IE and those coming from Lunascape.

Looking through the Windows registry, at first sight I don't find too much interesting information about Lunascape. The only thing that might be useful is the HKCU\Software\Lunascape Corporation\Lunascape5\General\SettingRootFolder key, as it points to the location where the user's Lunascape profile is stored. Because Lunascape allows the user to manage his profile, and thus store it in a different location, this might be useful for finding the files listed above.
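
The locations listed above, turned into a small triage helper (an added example, not code from the original post). It assumes the caller passes the Lunascape5 directory, wherever SettingRootFolder has placed it, and that the Gecko signons.sqlite uses the same moz_logins table and hostname column as Firefox's file of that name.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Artifact locations from the post, relative to the Lunascape5 directory.
ARTIFACTS = [
    "ApplicationData/rebar.bmp",   # rewritten at browser close, per the post
    "Profile/Favorite",
    "ApplicationData/userprefs.js",
    "ApplicationData/gecko/signons.sqlite",
    "ApplicationData/gecko/cookies.sqlite",
    "ApplicationData/gecko/Cache",
]

def inventory(lunascape5_dir):
    """Return one record per artifact: presence, size, mtime (UTC), SHA-256."""
    records = []
    for rel in ARTIFACTS:
        path = Path(lunascape5_dir) / rel
        rec = {"artifact": rel, "present": path.exists()}
        if path.is_file():
            st = path.stat()
            rec["size"] = st.st_size
            rec["mtime_utc"] = datetime.fromtimestamp(
                st.st_mtime, timezone.utc).isoformat()
            rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
        elif path.is_dir():
            # Directories (Favorite, Cache): count the files beneath them.
            rec["entries"] = sum(1 for p in path.rglob("*") if p.is_file())
        records.append(rec)
    return records

def saved_login_hosts(signons_db):
    """List sites with stored logins without reading the encrypted fields.
    Assumption: table moz_logins / column hostname, as in Firefox."""
    # mode=ro opens the database read-only so the evidence file is not altered.
    uri = Path(signons_db).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT DISTINCT hostname FROM moz_logins ORDER BY hostname")
        return [r[0] for r in rows]
    finally:
        con.close()
```

Run it against a working copy of the profile rather than the live directory, and keep the recorded hashes with the case notes.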


About me

  • I'm An Hilven