Today I was asked for a copy of a website that had already been nuked before the analysis was completed. No online platform had yet picked up a copy, and VirusTotal did not show a hash for the download.
Trying to come up with a solution for this problem, I remembered that browsers often keep a local cache copy of sites that have been visited. Luckily I had not yet closed my Firefox browser and was able to access the cache via the URL “about:cache”.
From that page I selected “disk -> List Cache Entries”. The list contains the most recently visited and stored sites, with the full URL as the key. Clicking a URL brings you to the detail page of that cache entry, with more information such as “last fetched date”, “fetch count”, “size”, the response headers, and much more.
Scrolling down the detail page you can see the response body of the site. If the site did not compress the output (which can be identified by the response header “Content-Encoding”), you can read the cleartext response directly.
If the server sent the data compressed, you need a bit of magic to read the response: use a regular expression to strip the parts before and after the hex bytes to get a clean hexdump, which can then be pasted into CyberChef.
With the recipe [{"op":"From Hex","args":["Space"]},{"op":"Gunzip","args":[]}] you can convert the dump and display the HTML code directly.
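As an added example (not part of the original post), the same two steps in Python: strip the offsets and ASCII column from a pasted about:cache hex dump, then undo the Content-Encoding the cached headers declare (gzip as in the recipe, plus deflate and uncompressed bodies). The dump layout, the helper that renders it and the sample body are constructed assumptions, not copied from Firefox.

```python
import gzip
import re
import zlib

# Assumed dump layout (constructed, not copied from Firefox):
#   "OFFSET:  hh hh ... hh  ascii-column"
HEX_LINE = re.compile(
    r"^\s*(?:[0-9a-fA-F]{1,8}:)?\s*"         # optional offset prefix
    r"((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})"  # single-space separated byte pairs
    r"(?=\s{2,}|\s*$)"                       # then the ASCII column or end of line
)

def hexdump_to_bytes(dump: str) -> bytes:
    """Keep only the hex bytes; drop offsets, the ASCII column and non-dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_body(raw: bytes, content_encoding: str = "") -> bytes:
    """Undo the Content-Encoding declared in the cached response headers
    (the CyberChef 'From Hex' -> 'Gunzip' step, plus deflate and identity)."""
    enc = content_encoding.strip().lower()
    if enc == "gzip" or raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        return gzip.decompress(raw)
    if enc == "deflate":
        try:
            return zlib.decompress(raw)                   # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(raw, -zlib.MAX_WBITS)  # raw deflate stream
    return raw                                            # identity: already cleartext

def recover_html(dump: str, content_encoding: str = "") -> str:
    return decode_body(hexdump_to_bytes(dump), content_encoding).decode("utf-8", "replace")

def to_about_cache_dump(raw: bytes, width: int = 16) -> str:
    """Render bytes in the assumed dump layout; used here only to build sample input."""
    lines = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}:  {hexpart:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)

# Constructed sample: a gzip-compressed body as the cache entry page would show it.
SAMPLE_HTML = b"<html><body><h1>removed site</h1><p>deadbeef cafe</p></body></html>"
SAMPLE_DUMP = to_about_cache_dump(gzip.compress(SAMPLE_HTML, mtime=0))
```

Header lines such as “fetch count: 1” that get pasted along with the body are ignored by the regex, so the whole entry page can be fed in.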
This neat little workflow allowed me to extract the HTML body of a removed website, investigate it further and share my findings.
It also seems that Google has recently removed their cache interface in Google Chrome:
https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/YNct7Nk6bd8
Chrome still caches on disk (/Users/XXXX/Library/Caches/Google/Chrome/Default/Cache), but without a UI it is hard to navigate the cache and find the right resource.
One more reason to keep Firefox as my investigation browser for incidents and analysis.
I was ecstatic when I found this, but the CyberChef doesn’t work at all. It always gives me errors, with the recipe and without.
Make “network.http.accept-encoding” empty in the about:config to avoid content compression.