2

I want to know if it's possible to recover HTML web form data from MS IE11.

The 4 scenarios that I'm interested in, are:

  1. when you've closed IE11's process (iexplore.exe (*32)), but have not restarted or shutdown then booted your PC;

  2. when you've closed IE11's process and have restarted or shutdown then booted your PC;

  3. when you've closed IE11's process and have restarted or shutdown then booted your PC, but Windows has updated itself (or Windows has automatically updated only IE11) upon restarting itself/starting;

  4. when IE11's process is still running, i.e. you haven't killed it (but it might be lagging or frozen/unresponsive...) and you (obviously...) haven't restarted or shutdown then booted your PC.

To cut a long story short, a few days ago I accidentally had both IE11 (v11.0.9600.18124) and Mozilla Firefox (v40.0.3) opened, and I had the same e-shop webpage opened on both of them. I was logged into my account in that e-shop and the webpage in question had an HTML form (purpose: 'Send message' to seller) and was (I think) served as https://.

I had to be away from the keyboard (AFK) for a while, and when I went back to my PC, I accidentally started writing the message in IE11 rather than in Mozilla Firefox. I noticed that too late and by that time, IE11 had already frozen for some reason, so I had to kill its process.

Is it possible to somehow recover the text of that HTML web form, or is it hopeless? And, theoretically speaking, would it have been possible to recover it if the webpage was http:// and not https:// (though it's dead obvious that no self-respecting e-shop should ever use http:// instead of the more secure https://)? My particular scenario is like the one in scenario number 2 above.

I have Lazarus: Form Recovery (at addons.mozilla.org) (now abandoned, but it still works in my version of Firefox) installed in Firefox and that saves me in such cases, but this time, the problem is with IE11. So, please don't advise me to ditch IE11 completely, I keep IE11 installed just because I sometimes have to test websites under it...

So far, I've found some clues for possible text form data recovery only for the 4th scenario mentioned above, see http://benpiper.com/2011/11/how-to-recover-a-lost-form-in-internet-explorer-or-firefox-without-any-add-ons-or-pre-installed-utilities/ (basically, it's about downloading and installing HxD Hex Editor and dumping the RAM of the iexplore.exe process and then analyzing it for string matches; backup of that same webpage on archive.is, in case that particular webpage goes down: https://archive.is/Q4SSB).

As a side note, if it's not possible to recover any of my data, I'd like to see some ways to avoid this problem in the future (for IE11), like some sort of Lazarus-like add-on for IE11, or some cross-browser bookmarklet with this functionality (= saving (backup & recovery of) HTML text web form data, e.g. at specified second intervals, etc.) that works in IE11, or even a .bat batch script, anything, except for keyloggers.

2
  • 1
    Was the message to your seller longer than this question you typed out on Superuser? (Time management question). I lose long messages sometimes due to bad internet connection, I would suggest retyping it, because recovering data off RAM would take 100 times longer. Commented Feb 3, 2016 at 2:35
  • @AaronGillion, The message was longer, I think. Even though your comment makes perfect sense, it doesn't answer the question that I asked, which is about whether or not HTML form data recovery from IE11 is possible, how to achieve it, and/or how to avoid it in the future via installing add-ons/etc. I wouldn't be asking this if retyping the lost message was trivial.
    – sahwar
    Commented Feb 3, 2016 at 2:42

1 Answer

1

You may be able to recover form data in any browser by using forensic RAM dump software.

Quoted from Magnet Forensics:

Since the memory collected by the utility is stored in a raw data format, it can be analyzed by most memory analysis and forensic tools including IEF, Volatility, and Mandiant Redline.

To answer your scenarios:

  1. Recoverable
  2. Probably, as long as the computer hasn't been unplugged or turned off for more than 10 minutes
  3. Probably, as long as the computer hasn't been unplugged or turned off for more than 10 minutes
  4. Absolutely recoverable

The 10-minute rule for RAM recovery is best explained by a user on Security Stack Exchange.

Hope this helps

2
  • Unfortunately, in my case (scenario number 2) I had the PC turned off for WAY more than 10 minutes... But your answer is very good. Related questions: 1. Why is there such a 'no more than 10 minutes after unplugging/powering off/restarting' limit, i.e. what causes such a limit? 2. Will it work for non-ASCII (i.e. Unicode) text in the lost forms? 3. And to finish this matter, how do I decide which iexplore.exe process I should dump as RAM (since there are many iexplore.exe for each opened tab) or is RAM dumping done en-masse, i.e. the whole RAM gets dumped? Thanks in advance.
    – sahwar
    Commented Feb 7, 2016 at 21:12
  • 1
    The whole entire RAM gets dumped. That's why forensic companies provide additional software for one to decode a dump like that. Yes, RAM dumping will recover non-ASCII text. 10 minute rule pulled from here Commented Feb 11, 2016 at 16:25
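
The string-match step discussed in this thread, as an added example that is not part of the original posts: it searches a raw dump for a phrase you remember typing and returns the readable text around each hit. It assumes the text may be held as UTF-8 or UTF-16LE (the native Windows wide-string encoding), which is also why non-ASCII messages need both searches; the sample message and dump bytes are constructed.

```python
import re

# Assumption (not from the page): form text may sit in memory as UTF-8 or as
# UTF-16LE, the native Windows wide-string encoding, so both are searched.
ENCODINGS = ("utf-8", "utf-16-le")
SAMPLE_MSG = "Order item #4711: моля, изпратете до петък."  # constructed text


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw memory image (not real dump data)."""
    return (b"\x00" * 33 + SAMPLE_MSG.encode("utf-16-le") + b"\x00" * 32
            + b"msg=" + SAMPLE_MSG.encode("utf-8") + b"\x00" * 16)


def _readable(ch: str) -> bool:
    return (ch.isprintable() and ch != "\ufffd") or ch in "\r\n\t"


def find_fragments(dump: bytes, keyword: str, context: int = 400):
    """Return (offset, encoding, text) for every hit of keyword in the dump."""
    hits = []
    for enc in ENCODINGS:
        needle = keyword.encode(enc)
        for m in re.finditer(re.escape(needle), dump):
            start = max(0, m.start() - context)
            end = min(len(dump), m.end() + context)
            if enc == "utf-16-le":
                # Keep the window on the hit's 2-byte alignment, otherwise
                # every character around it decodes as garbage.
                start += (m.start() - start) % 2
                end -= (end - m.end()) % 2
            before = dump[start:m.start()].decode(enc, errors="replace")
            after = dump[m.end():end].decode(enc, errors="replace")
            # Grow outwards from the keyword while the text stays readable.
            lo = len(before)
            while lo > 0 and _readable(before[lo - 1]):
                lo -= 1
            hi = 0
            while hi < len(after) and _readable(after[hi]):
                hi += 1
            hits.append((m.start(), enc, before[lo:] + keyword + after[:hi]))
    return hits


if __name__ == "__main__":
    for offset, enc, text in find_fragments(build_sample_dump(), "item #4711"):
        print(f"0x{offset:08x} [{enc}] {text}")
```

For a multi-gigabyte image, open the file with `mmap` and pass the mapping in place of `dump`, since `re.finditer` accepts it directly.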
