Save, save, save – or use DD

The golden rule when doing any work on a computer is Save your work. Save early and save often! Yet even as a self-described computer guru and security guy, I still forget to save my work at times. Luckily, I was editing only text and had some common GNU/Linux utilities available to save me the frustration of doing the work all over again!

It was shortly after midnight, and I was up writing a quick page on my wiki about planning what to run on the website. Time passed quickly and I had now been working on it for nearly 1/2 hour, but it was not quite finished yet and I didn’t want to “save” it until I was done. The “just save it” thought came into my head (thanks God), yet I dismissed it thinking “what could go wrong? I’m just adding text”.

Just then I clicked a link to check out a genealogy website to leave a comment about it on the page – and suddenly my browser crashed! All (half-dozen, each with 2-10 tabs open) of my Firefox windows disappeared. (Note: I had just upgraded to a newer version of Firefox a few hours earlier, but had not yet restarted Firefox all day, so it was a little flaky.) After the initial shock wore off… I thought I must find this data. Rewriting was not an option, at least for that night.

Now I was only constantly “previewing” the text of the webpage I was writing, and this involved sending a POST/GET to the site with my text. I thought at first… maybe in some local cache. I did a grep -R wiesefam ~/.mozilla/ but only found the URL addresses of my related activity. My next thought was to immediately check my RAM (/dev/mem) while I had still done minimal activity (did not even restart Firefox yet), and the history feature in there would be worthless anyway.

So, as root I did a dd if=/dev/mem of=mem.dd bs=512 and strings mem.dd > mem.str dance to see what was in memory that I could use. I opened mem.str in vim and searched for wiesefam. Searching for this case-sensitive, I only found the URL-encoded (not sure of proper term) version of my text, where spaces are “+” and equal signs are apparently “%3D”. (This is shown on the left in the screenshot.) I used these key characters to find other fragments of text, but the jackpot was in searching for “Note:” which was encoded as “Note%3A” in what I was looking at. By doing this, I found my entire text — just as I had written it — ready for me to copy and paste back onto my wiki website. (This is shown on the right in the screenshot.) The screenshot below shows my Eureka! moment. =)

dd of /dev/mem saves the day!
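The manual search described above can be scripted. This is an added example, not code from the original post: it scans a raw dump such as mem.dd for form-encoded values ("+" for space, %XX escapes), decodes them, and returns the ones containing a marker such as "Note:". The function name recover_form_text and the sample bytes are constructed for illustration.

```python
import mmap
import re
import sys
from urllib.parse import unquote_plus

# One unit of an application/x-www-form-urlencoded value: an unreserved
# byte, '+' (space), or a %XX escape. Raw '=' and '&' separate fields,
# so they end a run and each match is a single field name or value.
UNIT = rb"(?:[A-Za-z0-9+._~*-]|%[0-9A-Fa-f]{2})"

# Constructed sample: two full copies of a preview POST, one truncated copy, noise.
SAMPLE_DUMP = (
    b"\x00\x10POST /wiki/Plan HTTP/1.1\r\n\x00\xff"
    b"title=Plan&text=Note%3A+run+the+wiki+first%2C+then+mail.%0Ax+%3D+1&preview=1\x00"
    b"\x7fELF\x00\x00Note%3A+run+the+wiki+first%2C\x00\x00"
    b"text=Note%3A+run+the+wiki+first%2C+then+mail.%0Ax+%3D+1\x00"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
)


def recover_form_text(dump, marker, min_units=20):
    """Return decoded form values in `dump` that contain `marker`, longest first."""
    runs = re.compile(UNIT + rb"{%d,}" % min_units)
    found = set()
    for match in runs.finditer(dump):
        text = unquote_plus(match.group().decode("ascii"))
        if marker in text:
            found.add(text)  # every preview leaves a copy in RAM; keep one
    return sorted(found, key=lambda t: (-len(t), t))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: recover.py mem.dd "Note:"
        with open(sys.argv[1], "rb") as fh:
            dump = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            hits = recover_form_text(dump, sys.argv[2])
    else:
        hits = recover_form_text(SAMPLE_DUMP, "Note:")
    for hit in hits:
        print(hit, end="\n---\n")
```

On kernels built with CONFIG_STRICT_DEVMEM, reads of /dev/mem are restricted, so the dump may have to come from another acquisition method. The dump and the strings output hold whatever else was in RAM at the time, so keep them readable by root only and delete them once the text is recovered.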

One Response to “Save, save, save – or use DD”

  1. otinia Says:

    Cool and fun! Nice hack!
