Firefox will automatically restore your sessions after software updates, restart or the browser crashed unexpectedly. Session restore information are stored in a file named “sessionrestore.js” in the user’s Firefox profile. A backup of the session restore file is named “sessionrestore.bak”. This folder contain the details of the website visited, and other information such as open tabs, typed-text in forms and windows size require to be restore when Firefox is restarts. Web Browser Session Restore Forensics is a writeup detailing session restore forensics on Firefox and other browsers.
Firefox’s session restore information can be extracted from the users’ Firefox profile or by craving out from the seized evidence. The information are stored in JSON data structure. The information extracted can then be read using a JSON file editor. The tool of my choice is Allan S Hay’s JSON Viewer. Below is an example of a Session Restore information:
The time value 1291963762473 is the date/time stamp of the saved session in Firefox. The time can be decode in DCode, using “Unix: Millisecond Value”
Other information could be determined at the time of the crash including number of Firefox’s Windows and Tabs saved in the session. In my example, there is one window opened and 3 tabs in the Windows.
Another tool that can be used to parse Firefox session restore data is a command line by Mark Woan called firefoxsessionstoreextractor: