Webmail forensics


CFEx
Senior Member
 

Webmail forensics

Post Posted: Feb 11, 10 23:42

Has anyone been successful with converting webmail, found in the cache, into a more readable format?

In Windows XP, C:\Documents and Settings\username\Temporary Internet Files\Content.IE5 may contain several folders which may have webmail that was cached by the browser - for example, "mail[1]" and "mail[1].htm".

Even EnCase Forensics can't convert the encodings (had a demo from them about two weeks ago and asked the question).  
 
  

Patrick4n6
Senior Member
 

Re: Webmail forensics

Post Posted: Feb 12, 10 00:22

Have you tried carving out the files and looking at them in various web browsers? Between MSIE and Firefox I can view most things. I've had some deleted file recovery stuff where I got a partial file and had to manually add in some HTML tags to get it to display. If you're missing the start of the file, simply adding <html> and <body> can get you started. Otherwise you need to manually inspect the close tags and insert the appropriate opening tags.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
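
The manual repair described in the post above (inspect the close tags, insert the matching opening tags), sketched as an added example that is not part of the thread or any poster's tool. It assumes the carved fragment lost its start somewhere inside the page body; the class and function names and the sample fragment are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that never take a closing tag, so they are never "missing an opener".
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class OrphanCloseFinder(HTMLParser):
    """Collects closing tags whose opening tag is not in the fragment."""
    def __init__(self):
        super().__init__()
        self.stack = []    # tags opened inside the fragment and not yet closed
        self.seen = set()  # every start tag that survived in the fragment
        self.orphans = []  # unmatched closing tags, in document order

    def handle_starttag(self, tag, attrs):
        self.seen.add(tag)
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.seen.add(tag)  # <br/> style: nothing to balance

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag in self.stack:
            # Pop through the matching opener; tolerates unclosed inner tags.
            while self.stack.pop() != tag:
                pass
        else:
            self.orphans.append(tag)

def missing_openers(fragment):
    """Opening tags to prepend, outermost first."""
    finder = OrphanCloseFinder()
    finder.feed(fragment)
    finder.close()
    # The first orphan met is the innermost element, so reverse the list.
    inner = [t for t in reversed(finder.orphans) if t not in ("html", "body")]
    wrapper = [t for t in ("html", "body") if t not in finder.seen]
    return wrapper + inner

def repair(fragment):
    """Return a repaired copy; the carved original is never modified."""
    return "".join(f"<{t}>" for t in missing_openers(fragment)) + fragment

# Constructed sample: tail of a cached page whose first sectors were lost.
SAMPLE = "<b>Hi Bob</b>,<br>see you at 5</td></tr></table></div></body></html>"
```

Calling repair(SAMPLE) prepends <html><body><div><table><tr><td> to the fragment. Attributes of the lost opening tags cannot be recovered, so the result is a viewing aid for a working copy, not a reconstruction of the original page.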
 
  

CFEx
Senior Member
 

Re: Webmail forensics

Post Posted: Feb 12, 10 02:12

I haven't tried carving out the files. The use of JSON to format Gmail has existed for quite a while, so I was hoping for a more automated way to read the cached webmail.

I'll give that a try.

By the way, did several searches before my posting, and there is not much out there.  
 
  

woany
Member
 

Re: Webmail forensics

Post Posted: Feb 12, 10 14:24

Not entirely sure of the format of the files you have identified, but you could try my gmailparser tool. It's command line (requires .Net 3.5) but works on all files within a directory.

www.woanware.co.uk/gmailparser/  
 
  

binarybod
Senior Member
 

Re: Webmail forensics

Post Posted: Feb 12, 10 16:33

CFEx,

Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.

Paul  
 
  

digintel
Senior Member
 

Re: Webmail forensics

Post Posted: Feb 12, 10 23:02

Yep, another happy Cacheback user here. A good example of an application that only does one thing, but does it well. It cannot reconstruct all pages, but I have yet to find an application that performs better than Cacheback.

Roland

- binarybod
CFEx,

Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.

Paul
 
 
  

KPryor
Senior Member
 

Re: Webmail forensics

Post Posted: Feb 16, 10 04:08

Add me to the happy users of Cacheback. It's expensive, but does a fantastic job and is quite easy to use too.
KP  
 
