±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36783
New Yesterday: 0 Visitors: 153

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Gmail Forensics - Help !

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Webbie
Member
 

Gmail Forensics - Help !

Post Posted: Apr 09, 06 15:59

I am currently examining a drive (Windows XP) where the user is a google mail subscriber. Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?) . Also are there files cached to the local machine (except for the pagefile.sys/hybernation files etc) similar to hotmails 'getmsg','compose' etc and yahoos 'showletter',compose etc so I can reconstruct the emails sent/recieved as you can in other web based clients? . Any help on Gmail would be greatly appreciated.  
 
  

keydet89
Senior Member
 

Re: Gmail Forensics - Help !

Post Posted: Apr 09, 06 16:21

"Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?)"

Sure. If the suspect used IE to connect to GMail, and had AutoCompletion enabled, this information is stored in Protected Storage. This is an area of the Registry maintained in the NTUSER.DAT file for that user.

"Also are there files cached to the local machine..."

Not that I've seen. I've been using GMail recently and haven't seen anything like this.

Is there any evidence that this person is using the GMail Drive?

Harlan  
 
  

Webbie
Member
 

Re: Gmail Forensics - Help !

Post Posted: Apr 09, 06 16:54

Thanks for the prompt reply, the suspect is using IE and I will go looking in the protected storage. Thankyou.

I do not believe the user is using the Gmail Drive, but not sure of this, How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?
_________________
Paul Webb 
 
  

keydet89
Senior Member
 

Re: Gmail Forensics - Help !

Post Posted: Apr 09, 06 17:50

"How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?"

That's what Google is for, my friend...

windowsir.blogspot.com...rints.html  
 
  

Webbie
Member
 

Re: Gmail Forensics - Help !

Post Posted: Apr 09, 06 19:02

Point taken, Embarassed

I followed your link, very helpful, I shall try this myself, I actually use as a refrence your registry spreadsheet and the info supplied in your blog will be added to my own little list of 'cheat sheets' !!
Thankyou very much for all your help.  
 

Page 1 of 1