Gmail Forensics - H...
 
Notifications
Clear all

Gmail Forensics - Help !

5 Posts
2 Users
0 Likes
629 Views
Webbie
(@webbie)
Posts: 29
Eminent Member
Topic starter
 

I am currently examining a drive (Windows XP) where the user is a google mail subscriber. Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?) . Also are there files cached to the local machine (except for the pagefile.sys/hybernation files etc) similar to hotmails 'getmsg','compose' etc and yahoos 'showletter',compose etc so I can reconstruct the emails sent/recieved as you can in other web based clients? . Any help on Gmail would be greatly appreciated.

 
Posted : 09/04/2006 3:59 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?)"

Sure. If the suspect used IE to connect to GMail, and had AutoCompletion enabled, this information is stored in Protected Storage. This is an area of the Registry maintained in the NTUSER.DAT file for that user.

"Also are there files cached to the local machine…"

Not that I've seen. I've been using GMail recently and haven't seen anything like this.

Is there any evidence that this person is using the GMail Drive?

Harlan

 
Posted : 09/04/2006 4:21 pm
Webbie
(@webbie)
Posts: 29
Eminent Member
Topic starter
 

Thanks for the prompt reply, the suspect is using IE and I will go looking in the protected storage. Thankyou.

I do not believe the user is using the Gmail Drive, but not sure of this, How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?

 
Posted : 09/04/2006 4:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?"

That's what Google is for, my friend…

http//windowsir.blogspot.com/2005/04/gmail-drive-footprints.html

 
Posted : 09/04/2006 5:50 pm
Webbie
(@webbie)
Posts: 29
Eminent Member
Topic starter
 

Point taken, oops

I followed your link, very helpful, I shall try this myself, I actually use as a refrence your registry spreadsheet and the info supplied in your blog will be added to my own little list of 'cheat sheets' !!
Thankyou very much for all your help.

 
Posted : 09/04/2006 7:02 pm
Share: