Locating Gmail traces

Stamitz
Member
 

Locating Gmail traces

Posted: Jan 09, 08 17:35

With EnCase v6 it's possible to search webmail like Hotmail etc., but Gmail is not in the list. Is it possible to search for traces of Gmail webmail? Are there any HTML strings I can look for (like: ...gmail?inbox...)?

Thanks,

Stamitz  
 
  

keydet89
Senior Member
 

Re: Locating Gmail traces

Posted: Jan 09, 08 18:48

With this sort of thing, it's not about the tool used, it's about the examiner.

I've used ProDiscover and its ability to parse the web browser history to find remnants of Gmail activity, including attachments that were sent from the system.
 
  

Stamitz
Member
 

Re: Locating Gmail traces

Posted: Jan 09, 08 19:21

Can you tell me if you have found any unique 'strings' with regard to Gmail? If so, I can use them to search in my image.
 
  

keydet89
Senior Member
 

Re: Locating Gmail traces

Posted: Jan 09, 08 19:35

- Stamitz
Can you tell me if you have found any unique 'strings' with regard to Gmail? If so, I can use them to search in my image.


You mean like "gmail"?  
 
  

Stamitz
Member
 

Re: Locating Gmail traces

Posted: Jan 09, 08 20:00

I mean like:

gmail?search=inbox&
gmail?search=starred&
gmail?view=cl&search=contacts&

etc. These are old ones (I think), because they don't work... So, if there are any good strings I can use, that would be great.
 
  

Stamitz
Member
 

Re: Locating Gmail traces

Posted: Jan 23, 08 19:02

Okay, because nobody has replied for two weeks I guess there are no strings to be found and all webmail is cached server-side.

Thanks,

Stamitz  
 
  

Buster
Member
 

Re: Locating Gmail traces

Posted: Jan 24, 08 15:02

Stamitz

Apologies for not posting sooner but I have been testing this area (in relation to Windows machines) myself and wanted to (mostly) finish before I posted.

Further apologies for the width of this post! I could not trim it down anymore whilst maintaining readability.

The short answer is I have found very few entries relating to artefacts left behind by "gmail" within the usual Windows internet history data, although I have found some tidbits that may be of use.

I have been concentrating on the Cookies and Temporary Internet folders, specifically the main "index.dat" file for the latter. I have found that the only information I was able to recover was the "gmail" address used and some connection data from the "index.dat" along with some references to "gmail" from the Cookies folder. Interestingly, the strings "gmail" and "googlemail" produce differing results when used with grep to search the output.

Basically, the process I used was to copy the "Cookies" folder and the "index.dat" file to my Linux box. I then used galleta to carve the "Cookies" folder data into a text file and used pasco to conduct a similar exercise on the "index.dat". I then used a variety of grep searches to search the txt files for relevant strings.

Some of the output is shown below:

This section shows extracts from the "index.dat":

Code:
<user>@<host>:~/case_work/testing/temp_internet$ cat index.txt | grep gmail
<user>@<host>:~/case_work/testing/temp_internet$ cat index.txt | grep googlemail
URL     Visited: <user>@http://mail.google.com/mail/?account_id=<username>%40googlemail.com&nsr=1&auth=<very long auth key in plain text>&gausr=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl        Thu Dec 27 15:05:26 2007    Thu Dec 27 15:05:26 2007        URL
URL     Visited: <user>@http://mail.google.com/mail/?account_id=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl     Thu Dec 27 16:53:33 2007        Thu Dec 27 16:53:33 2007        URL
<user>@<host>:~/case_work/testing/temp_internet$ cat index.txt | grep <username>
URL     Visited: <user>@http://picasaweb.google.com/<username>/<blog title>?authkey=********   Thu Dec 27 16:53:01 2007        Thu Dec 27 16:53:01 2007        URL
URL     Visited: <user>@http://picasaweb.google.com/data/feed/base/user/<username>/albumid/5130838866650960145?kind=photo&alt=rss&authkey=**********k&hl=en_US   Thu Dec 27 16:52:45 2007        Thu Dec 27 16:52:45 2007    URL
URL     Visited: <user>@http://mail.google.com/mail/?account_id=<username>1%40googlemail.com&nsr=1&auth=<very long auth key in plain text>=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl        Thu Dec 27 15:05:26 2007    Thu Dec 27 15:05:26 2007        URL
URL     Visited: <user>@http://mail.google.com/mail/?account_id=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl     Thu Dec 27 16:53:33 2007        Thu Dec 27 16:53:33 2007        URL

I have sanitized the data so <username> represents the first part of the email address, <blog title> represents the blog name associated with the gmail account and <very long auth key> replaces a plain text, apparently randomly generated string of numbers and letters. You can see that the grep string gmail revealed no hits whilst googlemail produced the rest.

Code:
googlemail.com&<qq>=1e1n3rjvl4bzl

This entry is interesting: it appears to be the first two letters of the account password in plain text (sanitized to qq) followed by the rest under some sort of encryption.

These entries are from the Cookies output.

Code:
<user>@<host>:~/case_work/testing/cookies$ cat galleta_output | grep googlemail

mail.google.com/mail    gmailchat       <username>@googlemail.com/676823      10/10/2007 12:01:07     10/03/2012 12:01:07     1600

<#>www.google.com/accounts GAUSR   mail:<username>@googlemail.com        01/21/2008 11:22:15     01/18/2018 11:22:12     1537

<user>@<host>:~/case_work/testing/cookies$ cat galleta_output | grep gmail
mail.google.com/mail    gmailchat       <username>@googlemail.com/676823      10/10/2007 12:01:07     10/03/2012 12:01:07     1600

I still have a bit more work to do on these, and other Windows files concerning gmail but I hope this helps you a little.

I will be writing up both the full process used (including some (very) basic bash and perl scripts that I wrote to automate some of this) and the results obtained on my blog before too much longer.

Buster  
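As an added example (not Buster's scripts, nor any project's code), a small Python pass over pasco and galleta output that selects Gmail history entries by the mail.google.com host instead of by the substring "gmail" (which is why the grep for "gmail" above missed entries written as googlemail.com), pulls the account name out of the account_id/gausr parameters, and flags visits whose URL carries a plaintext auth= token. The sample lines are constructed, modelled on the sanitised output in the post; the tab-separated column layout is an assumption.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample of pasco output for index.dat (assumed tab-separated: type, URL,
# modified, accessed, filename), modelled on the sanitised lines in the post above.
PASCO_SAMPLE = (
    "URL\tVisited: jdoe@http://mail.google.com/mail/?account_id=jdoe%40googlemail.com"
    "&nsr=1&auth=AUTH-TOKEN-PLACEHOLDER&gausr=jdoe%40googlemail.com&zx=1e1n3rjvl4bzl"
    "\tThu Dec 27 15:05:26 2007\tThu Dec 27 15:05:26 2007\tURL\n"
    "URL\tVisited: jdoe@http://mail.google.com/mail/?account_id=jdoe%40googlemail.com"
    "&zx=1e1n3rjvl4bzl\tThu Dec 27 16:53:33 2007\tThu Dec 27 16:53:33 2007\tURL\n"
    "URL\tVisited: jdoe@http://www.example.org/\tThu Dec 27 16:10:00 2007"
    "\tThu Dec 27 16:10:00 2007\tURL\n"
)
# Constructed sample of galleta output for the Cookies folder (site, name, value, ...).
GALLETA_SAMPLE = (
    "mail.google.com/mail\tgmailchat\tjdoe@googlemail.com/676823\t10/10/2007 12:01:07"
    "\t10/03/2012 12:01:07\t1600\n"
    "www.google.com/accounts\tGAUSR\tmail:jdoe@googlemail.com\t01/21/2008 11:22:15"
    "\t01/18/2018 11:22:12\t1537\n"
)
ACCOUNT_RE = re.compile(r"[\w.+-]+@(?:gmail|googlemail)\.com")

def google_mail_history(pasco_text):
    """Gmail visits from pasco output, selected by URL host, not by the text 'gmail'."""
    hits = []
    for line in pasco_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 4 or not cols[1].startswith("Visited: "):
            continue
        # pasco prefixes the URL with the Windows user name: "Visited: user@http://..."
        url = cols[1][len("Visited: "):].partition("@")[2]
        parts = urlsplit(url)
        if parts.hostname != "mail.google.com":
            continue
        q = parse_qs(parts.query)        # parse_qs also %-decodes, so %40 becomes @
        account = (q.get("account_id") or q.get("gausr") or [None])[0]
        hits.append({"account": account, "accessed": cols[3],
                     # a plaintext session credential in history: redact it in reports
                     "has_auth_token": "auth" in q})
    return hits

def google_mail_cookies(galleta_text):
    """Account names from galleta cookie output, via the gmailchat and GAUSR cookies."""
    found = []
    for line in galleta_text.splitlines():
        cols = line.split("\t")
        m = ACCOUNT_RE.search(cols[2]) if len(cols) > 2 else None
        if m and cols[1] in ("gmailchat", "GAUSR"):
            found.append({"site": cols[0], "cookie": cols[1], "account": m.group(0)})
    return found
```

Run against real pasco/galleta output the same way, feeding the file contents to each function; only the two Google Mail hosts/cookies above are matched, so other googlemail.com references still need the plain grep.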
 
