Gmail browser options

jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

All,

What options does one have to recover Gmail artifacts if it was a browser login? I’ve carved out files from a memory dump, but I haven’t found any webmail-related artifacts. I’ve seen several accesses to Gmail, but I’m unable to find anything useful in the image. Does anyone recommend any tools that may be able to rebuild from cache files? EnCase isn’t showing me much, and I may be at a dead end.

Thanks!

 
Posted : 05/05/2018 5:41 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

AXIOM, Belkasoft can recover Gmail artifacts.

 
Posted : 05/05/2018 8:10 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Thanks! I’ll take a look to see if they have a demo.

 
Posted : 05/05/2018 9:13 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

It appears that Axiom wants to be licensed even though it let me download it. Belkasoft installed, but refuses to license under a VM. I installed it on a physical machine and imported the E01 file into it and let it run. It found the activity, but it doesn't appear to have cached anything related to Gmail. Any other suggestions? I'm still waiting for Magnet to get back in touch with me for IEF. I'm not sure if it will help or not…

Thanks!

 
Posted : 07/05/2018 2:12 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I think you face a "private browsing" issue, that is why you find no artifacts.

 
Posted : 07/05/2018 2:42 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

> I think you face a "private browsing" issue, that is why you find no artifacts.

Thanks! I have history though, so I'm not sure this is the issue. If it were, is there a registry entry that can confirm it was in incognito mode?

 
Posted : 07/05/2018 3:03 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Not really, the purpose of private browsing is to leave no trails after the browser shuts down.

 
Posted : 07/05/2018 3:05 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

> Not really, the purpose of private browsing is to leave no trails after the browser shuts down.

Right. So seeing as how I have history, I don't think this is a private browsing issue. Do you know of any applications that can recover Gmail artifacts (cached screenshots) whether paid or open source?

 
Posted : 07/05/2018 3:12 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Did you already try Belkasoft Evidence Center to look for everything (not the Browser tree only) with the carving option enabled?!

 
Posted : 07/05/2018 3:18 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Yes, but it's still chugging along on the image. I have a memory dump from the box as well, but I haven't run it on that yet. I'll start that after this completes. Everything Belkasoft has found shows the URL, but the image isn't cached for anything mail.google.com-related. I didn't enable file carving for the image I'm running against now. I carved the memory dump over the weekend with scalpel, but it provided me with nothing but a bunch of images not related to Gmail.

 
Posted : 07/05/2018 3:50 pm