All,
What options does one have to recover Gmail artifacts if it was a browser login? I've carved out files from a memory dump, but I haven't found any webmail-related artifacts. I've seen several accesses to Gmail, but I am unable to find anything useful in the image. Does anyone recommend any tools that may be able to rebuild from cache files? EnCase isn't showing me much, and I may be at a dead end.
Thanks!
AXIOM, Belkasoft can recover Gmail artifacts.
Thanks! I’ll take a look to see if they have a demo.
It appears that Axiom wants to be licensed even though it let me download it. Belkasoft installed, but refuses to license under a VM. I installed it on a physical machine and imported the E01 file into it and let it run. It found the activity, but it doesn't appear to have cached anything related to Gmail. Any other suggestions? I'm still waiting for Magnet to get back in touch with me for IEF. I'm not sure if it will help or not…
Thanks!
I think you face a "private browsing" issue; that is why you find no artifacts.
Thanks! I have history though, so I'm not sure this is the issue. If it were, is there a registry entry that can confirm it was in incognito mode?
Not really; the purpose of private browsing is to leave no trails after the browser shuts down.
Right. So seeing as how I have history, I don't think this is a private browsing issue. Do you know of any applications that can recover Gmail artifacts (cached screenshots) whether paid or open source?
Did you already try Belkasoft Evidence Center to look for everything (not the Browser tree only) with the carving option enabled?!
Yes, but it's still chugging along on the image. I have a memory dump from the box as well, but I haven't run it on that yet. I'll start that after this completes. Everything Belkasoft has found shows the URL, but the image isn't cached for anything mail.google.com-related. I didn't enable file carving for the image I'm running against now. I carved the memory dump over the weekend with scalpel, but it provided me with nothing but a bunch of images not related to Gmail.