±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36231
New Yesterday: 0 Visitors: 203

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Gmail browser options

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

jblakley
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 15:12

- passcodeunlock
Not really, the purpose of the private browsing is to leave no trails after the browser shutdown.


Right. So seeing as how I have history, I don't think this is a private browsing issue. Do you know of any applications that can recover Gmail artifacts (cached screenshots) whether paid or open source?  
 
  

passcodeunlock
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 15:18

Did you try already Belkasoft Evidence Center to look for everything (not the Browser tree only) with carving option enabled ?!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

jblakley
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 15:50

Yes, but it's still chugging along on the image. I have a memory dump from the box as well, but I haven't run it on that yet. I'll start that after this completes. Everything Belkasoft has found shows the URL, but the image isn't cached for anything mail.google.com-related. I didn't enable file carving for the image I'm running against now. I carved the memory dump over the weekend with scalpel, but it provided me with nothing but a bunch of images not related to the Gmail.  
 
  

passcodeunlock
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 16:24

Sounds very interesting, scalpel usually works well.

Let us know if the Belkasoft Evidence Center results with carving enabled will differ from scalpel's carving results.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

mcman
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 17:18

You can get incognito and gmail from a memory dump if you have one. Not much will get stored on the disk, everything would be in memory, pagefile might be another option. Obviously anything in memory is time sensitive as you'll likely lose anything historical but it's worth trying.

For Gmail, you'll typically get the "Inbox view" instead of individual messages. Upside is you'll get a snippet of all the email messages, timestamp, sender, etc. in the inbox view, downside is it's only a snippet (first 255 characters) of the message. It's just how the browser data gets cached in memory. You'll likely need to get cloud access to get the full mailbox.

Send me an email if nobody is getting back to you about an IEF/AXIOM trial and I can help get you set up.

Jamie
Magnet Forensics
jamie.mcquaid @ magnetforensics.com  
 
  

jblakley
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 17:30

Thanks Jamie! I haven't heard anything from Magnet for the demo. I wanted to try IEF, but then I downloaded Axiom over the weekend. I submitted a trial for it this morning as well.

Thanks!  
 
  

jblakley
Senior Member
 

Re: Gmail browser options

Post Posted: May 07, 18 19:25

I'm processing the evidence in Axiom as we speak...thanks!  
 

Page 2 of 2
Page Previous  1, 2