Gmail browser options  

jblakley
(@jblakley)
Active Member

All,

What options does one have to recover Gmail artifacts if it was a browser login? I’ve carved out files from a memory dump, but I haven’t found any webmail-related artifacts. I’ve seen several accesses to Gmail, but I’m unable to find anything useful in the image. Does anyone recommend any tools that may be able to rebuild from cache files? EnCase isn’t showing me much, and I may be at a dead end.

Thanks!

Posted : 05/05/2018 6:41 pm
Igor_Michailov
(@igor_michailov)
Senior Member

AXIOM, Belkasoft can recover Gmail artifacts.

Posted : 05/05/2018 9:10 pm
jblakley
(@jblakley)
Active Member

Thanks! I’ll take a look to see if they have a demo.

Posted : 05/05/2018 10:13 pm
jblakley
(@jblakley)
Active Member

It appears that Axiom wants to be licensed even though it let me download it. Belkasoft installed, but refuses to license under a VM. I installed it on a physical machine and imported the E01 file into it and let it run. It found the activity, but it doesn't appear to have cached anything related to Gmail. Any other suggestions? I'm still waiting for Magnet to get back in touch with me for IEF. I'm not sure if it will help or not…

Thanks!

Posted : 07/05/2018 3:12 pm
passcodeunlock
(@passcodeunlock)
Senior Member

I think you face a "private browsing" issue, that is why you find no artifacts.

Posted : 07/05/2018 3:42 pm
jblakley
(@jblakley)
Active Member

> I think you face a "private browsing" issue, that is why you find no artifacts.

Thanks! I have history though, so I'm not sure this is the issue. If it were, is there a registry entry that can confirm it was in incognito mode?

Posted : 07/05/2018 4:03 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Not really, the purpose of the private browsing is to leave no trails after the browser shutdown.

Posted : 07/05/2018 4:05 pm
jblakley
(@jblakley)
Active Member

> Not really, the purpose of the private browsing is to leave no trails after the browser shutdown.

Right. So seeing as how I have history, I don't think this is a private browsing issue. Do you know of any applications that can recover Gmail artifacts (cached screenshots) whether paid or open source?

Posted : 07/05/2018 4:12 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Did you already try Belkasoft Evidence Center to look for everything (not the Browser tree only) with the carving option enabled?

Posted : 07/05/2018 4:18 pm
jblakley
(@jblakley)
Active Member

Yes, but it's still chugging along on the image. I have a memory dump from the box as well, but I haven't run it on that yet. I'll start that after this completes. Everything Belkasoft has found shows the URL, but the image isn't cached for anything mail.google.com-related. I didn't enable file carving for the image I'm running against now. I carved the memory dump over the weekend with scalpel, but it provided me with nothing but a bunch of images not related to Gmail.

Posted : 07/05/2018 4:50 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Sounds very interesting, scalpel usually works well.

Let us know if the Belkasoft Evidence Center results with carving enabled will differ from scalpel's carving results.

Posted : 07/05/2018 5:24 pm
mcman
(@mcman)
Active Member

You can get incognito and Gmail from a memory dump if you have one. Not much will get stored on the disk; everything would be in memory, and the pagefile might be another option. Obviously anything in memory is time sensitive, as you'll likely lose anything historical, but it's worth trying.

For Gmail, you'll typically get the "Inbox view" instead of individual messages. Upside is you'll get a snippet of all the email messages, timestamp, sender, etc. in the inbox view, downside is it's only a snippet (first 255 characters) of the message. It's just how the browser data gets cached in memory. You'll likely need to get cloud access to get the full mailbox.

Send me an email if nobody is getting back to you about an IEF/AXIOM trial and I can help get you set up.

Jamie
Magnet Forensics
jamie.mcquaid@magnetforensics.com

Posted : 07/05/2018 6:18 pm
jblakley
(@jblakley)
Active Member

Thanks Jamie! I haven't heard anything from Magnet for the demo. I wanted to try IEF, but then I downloaded Axiom over the weekend. I submitted a trial for it this morning as well.

Thanks!

Posted : 07/05/2018 6:30 pm
jblakley
(@jblakley)
Active Member

I'm processing the evidence in Axiom as we speak…thanks!

Posted : 07/05/2018 8:25 pm