GMail Drive footprints  

keydet89
(@keydet89)
Community Legend

I hope someone finds the following information
useful…

As a follow-up to my Registry key spreadsheet, I
wanted to take a look at the 'footprints' created on a
system by installing the GMail drive shell extension.
This is a nifty little tool that lets folks w/ GMail
accounts install a shell extension and use their
storage space like a drive. This could have some
interesting repercussions in cases.

The exemplar system in my testing is WinXP Pro, and
the testing tool is InControl5.

During installation of this shell extension, several
files are added to %WINDIR%\system32\ShellExt (i.e.,
GMailFS.*).

Registry entries that are added or updated include
(but are not limited to):

-> HKCU\Software\Niko Mak Computing\WinZip\filemenu (if user has WinZip and uses it to open the archive)

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip

-> HKLM\Software\Classes\.GMailFS (and GMailFS, w/o the preceding '.') (CLSID = {2B3453E4-49DF-11D3-8229-0080BE509050} and maps to the appropriate HKEY_CLASSES_ROOT subkeys on a live system, as well as under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ and HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

-> The CLSID can be found under HKLM\Software\Classes\CLSID, along with consecutive CLSIDs (i.e., ending in 51, 52, etc.) for various components.

-> The user's UserAssist (please refer to the spreadsheet) entries are updated, based on user activity.

Once a user logs into the Gmail drive, the
HKCU\Software\Viksoe.dk\GMailFS key is created, with
several values. "Auto Login" is set to 1 if the user
chooses autologin at the initial GUI. Also, several
text files (C:\gmail_*.txt) are created.

Approximate installation dates can be determined by
retrieving the LastWrite times from the Registry keys
listed above.

Thanks. Please feel free to direct any
comments/questions to the list, or to me directly.

——————————————
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
——————————————

Posted : 27/04/2005 8:59 pm
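An added example (not code from the post or from the GMail Drive project) that turns the key list above into a check an examiner can run on a live system: it opens each indicator key, pulls its LastWrite time via winreg.QueryInfoKey, flags the "Auto Login" value, and estimates the install date from the GMailFS-specific keys only, since LastWrite on a shared key such as Shell Extensions\Approved reflects whatever software touched it last. The key paths and CLSID are the ones the post lists; the live lookup assumes Python 3 on Windows (the winreg module) and assumes "Auto Login" is stored as the integer 1 the post describes. The conversion and reporting functions take an injectable query function, so they also run off-Windows against a stand-in.

```python
"""Audit a Windows system for the GMail Drive registry footprints described
above and report each key's LastWrite time (approximate install/first-use dates).

Added example, not code from the original post. Key paths and the CLSID are
the ones the post lists. The live check needs Python 3 on Windows (winreg);
the conversion/reporting functions are pure Python and take an injectable
query function, so they can be exercised with a stand-in on any platform.
"""
from datetime import datetime, timedelta, timezone

# FILETIME epoch (1601-01-01 UTC), counted in 100-nanosecond intervals.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 expressed as a FILETIME

GMAILFS_CLSID = "{2B3453E4-49DF-11D3-8229-0080BE509050}"  # CLSID from the post

# Indicator keys from the post: (hive, subkey). Keys whose path names GMailFS or
# its CLSID are specific to this extension; the others are shared with other
# software and only corroborate.
INDICATOR_KEYS = [
    ("HKLM", r"Software\Classes\.GMailFS"),
    ("HKLM", r"Software\Classes\GMailFS"),
    ("HKLM", r"Software\Classes\CLSID" + "\\" + GMAILFS_CLSID),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace" + "\\" + GMAILFS_CLSID),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"),
    ("HKCU", r"Software\Viksoe.dk\GMailFS"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip"),
]


def filetime_to_datetime(ft):
    """Convert a FILETIME (100-ns ticks since 1601, as winreg.QueryInfoKey returns it) to UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_gmailfs_specific(path):
    """True for keys only GMail Drive would create (named GMailFS or carrying its CLSID)."""
    return "GMailFS" in path or GMAILFS_CLSID in path


def live_query(hive, path):
    """Read a key from the live registry. Returns (values dict, LastWrite as a UTC
    datetime), or None if the key does not exist. Windows only (winreg)."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    # On 64-bit Windows a 32-bit Python is redirected to Wow6432Node for HKLM\Software;
    # OR winreg.KEY_WOW64_64KEY into the access mask to read the native view.
    try:
        key = winreg.OpenKey(root, path, 0, winreg.KEY_READ)
    except OSError:
        return None
    with key:
        _n_subkeys, n_values, last_write = winreg.QueryInfoKey(key)
        values = {}
        for i in range(n_values):
            name, data, _kind = winreg.EnumValue(key, i)
            values[name] = data
    return values, filetime_to_datetime(last_write)


def audit(query=live_query, keys=INDICATOR_KEYS):
    """Check every indicator key via `query`; return the findings ordered by LastWrite."""
    findings = []
    for hive, path in keys:
        result = query(hive, path)
        if result is None:
            continue
        values, last_write = result
        findings.append({
            "hive": hive,
            "path": path,
            "specific": is_gmailfs_specific(path),
            "last_write": last_write,
            # Post: "Auto Login" is 1 when the user chose autologin at the initial GUI
            # (assumed here to be stored as an integer value).
            "auto_login": values.get("Auto Login") == 1,
        })
    findings.sort(key=lambda f: f["last_write"])
    return findings


def install_estimate(findings):
    """Earliest LastWrite among GMailFS-specific keys. LastWrite is a key's most
    recent modification, so shared keys (the Shell Extensions Approved list, the
    RecentDocs entry) may have been rewritten by unrelated activity and are skipped."""
    times = [f["last_write"] for f in findings if f["specific"]]
    return min(times) if times else None


if __name__ == "__main__":
    found = audit()
    for f in found:
        flag = "  [Auto Login enabled]" if f["auto_login"] else ""
        print(f"{f['last_write']:%Y-%m-%d %H:%M:%S} UTC  {f['hive']}\\{f['path']}{flag}")
    est = install_estimate(found)
    print("Approximate install date:", est.strftime("%Y-%m-%d") if est else "no GMailFS keys present")
```

Run it as an administrator on the examined system (or point a stand-in query at exported hives) and read the list chronologically: the HKLM keys carry the install time, the HKCU\Software\Viksoe.dk\GMailFS key the first login, and a later LastWrite on a shared key is not evidence of either.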