I am currently examining a drive (Windows XP) where the user is a google mail subscriber. Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?) . Also are there files cached to the local machine (except for the
"Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?)"
Sure. If the suspect used IE to connect to GMail, and had AutoCompletion enabled, this information is stored in Protected Storage. This is an area of the Registry maintained in the NTUSER.DAT file for that user.
"Also are there files cached to the local machine…"
Not that I've seen. I've been using GMail recently and haven't seen anything like this.
Is there any evidence that this person is using the GMail Drive?
Harlan
Thanks for the prompt reply, the suspect is using IE and I will go looking in the protected storage. Thankyou.
I do not believe the user is using the Gmail Drive, but not sure of this, How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?
"How would I find out? As I understand the Gmail Drive, its a virtual drive or volume. Does it actually exist on the data on the HDD?"
That's what Google is for, my friend…
http//
Point taken, oops
I followed your link, very helpful, I shall try this myself, I actually use as a refrence your registry spreadsheet and the info supplied in your blog will be added to my own little list of 'cheat sheets' !!
Thankyou very much for all your help.