
Gmail Forensics - Help !  

Webbie
(@webbie)
Junior Member

I am currently examining a drive (Windows XP) where the user is a Google Mail subscriber. Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?). Also, are there files cached to the local machine (except for the pagefile.sys/hibernation files etc.) similar to Hotmail's 'getmsg', 'compose' etc. and Yahoo's 'showletter', 'compose' etc. so I can reconstruct the emails sent/received as you can in other web-based clients? Any help on Gmail would be greatly appreciated.

Posted : 09/04/2006 4:59 pm
keydet89
(@keydet89)
Community Legend

"Does anyone know where (if anywhere) the username/password is cached if saved by the user (Registry?, if so where?)"

Sure. If the suspect used IE to connect to GMail, and had AutoCompletion enabled, this information is stored in Protected Storage. This is an area of the Registry maintained in the NTUSER.DAT file for that user.

"Also are there files cached to the local machine…"

Not that I've seen. I've been using GMail recently and haven't seen anything like this.

Is there any evidence that this person is using the GMail Drive?

Harlan

Posted : 09/04/2006 5:21 pm
Webbie
(@webbie)
Junior Member

Thanks for the prompt reply. The suspect is using IE and I will go looking in the Protected Storage. Thank you.

I do not believe the user is using the Gmail Drive, but not sure of this. How would I find out? As I understand the Gmail Drive, it's a virtual drive or volume. Does it actually exist on the data on the HDD?

Posted : 09/04/2006 5:54 pm
keydet89
(@keydet89)
Community Legend

"How would I find out? As I understand the Gmail Drive, it's a virtual drive or volume. Does it actually exist on the data on the HDD?"

That's what Google is for, my friend…

http://windowsir.blogspot.com/2005/04/gmail-drive-footprints.html

Posted : 09/04/2006 6:50 pm
Webbie
(@webbie)
Junior Member

Point taken, oops.

I followed your link, very helpful. I shall try this myself. I actually use your registry spreadsheet as a reference, and the info supplied in your blog will be added to my own little list of 'cheat sheets'!!
Thank you very much for all your help.

Posted : 09/04/2006 8:02 pm