Morning or Evening depending where you are in the world!
I have been trying to get any IP addresses I can from gmail / hotmail. However, as all the activity is web based I'm kinda stuck and wondering if anybody knows of any tools (free if possible) that can help find this information, if it's available.
I basically need to try and put the user in a country they claim they were not in (but we know they were! 8) )
I've currently done the following:
IEF 6.1 - Recovered Gmail / Webmail snippets (but I can see there is more via EnCase, but it involves an epic session of manually carving it out!)
RegRipper - Recovered connection history, got the last connected dates, access type / SSID, MAC address, ran maclookup.pl (but that just references back to the equipment home, e.g. NETGEAR's home for the router, etc)
Did get an ibahn SSID, but that only shows it's a hotel (possibly), and ibahn cover over 3000 hotels across the world according to their website and, again, it locates back to their head office.
Couple of spurious IP addresses checked with whatsmyipaddress. One comes to a UK location, but not sure if it's the broadband home or an actual location used.
After searching here, woanware gmailparser seems like a good tool, but it's gone from their site and I can't find a copy anywhere.
I'm currently running the built-in EnCase IP address GREP search, with a day to go, 20,000 hits so far and shed loads of false positives (version numbers)
Does anybody know where else I could look for this info that's blindingly obvious and I'm missing it, or any tools as mentioned above that may help (gmail still needs to be carved out at some stage also, so a tool to ease the pain would be nice!)
Thanks.
My understanding is that Google does not insert the originating IP address in the header of Gmail emails.
If you can get the BSSID of the routers the device has connected to, you can try mapping it. https://
Thanks Bulldawg, kinda suspected as much, but was hoping for some glimmer of light.
I will look into the BSSID route, however there are a lot of connections to the internet happening via 3G dongles, so not sure if this will eliminate some of that.
Thanks again.
Similar to Bulldawg's suggestion, there is also wigle.net for Wifi Wardriving.
Aside from the keyword search for IP addresses (Using RegEx) - Is or was Skype installed on the hard drive? If so, check the shared.xml file for IP addresses. See the following page for more info, and a possible keyword to search for
http//
Kind Regards,
Minesh
As stated above, Gmail (contrary to most other mail servers) does not include the origin IP address in its header.
Which, for some people, is very useful….
A good tool for email header analysis can be found here http//
Hi 4Rensics,
Here is a keyword you can use to find a Gmail artifact containing the user's public IP address:
["la",
(just those 6 characters, Unicode checked if using EnCase, case sensitive)
If you can send any samples of the Gmail snippets IEF did not recover, I'd be happy to take a look at them and see if it's a new format that we don't yet support.
Good luck!
Jad
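
As an added example (not part of the original posts, and not how IEF or EnCase work internally), the Python below scans a raw carved dump for the `["la",` keyword in both single-byte and UTF-16LE form and reports public IPv4 addresses found shortly after it, which avoids the version-number false positives of a plain IP GREP. The layout of the data after the keyword, the 256-character window and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress
import re

MARKER = '["la",'  # keyword from the post above; matched case-sensitively
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Exactly four octets in 0-255, not part of a longer dotted/digit run, which
# drops version-style strings such as 10.0.19041.1 or 1.2.3.4.5.
IPV4 = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?!\d|\.\d)")


def find_gmail_ips(data: bytes, window: int = 256):
    """Return sorted (byte_offset_of_marker, encoding, ip) for public IPv4
    text found within `window` characters after MARKER (window is assumed)."""
    hits = set()
    for enc in ("latin-1", "utf-16-le"):  # "Unicode checked" = also UTF-16LE
        needle = MARKER.encode(enc)
        width = window * (2 if enc == "utf-16-le" else 1)
        pos = data.find(needle)
        while pos != -1:
            start = pos + len(needle)
            text = data[start:start + width].decode(enc, errors="ignore")
            for m in IPV4.finditer(text):
                # Keep only routable addresses; RFC 1918 and similar are
                # useless for placing a user in a country.
                if ipaddress.ip_address(m.group()).is_global:
                    hits.add((pos, enc, m.group()))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: a version string, an ASCII hit, a private address that
# must be ignored, and a UTF-16LE hit. None of this is real case data.
SAMPLE = (
    b"IEF 6.1.0.2 build;"
    + b'["la","81.2.69.142"]' + b"\x00" * 300
    + b'["la","192.168.1.10"]' + b"\x00" * 300
    + '["la","81.2.69.143"]'.encode("utf-16-le")
)

if __name__ == "__main__":
    for offset, enc, ip in find_gmail_ips(SAMPLE):
        print(f"offset {offset:#x} ({enc}): {ip}")
```

The reported offsets are byte offsets into the dump, so each hit can be revisited in the forensic tool to read the surrounding artifact.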