Webmail forensics

 CFEx
(@cfex)
Posts: 69
Trusted Member
Topic starter
 

Has anyone been successful with converting webmail, found in the cache, into a more readable format?

In Windows XP, C:\Documents and Settings\username\Temporary Internet Files\Content.IE5 may contain several folders which may have webmail that was cached by the browser - for example, "mail[1]" and "mail[1].htm".

Even EnCase Forensics can't convert the encodings (had a demo from them about two weeks ago and asked the question).

 
Posted : 11/02/2010 11:42 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

Have you tried carving out the files and looking at them in various web browsers? Between MSIE and Firefox I can view most things. I've had some deleted file recovery stuff where I got a partial file and had to manually add in some HTML tags to get it to display. If you're missing the start of the file, simply adding <html> and <body> can get you started. Otherwise you need to manually inspect the close tags and insert the appropriate opening tags.

 
Posted : 12/02/2010 12:22 am
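
The repair described in the post above (add <html> and <body>, otherwise inspect the close tags and insert the matching opening tags) can be scripted. The following is an added example, not part of the original thread or of any tool named in it; CloseTagAudit, repair_fragment and the sample fragment are constructed for illustration.

```python
from html.parser import HTMLParser

# Void elements have no closing tag, so they never go on the open-element stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class CloseTagAudit(HTMLParser):
    """Records close tags whose opening tag is not present in the fragment."""

    def __init__(self):
        super().__init__()
        self.stack = []        # elements opened inside the fragment
        self.orphans = []      # unmatched close tags, in document order
        self.opened = set()    # every start tag seen in the fragment

    def handle_starttag(self, tag, attrs):
        self.opened.add(tag)
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag in self.stack:
            # Pop through to the opener; tolerates unclosed <p>, <li>, etc.
            while self.stack.pop() != tag:
                pass
        else:
            self.orphans.append(tag)

def repair_fragment(fragment):
    """Return (repaired_html, prepended_tags) for a carved HTML fragment."""
    audit = CloseTagAudit()
    audit.feed(fragment)
    audit.close()
    # The first orphan closes the innermost missing element, so the
    # openers are written in reverse order of the orphaned close tags.
    missing = audit.orphans[::-1]
    if "body" not in missing and "body" not in audit.opened:
        missing.insert(1 if missing[:1] == ["html"] else 0, "body")
    if "html" not in missing and "html" not in audit.opened:
        missing.insert(0, "html")
    return "".join(f"<{t}>" for t in missing) + fragment, missing

# Constructed sample: the tail of a cached page whose beginning was lost.
SAMPLE = ('ject: lunch</td></tr><tr><td>From: a@example.com<br></td></tr>'
          '</table></div></body></html>')

if __name__ == "__main__":
    print(repair_fragment(SAMPLE))
```

Run it on a working copy of the carved file and keep the returned list of prepended tags with the case notes, so the change made to the recovered data is documented.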
 CFEx
(@cfex)
Posts: 69
Trusted Member
Topic starter
 

I haven't tried carving out the files. The use of JSON to format Gmail has existed for quite a while, so I was hoping for a more automated way to read the cached webmail.

I'll give that a try.

By the way, did several searches before my posting, and there is not much out there.

 
Posted : 12/02/2010 2:12 am
(@woany)
Posts: 28
Eminent Member
 

Not entirely sure of the format of the files you have identified, but you could try my gmailparser tool. It's command line (requires .NET 3.5) but works on all files within a directory.

http://www.woanware.co.uk/gmailparser/

 
Posted : 12/02/2010 2:24 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

CFEx,

Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.

Paul

 
Posted : 12/02/2010 4:33 pm
digintel
(@digintel)
Posts: 51
Trusted Member
 

Yep, another happy Cacheback user here. A good example of an application that only does one thing, but does it well. It cannot reconstruct all pages, but I have yet to find an application that performs better than cacheback.

Roland

 
Posted : 12/02/2010 11:02 pm
(@kpryor)
Posts: 68
Trusted Member
 

Add me to the happy users of Cacheback. It's expensive, but does a fantastic job and is quite easy to use too.
KP

 
Posted : 16/02/2010 4:08 am
(@jonathan)
Posts: 878
Prominent Member
 

Slightly off-topic, but what is Cacheback's justification for a two-tier pricing system? I see this a lot in digital forensics, and it really punishes freelancers like myself. Am I meant to have more resources than the US or UK government?

 
Posted : 16/02/2010 2:36 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

I guess it's not wanting to take as much money from the taxpayer, but what surprised me more is that they publish the LEO rate, but don't publish the private rate.

I offer a consulting discount to government whether it's for a LEO or the public defender's office because I think that the taxpayer deserves a break. There seem to be too many people/companies who rort the taxpayer as though it's manna from heaven. I've yet to find a single forensic tool that doesn't pay for itself in the first job when I work private.

As a small consultancy I feel your pain - it hasn't been cheap for me to set up shop - but having seen the waste that happens both in a LEO and the military first hand, I think the taxpayer deserves a better deal.

My gripe is more with people who only offer their tools to LEOs, as if there are somehow still some secrets that the general forensic community doesn't know. As the coffee debacle showed, there wasn't anything great in that toolset and no real reason to keep it away from the general public.

 
Posted : 16/02/2010 9:17 pm
(@jonathan)
Posts: 878
Prominent Member
 

Hi Tony, agree with you on the restriction of availability of tools. I too wonder why Cacheback aren't upfront about exactly what they charge non-LE agencies.

With the two-tier pricing system, perhaps you're right on companies wanting to give the 'taxpayer a break' but I'm not sure…why not give us all a break, people who work for private organisations are taxpayers too! Surely it is more complex, time-consuming and ultimately more expensive for companies like Cacheback to administer two different pricing schemes for the same product? Plus I wouldn't have thought it a good PR ploy to alienate so much of your potential market. If I were offering discounts I'd offer them universally, but maybe that's just me.

 
Posted : 16/02/2010 9:40 pm