Webmail forensics  

Page 1 / 2
CFEx
(@cfex)
Member

Has anyone been successful with converting webmail, found in the cache, into a more readable format?

In Windows XP, C:\Documents and Settings\username\Temporary Internet Files\Content.IE5 may contain several folders which may have webmail that was cached by the browser - for example, "mail[1]" and "mail[1].htm".

Even EnCase Forensics can't convert the encodings (had a demo from them about two weeks ago and asked the question).

Posted : 11/02/2010 11:42 pm
Patrick4n6
(@patrick4n6)
Senior Member

Have you tried carving out the files and looking at them in various web browsers? Between MSIE and Firefox I can view most things. I've had some deleted file recovery stuff where I got a partial file and had to manually add in some HTML tags to get it to display. If you're missing the start of the file, simply adding and can get you started. Otherwise you need to manually inspect the close tags and insert the appropriate opening tags.

Posted : 12/02/2010 12:22 am
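The close-tag inspection described in the post above can be automated. The following Python sketch is an added example, not part of the original thread or any tool named in it: it scans a carved HTML fragment for closing tags that have no opener and prepends the matching opening tags so a browser can render it. The names `TagScanner`, `repair_fragment` and `SAMPLE` are hypothetical, and the sample fragment is constructed.

```python
from html.parser import HTMLParser

# Elements that never take a closing tag, so they are ignored when balancing.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class TagScanner(HTMLParser):
    """Records close tags with no opener and open tags never closed."""
    def __init__(self):
        super().__init__()
        self.unclosed = []   # openers seen in the fragment, still open
        self.orphans = []    # close tags whose opener was lost, in file order

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.unclosed.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag in self.unclosed:
            # Pop back to the matching opener; tolerates sloppy nesting.
            while self.unclosed.pop() != tag:
                pass
        else:
            self.orphans.append(tag)

def repair_fragment(fragment):
    """Return the fragment wrapped in the tags needed to balance it."""
    scanner = TagScanner()
    scanner.feed(fragment)
    scanner.close()
    # Orphans appear innermost first, so the openers go in reverse order.
    prefix = "".join(f"<{t}>" for t in reversed(scanner.orphans))
    suffix = "".join(f"</{t}>" for t in reversed(scanner.unclosed))
    return prefix + fragment + suffix

# Constructed sample: tail of a carved page whose first sectors are missing.
SAMPLE = ("ject: lunch</b></td></tr>\n"
          "<tr><td>See you at noon<br>Bob</td></tr>\n"
          "</table></div></body></html>")

if __name__ == "__main__":
    # Write the result to a new file; leave the carved original untouched.
    print(repair_fragment(SAMPLE))
```

The inserted openers carry no attributes, so styling from the lost portion of the file is not recovered; the repaired copy is a viewing aid and the carved original remains the evidence item.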
CFEx
(@cfex)
Member

I haven't tried carving out the files. The use of JSON to format Gmail has existed for quite a while, so I was hoping for a more automated way to read the cached webmail.

I'll give that a try.

By the way, did several searches before my posting, and there is not much out there.

Posted : 12/02/2010 2:12 am
woany
(@woany)
Junior Member

Not entirely sure of the format of the files you have identified, but you could try my gmailparser tool. It's command line (requires .Net 3.5) but works on all files within a directory.

http://www.woanware.co.uk/gmailparser/

Posted : 12/02/2010 2:24 pm
binarybod
(@binarybod)
Active Member

CFEx,

Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.

Paul

Posted : 12/02/2010 4:33 pm
digintel
(@digintel)
Member

Yep, another happy Cacheback user here. A good example of an application that only does one thing, but does it well. It cannot reconstruct all pages, but I have yet to find an application that performs better than Cacheback.

Roland

> CFEx,
>
> Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.
>
> Paul

Posted : 12/02/2010 11:02 pm
KPryor
(@kpryor)
Member

Add me to the happy users of Cacheback. It's expensive, but does a fantastic job and is quite easy to use too.
KP

Posted : 16/02/2010 4:08 am
Jonathan
(@jonathan)
Senior Member

Slightly off-topic, but what is Cacheback's justification for a two-tier pricing system? I see this a lot in digital forensics, and it really punishes freelancers like myself. Am I meant to have more resources than the US or UK government?

Posted : 16/02/2010 2:36 pm
Patrick4n6
(@patrick4n6)
Senior Member

I guess it's not wanting to take as much money from the taxpayer, but what surprised me more is that they publish the LEO rate, but don't publish the private rate.

I offer a consulting discount to government whether it's for a LEO or the public defender's office because I think that the taxpayer deserves a break. There seem to be too many people/companies who rort the taxpayer as though it's manna from heaven. I've yet to find a single forensic tool that doesn't pay for itself in the first job when I work private.

As a small consultancy I feel your pain - it hasn't been cheap for me to set up shop - but having seen the waste that happens both in a LEO and the military first hand, I think the taxpayer deserves a better deal.

My gripe is more with people who only offer their tools to LEOs, as if there are somehow still some secrets that the general forensic community doesn't know. As the COFEE debacle showed, there wasn't anything great in that toolset and no real reason to keep it away from the general public.

Posted : 16/02/2010 9:17 pm
Jonathan
(@jonathan)
Senior Member

Hi Tony, agree with you on the restriction of availability of tools. I too wonder why Cacheback aren't upfront about exactly what they charge non-LE agencies.

With the two-tier pricing system, perhaps you're right on companies wanting to give the 'taxpayer a break' but I'm not sure… why not give us all a break, people who work for private organisations are taxpayers too! Surely it is more complex, time-consuming and ultimately more expensive for companies like Cacheback to administer two different pricing schemes for the same product? Plus I wouldn't have thought it a good PR ploy to alienate so much of your potential market. If I were offering discounts I'd offer them universally, but maybe that's just me.

Posted : 16/02/2010 9:40 pm
Rich2005
(@rich2005)
Active Member

If you offer a discount universally, it's not really a discount is it, more 'the price'

Posted : 16/02/2010 9:51 pm
seanmcl
(@seanmcl)
Senior Member

> I guess it's not wanting to take as much money from the taxpayer, but what surprised me more is that they publish the LEO rate, but don't publish the private rate.

Which often means "it depends" though I can't say it does in this case. I have seen a couple of firms adjust prices on the basis of the size of the purchasing business.

> I offer a consulting discount to government whether it's for a LEO or the public defender's office because I think that the taxpayer deserves a break.

Then you might be interested to know that according to the Bureau of Economic Analysis, benefits are roughly 34% of the total budget for Federal salaries. From 2002 to 2008, average Federal compensation went up 57% in contrast to the 31% gains in the private sector.

I agree that the taxpayer needs a break. But from whom, is my question.
It seems to me that small business is taking it on the chin right now.

I also note that GSA schedules for some major digital forensics firms are, in some cases, way below their private sector rates so I guess that this is a common practice.

Note that I am not criticizing the decision to offer discounts to specific classes of clients, but there is a risk. In a case that I had, recently, the opposing counsel asked not only my rates on the case at hand, but also what I had charged other clients. He was attempting to suggest that I had discounted my rates for my client because of bias.

Posted : 16/02/2010 10:17 pm
CFEx
(@cfex)
Member

> CFEx,
>
> Check out Cacheback which is turning out to be an excellent investigative tool. Even better than Netanalysis now as it can parse most major browsers and crucially (in your case) can reconstruct pages from the cache and provide thumbnails of those pages. It seems it can do this even in cases where EnCase and Netanalysis can't.
>
> Paul

I checked both gmailparser and Cacheback. Cacheback seems to be excellent for reconstructing regular web pages. The best it could do with gmail was to parse it and give me the "text" version of the webmail, which is not bad. Although I can right click on the mail[n].htm file and read the message (without carving out). I also noticed that even though Cacheback disables scripts (in web pages), after trying to rebuild the gmail, it attempts to launch "gmail", the application, specifically, the gmail login page. Somehow, that script is not disabled by Cacheback (reason why gmailparser may not have worked).

Thank you all for your input.

Posted : 17/02/2010 11:11 pm
bshavers
(@bshavers)
Active Member

I'll be attending a CacheBack training in Seattle this April and will probably write up a little something on it afterward. If anyone else is interested, here is the link

https://fortress.wa.gov/cjtc/www/classes/Advanced_Internet_Forensics_Seattle_040610.pdf

I'm using CacheBack now, like it lots, but I'm sure there are features I'm missing. Definitely worth the price, even without the training.

Posted : 18/02/2010 9:47 am
forensicakb
(@forensicakb)
Active Member

I'm scared to even think of what a "non LE" person would have to pay for the training.

The training is so high that the link you provided quit working in protest and just says "stopped" now.

Posted : 18/02/2010 10:01 am