SANS Digital Forensics and Incident Response Blog: Tag - gmail

pdgmail: new tool for gmail memory forensics

I saw John McCash's article on GMail forensics ... I was hooked and created pdgmail.

I've been messing around with the volatile toolkit for memory forensics and thought I'd try my hand at GMail memory forensics since, as John says, the GMail data isn't supposed to end up on disk anyways, maybe it's in the browser memory?

Boy is it!

I used the pd dump tool from, available here, and tested against my meager GMail account, Windows XP, 2000, IE 6, IE 7 and Firefox 3. In all cases I was able to retrieve contact data, last login times and IP addresses, basic email headers and email bodies. Even if the browser was 'logged out' of GMail, they all still retained this


Forensic Gmail Artifact Analysis

I don't know if you've had the pleasure of trying to extract GMail message content from a drive image, but there aren't a lot of references out there. Those that I found helpful, I've listed below.

Gmail uses JavaScript to manage the user experience on the front end, and passes content back and forth between the client and server using 'datapack' files, which are formatted using JavaScript Object Notation (JSON). See Google for details on JSON, but basically a complete datapack file looks something like the following (indentation & newlines added):