SANS Digital Forensics and Incident Response Blog: Tag - pd

pdgmail: new tool for gmail memory forensics

I saw John McCash's article on GMail forensics ... I was hooked and created pdgmail.

I've been messing around with the Volatility toolkit for memory forensics and thought I'd try my hand at GMail memory forensics. As John says, the GMail data isn't supposed to end up on disk anyway, so maybe it's in the browser's memory?

Boy is it!

I used the pd dump tool from www.trapkit.de, available here, and tested against my meager GMail account on Windows XP and Windows 2000 with IE 6, IE 7 and Firefox 3. In all cases I was able to retrieve contact data, last login times and IP addresses, basic email headers and email bodies. Even if the browser was 'logged out' of GMail, they all still retained this
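As an added example (this is not code from the original post and not pdgmail's own code), here is a small Python carver that scans a raw process dump, such as one written by pd, for the kinds of artifacts described above: e-mail addresses, RFC 822-style headers and IPv4 addresses. The sample dump bytes are constructed for the example and make no assumption about GMail's real in-memory layout; a real dump would be passed to `carve_file`, which reads in chunks with an overlap so an artifact straddling a chunk boundary is not missed.

```python
import re
import sys

# Constructed sample of a process memory dump (invented bytes, not a real
# GMail or browser dump): strings of interest are scattered between NUL
# padding and binary junk, which is what a pd-style dump looks like.
SAMPLE_DUMP = (
    b"\x00\x00garbage\x00From: Alice Example <alice@example.com>\r\n"
    b"To: bob@example.com\r\nSubject: Quarterly report\r\n\x00\x00\xff"
    b"Last account activity: 10.0.0.25\x00\x00carol@example.org\x00"
    b"not-an-ip 999.1.1.1\x00"
)

# Loose e-mail address pattern; good enough for carving, case-insensitive later.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Common message headers, terminated by CR, LF or NUL (dump strings are not
# line-oriented, so NUL is treated as a terminator too).
HEADER_RE = re.compile(rb"(?:From|To|Subject|Date):[ \t][^\r\n\x00]{1,200}")
# Dotted-quad candidates; octet range is validated separately.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")


def _valid_ipv4(candidate: bytes) -> bool:
    """Reject dotted quads with an octet outside 0..255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split(b"."))


def carve(dump: bytes) -> dict:
    """Carve e-mail addresses, headers and IPv4 addresses from raw dump bytes."""
    emails = sorted({m.decode("ascii", "replace").lower()
                     for m in EMAIL_RE.findall(dump)})
    headers = []
    for m in HEADER_RE.findall(dump):
        text = m.decode("ascii", "replace")
        if text not in headers:          # keep first-seen order, drop repeats
            headers.append(text)
    ips = sorted({m.decode("ascii") for m in IPV4_RE.findall(dump)
                  if _valid_ipv4(m)})
    return {"emails": emails, "headers": headers, "ips": ips}


def carve_file(path: str, chunk_size: int = 4 * 1024 * 1024,
               overlap: int = 512) -> dict:
    """Carve a large dump without loading it whole; the tail of each chunk is
    prepended to the next so matches across a boundary are still found.
    Duplicates produced by the overlap are collapsed by the sets."""
    emails, headers, ips = set(), set(), set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            found = carve(tail + data)
            emails.update(found["emails"])
            headers.update(found["headers"])
            ips.update(found["ips"])
            tail = data[-overlap:]
    return {"emails": sorted(emails), "headers": sorted(headers),
            "ips": sorted(ips)}


if __name__ == "__main__":
    # Usage: python carve.py <dump-file>; with no argument, run on the sample.
    result = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve(SAMPLE_DUMP)
    for kind, items in result.items():
        print(f"[{kind}]")
        for item in items:
            print("  ", item)
```

The regexes are deliberately loose: the point of a first pass over a dump is recall, and a reviewer can discard false positives afterwards far more cheaply than re-dumping a process that has since exited.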

...