SANS Digital Forensics and Incident Response Blog: Tag - webmail

Forensic Gmail Artifact Analysis

I don't know if you've had the pleasure of trying to extract Gmail message content from a drive image, but there aren't a lot of references out there. Those that I found helpful, I've listed below.

Gmail uses JavaScript to manage the user experience on the front end, and passes content back and forth between the client and server using "datapack" files, which are formatted using JavaScript Object Notation (JSON). See Google for details on JSON, but basically a complete datapack file looks something like the following (indentation & newlines added):

while(1);
[
[

...
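An added example, not code from the original post: a minimal carver that locates the `while(1);` prefix shown above in a raw byte buffer, follows the bracket nesting to the end of the array, and parses it. It assumes the datapack body is strict JSON; the function names and the sample bytes are constructed for illustration.

```python
import json

PREFIX = b"while(1);"  # marker that opens a datapack, per the post

def _balanced_end(buf, start):
    """Return the index one past the bracket closing buf[start], or None if cut off."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(buf)):
        c = buf[i]
        if in_str:                 # brackets inside string literals do not count
            if esc:
                esc = False
            elif c == 0x5C:        # backslash escapes the next byte
                esc = True
            elif c == 0x22:        # closing double quote
                in_str = False
        elif c == 0x22:
            in_str = True
        elif c == 0x5B:            # '['
            depth += 1
        elif c == 0x5D:            # ']'
            depth -= 1
            if depth == 0:
                return i + 1
    return None

def carve_datapacks(buf):
    """Return (offset, parsed_or_None, status) for every PREFIX hit in buf."""
    results, pos = [], buf.find(PREFIX)
    while pos != -1:
        body = pos + len(PREFIX)
        while body < len(buf) and buf[body] in b" \t\r\n":
            body += 1              # skip whitespace before the opening bracket
        if body < len(buf) and buf[body] == 0x5B:
            end = _balanced_end(buf, body)
            if end is None:        # fragment ends before the array closes
                results.append((pos, None, "truncated"))
            else:
                try:
                    text = buf[body:end].decode("utf-8", "replace")
                    results.append((pos, json.loads(text), "ok"))
                except ValueError:
                    results.append((pos, None, "not-json"))
        pos = buf.find(PREFIX, pos + 1)
    return results

# Constructed sample: slack bytes, one complete datapack, one truncated fragment.
SAMPLE = (b'\x00\x00junk' b'while(1);\n[\n[["constructed","text with ] bracket"]]\n]'
          b'\xff\xfe' b'while(1);[[["constructed","cut off')
```

Recording the offset of each hit lets a "truncated" or "not-json" fragment be revisited by hand in the image rather than silently dropped.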