Identifying which files were uploaded to Gmail

Any Autopsy specific discussions, events, module releases, that don't fall into the other categories.

Moderator: carrier

Identifying which files were uploaded to Gmail

Postby incidentresponder » Sun Sep 04, 2016 5:36 pm

Hi,

I have imported a raw Windows 7 image into Autopsy. I can see from the web history that the user was on Gmail in Chrome and I know that some files were sent out via Gmail. Does anyone know if it's possible to see what files were attached to a Gmail message and sent out via the webmail service?

Thanks!
incidentresponder
 
Posts: 1
Joined: Sun Sep 04, 2016 5:16 pm

Re: Identifying which files were uploaded to Gmail

Postby Hoyt » Tue Sep 20, 2016 4:17 pm

Try looking at it via the Timeline feature. Focusing on the transaction dates you found in web history, you may be able to correlate MACC times related to those potential attachments.

Otherwise, here are a couple of links for information (see below). Gmail artifacts are a tricky subject.

https://digital-forensics.sans.org/blog ... t-analysis

http://www.forensicfocus.com/index.php? ... pic&t=2153


Hoyt
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR


Return to Autopsy General

Who is online

Users browsing this forum: No registered users and 2 guests