Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

GMail Drive footprints

from [H Carvey] Network Security [Permanent Link]
Subject: GMail Drive footprints
Date: 28 Apr 2005 10:52:11 -0000 


I hope someone finds the following information useful...

As a follow-up to my Registry key spreadsheet (containing autostart and MRU 
locations, archived at http://www.windows-ir.com/regkeys.zip), I wanted to take 
a look at the 'footprints' created on a system by installing the GMail drive 
shell extension.  This is a nifty little tool that lets folks w/ GMail accounts 
install a shell extension and use their storage space like a drive. This could 
have some interesting repercussions in cases (re: CP, theft of corporate data, 
etc.).

The exemplar system in my testing is WinXP Pro, and the testing tool is 
InControl5.

During installation of this shell extension, several files are added to 
%WINDIR%\system32\ShellExt (ie, GMailFS.*).

Registry entries that are added or updated include (but are not limited to):

-> HKCU\Software\Niko Mak Computing\WinZip\filemenu (if user has WinZip and 
uses it to open the archive)

->
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip

-> HKLM\Software\Classes\.GMailFS (and GMailFS, w/o
the preceeding '.') (CLSID = {2B3453E4-49DF-11D3-8229-0080BE509050} and maps to 
the appropriate HKEY_CLASSES_ROOT subkeys on a live system, as well as under
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ 
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

-> The CLSID can be found under HKLM\Software\Classes\CLSID, along with 
consecutive CLSIDs (ie, ending in 51, 52, etc.) for various components (ie, 
Property Sheet, etc.)

-> The user's UserAssist (please refer to the spreadsheet) entries are updated, 
based on user activity.

Once a user logins into the Gmail drive, the HKCU\Software\Viksoe.dk\GMailFS 
key is created, with several values. "Auto Login" is set to 1 if the user 
chooses autologin at the initial GUI. Also, several text files (C:\gmail_*.txt) 
are created.

Approximate installation dates can be determined by retrieving the LastWrite 
times from the Registry keys listed above.

Thanks. Please feel free to direct any comments/questions to the list, or to me 
directly.

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
  • GMail Drive footprints, H Carvey <=
Previous by Date:  Re: DCO discovery, subscribe
Previous by Thread:  New version of DCFLDD (v1.2), Nicholas Harbour
Indexes:  [Date] [Thread] [Top] [All Lists]