gmailparser

Info

Occasionally you will find Gmail artefacts in the web browser cache. This console application opens each *.htm and *.html file within a given directory (and its subdirectories) and parses out the message thread information, e.g.

  • Message id
  • Email Address
  • Subject
  • First 50 characters of email
  • Attachments
  • Message Timestamp

There is a SANS article that explains the Gmail data: http://sansforensics.wordpress.com/2008/09/19/forensic-gmail-artifact-analysis/

Basically, the data is stored in the web page as JSON (JavaScript Object Notation), which is used to transmit data in AJAX web applications. JSON is less verbose than XML, which is why high-performance web sites use it instead of XML to reduce the amount of data being transmitted.

The Gmail JSON uses a short character code to denote the type of data stored, e.g. "t" = "Message List", "gn" = "Account Name". The application uses an open-source JSON library for .NET called...wait for it...JSON.NET (http://www.codeplex.com/Json)

To use the application, simply open a command prompt and give it the path to the web browser cache. It will output a CSV file called "gmailparser.csv" in the given directory. To change the output path, supply it as a second parameter, e.g.

gmailparser.exe "C:\Internet Cache" "C:\Output\woanware.csv"
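
The approach described above (scan cached .htm/.html files, pull out the JSON records, write a CSV), as an added Python example that is not gmailparser's own code. It assumes each record is a JSON array passed to a D(...) call with the record code as its first element; the sample page and the CSV column names are constructed for illustration.

```python
import csv
import json
import os
import re

# Record codes named on the page; other codes are kept without a meaning.
CODES = {"t": "Message List", "gn": "Account Name"}
# Assumption: each record is a JSON array passed to a D(...) call.
CALL = re.compile(r"\bD\(\s*(?=\[)")
DECODER = json.JSONDecoder()

# Constructed sample page (not real Gmail data); the last record is truncated
# to show that a damaged fragment is skipped.
SAMPLE = ('<script>D(["gn","Jane Example"]);\n'
          'D(["t",["msg-0001","jane@example.com","Quarterly report"]]);\n'
          'D(["t",["msg-0002","bob@exa</script>')

def extract_records(html):
    """Return (code, fields) for every decodable D([...]) array in html."""
    records = []
    for match in CALL.finditer(html):
        try:
            array, _ = DECODER.raw_decode(html, match.end())
        except ValueError:
            continue  # truncated or non-JSON fragment: skip it and carry on
        if array and isinstance(array[0], str):
            records.append((array[0], array[1:]))
    return records

def parse_cache(root, out_csv):
    """Walk root and its subdirectories; write one CSV row per record."""
    count = 0
    with open(out_csv, "w", newline="", encoding="utf-8") as handle:
        writer = csv.writer(handle)
        writer.writerow(["file", "code", "meaning", "fields_json"])
        for folder, _, names in os.walk(root):
            for name in names:
                if not name.lower().endswith((".htm", ".html")):
                    continue
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as src:
                    for code, fields in extract_records(src.read()):
                        writer.writerow([path, code, CODES.get(code, ""),
                                         json.dumps(fields)])
                        count += 1
    return count

if __name__ == "__main__":
    for code, fields in extract_records(SAMPLE):
        print(code, CODES.get(code, "?"), fields)
```

Decoding from the offset of each call with raw_decode means a record that was cut off in the cache is dropped on its own, without losing the records before or after it.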

Requirements

  • Microsoft .NET 3.5 or Mono v2+ (Maybe)
