Wednesday, April 27, 2005

GMail Drive footprints

I hope someone finds the following information useful...

As a follow-up to my Registry key spreadsheet, I wanted to take a look at the 'footprints' created on a system by installing the GMail drive shell extension. This is a nifty little tool that lets folks w/ GMail accounts install a shell extension and use their storage space like a drive. This could have some interesting repercussions in cases.

The exemplar system in my testing is WinXP Pro, and the testing tool is InControl5.

During installation of this shell extension, several files are added to %WINDIR%\system32\ShellExt (i.e., GMailFS.*).

Registry entries that are added or updated include (but are not limited to):

-> HKCU\Software\Nico Mak Computing\WinZip\filemenu (if user has WinZip and uses it to open the archive)

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip

-> HKLM\Software\Classes\.GMailFS (and GMailFS, w/o the preceding '.') (CLSID = {2B3453E4-49DF-11D3-8229-0080BE509050} and maps to the appropriate HKEY_CLASSES_ROOT subkeys on a live system, as well as under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ and HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

-> The CLSID can be found under HKLM\Software\Classes\CLSID, along with consecutive CLSIDs (i.e., ending in 51, 52, etc.) for various components.

-> The user's UserAssist (please refer to the spreadsheet for these paths) entries are updated, based on user activity.

Once a user logs into the Gmail drive, the HKCU\Software\Viksoe.dk\GMailFS key is created, with several values. "Auto Login" is set to 1 if the user chooses "auto login" at the initial GUI. Also, several text files (C:\gmail_*.txt) are created.

Approximate installation dates can be determined by retrieving the LastWrite times from the Registry keys listed above.
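As an added example (not code from the original post), the Python script below queries the keys named above on a live Windows system, prints each key's LastWrite time, and takes the earliest LastWrite among the installer-created keys as the install estimate. The constant and function names, the use of the standard `winreg` module, and the "earliest wins" rule are assumptions of this example; HKCU resolves only for the user running the script.

```python
import sys
from datetime import datetime, timedelta, timezone

# Keys named in the post. INSTALL_KEYS are written by the installer;
# LOGIN_KEY appears only after the user first logs into the GMail drive.
CLSID = "{2B3453E4-49DF-11D3-8229-0080BE509050}"
INSTALL_KEYS = [
    r"HKLM\Software\Classes\.GMailFS",
    r"HKLM\Software\Classes\GMailFS",
    "HKLM\\Software\\Classes\\CLSID\\" + CLSID,
]
LOGIN_KEY = r"HKCU\Software\Viksoe.dk\GMailFS"  # HKCU = user running the script

def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)

def key_last_write(path):
    """Return the LastWrite time of a live Registry key, or None if absent."""
    import winreg  # Windows-only standard library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, subkey = path.partition("\\")
    try:
        with winreg.OpenKey(hives[hive], subkey) as key:
            return filetime_to_utc(winreg.QueryInfoKey(key)[2])
    except FileNotFoundError:
        return None

def summarize(times):
    """Given {key path: datetime or None}, return (install_estimate, login_key_write).

    The estimate is the earliest LastWrite among installer keys that exist;
    any later change to a key moves its LastWrite, so it is only approximate.
    """
    installs = [times[k] for k in INSTALL_KEYS if times.get(k) is not None]
    return (min(installs) if installs else None), times.get(LOGIN_KEY)

if __name__ == "__main__":
    if sys.platform != "win32":
        print("Live Registry query needs Windows; nothing checked.")
    else:
        times = {k: key_last_write(k) for k in INSTALL_KEYS + [LOGIN_KEY]}
        for path, when in times.items():
            print(f"{when.isoformat() if when else 'not present':<32} {path}")
        install, login = summarize(times)
        print("Approximate install time (UTC):", install or "no installer keys found")
        print("Viksoe.dk\\GMailFS last written (UTC):", login or "key not present")
```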

Please feel free to direct any comments/questions to the list, or to me directly.

Thanks.

2 comments:

Alvin said...

How would one go about finding what was sent to the Gmail drive? (If actually searching for company data sent to someone's gmail account). Is there a log file that is stored somewhere on the host computer?

Keydet89 said...

I've installed GMail Drive and copied a file or two up...and haven't found anything in the way of a log.

I've started looking around in forums, etc., to see if there's anything posted along those lines.

Let me know if you find anything.