How to Perform Forensically Sound Gmail Investigation with Proficiency

The modes of communications are changing, so are the methods of crime. With the advancement of electronic communications and their impact on our lives, these have become an integral part of forensic investigation. Gmail being one of the most densely used email clients of present time, investigators are often face the requirement of investigating Gmail. Through this post, readers will learn how to perform forensically sound Gmail investigation. In the very next section, we will discuss the importance of data acquisition from Gmail.

The Need of the Hour: Investigating Gmail and other Email Clients

As mentioned earlier, motives and methods of crimes have changed drastically. Investigators these days need to look for new modes of evidence to keep pace with the criminals. Gmail and other emails play a vital role as forensic evidence. Investigators need to gather evidence from Gmail in a manner that will retain its quality as forensic evidence. Therefore, it is their absolute necessity to learn the techniques of forensically sound Gmail investigation.

How to Perform Gmail Investigation

With the changed course of time, even an email of Gmail client can be a prime evidence of a sensational case. Not many investigators know these methods as it is the latest addition to crime investigation. We will discuss various ways of investigating Gmail.

Gmail Labels and Their Role in Forensic Investigation

Gmail Labels are basically “tags” that are used to keep Gmail mailbox organized. Users can add labels to sent, received or draft emails. Many people confuse between folder and label, though these two are completely different. While an email can be saved in only one folder, many labels can be attached to a single email. As this tagging system is useful for the end users, it can cause issues during Gmail acquisition for investigation. During the discussion about Gmail investigation, readers must keep this in mind. This conversation about Gmail Labels will be useful in the latter part of the discussion.

A) Forensically Preserve Gmail Account using IMAP

IMAP is the protocol used to connect Gmail with other email clients. When connected to an IMAP client, Gmail labels are considered as folders. IMAP email configured Gmail can be extracted for investigation but Gmail labels will create duplication. The reason is that one email can contain multiple labels and therefore, is present is more than one folder. For example, some emails from Inbox can also be present in “Starred” folder.

Contrarily, if users decide to exclude “All Mail” folder and save only the other folders, this will result in missing emails. Consider emails stored in Archived folder. Once you archive an email, it gets removed from the Inbox. If archived emails do not contain any label, these can be found only in “All Mail” folder. Even All Mail folder excludes emails stored in Trash folder.

B) Extract Gmail using Google Takeout for Forensic Purpose

All Gmail items can be saved as evidence by using Google Takeout feature. While using this method, users can choose maximum archive file size and their preferred file format from .zip, .tgz and .tbz. The saved emails can be uploaded to popular cloud storage, or sent using email or download link. Luckily, this method will not facilitate any duplicate emails and also extract labels of the emails.

Google Takeout saves the files in MBOX format, which is a near-native file format of Gmail. MBOX files will contain “X-Gmail-Labels” that are useful to know the folder location of the emails. However, in case of large sized Gmail mailbox, the archiving may take even days. It also adds extra emails to the Inbox, which will ruin the main purpose of investigation by altering the target environment. As some forensic applications cannot process or divide X-Gmail-Labels fields, these may not be available for immediate use.

C) Perform a Sound Gmail Investigation using Gmail Backup Tool

The third option for the investigators is using Google Backup Tool. This application is proficient enough to backup all Gmail data from a single Gmail account for investigative purpose. This tool saves data in MBOX file(which is the near-native format) along with PST, EML, and MSG files. This leaves users with multiple options for resultant file format to choose from. As a result, the extracted data can be viewed using almost all the major email clients.

While downloading Gmail data as forensic evidence, it carefully extracts Gmail labels and saves it for future reference. This program supports 6 languages in total, so the utility has created a universal appeal. We will surely see a surge in its usage in upcoming days because of its effective features.

Summing Up

As Gmail Labels can play a crucial part in the investigations, it should also be a part of Gmail investigation. However, it should be carefully noted that labels must not come between extracting all the emails from a suspected Gmail account. To get rid of this dilemma about Gmail labels for good, expert investigators choose to use Gmail Backup to investigate Gmail account for forensic purpose.

Ashish Ratan Singh

Being a technical blogger, Mr. Ashish Ratan Singh has a sufficient knowledge of different technologies such as Exchange Server, Office 365, SharePoint, but his core expertise lies on Microsoft Outlook. He has been working in an IT industry for more than 3 years and with all these years, he has now become an expert in data recovery and cloud backup. Moreover, he has a keen interest in solving the technical problems and to address the pain points of organizations to make them more productive.

One thought on “How to Perform Forensically Sound Gmail Investigation with Proficiency

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

If you agree to these terms, please click here.

This site uses Akismet to reduce spam. Learn how your comment data is processed.