How to Examine Gmail Mailboxes for Email Forensics Investigation?

Summary: In this blog, we have examined Gmail mailboxes for Email Forensics Investigation. From data collection in Google Takeout and other Email Clients to forensic analysis of emails, we have discussed the said concepts in great detail. Following this, we discussed analyzing Gmail Mailbox activities.

Collecting and examining email data, from a cloud-based email service such as Gmail, for email forensics investigation can be tricky. This is because there is no direct way to export email data from Gmail. Also, the forensic techniques involved in Gmail mailbox examination go beyond the scope of the mailbox and cover additional sources such as the devices used, mobile apps accessed (if Android devices are used), etc. In this post, we discussed some techniques for collecting and examining Gmail mailboxes that can help you in email forensics investigation. 

Data Collection

The first step in email forensics investigation is the collection of relevant data for analysis. There are two main ways to collect email data from a Gmail account:

1. Google Takeout

Google Takeout, a service provided by Google, allows you to back up all the data of your Google account. It can also create a backup of Google Mail that includes all the messages and attachments in the account. This backup is generated in MBOX file format. 

To use Google Takeout for exporting email data, follow the given steps:

1. Login with your Gmail account’s credentials.

2. Select the checkbox of Mail [See Figure 1].

Figure 1: Google Takeout Page

Note: Clicking All Mail data included button opens more options to select/deselect certain folders in the email database.

3. Click Next Step button at the bottom.

4. Export the data in .zip or .tgz compressed file (both files contain the MBOX file).

2. Email Client

You can use email clients, such as Microsoft Outlook, Opera Mail, Mozilla Thunderbird, etc. to download emails from Gmail.

Gmail supports IMAP and POP3 protocols to synchronize emails in an email client.  

Let us understand the difference between IMAP and POP3 protocols, when using an email client. We are taking Microsoft Outlook as example.

1. IMAP (Internet Message Access Protocol)

In an IMAP account, emails are stored on an on-premises or cloud server. So, you can access your email account on multiple devices and read the messages across those devices. Changes made in the mailbox are also synchronized across all the devices in real-time. 

Outlook with IMAP account uses Offline Storage Table or .OST file to store a synchronized copy of mailbox data on the local system. The location of OST file on your system is:

%AppData%\Local\Microsoft\Outlook

2. POP3 (Post Office Protocol version 3)

In a POP3 account, emails are downloaded and stored locally on your system. It means that emails are accessible only on a single device. Unlike IMAP accounts, there is no provision of synchronizing and accessing emails across multiple devices.

Outlook with POP account uses Personal Storage Table or .PST file to store the mailbox data. The location of this file on your system is:

%UserRoot%\Documents\Outlook Files

Forensic Analysis of Emails

Once you collect the email data file (either directly or with an email client), you can load it into an email forensics software for further analysis.

You can start collecting the relevant emails by performing searches in the mailbox, based on keywords, names of suspected individuals, and event dates and times.

Looking for a reliable, fast, and powerful email forensics software? Try Stellar Email Forensic! It supports more than 25 email file formats like EDB, PSTOSTMBOX, DBX, NSF, and OLM. It also offers deleted email recovery, case management tools, and many advanced search functions! Download it today.

Note: Don’t use email clients like Outlook for performing searches. Use only enterprise-grade eDiscovery email forensic software. Read our blog post Limitations of using Instant Search Outlook for Email Investigations.

After gathering relevant emails, you can inspect them closely by studying their header fields.

Email Header Analysis

Email header contains important details of the message which you can study to gather evidence and draw conclusions. These details include name and IP address of sender, ISP details, Message-ID, time-stamps of different servers that relayed the message, etc. [See Figure 2]

Figure 2: Email header fields in Gmail

To learn more about email headers, read Email Header Analysis and its application in Email Forensics.

Analyzing Gmail Mailbox Activities

Apart from Gmail mailbox, you can focus on other sources to gather additional information. For instance, Google tracks and records all your online activities when you use a Google product, such as Google Search, Gmail, Google Drive, or Android OS. You can review the activities and associated details like time, device used, location, etc. by using a Google’s service called My Activity [See Figure 3]. You can log in to My Activity using the same Gmail account to review associated activities.

Figure 3: Google’s My Activity Page

Examining account activities in Google’s My Activity can provide additional details about the user, such as history of search queries, recent logins and details of the sessions, and devices used. You can correlate this information with the email data to build a timeline of events that are related to the case.

Conclusion

From the techniques shared above, you can collect and examine Gmail mailbox data. Ideally, you should also refer to other data collected by Google such as Google apps data and devices data to correlate with the events that are documented in the case. This can help you to reconstruct the events that led to the investigation and connect the dots for accurate and fast resolution.

Related Post

Exit mobile version