Google Takeout for eDiscovery and Forensic Email Analysis: Pros and Cons
Summary: When email forensic professionals are tasked with electronic discovery (eDiscovery) and with collecting and examining emails from Gmail, they often use Google’s export utility, Google Takeout. This is because Google Takeout offers a simple and direct solution for collecting email data from a Gmail account. However, the question that comes up is – can Google Takeout replace dedicated email forensic software for email collection? Let us find out.
What is Google Takeout?
Google Takeout is a service that allows you to export data from Google products, such as Maps, Drive, Calendar, etc., associated with a particular Google account. You can also use the service to export email data from a Gmail mailbox. However, there are certain limitations of Google Takeout:
- One major limitation of Takeout is that it allows you to export emails in only one file format, MBOX.
- It offers limited options for filtering emails before exporting.
- The only way to limit the number of emails and reduce the export file size is by deselecting email labels and folders, such as Drafts, Promotions, Social, etc. [See Figure 1].
Google Takeout has its merits, like simplicity, but the area where it shines is the scope of data collection. The utility allows you to acquire additional information about a user by exporting the data stored in Google products, such as Calendar, Contacts, Photos, etc. You can correlate this data with the collected emails and reconstruct the documented events to verify the facts and identify any discrepancies.
Why is Google Takeout not suitable for Email Forensics?
The following are a few things about Google Takeout that make it unsuitable for email forensics:
1. Issues while Exporting Large Mailboxes
Google Takeout works seamlessly most of the time when you need to export small mailboxes. However, when it comes to exporting a large mailbox that has thousands of emails, you may face some issues. Users have reported many issues and mentioned that the utility fails when they export large volumes of photos or emails. This could pose a challenge when you need to investigate bulk emails or a large mailbox.
One more thing you need to know about Google Takeout is that there is no progress indicator for the export process. So, you won’t know what’s happening after you have initiated the export process.
2. Missing Important Details
Exporting a mailbox with Google Takeout provides you with two files:
- An MBOX file that contains the email data.
- An HTML file that has a basic description of the data.
The MBOX file contains data from all the emails, and you can scan it to gather evidence. However, you need more data for a comprehensive email forensics investigation. The following are some important details that you don’t get in Google Takeout export:
- Hash values of the exported items, which are required to maintain data integrity during the investigation.
- Detailed logs that can be used to track and verify events that take place during the investigation.
- Individual attachment files that you can directly open and analyze.
- Exporting email data in different file formats, such as PST, MSG, HTML, PDF, EML, etc.
- Extensive and hassle-free case management during criminal investigations.
- Recovery of deleted emails.
- Organizing a large mailbox of bulk emails with tagging and bookmarking for a speedy investigation process.
All the above-mentioned features are available in an advanced email forensics investigation tool named Stellar Email Forensic.
3. No Proper Folder Structure
Google Takeout exports all emails in a single MBOX file. It creates a separate file for each folder, such as Drafts and Inbox, but it doesn’t create a folder structure that highlights the Gmail labels. This can make it difficult to organize and filter the emails, as you have to identify the labels and categorize the emails manually. Furthermore, you have to export each label to a separate MBOX file. You can use the X-Gmail-Labels header field in emails to manually categorize particular emails. However, this approach is time-consuming and cumbersome. Apart from this, in Google Takeout, you get the attachments in Base64-encoded form in the MBOX file itself. To open these attachments in their native format, like .jpg, .mp3, etc., you must first decode the Base64 data.
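The manual work described above (grouping messages by the X-Gmail-Labels header and decoding Base64 attachments), combined with the per-item hash values listed under "Missing Important Details", can be scripted with Python's standard library. This is an added example, not part of the original article or of any tool it names; the sample message is constructed and the function names index_mbox and demo are hypothetical.

```python
import base64, hashlib, mailbox, os, tempfile
from collections import defaultdict

# Constructed sample in MBOX form (not real evidence): one message, one attachment.
ATTACHMENT = b"constructed attachment bytes\n"
SAMPLE_MBOX = (
    "From 1234567890@xxx Mon Jan 01 00:00:00 +0000 2024\n"
    "X-Gmail-Labels: Inbox,Important,Project X\n"
    "Message-ID: <constructed-1@example.com>\n"
    "Subject: Q1 report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="report.bin"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(ATTACHMENT).decode() + "\n--b1--\n"
).encode()

def index_mbox(path):
    """Return ({label: [Message-ID, ...]}, [attachment records with SHA-256])."""
    by_label, attachments = defaultdict(list), []
    box = mailbox.mbox(path, create=False)  # never create a file at the evidence path
    for msg in box:
        msg_id = msg.get("Message-ID", "<no-id>")
        # Assumption: labels are stored as one comma-separated list per message.
        for label in str(msg.get("X-Gmail-Labels", "")).split(","):
            if label.strip():
                by_label[label.strip()].append(msg_id)
        for part in msg.walk():
            name = part.get_filename()
            if name is None:          # body parts and multipart containers
                continue
            data = part.get_payload(decode=True) or b""  # Base64 is decoded here
            attachments.append({"message_id": msg_id, "filename": name,
                                "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest()})
    box.close()
    return dict(by_label), attachments

def demo():
    """Write the constructed sample to a temporary file and index it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "takeout_sample.mbox")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        return index_mbox(path)

if __name__ == "__main__":
    print(demo())
```

On a real export, run this against a working copy of the MBOX file and record a hash of the file itself before any processing.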
Google Takeout’s limitations outweigh the advantages when it comes to the rigor of email forensics investigation. So, it is highly recommended that you use dedicated eDiscovery and email investigation software, such as Stellar Email Forensic. This software comes with functionality specifically designed for digital forensic professionals. For example, the tool can give you more control over mailbox filtering with functions such as Boolean Search and Regular Expression Search that help in forensic analysis of emails.
Conclusion
Google Takeout can come in handy when you have to collect emails for personal use. However, when you are conducting an email forensics investigation, it is strongly recommended that you use dedicated email forensics software only. A specialized email forensics tool, such as Stellar Email Forensic, is equipped with useful functions that can help easily collect and examine Gmail emails for an investigation.