
Perform Gmail Forensics with Gmail Backup Utility

Carl Wilson | October 7th, 2017 | Email Forensics

Most of the scams reported by business organizations require forensic investigators to search through email messages. When such an investigation involves a web-based email client, the process becomes even more challenging: the complexity of web-based email applications like Gmail makes it difficult to render the data accurately enough to extract evidence. Let us first understand how messages flow through Gmail before moving on to a detailed analysis.

Understanding the Flow of Gmail to Conduct Gmail Forensics

Gmail follows a client-server web architecture: when a user logs into a Gmail account, the browser loads a JavaScript application. Once that application is loaded, it fetches messages from the server as JavaScript snippets. This data arrives in a largely undocumented format, carried over HTTP.

Behind The Scenes

In general, web email is not stored on the local computer unless the user explicitly chooses to store it there. Forensic investigators therefore have to work hard to locate the relevant files on the local system, and it is often not easy to find them. There is, however, a way to gain access to the emails sent from the user's side. Let us have a look at it.


Web-Artifact Forensic Analysis of Gmail

What matters most to forensic examiners is extracting high-level information from the messages sent or received. While examining the messages, examiners do not concern themselves with which mail agent was used to send or receive them, or with how they are displayed on the user's screen.

Whenever a user opens an email message or starts composing one, the operating system caches the relevant data to the hard drive. So the best place to carve out information is the affected user's own system, which also helps establish whether that user is the one behind the scam. In such a case, the best place to extract information is the temporary file area, where the file cache holds data that is written from RAM at intervals. This kind of extraction takes a lot of time, because the investigator has to reconstruct pages from the raw data found in these areas.

To deal with such situations, forensic investigators can employ a basic tool known as a Gmail backup utility. This raises the question: why would forensic investigators invest in a backup tool when they already have access to the users' messages?

Why Gmail Backup Tool?

  • Forensic page rendering of Gmail sessions by static parsing is difficult, because the pages are generated by a JavaScript application
  • Cloud computing raises forensic challenges regarding the user's control over the evidence, which can affect the investigator's ability to carve out the exact evidence
  • Further, data in the cloud is subject to outages and glitches, so forensic investigators can hardly rely on it


How Can Gmail Backup Application Help Forensic Investigators?

Normally, a forensic investigation involves an imaging tool that creates an image of the acquired evidence. Similarly, in this case we can employ Gmail Backup as an imaging tool to acquire the evidence in local form. This gives the investigator control over the acquired evidence, instead of the uncertainties associated with data that resides in the cloud.

To help investigators carry out a thorough examination of Gmail messages more efficiently, the tool has been equipped with the features discussed below.

Exploring the Features of Gmail Backup Tool


Backup Messages in Multiple File Formats

The application lets examiners back up Gmail messages in multiple file formats such as PST, EML, MSG, MBOX, etc. Investigators can save the messages in whichever of these formats suits them and later import the messages into the email clients that support that format.

Backup Several Accounts At Once

With the same utility, examiners can back up multiple accounts or a single account. They only need to provide the credentials of the account, and all the messages of that account are backed up in the chosen file format.

Once the Gmail messages have been backed up, the next step is to analyze them. Here, forensic investigators can use a viewing utility known as a PST forensic tool, which lets them analyze the messages without even installing Outlook on the system.

Looking Through Gmail Messages

Acquiring a tool like a PST forensics utility can be a turning point in an investigation. The figure shown below gives a clear picture of how Gmail messages stored in PST file format are analyzed with the help of a PST forensics tool.

Some of the highlighted features of this tool are discussed below:

  • An Outlook environment is not required for analyzing the PST messages
  • Thorough analysis of messages along with their corresponding attachments
  • Preview of PST items along with their associated details such as size, sent date, received date, subject, etc.
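As an added example, not part of the original post or of either tool it describes, the script below takes an MBOX export of the kind the backup section mentions and builds a per-message inventory: a SHA-256 hash of each message's bytes (so any later alteration of the acquired copy is detectable), its size, sender, subject, sent date and attachment names, which are the preview fields listed above. The sample MBOX content is constructed for the example.

```python
import hashlib
import mailbox
import tempfile
from email.utils import parsedate_to_datetime

# Constructed sample export (not from the original post): two messages in
# MBOX form, the first carrying an attachment, as a backup tool would write.
SAMPLE_MBOX = b"""From alice@example.com Sat Oct 07 10:00:00 2017
From: Alice <alice@example.com>
Subject: Invoice
Date: Sat, 07 Oct 2017 10:00:00 +0000
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Disposition: attachment; filename="invoice.txt"

Total: 100
--B1--

From carol@example.com Sat Oct 07 11:00:00 2017
From: Carol <carol@example.com>
Subject: Hello
Date: Sat, 07 Oct 2017 11:00:00 +0000

Just checking in.
"""

def write_sample_mbox():
    # Write the constructed sample to a temp file and return its path.
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name

def inventory_mbox(path):
    # One record per message: SHA-256 of the message bytes (so any later change
    # to the acquired copy is detectable), size, key headers, attachment names.
    records = []
    for _key, msg in mailbox.mbox(path).items():
        raw = msg.as_bytes()
        names = [p.get_filename() for p in msg.walk()
                 if p.get_content_disposition() == "attachment"]
        records.append({
            "sha256": hashlib.sha256(raw).hexdigest(),
            "size": len(raw),
            "from": msg["From"],
            "subject": msg["Subject"],
            "date": parsedate_to_datetime(msg["Date"]).isoformat(),
            "attachments": names,
        })
    return records
```

Recording the hashes at acquisition time and re-checking them before analysis is what turns the backup into something an examiner can vouch for, much like the hash of a disk image.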

Wrapping Up

The above content illustrates how forensic analysis of Gmail messages can be carried out successfully with the help of a Gmail backup tool. It further relies on another tool, the PST Forensics application, for closer examination of the messages.