Home » Email Forensics » Google Apps Email Forensics — Intro

Google Apps Email Forensics — Intro

Anuraag Singh | Modified: 2017-09-29T09:37:54+00:00|Email Forensics | 6 Minutes Reading

Google believes in simplifying the technology, thus they always introduce something new. Similarly, for the user convenience, Google gives us an easy way to login into various Gmail associated accounts like Google+, Blogspot, G Drive, YouTube, Hangouts, Calendars, etc. But, still there are many loopholes which can affect the user data in many ways and we are here to perform Google Apps forensic using the Google Takeout. Online hacking attacks or attempts raise the security question over your entire Google database (which is managed by a single email address).

So, Should I Still Prefer Gmail Account For My Most of Online Tasks?

Yes, because Google takes care of user data and provides a unique specialized method to archive entire database (including every account which is associated with a Gmail account). This method is known as Google Takeout (Google Takeaway).

Google Takeout – A Helpful Utility to Implement Google Apps Forensics

Google Takeout is a newly advanced medium to create a backup of all the Outlook sub-products. This is the new rollout technology of Google, which is really helpful, especially for the users who want to utilize their database on other platforms.

Google Data Liberation is a unique and initiative approach of Google Corp. to protect data from being hacked from various cyber attacks. After analyzing the growing cybercrime rates and email hacking cases, Google started a project with the name of “Google Data Liberation Front”. This project helps users to download their complete Google database in a single compact zip format. In simple terms, it gives authentication or liberty to users to back up their data after abandoning their services.

Somewhere, these backups also help to analyze the email and relevant database of victimized person. There are also some freeware utilities available in the market through which a user can view these download emails to examine the core structure of those Gmail emails.

How to Backup Google Data?

Follow simple set of instructions and create an archive of Google Database:


  • Choose the Google products which you want to save as a backup.


  • Now, make a click on “Create Archive” option to begin the archiving.

data-toolNote: The archiving process entirely depends on the size of the database. If it’s huge in size, then surely it will take more time to download selected PST database.

  • Finally, click on “Download” button and take a backup of the complete database.


How to Examine the Google Apps Forensic?

Google Takeout plays a significant role to investigate or examine various crucial evidence from the backup data. These data always unfold the prime and real core sources behind any crime investigation but can be a cumbersome task if you don’t have right instructions or utility to explore the email fingerprints.

Let us consider some scenarios, where we have to find out the depth structure of emails which have used while the execution of email crime.

Understand the File Format of Google Backup Data (Emails)
Before analyzing the archived data, understanding such data and their file structure are most important part while performing Google Apps forensics. In simple terms, you should familiar with the file format of the data which Google Takeout creates within their zip file.

Know about Downloaded Gmail’s Emails:

  • Double click on the downloaded “Zipped” file.

zip folder

  • Again, make a click on the extracted folder to move to the next step.

file folder


  • Now, you can see the individual folder for each particular Google products like Hangouts, YouTube, Calendars, Google Photos, etc.

mail folder

  • At last, open the “Mail” folder from where a user can get a single MBOX file.

mbox file

Finally, we solved a major part of our investigation (which were majorly revolving around the file structure of Gmail Backup Data) but there are still some imperative data and their forensic analysis are remaining.

Read the Archived Google MBOX Data File (MBOX File Viewer 2.0)

As a cyber forensic technocrat, you should have technologies to read such digital evidences. Discovering the various attributes of emails such as headers, properties, hex values, etc. are really a complicated task and cross-matching various crime frames are even more problematic.

This tool, which is a free utility to track or read the data of MBOX Files simplify these tasks.


MBOX File (Mail Box File) Format: It’s a file structure which belongs from the library of file formats and nothing more than a text file which contains all the messages and embedded attachment.

The purpose of an email investigative tool is to provide an examination of email artifacts required for E-Discovery, forensic analysis and Compliance. And further serve the complete email investigation stage that includes:

Backup of Complete Google Apps Data

Google provides a “Google Takeout”  tool to create a backup of the suspect’s file, but it creates a backup only in MBOX file format. The user can create a backup of Google Apps Account like; emails, contacts, calendars, and documents in multiple file formats such as PST, EML, VCF, etc.

Create Backup of Single or Multiple Accounts

During the investigation process, users can create a backup of Single User, Multiple User, and Domain User by using a username and password.

Manage Your Cloud Storage

If your Cloud data storage limit has been reached to maximum then you can manage your storage or reduce the amount of storage by creating a backup, so that during the analysis of data all information should be available.

There are multiple tools that are used for investigation of email artifacts. Google Apps Email Backup converts emails into multiple file formats and also provide some other features which prove to be a milestone in the investigation process.

Google Takeout becomes a key source for performing the various online crimes which usually a Gmail user can encounter. Email spoofing, forgery, and fake emails can be analyzed if they are done by using a Gmail account (By using the Google Takeout Sources – MBOX file). At last, I would like to say “Don’t worry” because Gmail 2-step verification provides a high-level security to your Gmail account and correlated database. Also, make continuous changes in the login credentials.