Home » Email Forensics » Google Apps Email Forensics & mdash; Introduction

Google Apps Email Forensics & mdash; Introduction

Published By Ashwani Tiwari
Aswin Vijayan
Approved By Aswin Vijayan
Published On April 18th, 2022
Reading Time 6 Minutes Reading
Category Email Forensics

Google believes in simplifying the technology, thus they always introduce something new. Similarly, for the user’s convenience. Google gives us an easy way to login into various Gmail associated accounts like Google+, Blogspot, G Drive, YouTube, Hangouts, Calendars, etc. But, still, there are many loopholes that can affect the user data in many ways and we are here to perform Google Apps forensics using Google Takeout. Online hacking attacks or attempts raise the security question over your entire Google database (which a single email address manages).

So, Should I Still Prefer Gmail Account For Most Online Tasks?

Yes, because Google takes care of user data and provides a unique specialised method to archive the entire database (including every account which is associated with a Gmail account). This method is known as Google Takeout (Google Takeaway).

Google Takeout – A Helpful Utility to Implement Google Apps Forensics

Google Takeout is a newly advanced medium to create a backup of all the Outlook sub-products. This is the new rollout technology of Google, which is really helpful, especially for the users who want to utilize their database on other platforms.

Google Data Liberation is a unique and initiative approach of Google Corporation. To protect data from being hacked from various cyber-attacks. After analyzing the growing cybercrime rates and email hacking cases. Google started a project with the name “Google Data Liberation Front”. This project helps users to download their complete Google database in a single compact zip format. In simple terms, it gives authentication or liberty to users to back up their data after abandoning their services.

Somewhere, these backups also help to analyze the email and relevant database of victimized persons. There are also some freeware utilities available in the market through which a user can view these download emails to examine the core structure of those Gmail emails.

How to Backup Google Data?

Follow a simple set of instructions and create an archive of Google Database:


  • Choose the Google products which you want to save as a backup.


  • Now, make a click on the “Create Archive” option to begin the archiving.

data-toolNote: The archiving process entirely depends on the size of the database. If it’s huge in size, then surely it will take more time to download the selected PST database.

  • Finally, click on the “Download” button and take a backup of the complete database.


How to Examine the Google Apps Forensic?

Google Takeout plays a significant role to investigate or examining various crucial pieces of evidence from the backup data. These data always unfold the prime and real core sources behind any crime investigation but can be a cumbersome task. If you don’t have the right instructions or utility to explore the email fingerprints.

Let us consider some scenarios, where we have to find out the depth structure of emails that have been used while the execution of email crime.

Understand the File Format of Google Backup Data (Emails)
Before analyzing the archived data, understanding such data and their file structure is the most important part while performing Google Apps forensics. In simple terms, you should familiar with the file format of the data which Google Takeout creates within their zip file.

Know about Downloaded Gmail Emails:

  • Double click on the downloaded “Zipped” file.

zip folder

  • Again, make a click on the extracted folder to move to the next step.

file folder


  • Now, you can see the individual folder for each particular Google products like Hangouts, YouTube, Calendars, Google Photos, etc.

mail folder

  • At last, open the “Mail” folder from where a user can get a single MBOX file.

mbox file

Finally, we solved a major part of our investigation (which was majorly revolving around the file structure of Gmail Backup Data). But there are still some imperative data and their forensic analysis are remaining.

Read the Archived Google MBOX Data File (MBOX File Viewer 2.0)

As a cyber forensic technocrat, you should have the technologies to read such digital evidence. Discovering the various attributes of emails such as headers, properties, hex values, etc. is really a complicated task and cross-matching various crime frames are even more problematic.

This tool, which is a free utility to track or read the data of MBOX Files simplifies these tasks.


MBOX File (Mail Box File) Format: It’s a file structure that belongs to the library of file formats and is nothing more than a text file that contains all the messages and embedded attachments.

The purpose of an email investigative tool is to provide an examination of email artefacts required for E-Discovery, forensic analysis and Compliance. And further serve the complete email investigation stage that includes:

Backup of Complete Google Apps Data

Google provides a “Google Takeout”  tool to create a backup of the suspect’s file. But, it creates a backup only in MBOX file format. The user can create a backup of Google Apps Account like; emails, contacts, calendars, and documents in multiple file formats such as PST, EML, VCF, etc.

Create Backup of Single or Multiple Accounts

During the investigation process, users can create a backup of Single User, Multiple User, and Domain User by using a username and password.

Manage Your Cloud Storage

If your Cloud data storage limit reaches maximum. Then you can manage your storage or reduce the amount of storage by creating a backup. So that during the analysis of data all information should be available.

There are multiple tools that are used for the investigation of email artefacts. Google Apps Email Backup converts emails into multiple file formats and also provides some other features which prove to be a milestone in the investigation process.


Google Takeout becomes a key source for performing the various online crimes which usually a Gmail user can encounter. Email spoofing, forgery, and fake emails can be analyzed if they are done by using a Gmail account (By using the Google Takeout Sources – MBOX file). At last, I would like to say “Don’t worry” because Gmail 2-step verification provides high-level security to your Gmail account and correlated database. Also, make continuous changes in the login credentials.