Gmail forensics

A brief forensic consideration of Gmail.

The configuration settings are found by clicking on the gear icon in the top right corner of the viewport and selecting Mail Settings.

FORENSICALLY INVESTIGATING A GMAIL ACCOUNT YOU HAVE ACCESS TO
Some useful configuration settings are:

  • Accounts and Import – Change account settings – Other Google Account settings – Web History: Enable.
  • Filters: To select outgoing messages, enter this account’s Gmail address in the From: field. Useful for handling particular messages; to handle all messages, use “Forwarding and POP/IMAP”. Be aware, however, that Gmail will prominently display a forwarding filter notice for a week after setting up a forwarding filter.
  • Forwarding and POP/IMAP – Forwarding or POP: Handles incoming messages only, without synchronizing with Gmail. If enabled, Gmail’s copy can be left in the inbox, marked as read, archived, or deleted. Useful for handling all incoming messages; to select particular incoming messages, use Filters.
  • Forwarding and POP/IMAP – IMAP: Handles all messages in all folders and synchronizes with Gmail.
  • Chat – Save chat history: Enable.
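
Because IMAP exposes all messages in all folders, it suits a read-only acquisition of the account. The sketch below is an added example, not part of the original post: `list_folders`, `acquire` and `FakeIMAP` are hypothetical names, and `conn` is assumed to be any object with the interface of Python's `imaplib.IMAP4_SSL`. The mailbox contents in `FakeIMAP` are constructed sample data.

```python
import hashlib
import re

# One IMAP LIST line looks like: (\HasNoChildren) "/" "INBOX"
_LIST_RE = re.compile(rb'\((?P<flags>[^)]*)\) "[^"]*" "?(?P<name>[^"]*)"?$')

def list_folders(conn):
    """Return the selectable folder names reported by LIST."""
    _, lines = conn.list()
    found = (_LIST_RE.match(line) for line in lines)
    return [m.group("name").decode() for m in found
            if m and b"\\Noselect" not in m.group("flags")]

def acquire(conn):
    """Copy every message in every folder; rows are (folder, uid, sha256, raw)."""
    manifest = []
    for folder in list_folders(conn):
        # readonly=True sends EXAMINE instead of SELECT: no flag changes.
        status, _ = conn.select('"%s"' % folder, readonly=True)
        if status != "OK":
            continue
        _, data = conn.uid("SEARCH", None, "ALL")
        for uid in data[0].split():
            # BODY.PEEK[] returns the whole message and leaves \Seen unset.
            _, parts = conn.uid("FETCH", uid, "(BODY.PEEK[])")
            raw = parts[0][1]
            digest = hashlib.sha256(raw).hexdigest()
            manifest.append((folder, uid.decode(), digest, raw))
    return manifest

class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL so this runs offline."""
    boxes = {"INBOX": {b"1": b"Subject: a\r\n\r\nhi\r\n"},
             "[Gmail]/Sent Mail": {b"7": b"Subject: b\r\n\r\nyo\r\n"}}
    def list(self):
        return "OK", [b'(\\HasNoChildren) "/" "INBOX"',
                      b'(\\HasChildren \\Noselect) "/" "[Gmail]"',
                      b'(\\HasNoChildren \\Sent) "/" "[Gmail]/Sent Mail"']
    def select(self, mailbox, readonly=False):
        self.current, self.readonly = mailbox.strip('"'), readonly
        return "OK", [b"1"]
    def uid(self, command, *args):
        if command == "SEARCH":
            return "OK", [b" ".join(self.boxes[self.current])]
        return "OK", [(b"header", self.boxes[self.current][args[0]]), b")"]

if __name__ == "__main__":
    for folder, uid, digest, _ in acquire(FakeIMAP()):
        print(folder, uid, digest)
```

Against a live account, pass a logged-in `imaplib.IMAP4_SSL("imap.gmail.com")` connection in place of `FakeIMAP()`; IMAP must first be enabled under Forwarding and POP/IMAP.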

USING GMAIL TO ASSIST IN A FORENSIC INVESTIGATION
A Gmail account of your own is a powerful tool for receiving messages for investigation. Aside from the settings listed above, some additional settings relevant to this use are:

  • General – Browser Connection: Enable “Always use https”.
  • Accounts and Import – Check mail using POP3: Periodically fetches mail from other accounts using POP3. This is invisible from the account under investigation, unlike configuring the account under investigation to forward mail to your Gmail account. Be sure to enable “Leave a copy of retrieved message on the server”. If the password of the account under investigation changes, an error message will appear here.

REFERENCES
Accessing Gmail with IMAP
POP and IMAP client forensics

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?