A brief forensic consideration of Gmail.
The configuration settings are found by clicking on the gear icon in the top right corner of the viewport and selecting Mail Settings.
FORENSICALLY INVESTIGATING A GMAIL ACCOUNT YOU HAVE ACCESS TO
Some useful configuration settings are:
- Accounts and Import – Change account settings – Other Google Account settings – Web History: enable.
- Filters: To select outgoing messages, enter this account’s Gmail address in the From: field. Useful for handling particular messages; to handle all messages, use “Forwarding and POP/IMAP”. Be aware, however, that Gmail will prominently display a forwarding filter notice for a week after setting up a forwarding filter.
- Forwarding and POP/IMAP – Forwarding or POP: Handles incoming messages only, with no synchronization with Gmail. If enabled, Gmail’s copy can be left in the inbox, marked as read, archived, or deleted. Useful for handling all incoming messages; to select particular incoming messages, use Filters.
- Forwarding and POP/IMAP – IMAP: Handles all messages in all folders and synchronizes with Gmail.
- Chat – Save chat history: Enable.
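Because IMAP synchronizes with Gmail, anything a client does to a message, including marking it read, is written back to the mailbox. The following added example (not part of the original page) builds a hash manifest of a folder over IMAP without changing mailbox state. It assumes the caller passes an already authenticated `imaplib.IMAP4_SSL` connection; `acquire_folder`, `FakeIMAP` and `SAMPLE` are hypothetical names, and the sample message is constructed.

```python
import email
import hashlib
from email import policy

def acquire_folder(conn, folder="INBOX"):
    """Hash every message in `folder` without changing mailbox state.

    `conn` is an authenticated imaplib.IMAP4_SSL, or any object exposing the
    same select()/uid() methods (assumption: login is handled by the caller).
    """
    # readonly=True issues EXAMINE instead of SELECT, so no flag changes are
    # written back to the synchronized mailbox.
    typ, _ = conn.select(folder, readonly=True)
    if typ != "OK":
        raise RuntimeError(f"cannot open {folder!r} read-only")
    typ, data = conn.uid("SEARCH", None, "ALL")
    manifest = []
    for uid in data[0].split():
        # BODY.PEEK[] returns the full RFC 822 message and leaves \Seen unset.
        typ, parts = conn.uid("FETCH", uid.decode(), "(BODY.PEEK[])")
        raw = next(p[1] for p in parts if isinstance(p, tuple))
        msg = email.message_from_bytes(raw, policy=policy.default)
        manifest.append({
            "folder": folder,
            "uid": uid.decode(),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "size": len(raw),
            "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
            "date": str(msg["Date"]) if msg["Date"] else None,
        })
    return manifest

# Constructed sample message and stand-in server so the example runs offline.
SAMPLE = (b"Message-ID: <constructed-1@example.com>\r\n"
          b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
          b"From: a@example.com\r\nSubject: test\r\n\r\nbody\r\n")

class FakeIMAP:
    def __init__(self):
        self.calls = []
    def select(self, mailbox, readonly=False):
        self.calls.append(("select", mailbox, readonly))
        return "OK", [b"1"]
    def uid(self, command, *args):
        self.calls.append((command, *args))
        if command == "SEARCH":
            return "OK", [b"7"]
        return "OK", [(b"1 (UID 7 BODY[] {%d}" % len(SAMPLE), SAMPLE), b")"]

if __name__ == "__main__":
    print(acquire_folder(FakeIMAP()))
```

Recording the SHA-256 of the raw bytes at acquisition time lets a later copy of the same message be verified against the manifest.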
USING GMAIL TO ASSIST IN A FORENSIC INVESTIGATION
A Gmail account of your own is powerful enough to be useful for receiving messages for investigation. Aside from the settings listed above, some additional settings relevant to this use are:
- General – Browser Connection: Enable “Always use https”.
- Accounts and Import – Check mail using POP3: Periodically fetches mail from other accounts using POP3. This is not visible from the account under investigation, unlike configuring the account under investigation to forward mail to your Gmail account. Be sure to enable “Leave a copy of retrieved message on the server”. If the password of the account under investigation changes, an error message will appear here.