Email forensics: Web-based clients

This article discusses how to perform forensic investigations of Web-based email clients. While many use Desktop based email clients for their employees, it is not uncommon to use web based clients using browsers to access emails. We will go through the process of acquiring and analyzing emails from web based clients.

Our Goal

What is the end goal of an email investigation? This depends on what the investigation is targeting. Following are the some of the common scenarios:

Recovering deleted emails Searching for specific keywords in the emails Reading through the emails

This article focuses on the scenarios 2 and 3. 

acquisition from web mail client (Gmail)

Assuming that the suspect uses Gmail, the following steps show how to perform email acquisition from the account for further . Gmail offers a called Takeout, which is available at the URL: https://takeout.google.com/settings/takeout

Accessing the preceding emails shows the following.

As shown in the preceding figure, select Mail to export emails. Clicking on Multiple formats, shows the Mail formats available for exporting.

As we can notice, Email messages are available only in MBOX format. Click OK and scroll down to see how to receive

Read More: https://resources.infosecinstitute.com/topic/email-forensics-web-based-clients/