This article discusses how to perform forensic investigations of Web-based email clients. While many organizations use Desktop based email clients for their employees, it is not uncommon to use web based clients using browsers to access emails. We will go through the process of acquiring and analyzing emails from web based clients.
What is the end goal of an email investigation? This depends on what the investigation is targeting. Following are the some of the common scenarios:
Recovering deleted emails Searching for specific keywords in the emails Reading through the emails
This article focuses on the scenarios 2 and 3.
data acquisition from web mail client (Gmail)
Assuming that the suspect uses Gmail, the following steps show how to perform email acquisition from the account for further analysis. Gmail offers a feature called google Takeout, which is available at the URL: https://takeout.google.com/settings/takeout
Accessing the preceding emails shows the following.
As shown in the preceding figure, select Mail to export emails. Clicking on Multiple formats, shows the Mail formats available for exporting.
As we can notice, Email messages are available only in MBOX format. Click OK and scroll down to see how to receive