Using Gmail API: The Forensic Way to Acquire Email

August 3rd, 2016 by Oleg Afonin
Category: «Elcomsoft News», «Security», «Software»

Just now, we’ve updated Elcomsoft Cloud Explorer to version 1.10. This new release adds the ability to download email messages from the user’s Gmail account for offline analysis. In order to do that, we had to develop a highly specialized email client. We opted to use Google’s proprietary Gmail API to download mail. In this article, we’ll explain our decision and detail the benefits you’ll be getting by choosing a tool that can talk to Gmail in Gmail language. 

The Gmail API

The Gmail API is a set of publicly available APIs that can be used by third-party developers to access Gmail mailboxes. Google cites the Gmail API as the best choice for authorized access to a user’s Gmail data. According to Google, the Gmail API is an ideal solution for read-only mail extraction, indexing and backup, as well as for migrating email accounts (https://developers.google.com/gmail/api/guides/overview). Elcomsoft Cloud Explorer does exactly that: it offers read-only mail extraction to create an offline backup of messages from the user’s online account.

Unlike universal email protocols such as POP3 and IMAP, Google’s new API offers flexible access to the user’s Gmail account. By using the proprietary API, developers gain access to the user’s inbox complete with threads, messages, labels, drafts and history.

Most importantly, the Gmail API is blazing fast compared to legacy email protocols, and offers the ability to selectively download specific messages and threads (such as those falling within a certain time period).

Fetching Google Mail

At the time we released the initial build of Elcomsoft Cloud Explorer, we didn’t have the time to implement proper Gmail support. The initial build could extract a lot of data including detailed location history, photos, notes, contacts and whatnot. At the time, we felt that Gmail required a dedicated module, so we decided to spend extra time and effort in order to properly implement the feature.

We believe it was worth the wait. The updated Elcomsoft Cloud Explorer now fully supports Gmail messages. Rather than relying on generic protocols such as POP3 or IMAP, we built a fully featured client that accesses everything stored in the user’s Gmail account through Google’s official Gmail API.


Introduced two years back, the Gmail API offers fine-grained access to the user’s Gmail account, allowing Elcomsoft Cloud Explorer to have full control over what exactly is downloaded for offline analysis.

Unlike POP3 or IMAP, the Gmail API allows a client to request specifically those messages that were sent or received during a certain timeframe. The Gmail API also lets Elcomsoft Cloud Explorer access Gmail elements such as Threads, Labels, Drafts and History. As a result, we can naturally group messages by thread, display the corresponding labels, review unsent drafts and inspect the mailbox change history.
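To make the preceding paragraphs concrete, here is an added example (not Elcomsoft's code, and not part of the original post) of a read-only acquisition loop over the Gmail API endpoints the article describes: a time-window query passed as `q` to `users.messages.list`, pagination via `nextPageToken`, and grouping of the fetched `users.messages.get` metadata by `threadId` and `labelIds`. The network call is abstracted behind two assumed callables (`fetch_page` and `get_message`) so the logic runs offline; the sample JSON pages and messages are constructed here to mirror the documented response shapes, and one message is deliberately dated after the window so the consistency check has something to flag.

```python
"""Read-only Gmail acquisition helpers built on users.messages.list / .get.

Assumption: `fetch_page(q, token)` performs the authenticated GET and returns
the decoded JSON page; `get_message(msg_id)` returns the users.messages.get
JSON (format=metadata). With google-api-python-client, fetch_page would wrap
    service.users().messages().list(userId="me", q=q, pageToken=token).execute()
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


def build_time_window_query(start: datetime, end: datetime) -> str:
    """Gmail search operators accept epoch seconds, which avoids the timezone
    ambiguity of YYYY/MM/DD. after: is inclusive and before: is exclusive,
    so a half-open window [start, end) maps directly onto the query."""
    return f"after:{int(start.timestamp())} before:{int(end.timestamp())}"


def list_message_stubs(fetch_page: Callable[[str, Optional[str]], dict], q: str) -> List[dict]:
    """Walk every page of users.messages.list. Each stub is {"id", "threadId"}.
    Stopping after the first page silently truncates an acquisition, so loop
    until the server omits nextPageToken."""
    stubs: List[dict] = []
    token: Optional[str] = None
    while True:
        page = fetch_page(q, token)
        stubs.extend(page.get("messages", []))
        token = page.get("nextPageToken")
        if not token:
            return stubs


def summarize(msg: dict) -> dict:
    """Flatten a users.messages.get response into the fields an examiner
    filters on: thread, labels, server receipt time (internalDate, ms epoch)
    and a couple of headers."""
    headers = {h["name"].lower(): h["value"] for h in msg.get("payload", {}).get("headers", [])}
    received = datetime.fromtimestamp(int(msg["internalDate"]) / 1000, tz=timezone.utc)
    return {"id": msg["id"], "threadId": msg["threadId"], "labels": sorted(msg.get("labelIds", [])),
            "internalDate": received, "from": headers.get("from", ""), "subject": headers.get("subject", "")}


def outside_window(summaries: List[dict], start: datetime, end: datetime) -> List[str]:
    """Consistency check on the acquired set: ids whose server-side
    internalDate lies outside the requested window. Empty if q was honoured."""
    return [s["id"] for s in summaries if not (start <= s["internalDate"] < end)]


def group_by_thread(summaries: List[dict]) -> Dict[str, List[dict]]:
    """Group by Gmail threadId and order each thread chronologically."""
    threads: Dict[str, List[dict]] = defaultdict(list)
    for s in summaries:
        threads[s["threadId"]].append(s)
    for msgs in threads.values():
        msgs.sort(key=lambda s: s["internalDate"])
    return dict(threads)


def acquire(fetch_page, get_message, start: datetime, end: datetime) -> dict:
    q = build_time_window_query(start, end)
    summaries = [summarize(get_message(stub["id"])) for stub in list_message_stubs(fetch_page, q)]
    return {"query": q, "threads": group_by_thread(summaries),
            "out_of_window": outside_window(summaries, start, end)}


# ---- constructed sample data (not real mailbox content) --------------------
WINDOW_START = datetime(2016, 7, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 8, 1, tzinfo=timezone.utc)

_SAMPLE_PAGES = {  # two list pages linked by nextPageToken
    None: {"messages": [{"id": "m1", "threadId": "t1"}, {"id": "m2", "threadId": "t1"}],
           "nextPageToken": "p2", "resultSizeEstimate": 3},
    "p2": {"messages": [{"id": "m3", "threadId": "t2"}], "resultSizeEstimate": 3},
}
_SAMPLE_MESSAGES = {
    "m1": {"id": "m1", "threadId": "t1", "labelIds": ["UNREAD", "INBOX"], "internalDate": "1468000000000",
           "payload": {"headers": [{"name": "From", "value": "alice@example.com"},
                                   {"name": "Subject", "value": "Invoice"}]}},
    "m2": {"id": "m2", "threadId": "t1", "labelIds": ["SENT"], "internalDate": "1469000000000",
           "payload": {"headers": [{"name": "From", "value": "bob@example.com"},
                                   {"name": "Subject", "value": "Re: Invoice"}]}},
    # m3 is dated 12 Aug 2016, after WINDOW_END, to exercise outside_window()
    "m3": {"id": "m3", "threadId": "t2", "labelIds": ["INBOX"], "internalDate": "1471000000000",
           "payload": {"headers": [{"name": "From", "value": "carol@example.com"},
                                   {"name": "Subject", "value": "Meeting"}]}},
}


def fake_fetch_page(q: str, token: Optional[str]) -> dict:
    """Stand-in for the HTTP call; ignores q and serves the constructed pages."""
    return _SAMPLE_PAGES[token]


if __name__ == "__main__":
    result = acquire(fake_fetch_page, _SAMPLE_MESSAGES.__getitem__, WINDOW_START, WINDOW_END)
    print(result["query"])
    for tid, msgs in result["threads"].items():
        print(tid, [(m["id"], m["labels"], m["internalDate"].isoformat()) for m in msgs])
    print("outside requested window:", result["out_of_window"])
```

The `outside_window` check is the part worth keeping in a real tool: the `q` filter is evaluated server-side, so comparing each message's `internalDate` against the window you asked for confirms that the set you hold is the set you requested before it goes into a report.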


What does that mean for digital forensics? First and foremost, you’re in for a smooth ride. Once you authorize a Google account, Elcomsoft Cloud Explorer will download Gmail messages at a rate of about 3000 messages per minute (depending on your connection speed and the size of messages being downloaded). Putting things into perspective, this is approximately 5 times faster than Google Takeout, and about 3 times faster compared to a commercial IMAP client on the same Internet connection. You’ll be able to specify whether to download the complete set or concentrate on a certain period of time. Once the messages are downloaded, you’ll be able to browse, search and filter messages, navigate through communication threads, group messages by their respective Gmail labels, and basically do everything else offline.