Google Takeout

[Lids]

Morning all,

Has anyone used Google Takeout for email acquisition? I remember colleagues in the past loved it and preferred it over other acquisition tools, but I was curious as to the community's thoughts. Also, if you have used it - does it recover deleted emails when it creates the MBox Archive?

- Sean

 

[JLowery]

I've used it a few times as a supplement with other tools (aid4mail, Forensic Email Collector, Outlook, etc..) just to have another reference or data set. I haven't really noticed any "extra" deleted messages but really haven't paid too much attention to those since it isn't normally necessary for ediscovery collections. The downside is that if you just get "All Mail" you won't have the folder structure other than tags unless you go in and select every single option. But overall it is nice to have and you can also toss in Contacts/Hangouts/Calendar/etc.. that aren't usually included when just getting webmail.

TLDR; I wouldn't use it as the main collection tool but it is good to have as a supplement and source for non mail data.

 

[twicesafe]

Hey @Lids

Although I can't answer you specific question on the recovery of deleted emails, I have used the "Takeout" feature a couple times on account takeovers during warrants. So here are a couple things to keep in mind.

As with anything in DFIR, you want to test this feature prior to needing it and have detailed instructions with you at the scene. When using Takeout, you have several options on where to download the data, including:
- Send download via link (emailed to the account holders email account)
- GDrive (for the logged in account)
- Dropbox
- OneDrive

Since Google gives generous amounts of space, especially business accounts, you will have to be sure you have enough storage to use DropBox or OneDrive. This is why GDrive is often you best option. You can store everything on the accounts Gdrive and then download when completed.

For large accounts, remember that it can take a long time to process if you select ALL the items that Takeout offers like Email, Documents, Calendar, Locations, etc. This can easily take hours for large accounts.

TLDR; I wouldn't use it as the main collection tool but it is good to have as a supplement and source for non mail data.

@JLowery : What are your concerns with using Takeout as the main collection tool?
What do the other software products you mentioned offer to make their purchase worth the investment?

 

[Lids]

Hey @Lids

Although I can't answer you specific question on the recovery of deleted emails, I have used the "Takeout" feature a couple times on account takeovers during warrants. So here are a couple things to keep in mind.

As with anything in DFIR, you want to test this feature prior to needing it and have detailed instructions with you at the scene. When using Takeout, you have several options on where to download the data, including:
- Send download via link (emailed to the account holders email account)
- GDrive (for the logged in account)
- Dropbox
- OneDrive

Since Google gives generous amounts of space, especially business accounts, you will have to be sure you have enough storage to use DropBox or OneDrive. This is why GDrive is often you best option. You can store everything on the accounts Gdrive and then download when completed.

For large accounts, remember that it can take a long time to process if you select ALL the items that Takeout offers like Email, Documents, Calendar, Locations, etc. This can easily take hours for large accounts.

@JLowery : What are your concerns with using Takeout as the main collection tool?
What do the other software products you mentioned offer to make their purchase worth the investment?

Thanks @twicesafe, really appreciate your response -- do you know, if a company is using Google Business Suite would the "administrator" have access to perform Takeout's on any emails within their purview or do you have to access each account individually, create the Takeout, then download, etc?

I might set up a dummy Gmail account over the next few days and test the features - then see how they process.

- Sean

 

[twicesafe]

Thanks, if a company is using Google Business Suite would the "administrator" have access to perform Takeout's on any emails within their purview or do you have to access each account individually, create the Takeout, then download, etc?

The administrator account will have access to download ALL accounts. For a large business, I am not sure how you could do this as the size of the final download would be gigantic depending on what items you selected. So you will want to only select the items you need.

I do not think you can pick specific users or select date ranges. All or nothing when you select a category (I think).

I did some testing with my own business account which has minimal users (4) and only 50+ GB of data. It took a total of 12+ hours to complete. By chunking the download into 1GB files (an option when setting up Takeout), I could start downloading the files as they completed.

If doing a business takeover (legal authority to take over the accounts due to criminal/civil activity), you will want to create your own admin account, then disable ALL accounts except for your newly created account. This way, you lock out all users from changing data or logging in to lock you out of the system remotely. This also ensures you are not capturing new live data/conversations, but instead stored data at the time of warrant execution.

You then have the only account that can access the Admin panel in Google if you need to stop the business from continuing to operate.

If doing this for a large business, I would test using Dropbox or OneDrive will lots of storage. I haven't had a chance to test using either, so if you do, please post back here your experiences.

DISCLAIMER: As with any information on this site, always check with your legal team prior to ensure the process is legal in your area.

 

[JLowery]

To be completely honest, its kind of a personal preference but also because if you want to ensure that it is done correctly, you need to go through and do extra steps (modifying the Mail option to include all of the tags/folders instead of using just All Mail) which could get cumbersome if you are doing a lot of them at one time. If you just use the default option for Mail it will place everything in a single folder and only have a tag/category reference as to what folder the email was from. This could cause complications for processing or review.

Also, I have run into accounts where Takeouts aren't possible or its a combined account and you may only get one account and not realize it. There have also been times where an account was a member of an organization's paid plan and the admin had disabled Takeouts but they did not have Vault set up and they didn't want to go through the trouble of enabling Takeout for that person so using Takeout in that situation wasn't possible.

One of the things the tools I mentioned do that Takeout doesn't provide is more exhaustive logging of the collection process. For the most part they also do not send emails/notifications that are added to the account and would need to be explained afterward.

Another benefit of using a separate tool is that you can specify the email output type instead of defaulting to MBOX which some processing tools do not support. Most processing teams that I've worked with will almost always request the data in PST files (<20GB) which means that you would have to convert the MBOX to PST which is an extra step and could be complicated if only "All Mail" folder was used.

Again, most of the reasoning is based on personal preference but I would much rather use the Takeout as a supplement to another tool's collection due to the various reasons. That being said, the options other than Mail for Takeout are definitely worth using a Takeout for. I don't know many other tools off the top of my head that would do some of the options.

Thanks for the question though, it really made me think about why I prefer the method I use and also going back to see if there had been any significant changes to the Takeout format since I last really looked at the output.

Hey @Lids

Although I can't answer you specific question on the recovery of deleted emails, I have used the "Takeout" feature a couple times on account takeovers during warrants. So here are a couple things to keep in mind.

As with anything in DFIR, you want to test this feature prior to needing it and have detailed instructions with you at the scene. When using Takeout, you have several options on where to download the data, including:
- Send download via link (emailed to the account holders email account)
- GDrive (for the logged in account)
- Dropbox
- OneDrive

Since Google gives generous amounts of space, especially business accounts, you will have to be sure you have enough storage to use DropBox or OneDrive. This is why GDrive is often you best option. You can store everything on the accounts Gdrive and then download when completed.

For large accounts, remember that it can take a long time to process if you select ALL the items that Takeout offers like Email, Documents, Calendar, Locations, etc. This can easily take hours for large accounts.


@JLowery : What are your concerns with using Takeout as the main collection tool?
What do the other software products you mentioned offer to make their purchase worth the investment?

 

[Lids]

Appreciate the well thought out and considered response, @JLowery

In this instance, we were subject to collections from a third party which arrived in MBox format -- fortunately, Nuix can process without issue.