Gmail is one of the most widely used email services today. Kivu initiated a project to determine the most efficient and defensible process for collecting Gmail account data. This blog post is the second in a series of articles evaluating Gmail collection options for computer forensic purposes.
A common email client that can be incorporated into a forensic email collection is (shock horror) Microsoft Outlook. Outlook is included in the Microsoft Office package, and for many years it was king of email clients in the business environment. As mobile phones and web-based clients have grown in popularity, however, Outlook's use has declined.
We will be using the latest version, Outlook 2013, for our collection of forensic data. While not usually seen as part of the forensic investigator's tool kit, Microsoft Outlook has some useful attributes: its behaviour can be verified in use and its output tested. You just need to know what you are doing and (as in all forensic work) be able to confirm the veracity of the data.
Outlook's IMAP setup includes an automatic test of the account credentials: Outlook sends an email from the account to itself to confirm that the credentials work. That test message is an artifact of the collection, since it lands in the target account's Sent Mail and Inbox. Outlook 2010 lets you disable this test, but in Outlook 2013 the option is greyed out and the test email is sent automatically. If intrusion into the account needs to be kept to a minimum, keep this in mind, and record the test message in your collection notes so it is not mistaken for original content.
How to Use Microsoft Outlook for Gmail Collection, Step-by-Step
Change Microsoft Outlook Settings
To start your Gmail collection, check that IMAP is enabled in the target Gmail account (Gmail Settings > Forwarding and POP/IMAP > Enable IMAP). Then open the email account settings, either through Outlook File>Info>Account Settings or through the Control Panel>Mail>Email Accounts. Selecting New… in the E-mail tab will prompt you for the service you wish to set up. Select E-mail Account, click Next, then select Manual setup or additional server types and click Next. Choose POP or IMAP and click Next again.
Unlike GM Vault, which we evaluated in the first article on this topic, Outlook needs a bit more work to ensure a smooth email collection. In addition to the user name and password, Outlook asks for both the incoming and outgoing servers for the IMAP account:
Your Name: (display name for the profile; note that it appears in the From header of the automatic test message)
Email Address: (Collection Gmail address)
Account Type: IMAP
Incoming mail server: imap.gmail.com
Outgoing mail server (SMTP): smtp.gmail.com
User Name: (Collection Gmail address)
Password: (Collection Gmail password)
Click More Settings to open the Internet E-mail Settings dialog. Under Outgoing Server check My outgoing server (SMTP) requires authentication and select Use same settings as my incoming mail server. Click the Advanced tab and change the server port numbers to 993 for incoming (IMAP) and 465 for outgoing (SMTP). Select SSL as the encrypted connection type for both, and set the server timeout to 5 minutes. These are Google's recommended settings for using the Outlook client with Gmail accounts.
Start Gmail Collection
Go to the Send/Receive tab, click the Send/Receive Groups drop-down list and select Define Send/Receive Groups…. In the pop-up window, select the All Accounts group and click Edit on the right-hand side of the window. Check all boxes except Send mail items and select Download complete items…. If you want to collect only specific folders, use the custom behavior option to select the folders you want to collect. Click OK and click OK again. Then start the collection either from the Send/Receive Groups drop-down menu or with the shortcut key (F9).
Track Gmail Collection
Once the collection has started, there are a few options and settings that help minimize intrusion and track the collection, again crucial steps if you are hoping to achieve a forensically sound collection. By default, Outlook marks an email as Read whenever you view it or move the selection to another email, and because the account is connected over IMAP that read (\Seen) flag is synced back to the Gmail account, so the message shows as read in Gmail as well. To change this, open the reading pane options, either via File>Options>Mail>Outlook panes>Reading Pane… or via the View tab's Reading Pane drop-down menu, and uncheck all of the boxes. Outlook will then leave emails marked unread as you look through them.
For tracking, to ensure that you have collected the correct number of emails, tell Outlook to show the total number of items in a folder rather than just the unread count. Unfortunately, this can only be done folder by folder. Right-click a folder and select Properties, select Show total number of items, then click OK. Repeat for every folder you are collecting. If a folder shows no number, it holds 0 emails. Compare each folder's total with the count Gmail shows for the matching label online at www.gmail.google.com. Bear in mind that Gmail exposes labels as IMAP folders: a message with several labels appears in each of those folders, and [Gmail]/All Mail contains every message, so compare folder by folder rather than summing the totals. Once all of the folder counts match, the collection is finished.
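The folder-count check above can also be scripted. What follows is an added example, not part of the original post or of Kivu's tooling: it pulls the per-folder totals from Gmail over IMAP, using the same host, port and SSL settings as the Outlook profile, parses the LIST and STATUS responses, and reports every folder whose total differs from the Outlook folder total transcribed by hand from the folder properties. The sample LIST and STATUS responses, folder names and counts are constructed for illustration; `fetch_server_counts` is the live path and needs the collection account's credentials.

```python
"""Cross-check Gmail folder totals (over IMAP) against totals noted from Outlook.

Added example; assumes the totals from Outlook's "Show total number of items"
have been copied into a dict by hand. Sample responses below are constructed.
"""
import imaplib
import re
import ssl

IMAP_HOST = "imap.gmail.com"   # Google's IMAP server, as in the Outlook settings
IMAP_PORT = 993                # IMAP over SSL, as in the Outlook settings

# One LIST response line looks like:   (\HasNoChildren) "/" "INBOX"
_LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\) "(?P<delim>[^"]*)" (?P<name>"(?:[^"\\]|\\.)*"|\S+)$')
# One STATUS response line looks like: "INBOX" (MESSAGES 142)
_STATUS_RE = re.compile(rb"MESSAGES (?P<count>\d+)")


def parse_list_line(line):
    """Return (flags, folder name) for one IMAP LIST response line, else None."""
    if not isinstance(line, bytes):
        return None            # imaplib can hand back tuples for literal responses
    m = _LIST_RE.match(line)
    if not m:
        return None
    flags = set(m.group("flags").decode().split())
    name = m.group("name").decode()
    if name.startswith('"') and name.endswith('"'):
        name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return flags, name


def parse_status_line(line):
    """Return the MESSAGES total from one IMAP STATUS response line."""
    m = _STATUS_RE.search(line)
    if not m:
        raise ValueError("no MESSAGES count in STATUS response: %r" % (line,))
    return int(m.group("count"))


def _quote(name):
    """Quote a folder name for an IMAP command (imaplib does not quote for STATUS)."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def counts_from_responses(list_lines, status_for):
    """Build {folder: total} from LIST lines; status_for(name) supplies each STATUS line.
    \\Noselect entries (e.g. the "[Gmail]" container) hold no messages and are skipped."""
    counts = {}
    for line in list_lines:
        parsed = parse_list_line(line)
        if parsed is None:
            continue
        flags, name = parsed
        if "\\Noselect" in flags:
            continue
        counts[name] = parse_status_line(status_for(name))
    return counts


def fetch_server_counts(user, password):
    """Live check against Gmail. LIST and STATUS are read-only: unlike viewing
    messages in a client, they do not set \\Seen or otherwise alter the mailbox."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT, ssl_context=ctx) as conn:
        conn.login(user, password)
        typ, lines = conn.list()
        if typ != "OK":
            raise RuntimeError("LIST failed: %s" % typ)

        def status_for(name):
            typ, data = conn.status(_quote(name), "(MESSAGES)")
            if typ != "OK":
                raise RuntimeError("STATUS %r failed: %s" % (name, typ))
            return data[0]

        return counts_from_responses(lines, status_for)


def compare_counts(server_counts, local_counts):
    """Return {folder: (Gmail total, Outlook total)} for every folder where the two
    disagree; None on either side means the folder is missing there."""
    mismatches = {}
    for folder in sorted(set(server_counts) | set(local_counts)):
        srv, loc = server_counts.get(folder), local_counts.get(folder)
        if srv != loc:
            mismatches[folder] = (srv, loc)
    return mismatches


# Constructed sample responses in the shape Gmail returns them (not real data).
SAMPLE_LIST_RESPONSE = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasChildren \\Noselect) "/" "[Gmail]"',
    b'(\\All \\HasNoChildren) "/" "[Gmail]/All Mail"',
    b'(\\HasNoChildren \\Sent) "/" "[Gmail]/Sent Mail"',
    b'(\\HasNoChildren) "/" "Projects/Acme"',
]
SAMPLE_STATUS_RESPONSES = {
    "INBOX": b'"INBOX" (MESSAGES 142)',
    "[Gmail]/All Mail": b'"[Gmail]/All Mail" (MESSAGES 980)',
    "[Gmail]/Sent Mail": b'"[Gmail]/Sent Mail" (MESSAGES 61)',
    "Projects/Acme": b'"Projects/Acme" (MESSAGES 7)',
}
# Totals as transcribed from Outlook's folder properties (constructed): All Mail
# is one message short and Projects/Acme was never collected.
SAMPLE_OUTLOOK_COUNTS = {"INBOX": 142, "[Gmail]/All Mail": 979, "[Gmail]/Sent Mail": 61}


def demo_mismatches():
    """Run the comparison over the constructed samples."""
    server = counts_from_responses(SAMPLE_LIST_RESPONSE, SAMPLE_STATUS_RESPONSES.__getitem__)
    return compare_counts(server, SAMPLE_OUTLOOK_COUNTS)


if __name__ == "__main__":
    for folder, (srv, loc) in demo_mismatches().items():
        print("%s: Gmail=%s Outlook=%s" % (folder, srv, loc))
```

For a live run, replace the sample dict with the totals you noted from Outlook and call `compare_counts(fetch_server_counts(user, password), outlook_counts)`; an empty result means every folder matches. LIST and STATUS never open a mailbox or touch message flags, so the script adds no read artifacts; the only trace it leaves on the account is the login itself, which Google may report to the account holder as a new sign-in.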
Working with Offline Email Storage
Outlook uses the Offline Storage Table (OST) format to cache mail from IMAP, Exchange and similar server-based accounts locally, so that it remains available when the Internet is not; when server access resumes, the local copy is synced with the server. Outlook also uses Personal Storage Table (PST) files to back up and transfer email and accounts. While some forensic processing tools can extract data from OST files, almost all of them can extract data from PST files, and a PST file can be opened on any computer with Outlook.
To export the collected mail to a PST file, select File>Open & Export>Import/Export, choose Export to a file, then Outlook Data File (.pst), and browse to where you want the file saved. Select Allow duplicate items to be created so that every item is exported, including messages that appear in more than one folder because they carry more than one Gmail label. Once the PST has been written, verify that its item counts match the folder totals, and compute and record a hash of the file so that the export can later be shown to be unchanged. You can then remove the account from the account settings and undo any options changed in the Gmail account. Then inform your client that they can access their email again and should consider changing their password.
Following are the Pros and Cons of Using Microsoft Outlook for Forensic Investigation:
Pros:
• The wide availability of Outlook
• Once all options are set, processing is simple and quick
• Native PST export
Cons:
• Options are expansive and sometimes unintuitive
• Can be intrusive – Outlook sends test emails during setup and may mark unread mail as read
Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author, Thomas Larsen, is a data analyst in Kivu’s San Francisco office. For more information about how to retrieve and store Gmail messages for forensic investigation, please contact Kivu.