Acquiring Google Drive Attachments of Emails

Forensic Email Collector can acquire Google Drive attachments of emails during Gmail / G Suite acquisitions. You can accomplish this as follows:

1. Click the Fetch Drive Attachments checkbox on the connection settings page.

2. During the acquisition, FEC will parse Google Drive attachment hyperlinks from messages and attempt to acquire and hash them at the end of the acquisition.

How Are the Drive Attachments Stored?

You can find the acquired Drive attachments inside your output folder under "Items\!-- Drive Attachments --!\" in a folder structure that looks as follows:

   !-- Drive Attachments --!\
      <Parent Message ID>
         <Drive Attachment No>

Additionally, two log files named "Downloaded_Drive_Attachments" and "Remaining_Drive_Attachments" will be created inside the "Logs" folder in your output directory. These logs will contain a list of Drive items as well as their metadata acquired from Google Drive.

Finally, the creation and last modification file system timestamps of the acquired Drive attachments will be set to reflect the file metadata acquired from Google Drive.
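
The following script is an added example, not part of Forensic Email Collector or its documentation. It walks the folder layout described above and records a SHA-256 hash, size and last-modification time for each acquired Drive attachment, so the stored files can be re-verified later. It assumes each `<Drive Attachment No>` entry is a folder containing the downloaded file (a file at that level is handled too); SHA-256 is chosen here because the article does not say which hash FEC uses.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

DRIVE_DIR = "!-- Drive Attachments --!"  # folder name given in the article


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large attachments are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_drive_attachments(output_folder):
    """Return one record per file found under Items/<DRIVE_DIR> in an FEC output folder."""
    root = Path(output_folder) / "Items" / DRIVE_DIR
    if not root.is_dir():
        raise FileNotFoundError(f"No Drive attachment folder at {root}")
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        parts = path.relative_to(root).parts
        if len(parts) < 2:
            continue  # a file directly under the root does not fit the layout
        stat = path.stat()
        records.append({
            "parent_message_id": parts[0],  # <Parent Message ID> folder
            "attachment_no": parts[1],      # <Drive Attachment No> entry (assumed folder)
            "relative_path": "/".join(parts),
            "size": stat.st_size,
            # Last-modification time, which the article says mirrors Drive metadata
            "modified_utc": datetime.fromtimestamp(
                stat.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return records


if __name__ == "__main__":
    import csv
    import sys
    rows = inventory_drive_attachments(sys.argv[1])  # path to the FEC output folder
    if rows:
        writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
```

Run it against a working copy of the output folder and keep the resulting CSV with the case notes; re-running it later and comparing the two CSVs shows whether any stored attachment has changed.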

What Is a Permanent Error?

When acquiring Google Drive attachments, FEC pays attention to the status messages from Google Drive. If the Drive API indicates that a Drive item is no longer available (e.g., it was deleted, moved, or its permissions were changed), then FEC records that as a permanent error and does not attempt to retry the item multiple times. Such issues are listed as "Drive Attachments with Permanent Errors" in the Acquisition Summary section of the Acquisition Log.
