Acquiring Google Drive Attachments of Emails

Forensic Email Collector can acquire Google Drive attachments and their revisions during Gmail / Google Workspace acquisitions. You will be presented with five options on the Gmail API settings page:

1. Fetch Drive Attachments

When this option is selected, FEC will detect Drive attachments in acquired emails and attempt to acquire them. This includes both the Drive items that originated from the target user's own Drive and outside items that were shared with the user.

2. Collapse Duplicates

If this option is selected, FEC collapses multiple copies of the same Drive attachment or revision to one item by ID and requests it from Google Drive API only once. The item is then output multiple times at each location where it is needed. This minimizes Drive API requests and can speed up the acquisition significantly if the same Drive folders or files are referenced multiple times in the target mailbox.

3. Include Contents of Drive Folders

If you choose this option, FEC will explore the contents of Google Drive folders that are encountered during the acquisition. Children of the Drive folders will be added to the acquisition recursively. We recommend that you use this option with caution as a Drive folder can potentially contain a very large amount of data, increasing total acquisition time significantly.

4. Fetch Revisions of Drive Attachments

When this option is selected, FEC will also request revision information for each Drive attachment from Drive API. If the item has revisions, they will be acquired along with the parent Drive attachment.

Note 1: Each Drive attachment can potentially have hundreds of revisions. Acquisition of Drive attachment revisions can cause the acquisition to take significantly longer and increase the probability of throttling.

Note 2: Accessing the revisions of a Drive file requires different permissions than accessing the parent Drive file. You may encounter cases where the Drive attachment can be acquired but its revisions cannot due to lack of permissions.

5. Fetch Only the Latest Revision Before Parent was Sent

A Drive attachment that was referenced in an email can continue to be modified after the email was sent. When this option is selected, FEC will limit Google Drive revision acquisition to the latest Drive revision before the sent date of the email.

For example, let's look at the following timeline:

1. A file was created on Google Drive on January 1, 2019

2. The file was revised on March 1, 2019

3. The file was revised again on March 15, 2019

4. The file was attached to an email as a Drive attachment and sent on April 1, 2019

5. The file was revised again on May 1, 2019

When the "Fetch Only the Latest Revision Before Parent was Sent" option is selected, the current version of the Drive attachment (as of May 1, 2019) and the latest Drive revision before the email was sent (as of March 15, 2019) would be acquired.

How Are the Drive Attachments and Revisions Stored?

You can find the acquired Drive attachments and their revisions inside your output folder under "Items\!-- Drive Attachments --!\" in a folder structure that looks as follows:

Items\
   !-- Drive Attachments --!\
      <Parent Message ID>
         <Drive Attachment No>
              Revision_<revision date>_<revision ID>

Additionally, four log files named "Downloaded_Drive_Attachments", "Remaining_Drive_Attachments", "Downloaded_Drive_Attachment_Revisions", and "Remaining_Drive_Attachment_Revisions" will be created inside the "Logs" folder in your output directory. These logs will contain a list of Drive items as well as their metadata acquired from Google Drive.

Finally, the creation and last modification file system timestamps of the acquired Drive attachments and their revisions will be set to reflect the file metadata acquired from Google Drive.

Quick Tip: Google Drive provides hash values for external files (e.g., PDF, ZIP, etc.) that are stored in Drive, and FEC captures this information during acquisition. The hashes that Drive provides are calculated using the MD5 algorithm. If you set your output hashing setting in FEC to MD5, you can easily compare the hashes that Drive reports to the hashes that FEC calculates for each file side by side.

What is A Permanent Error?

When acquiring Google Drive attachments, FEC pays attention to the status messages from Google Drive. If Drive API indicates that a Drive item is no longer available (i.e., it was deleted, moved, its permissions were changed, etc.), then FEC records that as a permanent error and does not attempt to retry the item multiple times. Such issues would be listed as "Drive Attachments with Permanent Errors" in the Acquisition Summary section of the Acquisition Log.

Packaging Drive Attachments and Revisions with Their Parent Messages

FEC provides the option to package Drive attachments and revisions with their parent messages in individual ZIP archives. This is possible for MIME and MSG output and the packaged files are saved at the following locations:

<project root>\Items\!-- Drive Attachments --!\!Packaged_MIME and 
<project root>\Items\!-- Drive Attachments --!\!Packaged_MSG

Drive attachment/revision packaging can be accomplished in two different ways:

1. During Project Configuration

When setting up the output options for a project, you have the option to choose Drive attachment/revision packaging options as in the screenshot below. These options are only available if the "Fetch Drive Attachments" option was selected.

If the packaging options are selected, FEC checks the acquisition status at the conclusion of the acquisition session. If all Drive items without permanent errors have been acquired, then it proceeds with packaging the Drive attachments and revisions. Otherwise, it asks if you would like to proceed with the packaging as there are more items that have the potential to be acquired through additional retries. Even if you choose to not proceed with packaging, you can trigger the packaging manually at a later time via a post-acquisition action as described below.

2. As A Post-Acquisition Action

It is also possible to trigger the packaging of Drive attachments/revisions with their parents via a post-acquisition action. You can accomplish this by opening an existing project, and then clicking the " Package Drive Attachments Now..." hyperlink as in the screenshot below:

Note that the post-acquisition action is available even if the "Package w/Drive Attachments" output options were not selected during project setup. Clicking on the hyperlink will cause FEC to do the following:

  • Check the output folder to see if Drive attachments/revisions were packaged previously. If so, a new, unique set of folders will be created to house the new set of packaged files.
  • Package the Drive attachments/revisions for all applicable output types. That is, both MIME and MSG output options if they had been selected during project setup.

What Are the Conditions for Drive Attachments to be Packaged?

At the end of an acquisition, you may notice that you have more subfolders under the "!-- Drive Attachments --!" folder than you have ZIPs inside the "!Packaged_MIME" or "!Packaged_MSG" folders. This is because a parent message must have at least one successfully acquired Drive attachment or revision for the ZIP package to be created. If the Drive attachment or revision acquisition is unsuccessful (e.g., the file is no longer available), you might have a folder for the attachment but no package ZIP as there is no Drive attachment or revision to include in the package.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.