Acquiring Google Drive Attachments of Emails
Forensic Email Collector can acquire Google Drive attachments and their revisions during Gmail / Google Workspace acquisitions. You will be presented with the following options on the Gmail API settings page:
1. Fetch Drive Attachments
When this option is selected, FEC will detect Drive attachments in acquired emails and attempt to acquire them. This includes both the Drive items that originated from the target user's own Drive and outside items that were shared with the user. The Drive Attachment is the current version of the Drive item at the time of acquisition.
2. Advanced Drive Options
Opens the Advanced Drive Options page where additional options can be specified.
3. Include Contents of Drive Folders
If you choose this option, FEC will explore the contents of Google Drive folders that are encountered during the acquisition. Children of the Drive folders will be added to the acquisition recursively. We recommend that you use this option with caution as a Drive folder can potentially contain a very large amount of data, increasing total acquisition time significantly.
4. Exclude Duplicates
If this option is selected, FEC will output each Drive item (identified by Drive Service ID) only once. For example, if Drive Item A is referenced by Email 1, Email 2, and Email 3, selecting this option would cause Drive Item A to be output only once, as a Drive attachment of Email 1, but not for Email 2 or Email 3. This option does not have a significant effect on acquisition time—it mainly affects the data amount at the end of the acquisition.
Important Note: The Exclude Duplicates option is a new option and is not the same as the Collapse Duplicates option that was previously available.
5. Fetch Revisions of Drive Attachments
When this option is selected, FEC will also request revision information for each Drive attachment from Drive API. If the item has revisions, they will be acquired along with the parent Drive attachment.
Note 1: Each Drive attachment can potentially have hundreds of revisions. Acquisition of Drive attachment revisions can cause the acquisition to take significantly longer and increase the probability of throttling.
Note 2: Accessing the revisions of a Drive file requires different permissions than accessing the parent Drive file. You may encounter cases where the Drive attachment can be acquired but its revisions cannot due to lack of permissions.
6. Skip Last Revision
When this option is selected, FEC would discard the last item on the list of revisions for a Drive item. The last revision item typically reflects the Drive Attachment itself. Therefore, when acquiring the Drive Attachment, it may be desirable to skip the last revision. This option is not available when the Suppress Acquisition of Drive Attachment option is enabled, as it only makes sense to skip the last revision if the Drive Attachment is being acquired.
7. Fetch Only the Latest Revision Before Parent was Sent
A Drive attachment that was referenced in an email can continue to be modified after the email was sent. When this option is selected, FEC will limit Google Drive revision acquisition to the latest Drive revision before the sent date of the email.
For example, let's look at the following timeline:
1. A file was created on Google Drive on January 1, 2019
2. The file was revised on March 1, 2019
3. The file was revised again on March 15, 2019
4. The file was attached to an email as a Drive attachment and sent on April 1, 2019
5. The file was revised again on May 1, 2019
When the "Fetch Only the Latest Revision Before Parent was Sent" option is selected, the current version of the Drive Attachment (as of May 1, 2019) and the latest Drive revision before the email was sent (as of March 15, 2019) would be acquired.
8. Do not Acquire Any Revisions / Acquire All Revisions Instead (Toggle)
This toggle controls FEC's behavior when the Fetch Only the Latest Revision Before Parent was Sent option is enabled, but no such revision can be found. You can direct FEC to acquire all revisions for that Drive item instead, or not to acquire any revisions for that Drive item.
9. Suppress Acquisition of Drive Attachment
This option is available when the Fetch Only the Latest Revision Before Parent was Sent option is enabled and causes FEC to only acquire the latest revision before the parent was sent, but not the Drive Attachment (i.e., the current version of the Drive Item). If the Drive item has no revisions, no Drive items would be acquired when this option is activated.
How Are the Drive Attachments and Revisions Stored?
You can find the acquired Drive attachments and their revisions inside your output folder under "Items\!-- Drive Attachments --!\" in a folder structure that looks as follows:
Items\ !-- Drive Attachments --!\ <Parent Message ID> <Drive Attachment No> Revision_<revision date>_<revision ID>
Additionally, four log files named "Downloaded_Drive_Attachments", "Remaining_Drive_Attachments", "Downloaded_Drive_Attachment_Revisions", and "Remaining_Drive_Attachment_Revisions" will be created inside the "Logs" folder in your output directory. These logs will contain a list of Drive items as well as their metadata acquired from Google Drive.
Finally, the creation and last modification file system timestamps of the acquired Drive attachments and their revisions will be set to reflect the file metadata acquired from Google Drive.
Quick Tip: Google Drive provides hash values for external files (e.g., PDF, ZIP, etc.) that are stored in Drive, and FEC captures this information during acquisition. The hashes that Drive provides are calculated using the MD5 algorithm. If you set your output hashing setting in FEC to MD5, you can easily compare the hashes that Drive reports to the hashes that FEC calculates for each file side by side.
What is A Permanent Error?
When acquiring Google Drive attachments, FEC pays attention to the status messages from Google Drive. If Drive API indicates that a Drive item is no longer available (i.e., it was deleted, moved, its permissions were changed, etc.), then FEC records that as a permanent error and does not attempt to retry the item multiple times. Such issues would be listed as "Drive Attachments with Permanent Errors" in the Acquisition Summary section of the Acquisition Log.
Drive Acquisition and Domain-wide Delegation
It is important to note that when using domain-wide delegation of authority, the service account impersonates the current target user. In other words, if the target of your acquisition is john.doe@example.com and you are using a service account, the effective permissions for accessing Drive files and their revisions will be what would ordinarily be applicable to john.doe@example.com. Although the service account is authorized at the organization level, it cannot access the data of all users simultaneously—it impersonates one user at a time.
Packaging Drive Attachments and Revisions with Their Parent Messages
FEC provides the option to package Drive attachments and revisions with their parent messages in individual ZIP archives. This is possible for MIME and MSG output, and the packaged files are saved at the following locations:
<project root>\Items\!-- Drive Attachments --!\!Packaged_MIME and
<project root>\Items\!-- Drive Attachments --!\!Packaged_MSG
Drive attachment/revision packaging can be accomplished in two different ways:
1. During Project Configuration
When setting up the output options for a project, you have the option to choose Drive attachment/revision packaging options, as in the screenshot below. These options are only available if the "Fetch Drive Attachments" option was selected.
If the packaging options are selected, FEC checks the acquisition status at the conclusion of the acquisition session. If all Drive items without permanent errors have been acquired, then it proceeds with packaging the Drive attachments and revisions. Otherwise, it asks if you would like to proceed with the packaging, as there are more items that have the potential to be acquired through additional retries. Even if you choose not to proceed with packaging, you can trigger the packaging manually at a later time via a post-acquisition action, as described below.
2. As A Post-Acquisition Action
It is also possible to trigger the packaging of Drive attachments/revisions with their parents via a post-acquisition action. You can accomplish this by opening an existing project and then clicking the " Package Drive Attachments Now..." hyperlink as in the screenshot below:
Note that the post-acquisition action is available even if the "Package w/Drive Attachments" output options were not selected during project setup. Clicking on the hyperlink will cause FEC to do the following:
- Check the output folder to see if Drive attachments/revisions were packaged previously. If so, a new, unique set of folders will be created to house the new set of packaged files.
- Package the Drive attachments/revisions for all applicable output types. That is, both MIME and MSG output options if they had been selected during project setup.
What Are the Conditions for Drive Attachments to be Packaged?
At the end of an acquisition, you may notice that you have more subfolders under the "!-- Drive Attachments --!" folder than you have ZIPs inside the "!Packaged_MIME" or "!Packaged_MSG" folders. This is because a parent message must have at least one successfully acquired Drive attachment or revision for the ZIP package to be created. If the Drive attachment or revision acquisition is unsuccessful (e.g., the file is no longer available), you might have a folder for the attachment but no package ZIP as there is no Drive attachment or revision to include in the package.