Acquiring Google Drive Attachments of Emails

Forensic Email Collector can acquire Google Drive attachments and their revisions during Gmail / G Suite acquisitions. You will be presented with two options in the Gmail API settings page:

1. Fetch Drive Attachments

When this option is selected, FEC will detect Drive attachments in acquired emails and attempt to acquire them.

2. Fetch Revisions of Drive Attachments

When this option is selected, FEC will also request revision information for each Drive attachment from Drive API. If the item has revisions, they will be acquired along with the parent Drive attachment.

Note 1: Each Drive attachment can potentially have hundreds of revisions. Acquisition of Drive attachment revisions can cause the acquisition to take significantly longer and increase the probability of throttling.

Note 2: Accessing the revisions of a Drive file requires different permissions than accessing the parent Drive file. You may encounter cases where the Drive attachment can be acquired but its revisions cannot due to lack of permissions.

How Are the Drive Attachments and Revisions Stored?

You can find the acquired Drive attachments and their revisions inside your output folder under "Items\!-- Drive Attachments --!\" in a folder structure that looks as follows:

   !-- Drive Attachments --!\
      <Parent Message ID>
         <Drive Attachment No>
              Revision_<revision date>_<revision ID>

Additionally, four log files named "Downloaded_Drive_Attachments", "Remaining_Drive_Attachments", "Downloaded_Drive_Attachment_Revisions", and "Remaining_Drive_Attachment_Revisions" will be created inside the "Logs" folder in your output directory. These logs will contain a list of Drive items as well as their metadata acquired from Google Drive.

Finally, the creation and last modification file system timestamps of the acquired Drive attachments and their revisions will be set to reflect the file metadata acquired from Google Drive.

Quick Tip: Google Drive provides hash values for external files stored in Drive (e.g., PDF or ZIP files), and FEC captures this information during acquisition. The hashes that Drive provides are calculated using the MD5 algorithm. If you set your output hashing setting in FEC to MD5, you can easily compare the hashes that Drive reports to the hashes that FEC calculates for each file side by side.
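As an added example (not FEC's own code), the script below walks the acquired "!-- Drive Attachments --!" tree described above, recomputes the MD5 of each file and compares it with the Drive-reported hash, flagging files Drive reports no hash for. The sample tree, the message/attachment identifiers and the hash map are constructed stand-ins, since the page does not document the log file format.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of_file(path):
    """Stream the file so large attachments do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_drive_attachments(root, drive_md5_by_relpath):
    """Walk the '!-- Drive Attachments --!' tree and compare each file's MD5
    with the value Drive reported for it. Returns {relative path: status},
    where status is 'match', 'mismatch' or 'no_drive_hash' (native Google
    Docs/Sheets carry no md5Checksum, so those files cannot be cross-checked)."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        expected = drive_md5_by_relpath.get(rel)
        if expected is None:
            results[rel] = "no_drive_hash"
        else:
            results[rel] = "match" if md5_of_file(path) == expected.lower() else "mismatch"
    return results

def demo():
    """Build a constructed sample tree mirroring the page's layout and check it."""
    root = Path(tempfile.mkdtemp()) / "!-- Drive Attachments --!"
    att_dir = root / "MSG-0001" / "1"  # <Parent Message ID>/<Drive Attachment No> (constructed)
    att_dir.mkdir(parents=True)
    (att_dir / "report.pdf").write_bytes(b"hello world")
    (att_dir / "Revision_2021-01-05_REV-1").write_bytes(b"hello world")
    (att_dir / "notes.gdoc").write_bytes(b"exported Google Doc")
    # Constructed stand-in for the md5Checksum values FEC records from Drive
    drive_md5 = {
        "MSG-0001/1/report.pdf": "5eb63bbbe01eeed093cb22bb8f5acdc3",  # correct hash
        "MSG-0001/1/Revision_2021-01-05_REV-1": "00000000000000000000000000000000",  # wrong hash
    }
    return verify_drive_attachments(root, drive_md5)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:14} {rel}")
```

A mismatch means the acquired bytes differ from what Drive reported and the item should be re-acquired or investigated; a no_drive_hash result is expected for native Google Docs formats.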

What Is a Permanent Error?

When acquiring Google Drive attachments, FEC pays attention to the status messages from Google Drive. If Drive API indicates that a Drive item is no longer available (i.e., it was deleted, moved, its permissions were changed, etc.), then FEC records that as a permanent error and does not attempt to retry the item multiple times. Such issues would be listed as "Drive Attachments with Permanent Errors" in the Acquisition Summary section of the Acquisition Log.
