Blog >> Android Gmail

Investigating Android Gmail

24/11/2023 Friday

Gmail is the default email service for many Android devices due to its integration with the Android operating system, both of which are developed by Google. As a result, numerous Android smartphones and tablets come pre-installed with the Gmail application. The Gmail app enables users to effortlessly access their Gmail accounts and manage emails. This application offers a range of features, including an easy-to-use interface, real-time synchronization across multiple devices and accounts, advanced searching and filtering capabilities, and efficient handling of email attachments.

Digital Forensics Value of Android Gmail

The Android Gmail app holds significant digital forensics value due to its central role in managing users' emails on Android devices. Forensic investigators can analyze the artifacts left behind by this app to retrieve crucial information related to email contents, attachments, and contacts. Additionally, timestamps and metadata associated with emails can contribute to establishing timelines and contextual details during forensic investigations.

Location of Android Gmail Artifacts

Android Gmail artifact can be found at the following location:
/data/data/com.google.android.gm

Analyzing Android Gmail Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Android Gmail artifact from Android device's files and what kind of digital forensics insights we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Gmail artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Gmail artifact in ArtiFast.

Gmail Account Information

• Email Address: Account User Email Address.
• Account User ID: Account User ID.
• Is Device Notifications: Indicates whether the user allowed the device notifications for this account or not.
• Is Active: Indicates whether this account is active or not.

Gmail Mails Information

• Sent Date: Sent Date.
• ID: ID.
• Message ID: Message ID.
• Conversation: Conversation.
• RFC ID: RFC ID.
• From Address: From Address.
• To Addresses: To Addresses.
• Cc Addresses: Cc Addresses.
• Bcc Addresses: Bcc Addresses.
• Reply To Addresses: Reply To Addresses.
• Date Received Ms: Date Received Ms.
• Subject: Subject.
• Snippet: Snippet.
• Permalink: Permalink.
• SPF: SPF.
• DKIM: DKIM.
• Attachments Infos: Joined Attachment Infos.
• Ref Message ID: Ref Message ID.
• Forward: Forward.
• Quote Start Pos: Quote Start Pos.
• Query ID: Query ID.
• Clipped: Clipped.
• Encrypted: Encrypted.
• Synced: Synced.
• Sender Email Address: Show Sender's Full Email Address.
• Has MJWs: Has MJWs.
• Has SRS Intent: Has SRS Intent.
• Has Event: Has Event.
• Signed: Signed.
• Sync Blocked: Sync Blocked.
• Body Embeds External Resources: Body Embeds External Resource.
• All Day: All Day.
• Show Forged From Me Warning: Show Forged From Me Warning.
• Client Created: Client Created.
• Include Quoted Text: Include Quoted Text.
• Outbound Encryption Support: Outbound Encryption Support.
• Received With Tls: Received with Tls.
• Spam Displayed Reason Type: Spam Displayed Reason Type.
• Delivery Channel: Delivery Channel.
• Via Domain: Via Domain.
• Ref Ad Event ID: Ref Ad Event ID.
• Enhanced Recipients: Enhanced Recipients.
• Certificate Subject: Certificate Subject.
• Certificate Issuer: Certificate Issuer.
• Certificate Valid Since Sec: Certificate Valid Since Sec.
• Certificate Valid Until Sec: Certificate Valid Until Sec.
• Client Domain: Client Domain.
• Sender Name: Unsubscribe Sender Name.
• Receiver Names: Receiver Names.
• Unsubscribe Sender Identifier: Unsubscribe Sender Identifier.
• Message Server Perm ID: Message Server Perm ID.
• Thread Server Perm ID: Thread Server Perm ID.
• Display Name If Suspicious: Display Name If Suspicious.
• Database Row ID: Database Row ID.
• Stylesheet: Stylesheet.
• Event Title: Event Title.
• Location: Location.
• Organizer: Organizer.
• Attendees: Attendees.
• Ical Method: Ical Method.
• Event ID: Event ID.
• Calendar ID: Calendar ID.
• Responder: Responder.
• Response Status: Response Status.
• Body: Body.
• Error: Error.
• Message Body: Message Body in HTML format.
• Custom From Address: Custom From Address.
• References RFC822 Message IDs: References RFC822 Message IDs.
• Stylesheet Restrictor: Stylesheet Restrictor.
• SRS Time Coords: SRS Time Coords.
• Mail JS Body: Mail JS Body.
• Wallet Attachment ID: Wallet Attachment ID.
• List Info: List Info.
• Untrusted Addresses: Untrusted Addresses.
• Personal Level: Personal Level.
• Start Time: Start Time.
• End Time: End Time.

For more information or suggestions please contact: kalthoum.karkazan@forensafe.com