Acquiring Gmail History Records

Gmail History Records provide activity information associated with a mailbox such as the labels that were added or removed, and the messages that were added or deleted. The records can often be used to make inferences about user activity in the mailbox such as when a message of interest was deleted, if an email was read and subsequently marked as “unread”, etc.

You can read more about History Record analysis here:

Gmail History Records in Forensic Email Investigations

Note

Google’s documentation states that: “History IDs increase chronologically but are not contiguous with random gaps in between valid IDs. A history ID is typically valid for at least a week, but in some rare circumstances may be valid for only a few hours”.

Accessing history records requires a starting history ID. You can acquire history records using Forensic Email Collector (FEC) as follows:

1. Configure a Gmail API acquisition.

2. Enter the In-place Search interface.

3. Run a search preview. Based on Google’s documentation, history records do not last very long. You can, for instance, run a search along the lines of newer_than:1m to pick a starting point within the last month.

4. Right-click on a search result of your choice and choose the Fetch history records starting at this item context menu item.

   

5. FEC will proceed to acquire the History Records and ask you for a folder where the output should be written. Once you select the folder, FEC will export a report that contains the History Records starting at the history ID of the item you selected.