
Gmail: anti-forensics

Junior Member

Gmail warns you of any non-authorized login on your account, or tags it as "suspicious".

As far as I know, this is done through detecting a change of your IP-address or a change of your hardware (read your OS) within a certain time-frame; the last 10 logons (IP, OS) are displayed to the alternate email-address.

I do not understand this system completely and struggle with it within our organisation.
We use a single gmail-address (say [email protected]), where a limited number of members were given access by supplying them with the credentials. My email is the alternate where Google sends any notifications of so-called "critical warning for your coupled google account."

Not a big problem, but I get these warnings regularly.

- when a member logs on while on vacation, but with the same MAC-address;
- when a member logs on with another OS;
- when a member logs on automatically with his old computer through Windows Live Mail or Outlook or HTTPS (browser);
- when a member logs on with his old GSM (which suddenly awoke due to a new battery or recharge)

Does somebody know the algorithm behind this system?

Posted : 31/07/2019 5:57 pm
Active Member

I don't know the specific algorithm but I believe you already covered the fundamentals. MAC-address is irrelevant as it's not part of TCP transport and never seen by Google. Cookies are almost certainly used. The OS is not directly available, but generally part of the Browser USER-AGENT.

Independent of the above, your usage technique creates problems and violates basic security practices. You should reconsider your approach.

Shared accounts and passwords are fundamentally bad. If you're determined to use Gmail, the accounts are free, everyone should have their own!

If you're looking to have multiple people enabled to access the email, set up an auto-forward from the main account to all the subsidiary accounts.

Set a reply-to the main account in all the subsidiary accounts.

Everyone uses their own account. Everyone sees incoming email from the main account. A "CC" or "BCC" used on the subsidiary accounts lets everyone see each other's mail.

Trying to defeat Google's security algorithm is not the approach to take.

Posted : 31/07/2019 7:47 pm
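A toy reconstruction of the heuristic the question and the reply above describe (recent logons compared by IP address and by OS taken from the User-Agent header, with the MAC address never reaching the server and so never an input), added here as an illustration; it is not Google's actual algorithm, which nobody in the thread knows. The log format, the 30-day window, the documentation IP addresses and the user-agent strings are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: crude OS classification from the User-Agent header, the only place the OS is
# visible in an HTTPS login (order matters: iPhone UAs also say "Mac OS X", Android UAs "Linux").
OS_PATTERNS = [(re.compile(p, re.I), name) for p, name in [
    (r"Windows NT", "Windows"), (r"iPhone|iPad", "iOS"), (r"Android", "Android"),
    (r"Mac OS X", "macOS"), (r"Linux", "Linux")]]

def os_from_user_agent(user_agent):
    for pattern, name in OS_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "unknown"

class LoginHistory:
    """Keeps the last `window` logons (IP, OS) per account, as the question describes."""
    def __init__(self, window=10, max_age=timedelta(days=30)):
        self.max_age = max_age
        self.history = defaultdict(lambda: deque(maxlen=window))

    def check(self, account, ts, ip, user_agent):
        """Return the reasons this logon looks unfamiliar; an empty list means familiar."""
        os_name = os_from_user_agent(user_agent)
        recent = [e for e in self.history[account] if ts - e["ts"] <= self.max_age]
        reasons = []
        if recent:  # the very first logon has nothing to compare against
            if ip not in {e["ip"] for e in recent}:
                reasons.append("new IP address")
            if os_name not in {e["os"] for e in recent}:
                reasons.append("new OS: " + os_name)
        self.history[account].append({"ts": ts, "ip": ip, "os": os_name})
        return reasons

# Constructed sample logons for one shared mailbox (RFC 5737 documentation IPs).
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 8.1.0; Nexus 5X) Chrome/75.0 Mobile"
SAMPLE_LOGONS = [
    ("2019-07-01 09:00", "203.0.113.5", WIN_UA),      # usual office PC
    ("2019-07-02 09:05", "203.0.113.5", WIN_UA),
    ("2019-07-10 20:30", "198.51.100.7", WIN_UA),     # same PC, member on vacation
    ("2019-07-11 07:45", "203.0.113.5", ANDROID_UA),  # old phone woke up on office Wi-Fi
]

def run_sample():
    """Replay the constructed logons; returns one reason list per logon."""
    hist = LoginHistory()
    return [hist.check("shared-mailbox", datetime.strptime(t, "%Y-%m-%d %H:%M"), ip, ua)
            for t, ip, ua in SAMPLE_LOGONS]
```

Replaying the sample flags the third logon for a new IP and the fourth for a new OS, which is exactly the vacation and old-phone cases listed in the question, while the MAC address plays no part.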
Senior Member

Have you looked at implementing the Google Authenticator app on employees’ phones?

Also have you looked at Google’s version of the Yubikey to improve Multi Factor Authentication for your organization?

Finally, does Gmail allow for remote wiping of smartphones? I know Exchange and Office365 do, which should be a requirement for your employees accessing company gmail using personally owned and company owned phones in the event phones are ever lost or stolen.

Posted : 31/07/2019 8:33 pm
Junior Member

Thank you for your replies gents.
I'll certainly follow up some of your suggestions.

Posted : 04/08/2019 8:02 am