by Arman Gungor
Last week, I came across an interesting post on Forensic Focus. The poster, jahearne, was asking about how one can detect manipulation of an existing email in Gmail. In his hypothetical scenario, the bad actor was using Outlook to edit the message and change its contents after it was received. I wanted to reproduce this setup and examine the results to see what we find out.
I started by performing a baseline acquisition of the target email account over IMAP—which is the same protocol Outlook would use to connect to Gmail. This allowed me to capture the Internal Date Message Attribute as well as the Unique Identifier (UID) Message Attribute for each message before any manipulation took place. I used our Forensic Email Collector to do this, but you can also capture these values by directly interfacing with Gmail’s IMAP server.