Gmails That Have Been Read Show as Unread Again and Again
The need to determine whether a specific message was read by an end-user comes up often in email forensics. The question is often twofold:
- How can we preserve the "read" status of messages during forensic email acquisitions?
- Can we go beyond that and determine if a user had read a message and later marked it as unread? Can we find out when this happened?
While supporting Forensic Email Collector, I have answered a few queries along these lines very recently. I wanted to write this quick post to lay out some of the possibilities in this area when targeting Gmail or Google Workspace—formerly known as G Suite.
Preserving the "read" status of messages during forensic email preservation is part of virtually any forensic email preservation workflow. In the context of Gmail / Google Workspace, FEC, Google Vault, Google Takeout, and IMAP all support this in different ways. So, I won't go into the details here. Instead, we'll get right into the more exciting stuff!
Investigating Historical Message Read Status Activity
Capturing whether a message is marked as "read" or "unread" during forensic preservation is certainly useful. But, could we determine what happened in the past? For example, did the end-user read a message and then mark it as "unread"? What else did they do? When?
The answers to these questions depend on whether you are targeting Gmail or Google Workspace, and how far back the activity occurred. Let's take a look at some of the strategies we can use.
Email Log Search in Google Workspace (aka G Suite)
The first place you would want to look when investigating message activity in Google Workspace is Email Log Search. Specifically, the post-delivery message details for your target message.
Let's look at the post-delivery message details for five messages in Google Workspace. The end-user took the following actions on these messages:
Message #1: The end-user encountered this message in their mailbox when they logged into Gmail's web interface, but never opened it.
Message #2: The end-user opened this message.
Message #3: The end-user opened this message, and then marked it as "unread".
Message #4: The end-user marked this message as "read" without opening it.
Message #5: The end-user never encountered this message. That is, it was never included in the list of messages presented to the end-user when they logged into Gmail's web interface.
We will now go over the results of an email log search. Google Workspace admins can perform these searches here.
Message #1
State: Unopened and unread, Seen, Marked unimportant
Here, the Seen post-delivery message status indicates that the message was listed in the user's view when they opened Gmail. Unopened and unread indicates that the end-user did not open or read the message. This is consistent with what we expect for this message. The Marked unimportant post-delivery message status is self-explanatory. It indicates that the message is marked unimportant—in this instance, this was a system action, not a user action.
Below is a screenshot of what this looks like on the Google Admin user interface.
Message #2
State: Opened and read, Seen, Marked unimportant
Opened and read indicates that the end-user opened and read the message. This is consistent with what we would expect for this message—the end-user was presented with the message, they opened it, and it was marked "read".
Message #3
State: Opened and marked as unread, Seen, Marked unimportant
Now things are getting interesting! Opened and marked as unread indicates that the user opened this message, and then later marked it as "unread".
Message #4
State: Unopened and marked as read, Seen, Marked unimportant
As expected, the Unopened and marked as read post-delivery message status reflects precisely what the end-user did. That is, they were presented with the message, but they marked it as "read" without opening it. One way to achieve this in Gmail's user interface is to check the checkbox next to the message, and then to mark it as "read" using the "Mark as read" menu item in the toolbar.
Message #5
State: Unopened and unread, Unseen, Marked unimportant
The Unseen post-delivery message status indicates that the user never encountered this message in Gmail.
To take this a step further, I created an additional message (Message #6) and waited for the message to arrive while the end-user's Gmail was open in a browser tab without any user interaction. That is, Gmail's web interface refreshed automatically to list the new message without any explicit user action to navigate or refresh the page. This still resulted in the Seen post-delivery message status.
How Far Back Does Email Log Search Go?
When you try to specify a date range within the Email Log Search user interface, you can go back for about one month. However, Email Log Search allows you to search for messages older than 30 days by using the "Older than 30 days" option from the dropdown shown below.
This is with the caveat that you only get the post-delivery message status information for these older messages, not the other details included in the screenshot above. Additionally, you are required to provide the exact recipient address as well as the Message ID for your target message. Despite these restrictions, this is still extremely useful when you are investigating a specific message!
History Records in Gmail and Google Workspace
Another investigative technique we can use to answer some of these questions is Gmail History Records. This approach has a few advantages:
- It applies to both free Gmail accounts and paid Google Workspace accounts
- It can be used to date user actions such as when a message was marked as unread
- History records also include messages that are added and deleted
Since we covered Gmail History Records in the past, I will not go into full detail here. However, let's take a look at an example to see if we can determine when the end-user likely read a message, and when they subsequently marked the previously-read message as "unread".
In this example, the end-user opens a message with the subject "Sisyphus and Boulder" on 4/1/2021 at 13:11 PM (PDT). A few minutes later, at 13:16 PM (PDT), they mark the message as "unread". The relevant history records appear as follows—this is after Forensic Email Collector correlated history records with message metadata:
------ HISTORY RECORD ID: 290038 ------
Messages Added:
ID: 1788efef7e6e16e4
Folder Path: All Mail
Subject: Message 6
From: LMISF Test <lmisf01@gmail.com>
To: agungor@forensicemailcollector.com
Message ID: <CAMvYnDMYmh6T_3QFYY2RFO_tziROfC+ePgPKv7igOjWii5c6dw@mail.gmail.com>
Date: 2021-04-01 19:52:58Z
------ HISTORY RECORD ID: 290073 ------
Labels Removed:
Removed Label ID: UNREAD
From Message:
ID: 178607f63d53dedc
Folder Path: All Mail
Subject: Sisyphus and Boulder
From: NextDraft <dave@davenetics.com>
To: <lmisf01@gmail.com>
Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290120 ------
Messages Added:
ID: 1788f1441e8167fe
Folder Path: All Mail
Subject: Confirm Your Subscription
From: PLAE <hello@plae.co>
To: lmisf01@gmail.com
Message ID: <PiaWpZGKStO5fN8qu14Shg@ismtpd0177p1mdw1.sendgrid.net>
Date: 2021-04-01 20:16:11Z
------ HISTORY RECORD ID: 290189 ------
Labels Added:
Added Label ID: UNREAD
To Message:
ID: 178607f63d53dedc
Folder Path: All Mail
Subject: Sisyphus and Boulder
From: NextDraft <dave@davenetics.com>
To: <lmisf01@gmail.com>
Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290257 ------
Messages Added:
ID: 1788f16dbca40e33
Folder Path: All Mail
Subject: 10% off at PLAE - Welcome!
From: PLAE <hello@plae.co>
To: "lmisf01@gmail.com" <lmisf01@gmail.com>
Message ID: <G1aUtePOQJifSN5Q_RQARg@ismtpd0128p1iad2.sendgrid.net>
Date: 2021-04-01 20:19:02Z
The acquired history records show that the "UNREAD" label was removed from our target message between two events: when a new message arrived on 4/1/2021 at 12:52:58 PM (PDT), and another new message arrived on 4/1/2021 at 13:16:11 PM (PDT). This helps narrow the message read event down to an approximately 23-minute window.
Similarly, history records show that the "UNREAD" label was applied to our target message—in effect, marking it as "unread"—between two events: when a new message arrived on 4/1/2021 at 13:16:11 PM (PDT), and another new message arrived on 4/1/2021 at 13:19:02 PM (PDT). This helps narrow the message marked as unread event down to an approximately 3-minute window.
As I mentioned in our Gmail History Records article, it is important to forensically preserve and authenticate the messages you are using as anchor points in this type of analysis. Additionally, Gmail History Records typically do not go back more than a month.
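To make the bounding procedure above mechanical, here is an added Python example. It is not Forensic Email Collector's code and not part of the original article; it parses a history listing in the format shown above (abridged to the fields the parser needs) and, for every change of the UNREAD label on the target message, reports the nearest dated "Messages Added" records before and after it by history ID. The record IDs, Gmail message IDs, subjects and dates are the article's values; the HistoryRecord class and the function names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# History records from the article's listing, abridged to the fields this
# parser uses (record IDs, Gmail message IDs, subjects and dates are the
# article's values; From/To/Message ID/Folder Path lines are omitted).
HISTORY_RECORDS = """\
------ HISTORY RECORD ID: 290038 ------
Messages Added:
ID: 1788efef7e6e16e4
Subject: Message 6
Date: 2021-04-01 19:52:58Z
------ HISTORY RECORD ID: 290073 ------
Labels Removed:
Removed Label ID: UNREAD
From Message:
ID: 178607f63d53dedc
Subject: Sisyphus and Boulder
Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290120 ------
Messages Added:
ID: 1788f1441e8167fe
Subject: Confirm Your Subscription
Date: 2021-04-01 20:16:11Z
------ HISTORY RECORD ID: 290189 ------
Labels Added:
Added Label ID: UNREAD
To Message:
ID: 178607f63d53dedc
Subject: Sisyphus and Boulder
Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290257 ------
Messages Added:
ID: 1788f16dbca40e33
Subject: 10% off at PLAE - Welcome!
Date: 2021-04-01 20:19:02Z
"""

RECORD_HEADER = re.compile(r"^------ HISTORY RECORD ID: (\d+) ------$", re.M)


@dataclass
class HistoryRecord:
    record_id: int              # Gmail history ID; increases with time
    kind: str                   # "Messages Added", "Labels Added", "Labels Removed"
    label: Optional[str]        # label involved in a label change, else None
    message_id: Optional[str]   # Gmail message ID from the "ID:" field
    date: Optional[datetime]    # "Date:" field, parsed as UTC


def parse_history(text):
    """Split an FEC-style history listing into HistoryRecord objects, in listing order."""
    records = []
    parts = RECORD_HEADER.split(text)   # [preamble, id1, body1, id2, body2, ...]
    for i in range(1, len(parts), 2):
        body = parts[i + 1]
        first = body.strip().splitlines()[0].strip() if body.strip() else ""
        label = re.search(r"^[ \t]*(?:Added|Removed) Label ID: (\S+)$", body, re.M)
        msg_id = re.search(r"^[ \t]*ID: (\S+)$", body, re.M)   # not "Message ID:" / "Label ID:"
        date = re.search(r"^[ \t]*Date: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\dZ)$", body, re.M)
        parsed_date = None
        if date:
            parsed_date = datetime.strptime(date.group(1), "%Y-%m-%d %H:%M:%SZ")
            parsed_date = parsed_date.replace(tzinfo=timezone.utc)
        records.append(HistoryRecord(int(parts[i]), first.rstrip(":"),
                                     label.group(1) if label else None,
                                     msg_id.group(1) if msg_id else None, parsed_date))
    return records


def bound_label_changes(records, message_id, label):
    """For each change of `label` on `message_id`, use the nearest dated
    "Messages Added" records (by history ID) as not-before / not-after bounds.
    The Date on those anchor records is the arriving message's own Date header,
    which is why the anchor messages must be authenticated."""
    anchors = sorted((r for r in records if r.kind == "Messages Added" and r.date),
                     key=lambda r: r.record_id)
    windows = []
    for rec in records:
        if rec.message_id != message_id or rec.label != label:
            continue
        before = [a.date for a in anchors if a.record_id < rec.record_id]
        after = [a.date for a in anchors if a.record_id > rec.record_id]
        lo, hi = (before[-1] if before else None), (after[0] if after else None)
        windows.append({
            "record_id": rec.record_id,
            "action": "added" if rec.kind == "Labels Added" else "removed",
            "not_before": lo,
            "not_after": hi,
            "window_seconds": int((hi - lo).total_seconds()) if lo and hi else None,
        })
    return windows


if __name__ == "__main__":
    for w in bound_label_changes(parse_history(HISTORY_RECORDS), "178607f63d53dedc", "UNREAD"):
        print(f"record {w['record_id']}: UNREAD {w['action']} between "
              f"{w['not_before']:%Y-%m-%d %H:%M:%SZ} and {w['not_after']:%Y-%m-%d %H:%M:%SZ} "
              f"({w['window_seconds']} s)")
```

Run stand-alone, it prints the two windows the text derives: the UNREAD removal (record 290073) falls between 19:52:58Z and 20:16:11Z (1393 s, roughly 23 minutes), and the UNREAD addition (record 290189) between 20:16:11Z and 20:19:02Z (171 s, roughly 3 minutes). The ordering relies on history IDs increasing with time, and the bounds are only as trustworthy as the Date headers of the anchor messages.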
Opened Label in Google Vault and Takeout & Message Read Status
Another data point that can be helpful when investigating post-delivery message status is the Opened label included in Google Takeout and Vault exports. Here is how this looks in a Google Takeout mbox export:
X-Gmail-Labels: Sent,Inbox,Opened,Category personal
and in a Vault metadata XML:
<Tag TagName='Labels' TagDataType='Text' TagValue='^INBOX,^OPENED'/>
The interesting thing is that the Opened label is not accessible via the Gmail API, it is not listed as part of the common Gmail system labels, nor can it be used to query messages via Gmail's search feature (i.e., label:<labelname>). Although listed as a Gmail label in Takeout and Vault exports, the Opened label behaves like a special value rather than a regular Gmail label.
The Opened and Unread labels are populated as follows for the five sample messages we discussed above:
Message #1
INBOX,UNREAD
Message #2
INBOX,OPENED
Message #3
INBOX,OPENED,UNREAD
Message #4
INBOX
Message #5
INBOX,UNREAD
As expected, the OPENED,UNREAD combination in Message #3 reveals that the message was marked as "unread" after it had been opened and read. Similarly, the fact that both the OPENED and UNREAD labels are missing from Message #4 shows that it was marked as "read" without being opened.
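The following Python example is added here and is not part of the original article or of any Google or Metaspike tooling. It pulls the label set out of both export formats shown above (the X-Gmail-Labels header of a Takeout mbox message and the Labels Tag of a Vault metadata XML), normalizes the two spellings (Takeout's mixed case versus Vault's ^-prefixed system labels), and maps the Opened/Unread combination to the read state the table above assigns. The sample message and the <Document><Tags> wrapper around the Tag element are constructed; only the header value and the Tag element itself mirror the article.

```python
import email
import xml.etree.ElementTree as ET


def normalize_labels(raw):
    """Turn 'Sent,Inbox,Opened' or '^INBOX,^OPENED' into {'SENT', 'INBOX', 'OPENED'}.
    Takeout uses mixed case; Vault prefixes system labels with '^'."""
    return {part.strip().lstrip("^").upper() for part in raw.split(",") if part.strip()}


def classify_read_state(labels):
    """Interpret the Opened/Unread combination the way the article's table does."""
    opened, unread = "OPENED" in labels, "UNREAD" in labels
    if opened and unread:
        return "opened, then marked as unread"
    if opened:
        return "opened and read"
    if unread:
        return "unopened and unread"
    return "marked as read without being opened"


def labels_from_takeout_message(raw_message):
    """Read X-Gmail-Labels from one RFC 822 message taken out of a Takeout mbox file."""
    msg = email.message_from_string(raw_message)
    return normalize_labels(msg.get("X-Gmail-Labels", ""))


def labels_from_vault_metadata(xml_text):
    """Read the Tag element named 'Labels' from a Vault metadata XML document."""
    root = ET.fromstring(xml_text)
    for tag in root.iter("Tag"):
        if tag.get("TagName") == "Labels":
            return normalize_labels(tag.get("TagValue", ""))
    return set()


# Constructed sample inputs (not real export data). The header value and the Tag
# element mirror the article's examples; the surrounding message headers and the
# <Document><Tags> wrapper are assumptions about the export layout.
TAKEOUT_MESSAGE = """\
X-Gmail-Labels: Sent,Inbox,Opened,Category personal
From: Example Sender <sender@example.com>
To: Example Recipient <recipient@example.com>
Subject: Constructed sample message

Constructed body.
"""

VAULT_METADATA = """\
<Document DocID="constructed-0001">
  <Tags>
    <Tag TagName='Labels' TagDataType='Text' TagValue='^INBOX,^OPENED,^UNREAD'/>
  </Tags>
</Document>
"""

# The five label sets the article lists for its sample messages.
ARTICLE_SAMPLES = {
    1: "INBOX,UNREAD",
    2: "INBOX,OPENED",
    3: "INBOX,OPENED,UNREAD",
    4: "INBOX",
    5: "INBOX,UNREAD",
}


def classify_samples(samples=ARTICLE_SAMPLES):
    """Return {message number: read-state description} for a dict of raw label strings."""
    return {n: classify_read_state(normalize_labels(raw)) for n, raw in samples.items()}


if __name__ == "__main__":
    for n, state in classify_samples().items():
        print(f"Message #{n}: {state}")
    print("Takeout sample:", classify_read_state(labels_from_takeout_message(TAKEOUT_MESSAGE)))
    print("Vault sample:", classify_read_state(labels_from_vault_metadata(VAULT_METADATA)))
```

Because the Opened label is not exposed through the Gmail API, this classification only works on Takeout and Vault exports; for messages acquired over IMAP or the API, the history-record and Email Log Search approaches above are the ones to use. Note also that label sets cannot distinguish Message #1 from Message #5 (both are INBOX,UNREAD); only the Seen/Unseen status from Email Log Search tells those two apart.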
Conclusions
Using a combination of Email Log Search, Gmail History Records, and the Opened pseudo-label in Gmail and Google Workspace exports, forensic email examiners can answer questions such as:
- Has the end-user ever encountered the target message?
- Did they open it?
- When did they read it?
- Did they mark it as "read" without opening it?
- Did they mark it as "unread" after having read it?
- When?
Gmail History Records are particularly useful for showing both label and message deletion events and putting upper and lower time bounds on user activity.
It is important to keep in mind that time is of the essence, and Gmail History Records should be preserved as soon as possible. Additionally, any messages relied upon as anchor points for timing information should be authenticated.
Arman Gungor is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them.
Source: https://www.metaspike.com/message-read-status-gmail-google-workspace/