I have been doing some research into Gmail collections and it looks like it is possible to collect from Gmail using IMAP or Google’s own API. Does anyone have a comparison of these options? Why would you choose one over the other?
You can add Takeout as an option there, but in essence, Takeout output is largely the same as that of a Gmail API acquisition, just with less flexibility.
I will try to compare Google APIs to Gmail over IMAP based on my experience:
| | Google APIs | Gmail via IMAP |
|---|---|---|
| Duplication | Using the Gmail API, you can collect each message once without causing additional duplication. | Each message is collected multiple times under its labels. |
| Data Types | Using Google’s APIs, you can access Calendar and Drive data in addition to Gmail. It is possible to acquire Drive attachments/revisions of messages. | IMAP acquisitions are limited to emails only. |
| In-place Search | Powerful in-place search capabilities. | In-place search is possible but not nearly as robust as the API. |
| Forensic Value | Access to raw MIME messages that are identical to Gmail’s copies, as well as Internal Date and Thread ID server metadata. | Access to raw MIME messages that are identical to Gmail’s copies, as well as Internal Date and IMAP Unique Identifier (UID) server metadata. |
| Performance | Slightly better performance than IMAP at the message level; much improved performance overall due to lack of duplication. | Single-message acquisition performance comparable to the API. Duplication due to labels causes longer acquisition times and higher chances of throttling. |
| Authentication | Support for OAuth, Remote Authentication, and domain-wide delegation. | Support for OAuth, legacy authentication, and Remote Authentication. |
| Permissions | Mailboxes can be acquired with read-only Gmail permissions. | Full mailbox access is required for acquisition. |
In summary, I recommend using Google’s APIs over IMAP when possible. The only tangible benefit you get with IMAP is sequence information (i.e., IMAP UIDs). I would recommend capturing that separately when needed as it can be very valuable in email investigations/authentication.
Arman, you suggest that it is valuable to capture the IMAP UIDs separately when needed, to avoid capturing the emails via the API as well as via IMAP. Once we capture the mailbox via the API, is there a way to capture the IMAP UIDs without capturing the entire mailbox again via IMAP?
Yes! When you kick off an IMAP acquisition, FEC starts by acquiring a snapshot of the mailbox which includes the UIDs. This usually takes only a minute or two. At this point, you could stop the acquisition and you would have the UIDs in the IMAP Acquisition log as well as in FEC’s Downloaded/Remaining Items logs.
That said, at this stage, the UIDs are not presented nicely next to the Internal Dates, which is where the investigative value comes in. Perhaps we can add a metadata-only acquisition option to FEC to offer a more elegant solution.
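As an added example (not FEC's code and not from anyone in the thread), here is a metadata-only pass in Python over the kind of IMAP FETCH responses a UID snapshot produces: it reads UID and INTERNALDATE together with Gmail's X-GM-MSGID/X-GM-THRID IMAP extension attributes, collapses the per-label duplicates the table mentions so each message keeps every (folder, UID) it has, and lists messages whose UID order disagrees with their Internal Date, the sort of sequence check Arman says is useful in authentication. The sample FETCH lines, folder names and the anomaly check are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of untagged FETCH responses as a Gmail IMAP server returns them for
# UID FETCH 1:* (UID INTERNALDATE X-GM-MSGID X-GM-THRID); values and folders are made up.
SAMPLE_FETCH = [
    ("INBOX",     b'* 1 FETCH (UID 101 INTERNALDATE "03-Jan-2023 14:22:07 +0000" X-GM-MSGID 1001 X-GM-THRID 9001)'),
    ("INBOX",     b'* 2 FETCH (UID 102 INTERNALDATE "03-Jan-2023 15:05:41 +0000" X-GM-MSGID 1002 X-GM-THRID 9001)'),
    ("INBOX",     b'* 3 FETCH (UID 103 INTERNALDATE "01-Jan-2023 09:00:00 +0000" X-GM-MSGID 1003 X-GM-THRID 9002)'),
    ("Project X", b'* 1 FETCH (UID 7 INTERNALDATE "03-Jan-2023 14:22:07 +0000" X-GM-MSGID 1001 X-GM-THRID 9001)'),
]

def _attr(line, name, pattern):
    # FETCH attributes may come back in any order, so match each one on its own.
    m = re.search(rb'\b' + name + rb' ' + pattern, line)
    if not m:
        raise ValueError(f"{name.decode()} missing in FETCH response: {line!r}")
    return m.group(1)

def parse_fetch_line(folder, line):
    # INTERNALDATE is "dd-Mon-yyyy hh:mm:ss +hhmm" (RFC 3501); normalise to UTC for comparison.
    idate = _attr(line, b'INTERNALDATE', rb'"([^"]+)"').decode()
    return {
        'uid': int(_attr(line, b'UID', rb'(\d+)')),
        'internal_date': datetime.strptime(idate, '%d-%b-%Y %H:%M:%S %z').astimezone(timezone.utc),
        'gm_msgid': int(_attr(line, b'X-GM-MSGID', rb'(\d+)')),
        'gm_thrid': int(_attr(line, b'X-GM-THRID', rb'(\d+)')),
    }

def build_metadata_index(fetch_responses):
    """Collapse per-label duplicates: one record per X-GM-MSGID, keeping every (folder, UID) it has."""
    index = {}
    for folder, line in fetch_responses:
        rec = parse_fetch_line(folder, line)
        entry = index.setdefault(rec['gm_msgid'], {
            'gm_thrid': rec['gm_thrid'], 'internal_date': rec['internal_date'], 'uids': {}})
        entry['uids'][folder] = rec['uid']
    return index

def sequence_anomalies(index, folder):
    """X-GM-MSGIDs whose UID order in `folder` disagrees with INTERNALDATE order (UIDs follow arrival order)."""
    recs = sorted((v['uids'][folder], k, v['internal_date'])
                  for k, v in index.items() if folder in v['uids'])
    return [msgid for (_, _, d_prev), (_, msgid, d) in zip(recs, recs[1:]) if d < d_prev]

if __name__ == '__main__':
    idx = build_metadata_index(SAMPLE_FETCH)
    print({m: (e['internal_date'].isoformat(), e['uids']) for m, e in idx.items()})
    print('out-of-sequence in INBOX:', sequence_anomalies(idx, 'INBOX'))
```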