GSuite extract emails and save copy of mbox as Admin without knowing users password?

nnn · February 13, 2020, 7:51pm

Is it possible?

agungor · February 13, 2020, 8:18pm

You can do this with FEC using domain-wide delegation. That said, the output would be in EML, MSG, and PST formats rather than mbox.

If you must have mbox output, and if the G Suite organization is on a plan with Vault, you can use Vault to export in mbox format. We have a writeup on the cons and pros of each method here: https://www.metaspike.com/google-takeout-vault-email-forensics/

nnn · February 13, 2020, 8:34pm

so with [domain-wide delegation] I will be able to collect 30 PST for each user?

agungor · February 13, 2020, 8:47pm

If you have 30 users in the organization, you can authenticate using a service account and collect each mailbox as a PST.

nnn · February 13, 2020, 8:53pm

you can authenticate using a service account and collect each mailbox as a PST. - please explain more detail…

nnn · February 13, 2020, 9:04pm

Figure it out. FEC ROCKS!!!

agungor · February 13, 2020, 9:14pm

Great! Just in case, we have a video walkthrough here—delegation discussion starts around 43:30.

marcflores · March 26, 2020, 10:11am

If we have access to a service account, is there a way to automate exports for a large number of mailboxes via this method e.g. input csv with target mailboxes?

agungor · March 26, 2020, 2:08pm

Yes! Once you set up domain-wide delegation, you can add a list of mailboxes as additional targets and batch-create their acquisition projects. You can then start/resume those using the supplied batch file, or split them up and run them on multiple computers in parallel.

We have some more info on this here:

This also applies to regular acquisitions without delegation (e.g., Yahoo). In that case, you would need to include passwords for each additional target in your target list file.

We also have a quick walkthrough of this in the last webinar recording here (minute 43):

inflabs · September 15, 2021, 11:33am

I seem to be having challenges with collecting all users on the gsuite domain. I am logged in as a super admin and added the delegation permissions as outlined. I added a properly formatted text file of the additional user accounts to be collected and allowed time for the delegation permissions to take effect, however, I am still only being presented with the single user I am logged in as for data collection.

Has Google made any changes that would affect this? I ask because I tried with another tool and had the same results. So my thinking is that I am really, truly doing something wrong (and unable to follow directions) or something has hampered the ability to perform a domain-wide collection.

Thanks in advance for any feedback.

agungor · September 15, 2021, 1:50pm

Hi there,

Could it be that you are not pressing the “Create Additional Projects” button?

The workflow is as follows:

Configure domain-wide delegation of authority and load the JSON file into FEC for authentication
Create a list of your targets and load the list into FEC as additional targets
Configure your in-place search query if needed
Click the “Create Additional Projects” button so that FEC creates an acquisition project for each target
Use the supplied batch file to run the acquisitions in series or parallel in unattended mode

inflabs · September 15, 2021, 2:05pm

That looks to be EXACTLY what I wasn’t doing. Doh!

I don’t know how I missed that. Thank you!