Emails That Have Been Read Show as Unread Again and Again
The need to determine whether a specific message was read by an end-user comes up often in email forensics. The question is often twofold:
- How can we preserve the "read" status of messages during forensic email acquisitions?
- Can we go beyond that and determine if a user had read a message and subsequently marked it as unread? Can we find out when this happened?
While supporting Forensic Email Collector, I have answered a few queries along these lines very recently. I wanted to write this quick post to lay out some of the possibilities in this area when targeting Gmail or Google Workspace—formerly known as G Suite.
Preserving the "read" status of messages during forensic email preservation is part of virtually any forensic email preservation workflow. In the context of Gmail / Google Workspace, FEC, Google Vault, Google Takeout, and IMAP all support this in different ways. So, I won't go into the details here. Instead, we'll get right into the more exciting stuff!
Investigating Historical Message Read Status Activity
Capturing whether a message is marked as "read" or "unread" during forensic preservation is certainly useful. But, could we determine what happened in the past? For instance, did the end-user read a message and then mark it as "unread"? What else did they do? When?
The answers to these questions depend on whether you are targeting Gmail or Google Workspace, and how far back the action occurred. Let's take a look at some of the strategies we can use.
Email Log Search in Google Workspace (aka G Suite)
The first place you would want to look when investigating message activity in Google Workspace is Email Log Search. Specifically, the post-delivery message details for your target message.
Let's look at the post-delivery message details for five messages in Google Workspace. The end-user took the following actions on these messages:
Message #1: The end-user encountered this message in their mailbox when they logged into Gmail's web interface, but never opened it.
Message #2: The end-user opened this message.
Message #3: The end-user opened this message, and then marked it as "unread".
Message #4: The end-user marked this message as "read" without opening it.
Message #5: The end-user never encountered this message. That is, it was never included in the list of messages presented to the end-user when they logged into Gmail's web interface.
We will now go over the results of an email log search. Google Workspace admins can perform these searches here.
Message #1
State: Unopened and unread, Seen, Marked unimportant
Here, the Seen post-delivery message status indicates that the message was listed in the user's view when they opened Gmail. Unopened and unread indicates that the end-user did not open or read the message. This is consistent with what we expect for this message. The Marked unimportant post-delivery message status is self-explanatory. It indicates that the message is marked unimportant—in this case, this was a system action, not a user action.
Below is a screenshot of what this looks like on the Google Admin user interface.
Message #2
State: Opened and read, Seen, Marked unimportant
Opened and read indicates that the end-user opened and read the message. This is consistent with what we would expect for this message—the end-user was presented with the message, they opened it, and it was marked "read".
Message #3
State: Opened and marked as unread, Seen, Marked unimportant
Now things are getting interesting! Opened and marked as unread indicates that the user opened this message, then later marked it as "unread".
Message #4
State: Unopened and marked as read, Seen, Marked unimportant
As expected, the Unopened and marked as read post-delivery message status reflects precisely what the end-user did. That is, they were presented with the message. But, they marked it as "read" without opening the message. One way to accomplish this in Gmail's user interface is to check the checkbox next to the message, and then to mark it as "read" using the "Mark as read" menu item in the toolbar.
Message #5
State: Unopened and unread, Unseen, Marked unimportant
The Unseen post-delivery message status indicates that the user never encountered this message in Gmail.
To take this a step further, I created an additional message (Message #6) and waited for the message to arrive while the end-user's Gmail was open in a browser tab without any user interaction. That is, Gmail's web interface refreshed automatically to list the new message without any explicit user action to navigate or refresh the page. This still resulted in the Seen post-delivery message status.
How Far Back Does Email Log Search Go?
When you try to specify a date range within the Email Log Search user interface, you can go back for about 1 month. However, Email Log Search allows you to search for messages older than 30 days by using the "Older than 30 days" option from the dropdown shown below.
This is with the caveat that you only get the post-delivery message status information for these older messages, not the other details included in the screenshot above. Additionally, you are required to provide the exact recipient address as well as the Message ID for your target message. Despite these restrictions, this is still extremely useful when you are investigating a specific message!
History Records in Gmail and Google Workspace
Another investigative technique we can use to answer some of these questions is Gmail History Records. This approach has a few advantages:
- It applies to both free Gmail accounts and paid Google Workspace accounts
- It can be used to date user actions such as when a message was marked as unread
- History records also include messages that are added and deleted
Since we covered Gmail History Records in the past, I will not go into full detail here. However, let's have a look at an example to see if we can determine when the end-user likely read a message, and when they subsequently marked the previously-read message as "unread".
In this case, the end-user opens a message with the subject "Sisyphus and Boulder" on 4/1/2021 at 13:11 PM (PDT). A few minutes later, at 13:16 PM (PDT), they mark the message as "unread". Relevant history records appear as follows—this is after Forensic Email Collector correlated history records with message metadata:
------ HISTORY RECORD ID: 290038 ------
Messages Added:
  ID: 1788efef7e6e16e4
  Folder Path: All Mail
  Subject: Message 6
  From: LMISF Test <lmisf01@gmail.com>
  To: agungor@forensicemailcollector.com
  Message ID: <CAMvYnDMYmh6T_3QFYY2RFO_tziROfC+ePgPKv7igOjWii5c6dw@mail.gmail.com>
  Date: 2021-04-01 19:52:58Z
------ HISTORY RECORD ID: 290073 ------
Labels Removed:
  Removed Label ID: UNREAD
  From Message:
    ID: 178607f63d53dedc
    Folder Path: All Mail
    Subject: Sisyphus and Boulder
    From: NextDraft <dave@davenetics.com>
    To: <lmisf01@gmail.com>
    Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
    Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290120 ------
Messages Added:
  ID: 1788f1441e8167fe
  Folder Path: All Mail
  Subject: Confirm Your Subscription
  From: PLAE <hello@plae.co>
  To: lmisf01@gmail.com
  Message ID: <PiaWpZGKStO5fN8qu14Shg@ismtpd0177p1mdw1.sendgrid.net>
  Date: 2021-04-01 20:16:11Z
------ HISTORY RECORD ID: 290189 ------
Labels Added:
  Added Label ID: UNREAD
  To Message:
    ID: 178607f63d53dedc
    Folder Path: All Mail
    Subject: Sisyphus and Boulder
    From: NextDraft <dave@davenetics.com>
    To: <lmisf01@gmail.com>
    Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
    Date: 2021-03-23 18:31:08Z
------ HISTORY RECORD ID: 290257 ------
Messages Added:
  ID: 1788f16dbca40e33
  Folder Path: All Mail
  Subject: 10% off at PLAE - Welcome!
  From: PLAE <hello@plae.co>
  To: "lmisf01@gmail.com" <lmisf01@gmail.com>
  Message ID: <G1aUtePOQJifSN5Q_RQARg@ismtpd0128p1iad2.sendgrid.net>
  Date: 2021-04-01 20:19:02Z
The acquired history records show that the "UNREAD" label was removed from our target message between two events: when a new message arrived on 4/1/2021 at 12:52:58 PM (PDT), and another new message arrived on 4/1/2021 at 13:16:11 PM (PDT). This helps narrow the message read event down to an approximately 23-minute window.
Similarly, history records show that the "UNREAD" label was applied to our target message—in effect, marking it as "unread"—between two events: when a new message arrived on 4/1/2021 at 13:16:11 PM (PDT), and another new message arrived on 4/1/2021 at 13:19:02 PM (PDT). This helps narrow the message marked as unread event down to an approximately 3-minute window.
As I mentioned in our Gmail History Records article, it is important to forensically preserve and authenticate the messages you are using as anchor points in this type of analysis. Additionally, Gmail History Records typically do not go back more than a month.
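To show the bounding step mechanically, here is an added Python example (not Forensic Email Collector's code) that replays the five records above in the shape the Gmail API's users.history.list response returns them and computes both windows. The arrival-time table is constructed from the Date fields above, since the history response itself carries no timestamps and the anchor messages must be preserved separately.

```python
from datetime import datetime, timezone

# Constructed sample: the five history records shown above, reduced to the
# fields a users.history.list response carries (record id, message id,
# label ids). Record and message ids are the ones from the page.
HISTORY = [
    {"id": "290038", "messagesAdded": [{"message": {"id": "1788efef7e6e16e4"}}]},
    {"id": "290073", "labelsRemoved": [{"message": {"id": "178607f63d53dedc"},
                                        "labelIds": ["UNREAD"]}]},
    {"id": "290120", "messagesAdded": [{"message": {"id": "1788f1441e8167fe"}}]},
    {"id": "290189", "labelsAdded": [{"message": {"id": "178607f63d53dedc"},
                                      "labelIds": ["UNREAD"]}]},
    {"id": "290257", "messagesAdded": [{"message": {"id": "1788f16dbca40e33"}}]},
]
# Arrival times (UTC) of the anchor messages, from the Date fields above; in
# practice these come from the preserved messages' metadata, not from history.
ARRIVALS = {
    "1788efef7e6e16e4": datetime(2021, 4, 1, 19, 52, 58, tzinfo=timezone.utc),
    "1788f1441e8167fe": datetime(2021, 4, 1, 20, 16, 11, tzinfo=timezone.utc),
    "1788f16dbca40e33": datetime(2021, 4, 1, 20, 19, 2, tzinfo=timezone.utc),
}

def _nearest_anchor(records, arrivals):
    """Arrival time of the first datable messagesAdded entry in records."""
    for record in records:
        for added in record.get("messagesAdded", []):
            if added["message"]["id"] in arrivals:
                return arrivals[added["message"]["id"]]
    return None

def label_event_window(history, arrivals, target_id, label, change):
    """Bound a label change ("labelsAdded"/"labelsRemoved") on target_id.

    Returns (lower, upper): arrival times of the nearest anchor messages
    before and after the change; None on a side that has no anchor.
    """
    records = sorted(history, key=lambda r: int(r["id"]))  # ids grow over time
    for idx, record in enumerate(records):
        if any(e["message"]["id"] == target_id and label in e.get("labelIds", [])
               for e in record.get(change, [])):
            lower = _nearest_anchor(reversed(records[:idx]), arrivals)
            upper = _nearest_anchor(records[idx + 1:], arrivals)
            return lower, upper
    raise ValueError(f"no {change} of {label} for message {target_id}")
```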
Opened Label in Google Vault and Takeout & Message Read Status
Another data point that can be helpful when investigating post-delivery message status is the Opened label included in Google Takeout and Vault exports. Here is how this looks in a Google Takeout mbox export:
X-Gmail-Labels: Sent,Inbox,Opened,Category personal
and in a Vault metadata XML:
<Tag TagName='Labels' TagDataType='Text' TagValue='^INBOX,^OPENED'/>
The interesting thing is that the Opened label is not accessible via the Gmail API, it is not listed as part of the common Gmail system labels, nor can it be used to query messages via Gmail's search feature (i.e., label:<labelname>). Although listed as a Gmail label in Takeout and Vault exports, the Opened label behaves like a special value rather than a regular Gmail label.
The Opened and Unread labels are populated as follows for the 5 sample messages we discussed above:
Message #1
INBOX,UNREAD
Message #2
INBOX,OPENED
Message #3
INBOX,OPENED,UNREAD
Message #4
INBOX
Message #5
INBOX,UNREAD
As expected, the OPENED,UNREAD combination in Message #3 reveals that the message was marked as "unread" after it had been opened and read. Similarly, the fact that both the OPENED and UNREAD labels are missing from Message #4 shows that it was marked as "read" without being opened.
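As an added example that is not part of the original post, the following Python turns the table above into a classifier: it reads labels from either a Takeout X-Gmail-Labels header or a Vault Labels tag and maps them to one of the four states. The mbox sample is constructed; it carries only the headers that matter here.

```python
import email
import re
import xml.etree.ElementTree as ET

# Constructed mbox sample mirroring Messages #1, #3 and #4 from the table above.
# Message #5 has the same labels as #1: labels alone cannot tell Seen from Unseen.
SAMPLE_MBOX = """\
From - Thu Apr  1 12:00:00 2021
X-Gmail-Labels: Inbox,Unread
Subject: Message #1

From - Thu Apr  1 12:00:00 2021
X-Gmail-Labels: Inbox,Opened,Unread
Subject: Message #3

From - Thu Apr  1 12:00:00 2021
X-Gmail-Labels: Inbox
Subject: Message #4

"""

def read_state(labels):
    """Classify by the OPENED/UNREAD labels, following the table above."""
    names = {label.strip().lstrip("^").upper() for label in labels}
    opened, unread = "OPENED" in names, "UNREAD" in names
    if opened:
        return "opened, then marked unread" if unread else "opened and read"
    return "never opened, still unread" if unread else "marked read without opening"

def labels_from_takeout_header(value):
    """Split a Takeout X-Gmail-Labels header value into its labels."""
    return [label for label in value.split(",") if label.strip()]

def labels_from_vault_xml(fragment):
    """Labels from Vault metadata <Tag TagName='Labels' .../> elements."""
    root = ET.fromstring(f"<root>{fragment}</root>")  # accepts a bare fragment
    return [label for tag in root.iter("Tag") if tag.get("TagName") == "Labels"
            for label in labels_from_takeout_header(tag.get("TagValue", ""))]

def classify_mbox(mbox_text):
    """Map Subject -> read state for every message in an mbox-format string."""
    results = {}
    for chunk in re.split(r"^From .*$", mbox_text, flags=re.MULTILINE):
        if not chunk.strip():
            continue
        msg = email.message_from_string(chunk.lstrip("\n"))
        labels = labels_from_takeout_header(msg.get("X-Gmail-Labels", ""))
        results[msg["Subject"]] = read_state(labels)
    return results
```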
Conclusions
Using a combination of Email Log Search, Gmail History Records, and the Opened pseudo-label in Gmail and Google Workspace exports, forensic email examiners can answer questions such as:
- Has the end-user ever encountered the target message?
- Did they open it?
- When did they read it?
- Did they mark it as "read" without opening it?
- Did they mark it as "unread" after having read it?
- When?
Gmail History Records are particularly useful for showing both label and message deletion events and putting upper and lower time bounds on user action.
It is important to keep in mind that time is of the essence, and Gmail History Records should be preserved as soon as possible. Additionally, any messages relied upon as anchor points for timing information should be authenticated.
Arman Gungor is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them.
Source: https://www.metaspike.com/message-read-status-gmail-google-workspace/