My Gmail That Have Been Read Show as Unread Again and Again

The need to determine whether a specific message was read by an end-user comes up often in email forensics. The question is often twofold:

  1. How can we preserve the "read" status of messages during forensic email acquisitions?
  2. Can we go beyond that and determine if a user had read a message and subsequently marked it as unread? Can we find out when this happened?

While supporting Forensic Email Collector, I have answered a few queries along these lines very recently. I wanted to write this quick post to lay out some of the possibilities in this area when targeting Gmail or Google Workspace (formerly known as G Suite).

Preserving the "read" status of messages during forensic email preservation is part of virtually any forensic email preservation workflow. In the context of Gmail / Google Workspace, FEC, Google Vault, Google Takeout, and IMAP all support this in different ways. So, I won't go into the details here. Instead, we'll get right into the more exciting stuff!

Investigating Historical Message Read Status Activity

Capturing whether a message is marked as "read" or "unread" during forensic preservation is certainly useful. But, could we determine what happened in the past? For example, did the end-user read a message and then mark it as "unread"? What else did they do? When?

The answers to these questions depend on whether you are targeting Gmail or Google Workspace, and how far back the activity occurred. Let's take a look at some of the strategies we can use.

Email Log Search in Google Workspace (aka G Suite)

The first place you would want to look at when investigating message activity in Google Workspace is Email Log Search. Specifically, the post-delivery message details for your target message.

Let's look at the post-delivery message details for five messages in Google Workspace. The end-user took the following actions on these messages:

Message #1: The end-user encountered this message in their mailbox when they logged into Gmail's web interface, but never opened it.

Message #2: The end-user opened this message.

Message #3: The end-user opened this message, and then marked it as "unread".

Message #4: The end-user marked this message as "read" without opening it.

Message #5: The end-user never encountered this message. That is, it was never included in the list of messages presented to the end-user when they logged into Gmail's web interface.

We will now go over the results of an email log search. Google Workspace admins can perform these searches here.

Message #1
State: Unopened and unread, Seen, Marked unimportant

Here, the Seen post-delivery message status indicates that the message was listed in the user's view when they opened Gmail. Unopened and unread indicates that the end-user did not open or read the message. This is consistent with what we expect for this message. The Marked unimportant post-delivery message status is self-explanatory. It indicates that the message is marked unimportant; in this case, this was a system action, not a user action.

Below is a screenshot of what this looks like on the Google Admin user interface.

Google Workspace Post-delivery Message Status

Message #1 Results in Email Log Search

Message #2
State: Opened and read, Seen, Marked unimportant

Opened and read indicates that the end-user opened and read the message. This is consistent with what we would expect for this message: the end-user was presented with the message, they opened it, and it was marked "read".

Message #3
State: Opened and marked as unread, Seen, Marked unimportant

Now things are getting interesting! Opened and marked as unread indicates that the user opened this message, and then subsequently marked it as "unread".

Message #4
State: Unopened and marked as read, Seen, Marked unimportant

As expected, the Unopened and marked as read post-delivery message status reflects precisely what the end-user did. That is, they were presented with the message. But, they marked it as "read" without opening the message. One way to accomplish this in Gmail's user interface is to check the checkbox next to the message, then to mark it as "read" using the "Mark as read" menu item in the toolbar.

Message #5
State: Unopened and unread, Unseen, Marked unimportant

The Unseen post-delivery message status indicates that the user never encountered this message in Gmail.

To take this a step further, I created an additional message (Message #6) and waited for the message to arrive while the end-user's Gmail was open in a browser tab without any user interaction. That is, Gmail's web interface refreshed automatically to list the new message without any explicit user action to navigate or refresh the page. This still resulted in the Seen post-delivery message status.

How Far Back Does Email Log Search Go?

When you try to specify a date range inside the Email Log Search user interface, you can go back for about 1 month. However, Email Log Search allows you to search for messages older than 30 days by using the "Older than 30 days" option from the dropdown shown below.

Google Workspace Email Log Search

This is with the caveat that you only get the post-delivery message status information for these older messages, not the other details included in the screenshot above. Additionally, you are required to provide the exact recipient address as well as the Message ID for your target message. Despite these restrictions, this is still extremely useful when you are investigating a specific message!

History Records in Gmail and Google Workspace

Another investigative technique we can use to answer some of these questions is Gmail History Records. This approach has a few advantages:

  1. It applies to both free Gmail accounts and paid Google Workspace accounts
  2. It can be used to date user actions such as when a message was marked as unread
  3. History records also include messages that are added and deleted

Since we covered Gmail History Records in the past, I will not go into full detail here. However, let's take a look at an example to see if we can determine when the end-user likely read a message, and when they subsequently marked the previously-read message as "unread".

In this example, the end-user opens a message with the subject "Sisyphus and Boulder" on 4/1/2021 at 13:11 PM (PDT). A few minutes later, at 13:16 PM (PDT), they mark the message as "unread". Relevant history records appear as follows (this is after Forensic Email Collector correlated history records with message metadata):

------ HISTORY RECORD ID: 290038 ------
   Messages Added:
      ID: 1788efef7e6e16e4
      Folder Path: All Mail
      Subject: Message 6
      From: LMISF Test <lmisf01@gmail.com>
      To: agungor@forensicemailcollector.com
      Message ID: <CAMvYnDMYmh6T_3QFYY2RFO_tziROfC+ePgPKv7igOjWii5c6dw@mail.gmail.com>
      Date: 2021-04-01 19:52:58Z

------ HISTORY RECORD ID: 290073 ------
   Labels Removed:
      Removed Label ID: UNREAD
      From Message:
         ID: 178607f63d53dedc
         Folder Path: All Mail
         Subject: Sisyphus and Boulder
         From: NextDraft <dave@davenetics.com>
         To: <lmisf01@gmail.com>
         Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
         Date: 2021-03-23 18:31:08Z

------ HISTORY RECORD ID: 290120 ------
   Messages Added:
      ID: 1788f1441e8167fe
      Folder Path: All Mail
      Subject: Confirm Your Subscription
      From: PLAE <hello@plae.co>
      To: lmisf01@gmail.com
      Message ID: <PiaWpZGKStO5fN8qu14Shg@ismtpd0177p1mdw1.sendgrid.net>
      Date: 2021-04-01 20:16:11Z

------ HISTORY RECORD ID: 290189 ------
   Labels Added:
      Added Label ID: UNREAD
      To Message:
         ID: 178607f63d53dedc
         Folder Path: All Mail
         Subject: Sisyphus and Boulder
         From: NextDraft <dave@davenetics.com>
         To: <lmisf01@gmail.com>
         Message ID: <ed102783e87fee61c1a534a9d.9de9262d5b.20210323183101.93a7fe8fb2.3b340ea0@mail1.davenetics.com>
         Date: 2021-03-23 18:31:08Z

------ HISTORY RECORD ID: 290257 ------
   Messages Added:
      ID: 1788f16dbca40e33
      Folder Path: All Mail
      Subject: 10% off at PLAE - Welcome!
      From: PLAE <hello@plae.co>
      To: "lmisf01@gmail.com" <lmisf01@gmail.com>
      Message ID: <G1aUtePOQJifSN5Q_RQARg@ismtpd0128p1iad2.sendgrid.net>
      Date: 2021-04-01 20:19:02Z

The acquired history records show that the "UNREAD" label was removed from our target message between two events: when a new message arrived on 4/1/2021 at 12:52:58 PM (PDT), and another new message arrived on 4/1/2021 at 13:16:11 PM (PDT). This helps narrow the message read event down to an approximately 23-minute window.

Similarly, history records show that the "UNREAD" label was applied to our target message (in effect, marking it as "unread") between two events: when a new message arrived on 4/1/2021 at 13:16:11 PM (PDT), and another new message arrived on 4/1/2021 at 13:19:02 PM (PDT). This helps narrow the message marked as unread event down to an approximately 3-minute window.

As I mentioned in our Gmail History Records article, it is important to forensically preserve and authenticate the messages you are using as anchor points in this type of analysis. Additionally, Gmail History Records typically do not go back more than a month.
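The bracketing described above can be automated. The following Python sketch is an added example, not Forensic Email Collector's code: it takes the five history records from this post reduced to a hypothetical dictionary layout (the field names "type", "anchor", "msg" are assumptions), and bounds each UNREAD label event by the nearest "Messages Added" records before and after it in history ID order.

```python
from datetime import datetime, timezone

# The page's five history records, reduced to the fields the analysis needs.
# Layout is hypothetical. "anchor" is the Date value of an added message;
# label events carry no timestamp of their own.
RECORDS = [
    {"id": 290038, "type": "added", "anchor": "2021-04-01 19:52:58Z"},
    {"id": 290073, "type": "label_removed", "label": "UNREAD",
     "msg": "178607f63d53dedc"},
    {"id": 290120, "type": "added", "anchor": "2021-04-01 20:16:11Z"},
    {"id": 290189, "type": "label_added", "label": "UNREAD",
     "msg": "178607f63d53dedc"},
    {"id": 290257, "type": "added", "anchor": "2021-04-01 20:19:02Z"},
]


def parse_utc(ts):
    """Parse 'YYYY-MM-DD HH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def bracket_label_events(records, msg_id, label="UNREAD"):
    """Bound each label event on msg_id by its neighbouring anchor records.

    Returns a list of (history_id, event_type, lower, upper). A bound is
    None when no anchor exists on that side, i.e. the window is open-ended.
    """
    ordered = sorted(records, key=lambda r: r["id"])
    anchors = [(r["id"], parse_utc(r["anchor"]))
               for r in ordered if r["type"] == "added"]
    results = []
    for rec in ordered:
        if rec["type"] == "added":
            continue
        if rec.get("msg") != msg_id or rec.get("label") != label:
            continue
        # Nearest anchor with a smaller / larger history ID.
        lower = max((a for a in anchors if a[0] < rec["id"]), default=None)
        upper = min((a for a in anchors if a[0] > rec["id"]), default=None)
        results.append((rec["id"], rec["type"],
                        lower[1] if lower else None,
                        upper[1] if upper else None))
    return results


if __name__ == "__main__":
    for hid, kind, lo, hi in bracket_label_events(RECORDS, "178607f63d53dedc"):
        print(hid, kind, lo, hi, (hi - lo) if lo and hi else "open-ended")
```

The bounds are only as trustworthy as the anchor messages, which is why those messages need to be preserved and authenticated.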

Opened Label in Google Vault and Takeout & Message Read Status

Another data point that can be helpful when investigating post-delivery message status is the Opened label included in Google Takeout and Vault exports. Here is how this looks in a Google Takeout mbox export:

X-Gmail-Labels: Sent,Inbox,Opened,Category personal

and in a Vault metadata XML:

<Tag TagName='Labels' TagDataType='Text' TagValue='^INBOX,^OPENED'/>

The interesting thing is that the Opened label is not accessible via Gmail API, it is not listed as part of the common Gmail system labels, nor can it be used to query messages via Gmail's search feature (i.e., label:<labelname>). Although listed as a Gmail label in Takeout and Vault exports, the Opened label behaves like a special value rather than a regular Gmail label.

The Opened and Unread labels are populated as follows for the five sample messages we discussed above:

Message #1
INBOX,UNREAD

Message #2
INBOX,OPENED

Message #3
INBOX,OPENED,UNREAD

Message #4
INBOX

Message #5
INBOX,UNREAD

As expected, the OPENED,UNREAD combination in Message #3 reveals that the message was marked as "unread" after it had been opened and read. Similarly, the fact that both the OPENED and UNREAD labels are missing from Message #4 shows that it was marked as "read" without being opened.
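The label combinations above map directly to a small classifier. This Python sketch is an added example, not part of the original article: it reads the label list from a Takeout-style X-Gmail-Labels header or a Vault-style Labels tag and applies the table above. The sample message and the <Document> wrapper element are constructed for illustration, and stripping a leading "^" is an assumption based on the single Vault line shown in this post.

```python
import xml.etree.ElementTree as ET
from email import message_from_string


def normalize(raw):
    """Split a comma-separated label string into an upper-cased set,
    dropping the leading '^' seen in the Vault example."""
    return {p.strip().lstrip("^").upper() for p in raw.split(",") if p.strip()}


def labels_from_takeout(raw_message):
    """Labels from the X-Gmail-Labels header of one mbox message."""
    msg = message_from_string(raw_message)
    return normalize(msg.get("X-Gmail-Labels", ""))


def labels_from_vault(xml_text):
    """Labels from the first <Tag TagName='Labels' .../> element."""
    for tag in ET.fromstring(xml_text).iter("Tag"):
        if tag.get("TagName") == "Labels":
            return normalize(tag.get("TagValue", ""))
    return set()


def read_state(labels):
    """Apply the OPENED / UNREAD table from the five sample messages."""
    opened, unread = "OPENED" in labels, "UNREAD" in labels
    if opened and unread:
        return "opened, then marked unread"      # Message #3
    if opened:
        return "opened and read"                 # Message #2
    if unread:
        # Messages #1 and #5: labels alone cannot tell Seen from Unseen;
        # that distinction comes from Email Log Search.
        return "unopened and unread"
    return "marked read without opening"         # Message #4


# Constructed samples built around the two lines quoted in the post.
TAKEOUT_SAMPLE = ("X-Gmail-Labels: Sent,Inbox,Opened,Category personal\n"
                  "Subject: constructed sample\n\nbody\n")
VAULT_SAMPLE = ("<Document>"
                "<Tag TagName='Labels' TagDataType='Text' "
                "TagValue='^INBOX,^OPENED'/>"
                "</Document>")

if __name__ == "__main__":
    print(read_state(labels_from_takeout(TAKEOUT_SAMPLE)))
    print(read_state(labels_from_vault(VAULT_SAMPLE)))
```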

Conclusions

Using a combination of Email Log Search, Gmail History Records, and the Opened pseudo-label in Gmail and Google Workspace exports, forensic email examiners can answer questions such as:

  • Has the end-user ever encountered the target message?
  • Did they open it?
  • When did they read it?
  • Did they mark it as "read" without opening it?
  • Did they mark it as "unread" after having read it?
  • When?

Gmail History Records are particularly useful for showing both label and message deletion events and putting upper and lower time bounds on user activity.

It is important to keep in mind that time is of the essence, and Gmail History Records should be preserved as soon as possible. Additionally, any messages relied upon as anchor points for timing information should be authenticated.


Source: https://www.metaspike.com/message-read-status-gmail-google-workspace/
