How to Do an Email Header Search

GAT supports the search of all email headers in all emails for all accounts on your domain. This can be a particularly useful feature for forensic investigations, where for example you want to find all the emails that went to or from a particular IP address.

In your Gmail tab, when you are reading any message, you will see a drop-down menu in the top right-hand corner of the message.

Open that drop-down and select ‘Show original’, which displays the original email in raw format in a new tab.

Doing this exposes all the header information, an example snippet of which you can see on the left.

GAT lets you search this header information using just two search criteria: the name of the header you want to find (no “:” required) and part of the string in that header.

No extra formatting is required. Where a header name is repeated several times, all instances of that name in all emails are searched.

In this example, we are searching for email that passed through a particular server identified by IP address.
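
The matching described above (a header name plus part of that header's value, checked against every instance of a repeated header) can be reproduced on a raw message copied from ‘Show original’. This is an added Python sketch, not GAT's own code; the sample message, the function names `search_header` and `search_accounts`, and case-insensitive matching are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample of a raw message (documentation addresses, not from the page).
RAW = """\
Delivered-To: alice@example.com
Received: by 10.0.0.5 with SMTP id abc123;
        Tue, 1 Jan 2030 10:00:02 -0800 (PST)
Received: from mail.example.net (mail.example.net [203.0.113.25])
        by mx.example.com with ESMTP id def456;
        Tue, 1 Jan 2030 10:00:01 -0800 (PST)
Received: from client.example.net ([198.51.100.7])
        by mail.example.net with ESMTP;
        Tue, 1 Jan 2030 18:00:00 +0000
From: Bob <bob@example.net>
To: alice@example.com
Subject: Quarterly report
Message-ID: <1234@example.net>

Body text mentioning 203.0.113.25 is not a header and must not match.
"""
# Second constructed message that never touched 203.0.113.25.
OTHER = RAW.replace("203.0.113.25", "192.0.2.9").replace("1234@", "5678@")
SAMPLE_MAILBOXES = {"alice@example.com": [RAW], "carol@example.com": [OTHER]}


def search_header(raw_message, header_name, needle):
    """Return every value of header_name (all repeats) that contains needle."""
    msg = message_from_string(raw_message)
    name = header_name.rstrip(":").strip()       # the ":" is optional
    hits = []
    for value in msg.get_all(name, []):          # one entry per repeated header
        unfolded = " ".join(value.split())       # join folded continuation lines
        if needle.lower() in unfolded.lower():   # assumption: case-insensitive
            hits.append(unfolded)
    return hits


def search_accounts(mailboxes, header_name, needle):
    """mailboxes maps account -> list of raw messages; returns matching mail."""
    results = []
    for account, messages in mailboxes.items():
        for raw in messages:
            hits = search_header(raw, header_name, needle)
            if hits:
                msg_id = message_from_string(raw)["Message-ID"]
                results.append((account, msg_id, hits))
    return results
```

Because the match is on part of the string, a shorter value such as `203.0.113.2` also matches `203.0.113.25` in this sketch, so search on the full address when you mean one specific server.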

 

 

The search process takes a long time so you should be prepared to go and have a cup of coffee…

When the results come back you can click on ‘Explore all emails’ to see all the emails in all accounts that match your criteria.
