[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

Use Vault to search Gmail

Google Vault is for administrators and legal personnel. Before you can use Vault, your Google Workspace admin must set up your account. Who is my administrator?

As part of your Google Workspace data eDiscovery projects, you can use Vault to search for Gmail messages, identify accounts of interest, review and print message contents, and view and download attachments.

If your organization uses Google Workspace Client-side encryption (CSE) with Gmail, you can use Vault to search, download, and export client-side encrypted Gmail messages. 

Before you search

Before you search for messages, we recommend you review the Gmail messages supported in Vault and the Vault Search FAQ.

Expand section  |  Collapse all

What data is searched

Searched:

  • The first 1 MB of text and attachments of a message
  • Confidential mode messages sent by users in your organization
  • Headers and subject of confidential mode messages sent by external senders
  • Drafts, including discarded drafts and autosaved versions
  • The header and subject of client-side encrypted emails, which are not encrypted

Not searched:

  • The content of confidential mode messages sent by external senders
  • Linked files
  • Email layouts
  • Messages sent through other Google services, such as Google Calendar or Google Docs, unless comprehensive message storage is turned on
  • Dynamic content in dynamic messages
  • The encrypted body text of client-side encrypted emails
For details, see Supported services and data types.
How can I exclude automatically-saved or discarded drafts in a Vault search?

A user's Gmail data can include 3 types of draft messages. You can exclude all or only certain types of draft messages in search results and exports:

  • To exclude all draft types, check the Exclude drafts box before you search. Previews still include automatically saved versions of draft messages, but these aren’t included when you export.
  • To exclude automatically saved drafts, add the following operator to your search terms: ‑label:^r_ad.
  • To exclude discarded drafts and automatically saved versions, and include only unsent drafts, add ‑(label:^deleted AND label:drafts) to your search terms. Preview will still include automatically saved versions of draft messages, but these aren’t included when you export.
How can I exclude messages that have been quarantined?

Add the following operator to your search terms: ‑label:^admin_quarantine.

Learn more about admin quarantine.

Why search unprocessed data?

To ensure you get all data relevant to a case, you might want to search unprocessed data. Unprocessed data includes:

  • The content in messages and attachments that Gmail is still indexing.
  • For large messages and attachments, where only the first 1 MB is indexed, the content beyond 1 MB.
  • Attachments that couldn’t be converted to text and indexed.
If you search all data or held data and you enter search terms, Vault can’t match terms to the unprocessed data. To be certain that you collect all data that might match your terms, you can search for unprocessed data associated with the accounts or organizational unit of interest, export it, and use another tool to search it for your terms.
About client-side encrypted emails

Vault retains and holds client-side encrypted emails the same as other files.

  • You can preview the unencrypted email metadata, such as subject, sender, and receiver.
  • An email's encrypted content will appear as an smime.p7m or smime.p7s attachment in the search preview. To view the contents, create an export. To decrypt an export in the mbox format, you can use the decrypter utility (beta). To view client-side encrypted emails in the PST format, import each users’ p7m file into Microsoft Outlook.
Important: If you cancel your Google Workspace subscription and want to later decrypt client-side encrypted messages in Vault exports, export your users’ key material using Takeout. Without the users’ key material, you can not decrypt the emails.

Learn more about Client-side encryption.

Examples of searches for Gmail messages

Expand section  |  Collapse all & go to top

Find messages sent or received by a specific account

You can search for messages associated with a specific user, without having to access their account. When you start a search, use the following parameters:

  • For the source data, select All data.
  • For the entity, select Specific accounts and enter the user’s email address.
  • (Optional) Refine your search with terms, such as the following:
    • To find only messages sent by the specific account, enter from:email_address.
    • To find only messages received by the specific account, enter to:email_address. This search returns emails where the specific account was in the to, cc, or bcc fields. It doesn’t return emails sent to groups that the account is subscribed to.
Find messages sent between specific accounts

You can search for messages sent between specific users. The following examples are for 2 users, but you could add more accounts. When you start a search, use the following parameters:

  • For the source data, select All data.
  • For the entity, select Specific accounts and enter one of the users’ email addresses. You don’t need to enter both here.
  • Refine your search with terms:
    • To find messages sent between the 2 accounts, with either account as the sender and receiver, enter from:(email_address_1 OR email_address_2) AND to:(email_address_1 OR email_address_2).
    • To find messages sent by one account to another account, enter from:sender_email_address AND to:receiver_email_address. Note: If the users you’re interested in have many accounts, ensure you match all their emails by following the preceding example and enter all the accounts.
Find messages sent to or from a specific external domain

You can review which accounts have sent or received messages from users in another company. When you start a search, use the following parameters:

  • For the source data, select All data.
  • For the entity, select All accounts.
  • Refine your search with terms:
    • To find messages that were sent to any user in another company, enter to:*@example.com. This search returns emails where any account in the specified domain was in the to, cc, or bcc fields. 
    • To find messages sent to users in your organization from any user in another company, enter from:*@example.com.
Find messages sent to a group

To find Groups messages in a Gmail search, you can’t specify the group email as the account to search. Instead, use the following parameters:

  • For the entity, select All accounts.
  • For terms, enter from:group_address. For example, to find messages sent to the group sales@solarmora.com, enter from:sales@solarmora.com

Note: This approach returns messages only if one or more users subscribed to the group, they get abridged summary or digest emails, and the messages are still available to Vault (not deleted and purged).

Find messages that contain a specific word or file attachment

You can review which accounts have sent or received messages that contain a specific word, phrase, or attachment. When you start a search, use the following parameters:

  • For the source data, select All data.
  • For the entity, select All accounts.
  • Refine your search with terms:
    • To find messages that contain a specific word, enter word. If you enter many words, the search returns only messages that contain all the words. Vault searches over the first ~1MB of message text and any attachments. You can’t restrict your search to only attachment text or message text.
    • To find messages that contain a specific phrase, enter the words in double quotes, such as ”project alpha”. The search isn’t case sensitive so messages that contain Project Alpha, Project alpha, project Alpha, or project alpha are all returned.
    • To find messages that have an attachment, enter has:attachment. To find messages with a file attachment with a keyword in the file name, enter filename:word.

Search for Gmail messages

  1. Sign in to vault.google.com.
  2. Click Matters. You search for data in matters, which are workspaces for your Vault projects. Matters let you group related holds, searches, and exports together. Matters don't restrict what data you can search—all data that you're allowed to access is searchable from any matter.
  3. If the matter you want to run the search query in exists, click it to open it. Otherwise, create a matter:
    1. Click Create.
    2. Enter a name for the matter and, optionally, a description.
    3. Click Create.

    The Search tab opens.

  4. For the service, select Gmail.
  5. Select the source data to search:
    • All data—Search all messages in your organization.
    • Held data—Search only messages on hold for the matter.
    • Unprocessed data—Search only messages that Gmail is still processing or can't index. For details, on this page see Why search unprocessed data?
  6. Select the entity to search:
    • All accounts—Search all accounts in your organization.
    • Specific accounts—Enter up to 500 account email addresses. Vault searches the envelope sender and recipient addresses for the specified accounts. To search by header, sender, or recipient address, enter query terms in the Terms field.
    • Organizational unit—Search accounts in a specific organizational unit. If you choose an organizational unit with child organizational units, accounts in the child organizational units are also searched.
  7. (Optional) Select a time zone.
  8. (Optional) Enter a range for Date sent.
    • If you enter a start date, Vault returns all messages sent on or after that date.
    • If you enter an end date, Vault returns all messages sent on or before that date.
  9. (Optional) In Terms, enter one or more search terms:
    • To search for one or more keywords in the message, enter words separated by spaces. For example, project goals.
    • To search for a phrase, put the words in quotes. For example, "project goals"Note: Search ignores the case and punctuation of phrases in quotation marks.
    • To search by account, date, message properties, or subject, use search operators.

    Search terms can't exceed 2,000 characters.

  10. (Optional) To exclude draft messages from this search, turn on Exclude email drafts. When this option is turned off, Vault returns all draft messages that match your query, including automatically saved drafts.
  11. (Optional) To search only client-side encrypted messages or exclude them from your search, click Advanced optionsand thenunder Client-side encrypted state, select Client-side encrypted.
    Note: This option is only available if Google Workspace Client-side encryption is turned on.
  12. Click one of the following:
    • Search—Run your search and return a list of messages that match your query.
    • Count—Calculate the number of messages that match your query and the number of accounts that have matching messages. To download a CSV file of the query count data, click Download Accounts With Matches. Learn more about assessing the scope of a query.
    • Export—Directly export the search results and skip the search results preview. Learn more about exports
  13. After your search, count, or export completes, you can take the following actions:
    • To edit your search, click Expand.
    • To open a preview of a message and its thread, click the message.
    • To create an export of your search results, click Export. Learn more
    • To save your query, click Save. Learn more
    • To clear all fields and start a new search, click Clear.

Preview messages in search results

After you run a search, you can review and print the messages that matched your query, and view and download attachments.

  1. In the search results list, click the message. A list of messages in the thread opens and automatically displays the content of the most recent message in the thread.
    • Messages with  have one or more attachments. Click the message to download or view the attachment.
    • Messages with  were sent with Gmail confidential mode. You can hide or display their message contents when you preview and print these messages. Learn more
    • Messages with "Encrypted" are Client-side encrypted emails.
    • For long threads, only the most recent 100 messages are available in preview. However, an export of the search results includes all messages that match your query, including messages not in preview.
  2. To show the contents of an individual message, click the message. To show the contents of all messages in the thread, click Expand all .
  3. To view a message and all its header content, click Original.
  4. To print an individual message, click Print. To print all messages in a thread, click Print thread .

Export client-side encrypted emails

After searching for client-side encrypted emails, you can export a copy of the data and download it for further analysis. To decrypt mbox messages, use the decrypter utility (beta).

If the encrypted message contains a link to a Google Drive file, Vault cannot export the linked file, even if you have turned on Export linked Drive files for the export. Vault doesn't have access to the content of the encrypted message.

To export data, you must have the Manage Matters, Manage Searches, and Manage Exports privileges.

  1. Click Export.
  2. Enter a name for your export.
  3. If your organization has a data region policy, select the data region for the export.

    Learn more about Vault exports and data regions.

  4. Choose a format for the downloaded files.
  5. Click Export.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
15414500670680534395
true
Search Help Center
true
true
true
true
true
96539
false
false