Gmail as a Forensic Tool

In my previous post on Gmail, i mentioned using it as a forensic tool. You may be forgiven if you think that there is absolutely nothing about Gmail that can be used as a forensic tool.

But if you are like us, where we need to sift through a lot of log files daily…..(almost .5 million incidents in a single day), you will by now have noticed that gmail has 2 things going for it:

1. Large storage capacity
2. Fast index and retrieval

So what we did here is to send all the log reports (routers syslog, Windows event logs, firewall logs etc) via email to our gmail account. These reports are stored there. Now, I dont have to worry about a hacker being able to ‘own’ my system, and deleting all the log files….because the logs are already sent to my gmail account.

I also dont have to worry about backing and archiving the damn thing! I have yet to see data being lost in the gmail system.

Finally, lets say that our system detects unusual activity in a particular IP (say xxx.yyy.zzz.www). We simply log into our gmail system, and ‘search’ for all instances where the log report contained xxx.yyy.zzz.www

This is even easier to use than Microsoft’s logparser! (sql like reporting tool that works with either event log files, system file etc….

Im interested in what you think about this novel way of using gmail. Leave me some comments okay?