[ Auditing ] Email Auditing Example

Take note that you must be using a paid version of Google Apps to do an email audit.

Free editions of Google Apps will get several error messages when you attempt this procedure.

If you are using a paid version of Google Apps and you still get error messages make sure that your API provisioning is enabled on your Google CPanel.

Scenario:  You have a employee who you suspect is using company resources ( email, chat, etc ) for their own personal gain

To avoid a awkward situation and a possible lawsuit you decide to gather proof before you confront your suspected employee.

You decide to audit the email and chat-logs of your suspected employee for 30 days, since if they are using company resources for there own personal profit its likely the proof you need will be in the emails they send and receive during this time period.

How to implement this:

To start auditing a "suspect user" click on the user you want to audit.

For this example we have selected "suspect.user@gpanel.info" as our suspect employee.

Next, click on the "Auditing" tab.

You will now see the Auditing module.

Currently there is no monitoring setup for our suspected employee.

To start monitoring our suspect employee we need to click on "Create Monitor".

We will need to select someone to monitor our suspect user, it is suggested that you get a trusted third party involved but this entirely up to you.

For this example we are selecting "The.Monitor@gpanel.info" to be our monitor.

Since we want to see all the incoming, outgoing, drafts, and chats that our suspect employee is receiving we select to monitor the following:

  • Full Outgoing
  • Full Incoming
  • Full Drafts
  • Full Chatlog
We will set the Start and End date for 30 days ( 1 month ) and select start immediately.

To finish up we select "Save".

We will now be able to see that our suspect employee has a monitor.

Now that this is in place our monitor will get notifications in their inbox within 24 hours.

These messages will have attachments that will be copies of the emails and chats that our suspected employee is sending out.

To view these files you will need to download a email viewer like Outlook Express, Thunderbird, or our Google Apps Audit Email Veiwer.

To download one of these click on the following links:

For this example we are going to use "Thunderbird".

Once your monitor downloads the attached messages from the notification email they can then use Thunderbird to view them.

You will need to change the .txt extension to .eml.

Start up "Thunderbird", click on "File". Then click on "Open Saved Message".

Locate your new .eml file and open it.

You will now see the header information for the email message.
If you look to the bottom you can see the actual email that was sent / received.

From the message you can see that your suspect employee is selling company property.

You now have your proof and you can act accordingly.