Important: Before you can view sensitive message content, a Super Admin will need to adjust the investigation tool settings to provide access to administrators in your organization. For details and instructions, see Configure settings for your investigations.
Your access to the security investigation tool
- Supported editions for the security investigation tool include Enterprise Plus and Education Plus.
- Admins with Cloud Identity Premium, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
- Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can generally use the audit and investigation page instead.
Before you begin
You need the View Detailed Content privilege to view sensitive message content. For details, see Admin privileges for the investigation tool.
View sensitive email contentStep 1: Get started with your investigation
- Sign in to use the investigation tool.
- From the Data source list, select Gmail messages or Gmail logs.
Note: Gmail data sources are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.
- Click Add Condition.
- Using the menus, search for the email you want to see. For details, see Customize searches within the investigation tool.
- Click Search.
- In the search results, for the Gmail message you want to investigate, click the subject or message ID.
You’ll see the message header. To view contents of the message, you need to provide justification (see step 2).
- At the top of the message header, click Message.
- Enter the reason why you need to view the message contents. The reason you enter is recorded in the Admin audit log.
Tip: Remember to include important information, such as a ticket number or if legal counsel gave approval to view the message.
- Click Confirm.
After you provide justification to view the message, you’ll see the contents of the message. Then, you can take the following actions on the message:
- Delete message
- Mark as spam
- Mark as phishing
- Send to inbox
- Send to quarantine
From the Message tab or Thread tab, you can also view VirusTotal reports related to email attachments. For details and instructions, see View VirusTotal reports from the investigation tool.