Use the investigation tool to view sensitive message content

Security investigation tool
As an administrator, you might need to view sensitive content of a Gmail message, Chat message, or Chat attachment as part of an investigation. Using the investigation tool, you can find the message and view its contents.

Important: Before you can view sensitive message content, a Super Admin will need to adjust the investigation tool settings to provide access to administrators in your organization. For details and instructions, see Configure settings for your investigations.

Your access to the security investigation tool

  • Supported editions for the security investigation tool include Enterprise Plus, Education Standard, Education Plus, and Enterprise Essentials Plus.
  • Admins with Cloud Identity Premium, Frontline Standard, Enterprise Standard, and Education Standard can also use the investigation tool for a subset of data sources.
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead.
    Note: You can run a search in the investigation tool on all users, regardless of the Google edition they have.

Before you begin

You need the View Detailed Content privilege to view sensitive message content. For details, see Admin privileges for the investigation tool

View sensitive email content

Step 1: Get started with your investigation
  1. Sign in to use the investigation tool.
  2. From the Data source list, select Gmail messages or Gmail logs.

    Note: Gmail data sources are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.

  3. Click Add Condition.
  4. Using the menus, search for the email you want to see. For details, see Customize searches within the investigation tool
  5. Click Search.
  6. In the search results, for the Gmail message you want to investigate, click the subject or message ID. 

You’ll see the message header. To view contents of the message, you need to provide justification (see step 2).

Step 2: Provide justification to view messages
  1. At the top of the message header, click Message
  2. Enter the reason why you need to view the message contents. The reason you enter is recorded in the Admin audit log. 
    Tip: Remember to include important information, such as a ticket number or if legal counsel gave approval to view the message. 
  3. Click Confirm.
Step 3: View the email message and take action

After you provide justification to view the message, you’ll see the contents of the message. Then, you can take the following actions on the message:

  • Delete message
  • Mark as spam
  • Mark as phishing
  • Send to inbox
  • Send to quarantine

From the Message tab or Thread tab, you can also view VirusTotal reports related to email attachments. For details and instructions, see View VirusTotal reports from the investigation tool.

Related topics 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center