Hello Reader,
               I was working a case recently where an ex-employee was believed to have retained a companies data. They informed me that they found evidence the ex-employee had downloaded their Google mail, calendar and drive but couldn’t at the time explain how they knew that. So like any investigator would/should I requested and received access to their Google Suite administrator account so I could download the associated logs.

What struck me as odd was in all of the logging I reviewed I couldn’t find any that showed this user had done some kind of mass download or even mass access. Confused we went back to the company asking to speak to the person who first noticed this event. When we did she was able to inform us that she hadn’t looked at the logs, rather she looked through the ex-employees email account.

Downloading the email account we found as she did an email from Google stating that the ex-employee had taken advantage of the Google TakeOut feature. The email stated as she said that it exported his Calendar, Email and Google Drive to an archive he could download from Google.

Luckily we asked and confirmed this but it did strike us as odd that the companies own GSuite logs wouldn’t reflect this! So Reader I would ask you to comment below, have you seen this? Is there  alog we were missing? Or if the ex-employee had deleted that email would no one have been the wiser that he absconded with all of his company data? So far we’ve found no evidence other than the one email!