Investigation Tool Demo, Tips, and Tricks

The investigation tool is a powerful resource in the Admin console. With it, you can identify, triage, and respond to security and privacy issues in your domain. It is available to admins with Education Standard or Education Plus licenses. 

Caution: The Investigation Tool returns 180 days of data from all logs. Gmail log search does have a limit of 30 days unless you have the message ID and recipient email address. You can export Google Workspace logs and usage reports to Big Query. Over time, this gives you access to data past the 30 day/6 month window. See Export your Google Logs to BigQuery for a Big Win.

Use cases for the Investigation Tool

  • Search Gmail logs and messages to view email content, delete malicious emails, and mark emails as spam or phishing.
  • Access Drive log data to change ownership, add/remove users, change permissions, and view who has accessed a file.
  • Determine users who have not logged in recently and clean up accounts that should be inactive.
  • Verify when a user last changed their password.

View Office Hours recording of some use cases for the investigation tool

Video: Office Hours for the Investigation Tool

View this Office Hours recording of some investigation tool tips, tricks, and advanced cases

Video: Office Hours for the Investigation Tool Tips, Tricks and Advanced Classes


Document Version Date Description of Change
1.0 1/8/2024 Updated caution text, Verified Article


Articles in this section