Getting Started with Google Vault Investigations

Since its launch in 2012, Google Vault has emerged as a leading information governance and eDiscovery tool. In the last few years, Vault has transformed into a go-to solution for electronic discovery, but its abilities extend far beyond that.

For example, IT and Security teams frequently employ Google Vault for eDiscovery, litigation, and other legal or security investigations. Its search feature is especially useful during compliance reviews and safeguarding against accidental or deliberate data deletion. 

Let’s look at a few examples of how Vault helps with investigations.

An employee is about to be offboarded, and the IT and Security team wants to effectively manage this employee’s data. Using Vault, they can perform a search on the departing user’s account. They can also use Vault to scrutinize any unusual or irregular behavior that may pose a potential security threat. 

In another scenario, a company has a situation where an administrator needs to review a specific employee’s files. Vault can be used to see Drive documents owned by a particular user. A preview of the document contents is available when they are clicked. Similarly, all content from a particular user’s emails or chats can be viewed, making it essential to manage Vault access carefully. 

Companies can also utilize Vault’s eDiscovery features when it comes to legal issues like eDiscovery projects. In situations involving litigation, Vault’s ability to search and export is indispensable, facilitating the necessary retrieval and examination of pertinent data. 

Vault users can conduct thorough searches across services within Google Workspace, spanning across all accounts, to locate a message, document, or chat required for a legal case or to address a company issue. After searching for and identifying relevant data, administrators can then export the data. The export includes information that shows its relevance to the search, along with metadata that proves it’s the same data stored on Google’s servers. 

In this post, we’ll go over the six essential steps for getting started with Google Vault’s search and export capabilities. We’ll also explore some quick tips for better searches to help IT, Legal, and Security teams work together to harness the power of Vault in their organizations. 

Get started with Vault search and export

Through Vault’s eDiscovery features, administrators can search and export their organization’s Google Workspace data, helping make investigations smoother and more streamlined. Here are the six steps to do it: 

Step 1: Sign in to Vault at

Step 2: Create a matter

First, create what’s called a “matter” in the tool. In Vault, a matter provides a place to organize the holds, searches, and exports related to an eDiscovery project. 

  • Click “Matters” and then “Create.” 
  • Enter a name for the matter and a description, if desired. 
  • Click “Create.”

Step 3: Search for data

When administrators created a matter in Step 2, the matter opened to the Search tab. They can now start their search. Once the matter is created, they can choose which service they want to investigate as well as all accounts, specific accounts, or a specific organizational unit. They can also specify certain search terms, for example, the word “confidential.”

  1. Select a Google service to search, such as Gmail.
  2. Enter the search parameters. Choose which accounts to search and the conditions to use. 
  3. For Gmail and Groups, admins have the option to click “Count.” This allows them to see the number of results faster than a full search. They can click “Expand” to refine and edit the search. 
  4. Click “Search.” When the search is complete, Vault will open a table with the results.

Step 4: Preview the results

  1. In the table of results, click a row and a preview will open in a sidebar on the right.
  2. Admins can now preview messages. Vault returns a message’s entire conversation collapsed into a single thread. 
    • To expand a thread, click the message. 
    • To preview individual messages, click them. 
  3. They can also preview Drive items including Docs, Sheets, Slides, and Drawings, as well as files such as .docx, .pdf, and .xlsx.
  4. Please note: Admins might not be able to preview all messages or files. However, when they export the search results, the export will include all matching data.

Step 5: Save the search query

After performing a search, administrators can save the query to run the same search again later. 

  1. Click “Save.” Note: this doesn’t save the search results, only the query parameters.
  2. To save the results, admins must export them, which we’ll cover in step six. 
  3. Admins can open a saved query. Click “View saved queries” and then click “query.” 
    • When they run the search again, the results include data created since the last time they searched.

Step 6: Export and analyze

In this step, administrators can save the results of their query. 

  1. In the Search tab, click “Export.”
  2. Go to the Exports tab to track the export’s progress.
  3. When the export is complete, click “Download.” Please note: administrators have 15 days after the export starts to download the export.
  4. The export will include a compressed file that contains the data returned by the search. It also has a metadata file to correlate the data with associated accounts.

Quick tips for better searches

Google Vault offers a robust set of filters and search operators that empower administrators to locate the precise information they need, regardless of the volume of data or the number of users in Google Workspace. Here are some tips to make searches faster and more efficient. 

Know and use the right search filters

Filters administrators can use to refine their search include: 

  • Data type: If administrators know what kind of data they’re looking for, they can choose the correct service. For example, it helps if they know that they’re looking for a document in Google Drive or a sensitive email in a user’s Gmail account. 
  • Data source: Google Vault allows administrators to customize the scope of data it searches. They have the flexibility to choose the specific types of data that Google Vault scans. This includes all data within their Google Workspace, data placed on hold, and the latest data created that Google hasn’t processed yet. 
  • Accounts: Vault offers the ability to refine search results based on different criteria, such as all accounts, specific accounts, or organizational units. For example, administrators may be searching for data that could reside in any of their employees’ accounts. Or maybe the data is in a specific user’s account. Or they want to search for data related to a department within their company such as Sales. 
  • Sent data: When admins need to find data within a specific period of time, Google Vault will display results that fall within their chosen date range. This feature enables them to swiftly obtain time-sensitive information. 
  • Search terms: Administrators can easily filter data based on a certain search term such as the word “confidential.”.

Narrow the search further with search operators

Operators administrators can use to refine their search include:

  • Gmail Operators: Google Vault offers operators that enhance the ability to perform advanced searches within Gmail accounts. These operators enable admins to refine their search criteria and retrieve specific emails. Some notable Gmail operators include from:, cc:, to:, and in:. A few examples:
    • Using ‘from:username1’ will generate a comprehensive list of emails sent by the specified user.
    • By employing ‘in:draft’, you can retrieve all emails that are currently stored in the draft section.
    • Employing ‘cc:username3’ will display all emails in which username3 is included in the cc field.
  • Drive Operators: Drive operators simplify the process of searching for files within Google Drive. These operators enable admins to perform targeted searches based on various criteria. Let’s explore a few examples of commonly used drive operators:
    • By utilizing ‘owner:username1’, they can effortlessly locate files created by specific individuals.
    • The ‘type:spreadsheet’ operator helps them narrow down their search to specific file formats, such as spreadsheets.
    • If they need to find files created after a specific date, they can employ the ‘after:2019-10-20’ operator to retrieve relevant results.
  • Google Chat Operators: Chat operators provide a convenient way to refine a search and swiftly locate particular conversations. These operators are designed to assist administrators in narrowing down their search criteria. Let’s explore a couple of examples featuring common chat operators:
    • The ‘’ operator allows admins to discover conversations that mention a specific user. By utilizing the ‘at:’ operator, they can easily identify relevant discussions involving that particular user.
    • Another useful operator is ‘has:video’, which enables them to find conversations that include a specific file, in this case, a video. By using the ‘has:’ operator, they can quickly identify conversations that contain the desired file type.

For a complete list of operators, visit here

As organizations embrace cloud collaboration tools like Google Workspace, data security remains a paramount concern. To help, Google Vault has solidified its position as a versatile eDiscovery and information governance tool. 

Google Vault serves as a valuable asset for IT, Legal, and Security teams, simplifying the complexities of eDiscovery projects. Its search and export functionalities facilitate the quick retrieval and analysis of crucial data, freeing up IT and Security time and resources. 

From assisting in investigations and legal matters to ensuring compliance and data security, Vault has been instrumental in managing information governance needs. For further information on using the tool, read our full guide to Google Vault. 

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira