Data Recovery

Forensic Acquisition of Google Accounts

Google collects and retains massive amounts of data about everyone who uses their services. Gaining access to that data is essential for solving many types of crimes. Learning what Google knows about the suspect can be a matter of utter importance for investigators and forensic experts.

Unfortunately, standard means of accessing this information lack transparency while offering incomplete acquisition. For this reason, we started investigating Google accounts on a lower level than provided by Google tools.

What kinds of data are available? Let’s first consider that almost everyone these days has a Gmail account, effectively handing access to their communication and contacts to Google. According to Site Point, usage of Google Chrome exceeds 50%. Whoever uses synchronization features in Chrome hands their bookmarks, search and navigation history to Google along with stored Web forms and passwords. Google Drive offers highly competitive cloud storage options for pretty much everything from photos and videos to documents, email and Android backups.

Speaking of Android, this is the most popular mobile platform over the world. Some 82% of mobile devices are running the Android OS. The total number of active Android devices is about 1.4 billion (although not all of these are Google devices). Since Android 5.0 Lollipop, Google offers an option to back up application data from Android devices into their cloud service. Learning what Google knows about us and what kinds of personal information it keeps in the cloud is very important.

The Research

We first attempted using Google Takeout, which is Google’s default tool for exporting data. Using Google Takeout, we tried exporting everything stored in the Google cloud. Google Takeout is available at https://takeout.google.com/settings/takeout

Google Takeout

While Google Takeout appears to export a whole lot of data, we discovered that Takeout was not providing some important data (more on that below). Law enforcement and forensic experts must use Google Takeout with caution as it leaves traces in the user’s account. The user will be notified that their data was acquired with Google Takeout. In addition, the resulting file produced by Google Takeout is not immediately ready for analysis, as the data is stored in a bunch of different formats and cannot be used for fast searching or crosschecking information.

After playing with Google Takeout, we started researching HTTPS requests and responses originated by Android devices, Google Chrome and other applications. We found that Google generally stores all of the following information:

  • User profile
  • All connected devices
  • Devices, browsers and applications that requested access
  • Google Advertising settings (including age, interests etc.)
  • Contacts
  • Calendars
  • Notes (Google Keep)
  • Email messages (Gmail)
  • Albums (photos, pictures, videos)
  • Hangouts conversations
  • Comprehensive location history
  • Google Fit data (sports activity tracking)

In addition, Google Chrome stores the following data:

  • Browsing history
  • Bookmarks
  • Synced passwords
  • Form autofill data
  • Bookmarks
  • Search history from Google and YouTube

Search and browsing history itself contains plenty of important information. Every record has the following attributes:

  • Browser or mobile application
  • Actions of search results (opened or not)
  • Actions on Ads (clicks and purchases)
  • IP address
  • Browser information

Search and browsing history is not exported by Google Takeout.

When it comes to Android backups, Google backs up the following data:

  • Google Calendar settings
  • Wi-Fi networks and passwords
  • Home screen wallpapers
  • Gmail settings
  • List of applications installed through Google Play
  • Display settings
  • Language and input settings
  • Date and time
  • Data for third-party applications

Automatic backup of third-party application data was only announced in Android 6.0 “Marshmallow”.

Android Backups

Pre-release versions of Android 6.0 employed the “opt-out” way of handling third-party app data backups, meaning that the data would be saved and restored by default unless the developer opted out of this feature through the app’s manifest file. The release version of Android 6 reversed this behavior, using the “opt-in” method instead. In order to have their data automatically backed up and restored, application developers now must explicitly allow data backup in the app’s manifest. So far, just a handful of apps actually use the feature, so in real life third-party data backups don’t happen just yet.

Interestingly, Google’s own Android apps do not use the new backup feature of Android 6.0, relying on Google Drive instead.

More information on this subject is available in Ars Technica’s excellent write-up: Android 6.0 has a great auto backup system that no one is using (yet).

Naturally, all Google Photos (aka Picasa, aka Google+ photos) are also stored in the cloud. The following information is available:

  • Albums and events
  • Comments
  • Geo tags
  • Subscriptions
  • View counters
  • People tagged in the photos

During the research, we discovered that some pieces of data (at least location history, dashboard items and Hangout conversations) can be acquired without triggering an email alert or leaving any traces in the user’s Google Account, so the user will not be notified about the acquisition.

We used discoveries made during this research to produce a forensic tool for acquiring and analyzing data from Google. Elcomsoft Cloud eXplorer enables investigators to gain access to Google accounts and acquire all available information. Please follow the news on https://www.elcomsoft.com

The first version of the tool can acquire all of the following information:

Acquired Google Data

The tool integrates a built-in viewer for all of the data formats supported by Google, including a built-in viewer for stored passwords:

Chrome Passwords

About ElcomSoft

ElcomSoft develops computer forensics tools for Windows and Mac OS X, provides computer forensics training and computer evidence consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military, and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms. More information at https://www.elcomsoft.com

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 959 other followers

%d bloggers like this: