In today’s thoroughly connected world, everyone shares at least some of their personal information with, well, strangers. Voluntarily or not, people using personal computers or mobile devices have some of their information transmitted to, processed, stored and used by multiple online service providers.
Took a selfie shot? Your face (and possibly your friends’ faces) will be marked, and the photo will be uploaded to one or another cloud storage provider on your behalf. Used your phone to look up a place to eat? Your search will be remembered and used later on to push you suggestions next time when you’re around. Emails and messages that you write, persons you communicate with, your comprehensive location history and all the photos you shoot (accompanied with appropriate geotags) are carefully collected, processed and stored. Web sites you visit along with logins and passwords, your complete browsing history and pretty much everything you do with your phone can and probably will be recorded and used on you to “enhance your experience”.
Some service providers collect more information than others. Google appears to be the absolute champion in this regard. Being a major service provider penetrating into every area of our lives, Google collects, stores and processes overwhelming amounts of data.
The Google Account
By simply using one or another Google service under the Google Account umbrella one leaves tracks on Google servers. Since Google offers a diverse range of services ranging from free cloud storage to email, search and Web browser with automatic sync across devices, Google becomes one of the most important sources of information.
Google Account aggregates information about the user’s online behavior and offline activities, analyzes their communication, recommending places to visit and things to read. Comprehensive location history, all Google searches ever launched on all stationary and mobile devices, Chrome bookmarks, passwords and browsing history, credit card data and purchase history, travel data including air tickets, hotel stays and car rentals (even if not booked through Google itself), notes, pictures, contacts and a lot more data can be collected and stored by Google.
The various bits and pieces of data are kept in various places across Google servers. They are accessible via vastly different protocols, sharing one thing: they all require authentication via Google Account.
All Your Data Are Belong To Us
If Google has all this data, can examiners gain access to them for conducting an investigation? While technically Google offers a free service to export data (Google Takeout), using that service has its drawbacks; more on that later.
We made a special tool designed to simplify extracting, viewing and analyzing data from users’ Google accounts. Meet Elcomsoft Cloud Explorer, an all-in-one downloading and analysis tool for Google!
Using Elcomsoft Cloud Explorer is extremely simple. You’ll need to enter the suspect’s Google ID and password followed by two-factor authentication code (if two-factor authentication is enabled in their Google Account). After that, just select which types of data you’d like to download (remember, downloading large amounts of data can take a while), and the tool will automatically connect to appropriate Google services and automatically extract everything that falls under your selection.
That’s it! In a few moments, you’ll be able to see what Google knows about the suspect. It’s really impressive to see all that data in one place!
Let’s start from search requests:
As you see, we have comprehensive search history from all devices accompanied by page transitions.
Let’s see Chrome browsing history:
What about Dashboard? There, you’ll see usage statistics from *all* of the user’s Android devices, complete with IMEI data and application stats!
And media files (all pictures taken from camera, screen shots, pictures sent via Hangouts etc) are there, too:
Including detailed info on every picture:
Location statistics is one of the most impressive. Collected from all mobile and stationary devices registered to a certain Google account (and having Location Services enabled), location data is saved every few minutes. Interestingly, it’s not limited to GPS-enabled mobile devices. Just firing a Google search from any Web browser (even on a desktop!) while being logged in with a Google account updates location data. Here’s how it looks like (note how location data is updated every few minutes!)
Elcomsoft Cloud Explorer vs. Google Takeout
Google services are particularly attractive because of their openness. At any time, users are free to pick up their data and leave to another service provider. Google makes it easy for its users to download all of their contacts, browser bookmarks, map data, photos and documents, notes, groups, emails and other data by providing a service called Google Takeout. From there, users are free to download the data in the appropriate format, which is normally either OPML (RSS) or JSON (GeoJSON for map data). Some data is downloaded in vCard, PDF, or HTML. A few other formats are also used.
While Google Takeout is a viable service, it does not provide full access to some of the most forensically interesting data: stored passwords, search queries on various connected devices, and Chrome page transitions (browsing history). While this data is available elsewhere in Google, extracting information from the many sources is a labor-intensive and time-consuming task. In addition, using Google Takeout leaves traces in the user’s account, and results in an email alert delivered to the user’s mailbox.
Elcomsoft Cloud Explorer automates the job of retrieving data from Google servers and offers convenient presentation of that data in human-readable form. Unlike browser logins and unlike competing tools, Elcomsoft Cloud Explorer leaves no or minimal traces in the account being acquired. No email alert is triggered by using Elcomsoft Cloud Explorer. Moreover, it offers basic analysis by, for example, displaying which link(s) the user clicked on after firing up a search:
One other difference between Elcomsoft Cloud Explorer and Google Takeout is user alerts. In general, Google alerts users when someone logs in to their account from a new system or using a new IP address. This also applies to Google Takeout.
Elcomsoft Cloud Explorer is less affected by this policy compared to other acquisition methods. In most cases, extracting information using Elcomsoft Cloud Explorer does not result in Google sending an alert, and does not leave visible traces in the user’s Google account. However, when accessing certain types of data, the user might still receive a notification from Google alerting about a new system, new browser or new IP address login. At this time, we don’t know what types of data may trigger such alerts. Just be aware that this is possible.