As we all know, Google collects and processes an awful lot of data about pretty much everyone who is using the company’s cloud services or owns a smartphone running the Android OS (or, to be precise, is using a device with Google Mobile Services). Just how much data is available was described in our previous article, What Google Knows about You, and Why It Matters. Today, we’ll discuss something slightly different. Meet Google Timeline, a relatively new feature extending the company’s Maps service.

Google Timeline

Google Timeline is a cloud service based off user’s location history reported by GMS-enabled Android devices. In essence, Timeline is nothing more than a front end that allows users visualizing their location history. Google employs some tricks to try to guess activities such as driving, parking, walking, or patronizing known establishments.

When using Google Timeline for the first time, users are greeted with an intro that tells about the service. Mind the note saying “Only you can see your timeline”:

The company explains how the data got there:

Google allows disabling and/or clearing Location History for any particular device or for all devices registered with a certain Google Account. Each individual location can be modified or deleted by the user.

Once inside, comprehensive analysis of the user’s location history becomes possible. For example, the following screenshot details a cross-border travel that occurred on December 28, 2015. Note that the service is detailed enough to record a visit to “Villa La Cas” restaurant between 2:17pm and 3:31pm:

Note the blue “CONFIRM” button on the above screen shot. This demonstrates that Google doesn’t actually “know” what the user was doing; instead, the service makes an educated guess, suggesting that a certain time spent at a certain location was spent at a restaurant (note the icon on the left hand side).

A more detailed route is available once we zoom into the map:

Note that the map is approximate, as location is only reported every few minutes. The location is not exactly precise, as it is normally obtained via the cellular network as opposed to using the battery-hogging (yet much more precise) GPS receiver.

Let’s fast-forward to January 4, 2016. On that day, the user didn’t go far outside the home area:

Limitations of Google Timeline

From the forensic standpoint, the value of Google Timeline may be limited by that service’s inability to display data covering more than a single day. This, for example, is what we were able to extract regarding my vacation trip:

We were unable to find a way to extract data covering the entire trip using Google Timeout. However, using Elcomsoft Cloud Explorer, we were able to download and visualize the entire trip by specifying the date range:

Therefore, Elcomsoft Cloud Explorer offers broader coverage of the user’s timeline compared to Google’s own service.

Google Acquisition

Google collecting geolocation data and maintaining location history is nothing new. Previously it was only possible to go back some 6 month of location history. Apparently, this limitation is now lifted, and users (and law enforcement armed with court warrants) can now access more than 6 months of location data. In some cases, the data can go back all the way to 2009.

According to Google, a subpoena is not sufficient to request these and other records. The company requires a warrant to provide this information. Google discloses information about the number of government requests it has served in the official Transparency Report.

It is important to note that while Google hands out data to law enforcement once served a warrant, the company does not provide any additional assistance on deciphering the data. Since various bits of data can be provided in a variety of obscure formats, it is not always easy to investigate. One solution to this would be using our new tool, Elcomsoft Could Explorer. The tool can automatically download, display and help analyze information from the suspect’s Google Account without a sweat.

Some data can be downloaded from Google via the company’s Takeout service. Google Timeline data is not directly accessible via Google Takeout; however, full location history is. One can download location history from Google Takeout by selecting the corresponding setting:

The data will be provided as a JSON file. Note, however, that acquiring information via Google Takeout results in an email alert being delivered to the user’s mailbox:

Obtaining Timeline Data

A court warrant is required to request data available in Timeline directly from Google. However, if the suspect’s Google ID and password are known, an expert can obtain raw geolocation data that can be used to reconstruct the Timeline by using Elcomsoft Cloud Explorer.

In order to obtain the data, download and install Elcomsoft Cloud Explorer (the evaluation version can be downloaded free of charge). When running the tool, make sure that the “Location” check box is selected as shown on the screen shot below:

Wait until the download finishes. The acquired snapshot will automatically open. From the window below, select “Locations”:

You’ll be able to switch between the list view and map view as shown on screenshots below.

List view:

Map view:

Elcomsoft Cloud Explorer

The evaluation version of Elcomsoft Cloud Explorer can be downloaded free of charge from https://www.elcomsoft.com/ecx.html