We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Dashboard support. The Google Dashboard service is little known among computer forensic specialists since Dashboard data cannot be downloaded from Google or obtained by serving a legal request. Yet, Dashboard aggregates massive amounts of data collected and stored in the user’s Google Account, offering an essential overview of the user’s activities. In this article, we’ll demonstrate how to obtain Dashboard data directly from the user’s Google account.

What’s it all about

Google Dashboard is a Google service allowing users to have a summary view of their Android devices and their usage history, searches, location history, Web history, Google Play apps, YouTube and much more. The service summarizes data for each Google product the user uses.

While Google allows signed-in users downloading the data it keeps in the Dashboard, some categories are missing from the provided set of data. Some of these categories include Connected Apps and Device Activity. By using Elcomsoft Cloud Explorer, experts can quickly and easily obtain the entire set of data available in Google Dashboard including categories that are generally not provided by Google during the takeout process.

Google Dashboard contains aggregated statistical data on the user’s activities. As a result, Dashboard data can be downloaded very quickly, literally in a matter of seconds. Downloading and analyzing Dashboard data prior to acquiring the entire set of Google-collected information allows saving time and starting the investigation faster.

How Google Dashboard collects information

Google Dashboard is based on other data stored in the user’s Google account. Dashboard is an artificial category in a sense that it does not contain any ‘new’ information. Instead, the Dashboard contains the results of Google processing existing data. The category contains statistical information on the user’s interactions with their devices, apps, and Google services.

Google Dashboard data extracted from the user’s Google Account returns massive amounts of precise location points, allowing to pinpoint the user’s location with ultimate precision and granularity. Access to comprehensive location history and other critical real-time evidence can be vital for investigating crime.

Accessing Google Dashboard data

In order to extract Google Dashboard data from the user’s Google Account, you will need Elcomsoft Cloud Explorer 2.31 or newer.

1. Launch Elcomsoft Cloud Explorer and create a new snapshot. Authenticate with the user’s login and password (Google Account) or use an authentication token. The screen shot below demonstrates token-based authentication.
2. Select the “Google Dashboard” check box. Note: if you are in a rush, you may leave other check boxes empty; by downloading and analyzing Dashboard data, you might be able to better realize what other categories you will need to obtain first.
3. The data will be downloaded in several seconds to several minutes.
4. After the processing, you can access Google Dashboard data from the main window.

Analyzing Google Dashboard data

Google Dashboard data is broken into categories. The categories include Devices, Maps, Calendar, Disk, Alerts, Analytics, Books, Groups, News, Package tracking, Payments, Photos, Google Play Music, Google Play, Tasks, Blogger, AdSense, Brand Accounts, FeedBurner, Search, and Keep, as well as several others.

To give an idea on what’s inside, we prepared a number of screen shots.

The Devices category gives an overview of the user’s registered Android devices. If a device has a cloud backup stored in Google Drive, information about that backup will be listed as well.

The Photos category, while not displaying any images per se, contains information about the number of pictures, the latest interaction, the number of public photos etc.

The Maps category contains the user’s home and work addresses, their last known place (location POI), and the information about their last review.

The Gmail category contains statistical information about the user’s use of Gmail such as the total number of messages, number of sent messages and so on.

The Device activity section contains information about the user’s devices (not necessarily Android smartphones) where the user signed in to use one or more Google services.

The Connected apps section contains information about the apps authorized to use the user’s Google credentials.

There are numerous other categories that may be interesting for the investigation.

Conclusion

Google Dashboard may not present any ‘new’ data per se. However, this important category allows to jump-start the investigation by revealing the user’s interactions with Google devices and services in a matter of seconds. Obtaining and analyzing the user’s Dashboard data prior to acquiring the potentially large set of Google-collected information is a huge time saver.