Posts Tagged ‘Google’

Android 8.0 Oreo: Your Text Messages Are in the Cloud Now

Thursday, September 21st, 2017

In each major Android update, Google improves security on the one hand, and moves a few more things to the cloud on the other. The recently finalized and finally released Android 8.0 Oreo adds one important thing to all devices running the newest build of Google’s OS: the ability to back up SMS text messages into the user’s Google Account.

If you follow our blog, you may recall we’ve already talked about the issue a few months ago. Back in April, we were excited to introduce a new feature to Elcomsoft Cloud Explorer, enabling cloud acquisition of text messages from Google Account. Back then, the feature was limited strictly to Google Pixel and Pixel XL devices running Android 7 Nougat.

The release of Android 8.0 Oreo has finally brought the feature to all devices regardless of make and model, allowing any device to back up and restore SMS text message via the user’s Google Account.

We updated Elcomsoft Cloud Explorer accordingly, enabling support for cloud-based SMS extraction for devices running Android 8. There aren’t many of those yet aside of Google Pixel and Pixel XL devices, but many users of Nexus 5x and 6p have already received the update. More devices will follow. Let’s have a look at how this new feature works. Before we begin, let us first clear the confusion that arises between Android data sync and data backups. (more…)

The New Google Authentication Engine in Elcomsoft Cloud Explorer 1.31

Thursday, June 15th, 2017

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

(more…)

Extracting Text Messages from Google Accounts

Wednesday, April 26th, 2017

Elcomsoft Cloud Explorer 1.30 can now pull SMS (text) messages straight off the cloud, and offers enhanced location processing with support for Routes and Places. In this article, we’ll have a close look at the new features and get detailed instructions on how to use them. The first article will discuss the text messages, while enhanced location data will be covered in the one that follows.

Text Messages: Part of Android Backups (sort of)

Before we begin extracting text messages, let us check where they come from. As you may know, Android 6.0 has finally brought automated data backups. While Android backups are not nearly as complete or as comprehensive as iOS backups, they still manage to save the most important things such as device settings, the list of installed apps and app data into the cloud. Being a Google OS, Android makes use of the user’s Google Account to store backups. Unlike Apple, Google does not count the space taken by these backups towards your Google Drive allotment. At the same time, Google allows for a very limited data set to be saved into the cloud, so you can forget about multi-gigabyte backups you have probably seen in iOS.

(more…)

Routes and Places: Obtaining Enhanced Location Data from Google Accounts

Wednesday, April 26th, 2017

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.

Google has changed that by introducing several mapping services running on top of location history. With its multi-million user base and an extremely comprehensive set of POI, Google can easily make educated guesses on which place the user has actually visited. Google knows (or makes a very good guess) when you eat or drink, stay at a hotel, go shopping or do other activities based on your exact location and the time you spent there. This extra information is also stored in your Google account – at least if you use an Android handset and have Location History turned on.

Elcomsoft Cloud Explorer 1.30 can now process Google’s enhanced location data, which means we can now correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates. In this article, we’ll figure out how to obtain that data and how to analyze it. (more…)

Government Request Reports: Google, Apple and Microsoft

Monday, January 16th, 2017

Every once in a while, hi-tech companies release reports on government requests that they received and served (or not). The different companies receive a different number of requests. They don’t treat them the same way, and they don’t report them the same way, which makes the comparison difficult. In this article, we’ll try to analyze and compare government request reports published by Apple, Google and Microsoft.

Since all three companies report on different things, and the sheer number of data is way too big for analyzing in a blog article, we’ll try to only compare data related to the North American region and Germany (as a single European country). (more…)

Elcomsoft Cloud Explorer: Extracting Call Logs and Wi-Fi Passwords

Monday, October 3rd, 2016

Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.

While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.

(more…)

Using Gmail API: The Forensic Way to Acquire Email

Wednesday, August 3rd, 2016

Just now, we’ve updated Elcomsoft Cloud Explorer to version 1.10. This new release adds the ability to download email messages from the user’s Gmail account for offline analysis. In order to do that, we had to develop a highly specialized email client. We opted to use Google’s proprietary Gmail API to download mail. In this article, we’ll explain our decision and detail the benefits you’ll be getting by choosing a tool that can talk to Gmail in Gmail language. 

The Gmail API

The Gmail API is a set of publicly available APIs that can be used by third-party developers to access Gmail mailboxes. Google cites the Gmail API as the best choice for authorized access to a user’s Gmail data. According to Google, the Gmail API is an ideal solution for read-only mail extraction, indexing and backup, as well as for migrating email accounts (https://developers.google.com/gmail/api/guides/overview). Elcomsoft Cloud Explorer does exactly that: it offers read-only mail extraction to create an offline backup of messages from the user’s online account.

gmail-api-1

Unlike universal email protocols such as POP3 and IMAP, Google’s new API offers flexible access to the user’s Gmail account. By using the proprietary API, developers gain access to the user’s inbox complete with threads, messages, labels, drafts and history.

Most importantly, the Gmail API is blazing fast compared to legacy email protocols, and offers the ability to selectively download specific messages and threads (such as those falling within a certain time period).

(more…)

Forensic Acquisition: Android

Friday, January 29th, 2016

While here at ElcomSoft we offer a limited range of tools for acquiring Android devices that’s pretty much limited to over-the-air acquisition, we are still often approached with questions when one should use cloud extraction, and when other acquisition methods should be used. In this article, we decided to sum up our experience in acquiring the various Android devices, explaining why we decided to go for a cloud acquisition tool instead of implementing the many physical and logical extraction methods. This article is a general summary of available acquisition methods for the various makes, models, chipsets and OS versions of Android smartphones. The article is not intended to be a technical guide; instead, it’s supposed to give you a heads-up on approaching Android acquisition.

(more…)

Google Timeline: How Law Enforcement Can Use Google Data

Monday, January 25th, 2016

As we all know, Google collects and processes an awful lot of data about pretty much everyone who is using the company’s cloud services or owns a smartphone running the Android OS (or, to be precise, is using a device with Google Mobile Services). Just how much data is available was described in our previous article, What Google Knows about You, and Why It Matters. Today, we’ll discuss something slightly different. Meet Google Timeline, a relatively new feature extending the company’s Maps service.

(more…)