Investigating and Capturing Google Data

Written by Amber Schroader

December 2, 2021

Very few people on the planet now have nothing to do with Google. From parents selecting Gmail accounts for their kids before they are born to the proliferation of Google in the classroom, the search giant is everywhere. With this level of distribution also comes the value of Google data in an investigation.

The first step with any investigation is for you to look at how your own data should look. If you do not have a Google Account, it is time to make one so you can feel what the playing field of data is like. Establishing a good expectation of data can be valuable for other parties that might be working on the investigation with you.

The first step after getting your account set up is to go to your Google Dashboard.

This is where you are going to see what is available in your account. You might be wondering how this would play into an investigation. This is where the power of consent is valuable: based on the value and depth of data you can capture with Google, this is one of the first stops when accessing the account with their known keys.

The alternate is to deal with the Google data using cloud keys that can be recovered from smartphones. These still produce data, but the level of data is lower than what can be gathered from a Google Takeout pull. A review of those steps is also included below.

Once you know what you are looking to gather, select the “Download your data” option.

You will be offered options on the type of data you want to capture in the download. This is where scope comes into play: you can get everything, covering the history of your relationship with Google, or you can limit the pull to which devices are accessing your Google data.

One of the key items for putting the digital evidence in the hands of your suspect is the Access Log Activity. This can be a larger pull, but it is well worth it when you can review where the access came from and what was accessing the information.

There are a ton of different options for what data you might want to pull in your Takeout request. This list might change as more services are offered by Google, but it gives you a starting point for your scope limitations.

Data Available:

  • Access Log Activities
  • Android Device Configuration Service
  • Arts & Culture
  • Calendar
  • Chrome
  • Contacts
  • Crisis User Reports
  • Data Shared for Research
  • Drive
  • Fit
  • Google Account
  • Google Cloud Search
  • Google Help Communities
  • Google My Business
  • Google Pay
  • Google Play Books
  • Google Play Game Services
  • Google Play Movies & TV
  • Google Play Store
  • Google Shopping
  • Google Translator Toolkit
  • Google Workspace Marketplace
  • Groups
  • Hangouts
  • Home App
  • Keep
  • Location History
  • Mail
  • Maps
  • Maps (your places)
  • My Activity
  • News
  • Pinpoint
  • Profile
  • Purchases & Reservations
  • Question Hub
  • Reminders
  • Saved
  • Search Contributions
  • Street View
  • Tasks
  • YouTube and YouTube Music

Once you have selected the items from your scope you can select the delivery method. If you select the .zip option, the E3 Forensic Platform Trial provides a parser for the data that is included in the export.

The data export process will start, and an email will be sent once the export is completed and a download is available.

Smartphone Collection Option

If you do not have the luck of consent and only have a smartphone or existing credentials, there are alternative methods to process Google data. When processing a smartphone, your processing tools will often look for cloud keys. Typically, these cloud keys act as a spare key to your house and can open the data stored in the cloud just like the original typed keys. With Paraben’s E3 Forensic Platform you would see a notice on Authentication Data in the tree view with both iOS and Android. Note that with iOS you need to have processed the device with the encrypted backup option active and a known password to collect the cloud keys.

Once you see this data is collected you will want to export the data and import the data back into your case. This extra step is because cloud collected data is technically another evidence source in the case.

All the available keys from the smartphone will show in the import wizard that allows you to decode the cloud keys. It is important to note whether the accounts all belong to the suspect you are investigating or to another party. Once the Authenticate option is selected, the cloud will be queried with the cloud keys to determine if they are still valid, and a collection option can be selected. The collection option can also limit the scope by date and time.

Collected data can then be reviewed.

With the review of data, a variety of information can be captured; however, the list is not as long or exhaustive as the one available with Google Takeout. You might find prime information from sources such as Gmail and Google Drive.

Google Takeout Import

A review of this source as well as the Google Takeout source gives you the largest perspective on your potential suspect and their related Google data.

Importing the Google Takeout data is a simple process once the export is prepared.

You will receive notification in the primary as well as a secondary backup email that the Google Takeout is being prepared. Once it is completed, you will be prompted to download the data. Depending on the options you selected, you will have to download anywhere from one to many different files. With the sample we selected, we had 23 different downloads that represented the data. You only have 1 week to download the data before a new request is needed.

Once the data is downloaded it is time to look at the wealth of information you can review. With the Free edition of the E3 Forensic Platform, you can import the Google Takeout. This is an easy way to access all the information and have the analytic capabilities to review it as well.

Step 1. Select Add Evidence and then select Google.

Step 2. Select Google Takeout and go to the location you have saved the downloads to.

You will want to make sure you have all the items in the directory. Always confirm they are all added so that no data is missed. If you notice that an archive is not added, repeat the process to add that archive manually.
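A pre-import completeness check along the lines described above, as an added example (not part of the original article or of the E3 Forensic Platform). It assumes the downloaded parts are named takeout-<timestamp>-<NNN>.zip and that members sit under Takeout/<Product>/; the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_takeout(directory, expected_parts):
    """Report found/missing part numbers, per-part hashes, and files per product.

    Assumes parts are named takeout-<timestamp>-<NNN>.zip and that members are
    laid out as Takeout/<Product>/<file...>.
    """
    found, hashes, products = [], {}, {}
    for path in sorted(Path(directory).glob("takeout-*-[0-9][0-9][0-9].zip")):
        found.append(int(path.stem.rsplit("-", 1)[1]))
        hashes[path.name] = sha256_file(path)
        with zipfile.ZipFile(path) as archive:
            for member in archive.namelist():
                pieces = member.split("/")
                if len(pieces) >= 3 and pieces[0] == "Takeout" and pieces[-1]:
                    products[pieces[1]] = products.get(pieces[1], 0) + 1
    missing = [n for n in range(1, expected_parts + 1) if n not in found]
    return {"found": found, "missing": missing,
            "hashes": hashes, "products": products}


def build_constructed_sample(directory):
    """Constructed test data: parts 001 and 003 of a three-part export."""
    layout = {"001": "Takeout/Contacts/All Contacts/All Contacts.vcf",
              "003": "Takeout/YouTube and YouTube Music/history/watch-history.html"}
    for num, member in layout.items():
        name = Path(directory) / f"takeout-20211202T000000Z-{num}.zip"
        with zipfile.ZipFile(name, "w") as archive:
            archive.writestr(member, "constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(inventory_takeout(tmp, expected_parts=3))
```

Set expected_parts to the number of downloads the export produced (23 in the sample above); the products in the report can be compared against the services selected in the Takeout scope.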

Once completed you can review the information. A lot of the details in the Google Takeout are standard HTML, TXT, JSON, etc. The viewers for those files are part of the E3 Forensic Platform and can be used easily as well as the different search options.

To make the process easier we will focus on just one area of the Google Takeout data to show the value of information that is unique to this data source.

 

Looking at Contacts we can see data that has been synchronized with the Google Account as well as device data associated with an Android device also tied to the same Google account.

All Contacts Example:

All Contacts from Android Smartphone Example:

The complete contact list with details was provided with the Nokia 7.1 smartphone synchronization. As a note, this synchronization was not with the primary account for the user, just one that happened when they had logged into Google using the test account. The data that can be found in Google Takeout is comprehensive of all activities done with the account, so a mix can be found based on when the account was used on an Android device or logged into in Chrome.

There are lots of other data sources in Google Takeout that can be beneficial to your investigation. Unique areas that are not found through other data sources are where you can focus your time. An example would be YouTube. You cannot see this data from a mobile device or desktop beyond what you might see in the internet history, and some of the unique nuances that are found through activities on YouTube are not recorded. Since YouTube is associated with your Google Account, however, some of that data can be discovered in the Google Takeout archive.

YouTube Data Search History

YouTube Watch History

No matter how you look at it, Google is not only storing a lot of information about the user, it is also providing valuable information for a digital investigation. When you look at the scale of data available, the information found in Google Takeout surpasses what is available through local acquisitions, device acquisitions, or cloud acquisition, no matter which tool you use. When reviewing Google data, make sure you go to each of the available tiers to get the maximum amount of information possible.

There are many great approaches out there to digital forensics. If you are just getting started, you can review some options here. (https://onlinedegrees.unr.edu/blog/digital-forensics/)
