Cloud Forensics: Google - ElcomSoft (15/5/2018)
![Page 1: Cloud Forensics: Google - ElcomSoft, 15/5/2018](https://reader035.vdocuments.net/reader035/viewer/2022062606/5ffe439c6552d649f448d7a6/html5/thumbnails/1.jpg)
Page 1: Cloud Forensics: Google
Extracting Google Account data
© ElcomSoft Ltd. www.elcomsoft.com
Hackinbo 2018
Page 2: In This Presentation
Google Forensics
§ Cloud and Over-the-Air Acquisition
§ Synchronized data
§ Passwords
§ Two-Factor Authentication
Page 3: Cloud Acquisition: Why?
• Helps deal with locked and encrypted devices
• Android 6 and up encrypted by default
• Google Account may contain more data than the phone itself
• Last resort: may succeed where all other methods fail
• Google collects information from all signed-in devices
Page 4: Cloud Acquisition Helps Bypass All of This:
• Secure Lock Screen
• Locked Bootloader
• Factory Reset Protection (FRP)
• Full-Disk Encryption (FDE) and File-Based Encryption (FBE)
• Device is broken, wiped, or locked
Page 5: Google: Why Cloud Forensics?
• Tens of thousands of device models
• Several thousand manufacturers
• Extreme platform fragmentation
• Not every Android device is a Google device
• Acquisition approaches vary
Google Account acquisition
• Single point of entry
• Unified approach
• Impressive amount of information
Page 6: Android Open Source vs. Google Mobile Services
• Not every Android device is a Google device
• AOSP does not mean GMS
• Google collects data from other sources if the user signs in to:
  • Chrome browser
  • Google Maps
  • Gmail
  • Google Search
• Including competing platforms
Page 7: Google Collects Data from Multiple Sources
• Multiple devices
  • Mac
  • Windows
  • iPhone
  • iPad
  • …and Android
• Apps
  • Dropbox
  • Authenticator
  • Chrome
  • Remote desktop
  • Many more
(Screenshot of the account's device and app lists; counters read "+ 6 more", "+ 23 more", "+ 76 more")
Page 8: Google Account: What's Inside
• User data
• All connected devices
• Devices/browsers that requested access
• Applications that requested access
• Google ads settings (age, interests etc.)
• Contacts
• Calendars
• Notes
• Mails
• Albums (photos/pictures/videos)
• Hangouts conversations
• Chrome
  • History
  • Synced passwords and autofill data
  • Bookmarks
  • Search history
  • YouTube [search] history
• A lot of statistical information
Top 10 Smartphone Apps (source: comScore report, June 2015)
• Facebook
• YouTube
• Facebook Messenger
• Google Search
• Google Play
Page 9: Google Takeout
• Leaves traces
• Not everything is exported
• Limited flexibility
• Numerous awkward formats
Page 10: Google Takeout
• User alerted via email
• Example of email alert (screenshot)
Page 11: Google Dashboard – Account Activity
• Not available via Google Takeout
Page 12: Google Dashboard – Not Available via Google Takeout
Account
• email
• number of Google API clients (sites and apps)
• account type: personal, work, both
• Activities in last 28 days
  • browsers and OSs that had access
  • locations
  • new apps and sites
YouTube
• number of videos and playlists loaded
• user name
• sex
• last video rating (+ video name and date)
• activities for last 28 days
  • number of views, by day
  • total views
  • searches
  • likes and dislikes
Search history (query + date)
• last Web search
• last image search
• last news search
• last video search
• last maps search
• last books search
• activities for last 28 days
  • top 10 searches
  • percentage of searches by category (web, image etc.)
  • activity (by day)
Google Sync (non-Android devices)
• number of bookmarks
• last sync date
• number of passwords
• number of Chrome extensions
Profile info
• Google+ name
• profile URL
• number of phone numbers
• number of "+1"
Gmail
• number of mail threads
• last thread subject
• number of messages in inbox
• last incoming message subject
• number of sent mails
• last sent mail subject
Android
• make, model
• first auth date/time
• last activity date/time
• apps that back up their data (name, date, size)
Page 13: Chrome Sync
• All signed-in devices
• Bookmarks
• Browsing history
• Open tabs
• Forms
• Passwords
• Page transitions
• Some data not saved by Google Takeout
Page 14: Calls and Text Messages
• Call logs
  • Android 6 and newer, recent Google Play Services
• Text messages
  • All devices: Android 8.0 Oreo
  • Google Pixel and Pixel XL: Android 7.1.1 and newer
• User's Google Account contains call logs and text messages backed up by all compatible devices
Page 15: Google Chrome: Search & Browsing History
• Collected on all signed-in devices
• Not just Android
https://history.google.com/history/
• Total searches
• Searches by day
• Top search clicks
• Map search history
• Voice search history
• Info on devices
• Location history
What is saved:
• Searches in all Google services
• Browser or mobile application
• Actions for search results (opened or not)
• Actions on Ads (clicks/purchases)
• IP address
• Browser information
Google Takeout does NOT work with history
Page 16: Android Device Backups
• Google Calendar settings
• Wi-Fi networks & passwords
• Home screen wallpapers
• Gmail settings
• Apps installed through Google Play
• Display settings
• Language & Input settings
• Date & Time
• 3rd party app settings & data (extremely limited)
Page 17: Android Device Backups: Limitations
• Limited content
• Nearly useless in real life
• Developers can disable backups per app
• Developers must explicitly enable backups to make use of Android 6.0 features
• Google not using backups for its own apps
• Facebook disables backups as well
• Yes, even in Android 8.0
Page 18: Google Photos
• Albums/events
• Comments
• EXIF
• Geo tags
• Subscriptions
• View counters
• People
Page 19: Google Account Acquisition: Elcomsoft Cloud Explorer
• Google ID + password
• Credentials can be saved
• Two-factor authentication
Page 20: Two-factor authentication
• Google relies on OATH tokens via Google Authenticator app
• Generic authenticator apps are compatible
• Single-use backup codes
• Must have access to the secondary authentication factor
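The slide says Google's second factor is an OATH token from Google Authenticator or any compatible app, with single-use backup codes as the fallback. As an added example, not ElcomSoft's code and not from the deck, the Python below shows what "compatible" means in practice: the code is RFC 6238 TOTP, derived only from the shared base32 secret and the clock, checked by the verifier with a small drift window and a constant-time compare, while a backup code is valid exactly once. The secret and timestamps are the published RFC 6238 test vectors; the backup-code list is constructed for illustration.

```python
"""Added example: how an OATH TOTP second factor is derived and verified.
Secret and timestamps are the RFC 6238 test vectors; the backup codes are
constructed for illustration. Not ElcomSoft's code."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"). A real enrolment
# uses a random secret delivered as a base32 "setup key" / QR code.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(setup_key, unix_time=None):
    """Decode the base32 setup key an authenticator app is given and compute
    the code it would display for `unix_time` (default: now)."""
    key = setup_key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # restore base32 padding if omitted
    secret = base64.b32decode(key)
    return totp(secret, int(time.time()) if unix_time is None else unix_time)


def verify_totp(secret, submitted, unix_time, window=1):
    """Verifier side: accept the code for the current step and `window`
    steps either side to tolerate clock drift; compare in constant time."""
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def redeem_backup_code(unused_codes, submitted):
    """Single-use backup codes: a code is accepted only while it is still in
    the unused set, and is removed the first time it is accepted."""
    for code in list(unused_codes):
        if hmac.compare_digest(code, submitted):
            unused_codes.discard(code)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vectors: 94287082 and 07081804 truncated to 6 digits
    print("TOTP at t=59:", totp(RFC6238_SECRET, 59))
    print("TOTP at t=1111111109:", totp(RFC6238_SECRET, 1111111109))
    print("Verify with 30 s drift:", verify_totp(RFC6238_SECRET, "287082", 89))
    codes = {"1234 5678", "8765 4321"}   # constructed backup codes
    print("Backup code first use:", redeem_backup_code(codes, "1234 5678"))
    print("Backup code second use:", redeem_backup_code(codes, "1234 5678"))
```

The point for an examiner is the last bullet of the slide: nothing in this scheme is derivable from the account password, so without the enrolled secret (the authenticator app or its setup key) or an unused backup code there is no code to present. The drift window in `verify_totp` is also why a code shown on a device whose clock is a few seconds off still works.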
Page 21: What's Available via Elcomsoft Cloud Explorer
• User profile
• Mail, Messages
• Contacts
• Notes (Google Keep)
• History
• Chrome data
• Media
• Calendars
• Dashboard
• Location history
• Android data
Page 22: Built-in Viewer
• Explore user's Google Account
• Navigate by category
• Search messages, view pictures, access calendar events etc.
Page 23: Passwords
• Data from Google Chrome
• Synced between all signed-in devices
• Not just Android
• Screenshot: sorry, we masked the actual usernames and passwords :)
• Also available: bookmarks, page transitions
Page 24: Page Transitions
• Where did the user go after firing a search?
• Data comes from:
  • Google Chrome
  • Google searches on other browsers (if signed-in)
Page 25: Search History
• Combined data
  • Google Chrome
  • Google searches in other browsers (signed-in)
• All platforms (desktops, laptops, tablets, phones)
Page 26: Browsing History
• Before Android 6.0
  • Browsing history easily available to "monitoring" apps
• Android 6.0 and up
  • Access to browsing history is limited
  • No "monitoring" app can access browsing history without root
  • This data can still be extracted from the cloud
• Android 6 market share: 32.2% (Sep 2017), Android 7: 15.8%
  https://developer.android.com/about/dashboards/index.html
Page 27: Browsing History
• Can be viewed as a tree
• Convenient per-domain grouping
• Page title and URL (where available)
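Slides 24 and 27 describe two views an analyst wants over acquired browsing history: "where did the user go after firing a search?" and a per-domain tree of page titles and URLs. The Python below is an added example of both analyses, not ElcomSoft's code and not the format of any Google export; the record layout (timestamp, URL, title) and every history entry are constructed for illustration. It treats a visit as a transition from a search when it is the first non-search page opened within a short gap after the search, and reports searches with no follow-up explicitly, since "searched but opened nothing" is itself a finding.

```python
"""Added example: page-transition and per-domain analysis over acquired
browsing history. Record layout and entries are constructed for illustration;
this is not Google's export format and not ElcomSoft's code."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed history: (UTC timestamp, URL, page title), not necessarily sorted.
HISTORY = [
    ("2018-05-15T09:00:00Z", "https://www.google.com/search?q=train+bologna+milan", "train bologna milan - Google Search"),
    ("2018-05-15T09:00:12Z", "https://www.trenitalia.com/en.html", "Trenitalia"),
    ("2018-05-15T09:03:40Z", "https://www.trenitalia.com/en/offers.html", "Offers"),
    ("2018-05-15T09:30:05Z", "https://www.hackinbo.it/", "HackInBo"),
    ("2018-05-15T09:30:00Z", "https://www.google.com/search?q=hackinbo+2018", "hackinbo 2018 - Google Search"),
    ("2018-05-15T12:00:00Z", "https://www.google.com/search?q=weather", "weather - Google Search"),
    ("2018-05-15T15:00:00Z", "https://example.org/unrelated", "Unrelated page"),
]


def parse_ts(ts):
    """Parse the constructed ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def search_query(url):
    """Return the query string if `url` is a Google web search, else None."""
    p = urlparse(url)
    if p.path == "/search" and (p.hostname or "").startswith("www.google."):
        q = parse_qs(p.query).get("q")
        return q[0] if q else None
    return None


def page_transitions(history, max_gap_seconds=300):
    """For each search, find the first non-search page opened within
    `max_gap_seconds`; returns [(query, landing_url_or_None), ...] in time order."""
    entries = sorted(((parse_ts(t), u, title) for t, u, title in history),
                     key=lambda e: e[0])
    result = []
    for i, (t, url, _) in enumerate(entries):
        query = search_query(url)
        if query is None:
            continue
        landed = None
        for t2, url2, _ in entries[i + 1:]:
            if (t2 - t).total_seconds() > max_gap_seconds:
                break                      # gap too long: not a follow-up
            if search_query(url2) is None:
                landed = url2              # first real page after the search
                break
        result.append((query, landed))
    return result


def domain_tree(history):
    """Group visits by host; each host maps to its distinct (title, url) pages
    in order of first appearance, which is the per-domain tree on slide 27."""
    tree = defaultdict(list)
    for _, url, title in sorted(history, key=lambda e: parse_ts(e[0])):
        host = urlparse(url).hostname or "(no host)"
        if (title, url) not in tree[host]:
            tree[host].append((title, url))
    return dict(tree)


def render_tree(tree):
    """Plain-text rendering of the domain tree, one host per top-level line."""
    lines = []
    for host in sorted(tree):
        lines.append(f"{host} ({len(tree[host])} pages)")
        for title, url in tree[host]:
            lines.append(f"  {title}  <{url}>")
    return "\n".join(lines)


if __name__ == "__main__":
    for query, landed in page_transitions(HISTORY):
        print(f"search {query!r} -> {landed or '(no page opened within window)'}")
    print(render_tree(domain_tree(HISTORY)))
```

The gap threshold is the analyst's judgement call: too small and a slow click is lost, too large and an unrelated later visit is attributed to the search. Keeping searches with no landing page in the output, rather than dropping them, preserves that negative evidence.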
Page 28: Contacts
• Conveniently synchronized
• Available for extraction
• Filtering helps find specific contacts (e.g. all contacts with phone numbers, names etc.)
Page 29: Location: Google Timeline vs. Elcomsoft Cloud Explorer
• Comprehensive analysis
• Single day view only
• Displays suggested places and activities (e.g. time spent at a certain establishment)
Page 30: Location: Google Timeline vs. Elcomsoft Cloud Explorer
• Selectable date range
• Adjustable scale
• Facts only (location + date & time)
• List and map views
Page 31: Media
• Photos from all user's devices can be uploaded to Google Photos
• Can be downloaded with Elcomsoft Cloud Explorer or manually via Google Drive
• Google Photos not the same as Google Drive!
• More information (e.g. tagged faces, location data, street addresses etc.)
• Elcomsoft Cloud Explorer uses Google Photos to access full image metadata
Page 32: Google and Privacy Concerns
• Users can delete data stored in their Google Account
• Google offers various options
• No all-in-one "stop tracking and delete all saved data" switch
• Various trackers must be disabled individually through various Google pages
• Work in progress: tool for disabling Google tracking and clearing collected data
Page 33: Google Cloud Backups: Conclusion
• Data in Android backups extremely limited
• Massive amounts of information synced with Google Account
• Browsing history, searches and page transitions, comprehensive location history, mail, notes, pictures and much more can be acquired
• Google Takeout: free, limited data, sends user alert, leaves traces, data in different cumbersome formats, analysis very difficult
• Elcomsoft Phone Breaker: forensically sound, complete acquisition and analysis
Page 34: Tools Mentioned in This Presentation
§ Elcomsoft Cloud Explorer: cloud acquisition of Google Accounts
§ Elcomsoft Mobile Forensic Bundle: contains all of the above tools in PC and Mac versions at a 30% discount