Cloud Forensics: Google

Transcription

Hackinbo 2018
Cloud Forensics: Google
Extracting Google Account data
ElcomSoft Ltd. www.elcomsoft.com

Google Forensics
In This Presentation
- Cloud and Over-the-Air Acquisition
- Synchronized data
- Passwords
- Two-Factor Authentication

Cloud Acquisition: Why?
- Helps with locked and encrypted devices
- Android 6 and up: encrypted by default (Android 6.0 requires full-disk encryption out of the box on devices with adequate AES performance)
- Google Account may contain more data than the phone itself
- Last resort: may succeed where all other methods fail
- Google collects information from all signed-in devices

Cloud Acquisition Helps Bypass All of This:
- Secure lock screen
- Locked bootloader
- Factory Reset Protection (FRP)
- Full-Disk Encryption (FDE) and File-Based Encryption (FBE)
- Device is broken, wiped, or locked
None of these device-side protections matter when the data is pulled from the account rather than the handset; what is needed instead is the Google ID, the password and, where enabled, the second factor.

Google: Why Cloud Forensics?
Device acquisition:
- Tens of thousands of device models
- Several thousand manufacturers
- Extreme platform fragmentation
- Not every Android device is a Google device
- Acquisition approaches vary
Google Account acquisition:
- Single point of entry
- Unified approach
- Impressive amount of information

Android Open Source vs. Google Mobile Services
- Not every Android device is a Google device
- AOSP does not mean GMS
- Google collects data from other sources if the user signs in to: Chrome browser, Google Maps, Gmail, Google Search
- Including competing platforms

Google Collects Data from Multiple Sources
- Multiple devices: Mac, Windows, iPhone, iPad and Android
- Apps with account access: Dropbox, Authenticator, Chrome, Remote Desktop and many more
[screenshot: the account's device list and connected-app list]

Google Account: What's Inside
- User data
- All connected devices
- Devices/browsers that requested access
- Applications that requested access
- Google ads settings (age, interests etc.)
- Contacts
- Calendars
- Notes
- Mails
- Albums (photos/pictures/videos)
- Hangouts conversations
- Chrome: history, synced passwords and autofill data, bookmarks
- Search history
- YouTube [search] history
- A lot of statistical information
Top 10 Smartphone Apps (source: comScore report, June 2015): Facebook, YouTube, Facebook Messenger, Google Search, Google Play

Google Takeout
- Leaves traces
- Not everything is exported
- Limited flexibility
- Numerous awkward formats

Google Takeout
- User alerted via email
[screenshot: example of the email alert]

Google Dashboard – Account Activity
- Not available via Google Takeout

Google Dashboard – Not Available via Google Takeout
Account:
- email
- number of Google API clients (sites and apps)
- account type: personal, work, both
- activities in the last 28 days: browsers and OSs that had access, locations, new apps and sites
YouTube:
- number of videos and playlists loaded
- user name
- sex
- last video rating (video name and date)
- activities for the last 28 days: number of views by day, total views, searches, likes and dislikes
Search history (query, date):
- last Web search
- last image search
- last news search
- last video search
- last maps search
- last books search
- activities for the last 28 days: top 10 searches, percentage of searches by category (web, image etc.), activity (by day)
Google Sync (non-Android devices):
- number of bookmarks
- last sync date
- number of passwords
- number of Chrome extensions
Profile info:
- Google+ name
- profile URL
- number of phone numbers
- number of "+1"s
Gmail:
- number of mail threads
- last thread subject
- number of messages in inbox
- last incoming message subject
- number of sent mails
- last sent mail subject
Android:
- make, model
- first auth date/time
- last activity date/time
- apps that back up their data (name, date, size)

Chrome Sync
- All signed-in devices: bookmarks, browsing history, open tabs, forms, passwords, page transitions
- Some data not saved by Google Takeout

Calls and Text Messages
- Call logs: Android 6 and newer with recent Google Play Services
- Text messages: all devices on Android 8.0 Oreo; Google Pixel and Pixel XL on Android 7.1.1 and newer
- The user's Google Account contains call logs and text messages backed up by all compatible devices

Google Chrome: Search & Browsing History
- Collected on all signed-in devices, not just Android
- https://history.google.com/history/ shows: total searches, searches by day, top search clicks, map search history, voice search history, info on devices, location history
What is saved:
- Searches in all Google services
- Browser or mobile application
- Actions for search results (opened or not)
- Actions on ads (clicks/purchases)
- IP address
- Browser information
Google Takeout does NOT work with history.

Android Device Backups
- Google Calendar settings
- Wi-Fi networks & passwords
- Home screen wallpapers
- Gmail settings
- Apps installed through Google Play
- Display settings
- Language & input settings
- Date & time
- 3rd-party app settings & data (extremely limited)

Android Device Backups: Limitations
- Limited content
- Nearly useless in real life
- Developers can disable backups per app (android:allowBackup="false") or exclude files through backup rules
- Android 6.0 Auto Backup only covers apps that target API level 23 or higher; older apps get nothing unless they implement the key/value backup API themselves
- Google does not use backups for its own apps
- Facebook disables backups as well
- Yes, even in Android 8.0

Google Photos
- Albums/events
- Comments
- EXIF
- Geo tags
- Subscriptions
- View counters
- People

Google Account Acquisition: Elcomsoft Cloud Explorer
- Google ID and password
- Credentials can be saved
- Two-factor authentication

Two-factor authentication
- Google relies on OATH tokens (RFC 6238 TOTP) generated by the Google Authenticator app
- Generic authenticator apps are compatible, since any RFC 6238 implementation with the same secret produces the same codes
- Single-use backup codes
- Must have access to the secondary authentication factor
- Google 2-Step Verification also accepts other second factors (SMS/voice codes, Google prompts, FIDO U2F security keys); an acquisition plan has to cover whichever one the account actually uses

What's Available via Elcomsoft Cloud Explorer
- User profile
- Mail, messages
- Contacts
- Notes (Google Keep)
- History
- Chrome data
- Media
- Calendars
- Dashboard
- Location history
- Android data

Built-in Viewer
- Explore the user's Google Account
- Navigate by category
- Search messages, view pictures, access calendar events etc.

Passwords
- Data from Google Chrome
- Synced between all signed-in devices
- Not just Android
- Screenshot: sorry, we masked the actual usernames and passwords :)
- Also available: bookmarks, page transitions

Page Transitions
- Where did the user go after firing a search?
- Data comes from: Google Chrome; Google searches in other browsers (if signed in)

Search History
- Combined data: Google Chrome; Google searches in other browsers (signed in)
- All platforms (desktops, laptops, tablets, phones)

Browsing History
- Before Android 6.0: browsing history was easily available to "monitoring" apps through the system Browser content provider and the READ_HISTORY_BOOKMARKS permission
- Android 6.0 and up: access to browsing history is limited; that provider's history/bookmark access and the permission were removed in 6.0, so no "monitoring" app can read browsing history without root
- This data can still be extracted from the cloud
- Android 6 market share: 32.2% (Sep 2017); Android 7: [figure and source URL truncated]

Browsing History
- Can be viewed as a tree
- Convenient per-domain grouping
- Page title and URL (where available)

Contacts
- Conveniently synchronized
- Available for extraction
- Filtering helps find specific contacts (e.g. all contacts with phone numbers, names etc.)

Location: Google Timeline vs. Elcomsoft Cloud Explorer
Google Timeline:
- Comprehensive analysis
- Single-day view only
- Displays suggested places and activities (e.g. time spent at a certain establishment)

Location: Google Timeline vs. Elcomsoft Cloud Explorer (continued)
Elcomsoft Cloud Explorer:
- Selectable date range
- Adjustable scale
- Facts only (location, date & time)
- List and map views
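The "facts only, selectable date range" view described above, as an added Python example that is not ElcomSoft's code: it reads a location-history export in the shape Google Takeout used at the time (an assumption about the format: a top-level "locations" list with "timestampMs" strings and latitude/longitude as E7 integers), normalises it, and filters by date range and reported accuracy. The sample export is constructed for the example, and utc() is a small helper defined here, not a library function.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a Takeout "Location History.json" export of this era
# (assumed format: top-level "locations" list, "timestampMs" as a string, lat/lon as E7 integers).
SAMPLE_TAKEOUT_JSON = json.dumps({"locations": [
    {"timestampMs": "1525132800000", "latitudeE7": 444949000, "longitudeE7": 113428000, "accuracy": 20},   # 2018-05-01 UTC
    {"timestampMs": "1525219200000", "latitudeE7": 444935000, "longitudeE7": 113520000, "accuracy": 65},   # 2018-05-02
    {"timestampMs": "1525305600000", "latitudeE7": 455000000, "longitudeE7": 100000000, "accuracy": 800},  # 2018-05-03, coarse fix
    {"timestampMs": "1525392000000", "latitudeE7": 444900000, "longitudeE7": 113400000},                   # 2018-05-04, no accuracy field
    {"timestampMs": "not-a-number", "latitudeE7": 0, "longitudeE7": 0},                                    # malformed, must be skipped
]})


def utc(y, m, d, hh=0, mm=0, ss=0):
    """Helper defined for this example: a timezone-aware UTC datetime."""
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


def parse_location_history(text):
    """Turn Takeout-style E7 integers and millisecond string timestamps into plain records."""
    records = []
    for entry in json.loads(text).get("locations", []):
        try:
            ts_ms = int(entry["timestampMs"])
            lat = int(entry["latitudeE7"]) / 1e7
            lon = int(entry["longitudeE7"]) / 1e7
        except (KeyError, ValueError, TypeError):
            continue  # malformed entry: skip it rather than abort the whole export
        records.append({
            "when": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "lat": lat,
            "lon": lon,
            "accuracy_m": entry.get("accuracy"),  # None when Google recorded no accuracy
        })
    records.sort(key=lambda r: r["when"])  # exports are not guaranteed to be chronological
    return records


def select_range(records, start, end, max_accuracy_m=None):
    """Facts-only view: fixes inside [start, end], optionally dropping low-accuracy ones.
    Fixes without an accuracy value are kept: unknown is not the same as inaccurate."""
    selected = []
    for r in records:
        if not (start <= r["when"] <= end):
            continue
        if (max_accuracy_m is not None and r["accuracy_m"] is not None
                and r["accuracy_m"] > max_accuracy_m):
            continue
        selected.append(r)
    return selected


def daily_counts(records):
    """Number of fixes per UTC day, the per-day list a timeline view is built from."""
    return dict(Counter(r["when"].strftime("%Y-%m-%d") for r in records))


if __name__ == "__main__":
    points = parse_location_history(SAMPLE_TAKEOUT_JSON)
    for r in select_range(points, utc(2018, 5, 2), utc(2018, 5, 3, 23, 59, 59), max_accuracy_m=100):
        print(r["when"].isoformat(), r["lat"], r["lon"], r["accuracy_m"])
    print(daily_counts(points))
```

Keeping the accuracy radius next to every coordinate matters more than the map itself: an 800-metre fix and a 20-metre fix look identical as pins, and only the former can be honestly described as "near", not "at", an address.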

Media
- Photos from all of the user's devices can be uploaded to Google Photos
- Can be downloaded with Elcomsoft Cloud Explorer or manually via Google Drive
- Google Photos is not the same as Google Drive!
- More information (e.g. tagged faces, location data, street addresses etc.)
- Elcomsoft Cloud Explorer uses Google Photos to access full image metadata
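What "full image metadata" means in practice for the EXIF and geo-tag items listed under Google Photos and Media above, as an added example that is not ElcomSoft's code: a minimal TIFF/EXIF reader that locates the GPS IFD and converts the degrees/minutes/seconds rationals to signed decimal coordinates, plus the JPEG APP1 unwrapping needed to reach that blob. The sample image data is constructed in the block (a bare EXIF structure carrying only GPS tags 1 to 4, with assumed coordinates), and helper names such as exif_gps, exif_from_jpeg and build_sample_exif are this example's own.

```python
import struct

TAG_GPS_IFD = 0x8825                                          # IFD0 entry pointing at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF data type

def _read_ifd(data, off, E):
    """Parse one IFD into {tag: (type, count, raw_value)}; values over 4 bytes live at an offset."""
    (n,) = struct.unpack_from(E + "H", data, off)
    entries = {}
    for i in range(n):
        tag, typ, count, inline = struct.unpack_from(E + "HHI4s", data, off + 2 + 12 * i)
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:
            value = inline[:size]
        else:
            (value_off,) = struct.unpack_from(E + "I", inline)
            if value_off + size > len(data):
                raise ValueError("IFD entry points outside the EXIF blob")  # truncated or hostile file
            value = data[value_off:value_off + size]
        entries[tag] = (typ, count, value)
    return entries

def _dms(raw, E, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees; S and W are negative."""
    vals = struct.unpack_from(E + "II" * 3, raw)
    parts = []
    for num, den in zip(vals[0::2], vals[1::2]):
        if den == 0:
            raise ValueError("zero denominator in GPS rational")
        parts.append(num / den)
    value = parts[0] + parts[1] / 60 + parts[2] / 3600
    return -value if ref in ("S", "W") else value

def exif_gps(data):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if it carries no GPS fix."""
    E = {b"II": "<", b"MM": ">"}.get(data[:2])   # byte order is declared by the file itself
    if E is None:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd0_off = struct.unpack_from(E + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(data, ifd0_off, E)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(E + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(data, gps_off, E)
    if any(tag not in gps for tag in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
        return None
    lat_ref = gps[1][2].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[3][2].rstrip(b"\x00").decode("ascii")
    return _dms(gps[2][2], E, lat_ref), _dms(gps[4][2], E, lon_ref)

def exif_from_jpeg(jpeg):
    """Walk JPEG marker segments and return the TIFF blob from the APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of scan: metadata segments are over
            return None
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None

def wrap_in_jpeg(tiff):
    """Constructed JPEG: SOI, one APP1 Exif segment, EOI (no image data)."""
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def build_sample_exif(lat_ref=b"N", lon_ref=b"E"):
    """Constructed little-endian EXIF blob: IFD0 -> GPS IFD with 44 29'41.64\" / 11 20'34.08\" (assumed)."""
    E = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # one IFD0 entry
    lat_off = gps_off + 2 + 4 * 12 + 4       # four GPS entries
    lon_off = lat_off + 24                   # three RATIONALs of 8 bytes each
    blob = b"II" + struct.pack(E + "HI", 42, ifd0_off)
    blob += struct.pack(E + "H", 1) + struct.pack(E + "HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack(E + "I", 0)
    blob += struct.pack(E + "H", 4)
    blob += struct.pack(E + "HHI4s", 1, 2, 2, lat_ref + b"\x00\x00\x00")   # GPSLatitudeRef, ASCII inline
    blob += struct.pack(E + "HHII", 2, 5, 3, lat_off)                      # GPSLatitude, 3 RATIONAL at offset
    blob += struct.pack(E + "HHI4s", 3, 2, 2, lon_ref + b"\x00\x00\x00")   # GPSLongitudeRef
    blob += struct.pack(E + "HHII", 4, 5, 3, lon_off)                      # GPSLongitude
    blob += struct.pack(E + "I", 0)
    blob += struct.pack(E + "IIIIII", 44, 1, 29, 1, 4164, 100)   # 44 deg 29' 41.64"
    blob += struct.pack(E + "IIIIII", 11, 1, 20, 1, 3408, 100)   # 11 deg 20' 34.08"
    return blob

SAMPLE_EXIF_NO_GPS = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HI", 0, 0)  # empty IFD0
```

The byte-order and bounds checks are not decoration: EXIF offsets are attacker-controlled file content, and a viewer that trusts them is the classic image-parser crash. The parser also shows why the slide insists on Google Photos rather than a Drive download: the geotag lives in bytes that any re-encoding or "sharing" export can strip, so the source that preserves the original file is the one worth acquiring.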

Google and Privacy Concerns
- Users can delete data stored in their Google Account
- Google offers various options
- No all-in-one "stop tracking and delete all saved data" switch
- Various trackers must be disabled individually through various Google pages
- Work in progress: tool for disabling Google tracking and clearing collected data

Google Cloud Backups: Conclusion
- Data in Android backups is extremely limited
- Massive amounts of information are synced with the Google Account
- Browsing history, searches and page transitions, comprehensive location history, mail, notes, pictures and much more can be acquired
- Google Takeout: free, limited data, sends a user alert, leaves traces, data in different cumbersome formats, analysis very difficult
- Elcomsoft Cloud Explorer: forensically sound, complete acquisition and analysis

Tools Mentioned in This Presentation
- Elcomsoft Cloud Explorer: cloud acquisition of Google Accounts
- Elcomsoft Mobile Forensic Bundle: contains all of the above tools in PC and Mac versions at a 30% discount
