Elcomsoft Cloud Explorer


License: Common License (Windows)


Supported software

all generations of Apple's iPhone, iPad, iPad Pro and iPod Touch, first generation HomePod; Apple Watch and Apple TV 4 and 4K; all versions of iOS from 3 up to 17

Advantages of the Elcomsoft Cloud Explorer

Wider range of Google Dashboard data

Dashboard is a Google service for storing and managing personal data collected by Google about users. Elcomsoft Cloud Explorer extracts more categories from Google Dashboard, including Maps, Calendars, Disks, Alerts, Analytics, Books, Groups, News, Package Tracking, Payments, Photos, Google Play Music, Google Play, Tasks, Blogger, AdSense, Brand Accounts, FeedBurner and much more.

Google Dashboard contains aggregated statistical data about user activity. This allows the dashboard data to be downloaded very quickly. Downloading and analyzing dashboard data before gathering the entire set of information collected by Google can save time and start the investigation faster.

Google Fit Extraction: Activity and Location Data

Extract health and activity information collected by Google Fit directly from the user's Google account! Google Fit collects important activity data such as number of steps and stairs, heart rate and much more. Most importantly, access massive amounts of location data collected by Google Fit.

Forensic access to Google accounts

Access Google accounts with an all-in-one tool and get all the information! Elcomsoft Cloud EXplorer combs through all the information associated with a Google account, extracts it, displays it and compiles it for download. EXplorer also gets information that is hidden even from the logged-in user. This includes search history, Chrome browser history, Android contacts, Hangout messages, photos from Google Photos and much more.

The information associated with a Google account usually comes from a variety of sources, as a Google account is usually used to access a variety of Google services. Once logged in with your Google account, Elcomsoft Cloud Explorer collects the information, data and files from all sources and presents them in a readable and clear manner.

Data stored by Google from a forensic perspective

IT forensics nowadays is increasingly focusing on the cloud and the data stored in it. Ever since it became common practice to use online services that store personal data in the cloud, investigators have also started to keep an eye on this data. The knowledge gained and the possibility of profiling that this data allows cannot be overestimated.

Online services are also often used by criminals, not least because of their supposed anonymity. Big players with numerous online services such as Google collect extensive and very precise data on their users. However, this flood of data is initially a problem for investigators, as obtaining this data and then filtering it places considerable technical and personnel demands on the authorities.

This is exactly where Elcomsoft Cloud EXplorer comes in. Once logged in, EXplorer automatically extracts all data from all sources and prepares it immediately. Even without any special prior knowledge, this data is immediately available to investigators.

What data is collected

Elcomsoft Cloud EXplorer accesses Google's cloud storage directly online and extracts the following data:

  • General user data and account information
  • Messages (Hangouts)
  • Text messaging (SMS) (Android 8.0 Oreo and later for all smartphones; Android 7 or later for Google Pixel and Pixel XL)
  • Call list
  • Saved WLAN access data (SSID and passwords)
  • Email messages (Gmail) via Gmail API
  • Contacts (including synchronized contacts from mobile devices)
  • Notes (Google Keep)
  • Search history (including clicked search results)
  • All data from Chrome[1] (synchronized bookmarks, form entries, logins and passwords, browser history)
  • Google Fit data: health and activity tracking, steps, stairs and other activities (depending on companion devices), location tracking
  • Media files (e.g. images and videos from Google Photos)
  • Calendar entries
  • Google Dashboard
  • Geoinformation, including routes and locations
  • Files and documents from Google Account

In summary: A complete overview of all the user's activities is extracted. Even if the person in question uses other browsers, the search activities are recorded and assigned to the account as long as the user is logged in to Google.

  1. Some of the data obtained may also be encrypted with a password. If the correct password is entered, Elcomsoft Cloud Explorer can display this data as well.

Passwordless authentication

Password and two-factor authentication are the biggest challenges in cloud data collection. Elcomsoft Cloud Explorer provides passwordless authentication based on the use of binary authentication tokens extracted from the user's computer. Passwordless authentication allows access to the following data categories: Chrome (including browsing history, bookmarks and passwords), Calendar, Dashboards, History, Google Drive and Hangouts.

Passwordless Google Account authentication is available when Google Chrome is installed on the user's computer and the user has signed in to at least one Google service through the browser. The new Google Token Extractor (GTEX) tool automatically scans the user's computer for authentication tokens stored by the Google Chrome browser. Once the user signs in to their Google Account in a browsing session, these tokens allow seamless access to Google services without having to re-enter the password.

Support for two-factor authentication

To gain access to the data collected by Google, the user must log in with a Google ID and associated password. If two-factor authentication has been activated for the account, this additional login information must also be entered.

Thus, Elcomsoft Cloud EXplorer supports two-factor authentication implemented by Google, including six-digit codes generated by the authenticator app or sent as a text message, backup codes, Google Prompt and FIDO keys.

View, filter and search the data obtained

Elcomsoft Cloud eXplorer is not primarily about simply downloading all the data obtained. Rather, it provides investigators with a clear, live representation of all the data found online. Filter and search options help them quickly find the information they need.

The viewer integrated into EXplorer supports the display of all common data formats that are stored in the Google cloud. Quick filters and full-text searches are very straightforward. All types of data can be searched - from contacts to website information.

Forensic access to Gmail

Elcomsoft Cloud EXplorer provides investigators with quick access to Gmail accounts. The tool can download all or just specific email messages from the user's Gmail account, allowing investigators to determine exactly which time period they want to access. Message access is provided through Google's own Gmail API, which allows an unprecedented collection speed of about 3000 emails per minute (depending on message size and connection speed). Selective access to messages at the collection stage and unbeatable collection speed make Elcomsoft Cloud EXplorer one of the fastest Gmail analysis toolkits on the market.

Built-in Gmail analytics provides detailed search and filtering for all downloaded messages, providing valuable insights about them. Users can automatically filter messages that contain media attachments such as images, videos, or documents. Complete message threads are instantly available when investigators search downloaded emails.

Extended mapping support for location data

Originally, location data from Google could be obtained in JSON format. Although this is a standard data format, it actually offers little insight into the places users had visited. A JSON file contains little more information than geo-coordinates with a time stamp. Even if such coordinates are displayed on a map, further verification is still required to determine which places users had actually visited.

Google makes well-founded estimates when it comes to where a user has been. Thanks to big data analyses, Google knows (or at least estimates very well) when someone stays in a hotel, visits a restaurant or goes shopping. This information is also stored in the Google account, provided that the user has activated location history.

Elcomsoft Cloud eXplorer can process locations and routes from Google and correctly identify, extract and process navigation routes and visited places of users (based on Google's points of interest). It significantly improves the readability of location data by outputting a list of places (such as restaurants, shops, etc.) instead of a set of pure location coordinates.

The data collected by Google

One of Google's great strengths is the variety of services it offers. Starting with the search engine alone, over the years many other business areas have been added, including email services, cloud storage, its own web browser and Android. This gives investigators a very comprehensive picture of the person in question. Above all, however, due to the variety of services offered, there is hardly a person who completely evades Google. Google literally stores data on billions of customers.

Google does offer all of its services without logging in. However, there is usually considerable added value for logged-in users, even if it is just that the services can be personalized. Once the user is logged in, Google immediately starts collecting data about online and offline activities. Google does not just collect data blindly, but also analyzes this data. Communication, places visited, favorite literature, search queries, bookmarks and a complete browser history, tickets purchased, selected payment methods, notes and contacts, images and photos and much more data provide a complete picture of the user in question.

But not all data collected by Google is stored centrally in one place. Depending on which service Google uses to collect data, it is stored in different places, accessible via different protocols and in different formats. These stores have only one thing in common: the user can log in to all services with the same access data. This is exactly where Elcomsoft Cloud EXplorer comes in: if these access data are available, EXplorer automatically searches for all types of data in all places and prepares them. Even pure binary data or database queries are extracted and displayed in a readable manner.

Google Fit: Fitness, activities and location tracking

Extract health and activity information collected by Google Fit directly from the user's Google account! Google Fit data contains detailed information about the user's location and physical conditions, including the number of steps, type of activity, heart rate, altitude, and more with external fitness devices. External devices can provide data on the user's blood pressure, altitude, exact step count, and additional location data collected by the GPS sensor built into the smartwatch or tracker to determine the user's location with the highest precision. The Google Fit app itself often retrieves location information from the smartphone by syncing large amounts of location data with the user's Google account, making it a major contributor of location data.

Analyzing the vast amounts of Google Fit data can be invaluable in finding evidence and investigating crimes. The detailed, high-frequency location data collected by Google's fitness app, along with information about the user's physical condition, can provide insight into the user's activities over a specific period of time.

User Notification

Although Google offers its own service, Takeout, which can be used to extract Google data, it has a major flaw, especially for investigators. The user is immediately informed about every query via Google Takeout. In most cases, Elcomsoft Cloud EXplorer works silently. This is because Google cannot recognize which software is requesting the data and for what purpose if the program in question does not communicate this. Passwordless authentication with a binary authentication token does not currently trigger a notification. Nevertheless, in individual cases, after an update or with certain settings, Google may send such an alert when certain data is requested.

Reporting and exporting

A wide range of HTML reports are offered, including User Data, History, Chrome, Dashboard, Media, Locations, Calendar, Notes, Chats, Google Keep and Contacts. HTML reports can be easily printed or viewed in any web browser.