Google Drive Forensics
Ashley Holtz

Google Drive Forensics - SANS Institute · Drive Usage Report Caveats Download events don’t always mean the user clicked download. They could be related to a desktop application


Page 1

Google Drive Forensics
Ashley Holtz

Page 2

Topics

G Suite Admin Console

Manual “Forensics”

Interesting APIs

Cloud Backup Solutions

Page 3

From: https://gsuite.google.com/

Page 4

G Suite Admin Console - Drive Usage

https://gsuiteupdates.googleblog.com/

Page 5

Drive Usage Report Caveats

Download events don’t always mean the user clicked download. They could be related to a desktop application that downloads files automatically. If this is the case, you must conduct disk forensics to determine view and edit activity on-disk.

Based on observation, it seems events are logged at intervals, so there will be multiple events for the same activity. See the previous slide for multiple download events; these do not mean the file was downloaded several times, they are part of the same action. Based on the currently available fields it’s difficult to tell which events are part of a group and which are not.

Events only go back so far.
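One way to work with the interval-logging caveat above, as an added example that is not from the deck: collapse rows for the same user, event and document into one logical action when each row falls within a window of the previous one. The row layout, the 5-minute window and the sample rows are constructed assumptions; the real report fields may differ.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape (timestamp, user, event, doc_id); not real report data.
SAMPLE_EVENTS = [
    ("2017-03-01T12:00:00Z", "alice@example.com", "download", "DOC1"),
    ("2017-03-01T12:00:30Z", "alice@example.com", "download", "DOC1"),
    ("2017-03-01T12:00:45Z", "bob@example.com", "view", "DOC1"),
    ("2017-03-01T12:01:05Z", "alice@example.com", "download", "DOC1"),
    ("2017-03-01T14:00:00Z", "alice@example.com", "download", "DOC1"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def collapse_events(rows, window=timedelta(minutes=5)):
    """Group rows with the same (user, event, doc) whose gap from the previous row in the
    group is <= window. Returns one dict per logical action: first, last and count.
    The window is a heuristic assumption; the report gives no grouping field."""
    rows = sorted(rows, key=lambda r: parse_ts(r[0]))
    open_groups = {}  # (user, event, doc) -> the group currently being extended
    actions = []
    for ts_text, user, event, doc in rows:
        ts = parse_ts(ts_text)
        key = (user, event, doc)
        group = open_groups.get(key)
        if group is not None and ts - group["last"] <= window:
            group["last"] = ts
            group["count"] += 1
            continue
        group = {"user": user, "event": event, "doc": doc,
                 "first": ts, "last": ts, "count": 1}
        open_groups[key] = group
        actions.append(group)
    actions.sort(key=lambda a: a["first"])
    return actions
```

The 14:00 download lands in its own group because it is more than 5 minutes after the previous download; tune the window against what you observe in your own tenant.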

Page 6

G Suite Admin Console - Email Usage

https://gsuiteupdates.googleblog.com/

Page 7

Email Usage Report Caveats

Can’t search or view email contents; this is better for examining headers

Page 8

Manual “Forensics”

Generally you want to answer who “knew” what when:

View logs

Document edits

Download logs

Permission changes

Saving or screenshotting the revision history page can help get you to this goal for individual documents.

Less technical consumers of your report will appreciate the color-coded outlines around changes for each revision.

File > See revision history

Page 9

Page 10

Revision History Difficulties

It would be great to export this thumbnail view on the right panel.

You’d think the “print” icon would do this...

...this is not the case.

But these are SVGs so...

Page 11

Page 12

Printing a Marked Up Revision

Write code that:

Copies rendered HTML with SVGs

Extracts just the thumbnail strip SVG

Resizes “slides”

Saves as PDF

https://github.com/h45h

Page 13

Automating Non-Marked-Up Exports

Known issues since at least November 2014:

https://issuetracker.google.com/issues/36759589.

Page 14

Page 15

Automating Non-Marked-Up Exports: Drive API

Easy Python code

V2 and V3 APIs

V2 is the best for iterating and downloading revisions

Code sample on Github

Must be an editor on the document to fully use API

Page 16

Write code that:

Iterates revisions for a file ID (should be in the URL of the file)

Gets the link for the "application/vnd.openxmlformats-officedocument.wordprocessingml.document" MIME type

Saves to a file named for the revision ID

This is the word-processing doc type; remember that the PDF export seems to be broken and returns the head revision!
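The three steps above carried through in Python, as an added example that is not the deck's GitHub sample: the DOCX export link is picked per revision and the PDF link is skipped because of the caveat. The listing call itself is assumed to be Drive v2's `service.revisions().list(fileId=...).execute()` via google-api-python-client, and the response shape (`items`, `id`, `modifiedDate`, `exportLinks`), the example.invalid URLs and the `fetch` callable are constructed assumptions.

```python
import os
import re

# MIME type named on the slide; Drive v2 lists one export URL per type under exportLinks.
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

# Constructed sample in the shape of a Drive v2 revisions.list response (shape assumed).
SAMPLE_REVISIONS = {"items": [
    {"id": "101", "modifiedDate": "2017-03-01T10:00:00.000Z",
     "exportLinks": {DOCX: "https://example.invalid/export?rev=101&fmt=docx",
                     "application/pdf": "https://example.invalid/export?rev=101&fmt=pdf"}},
    {"id": "105", "modifiedDate": "2017-03-01T11:30:00.000Z",
     "exportLinks": {DOCX: "https://example.invalid/export?rev=105&fmt=docx"}},
    {"id": "106", "modifiedDate": "2017-03-01T12:00:00.000Z"},  # no exportLinks at all
]}


def file_id_from_url(url):
    """Pull the file ID out of a Docs URL such as .../document/d/<ID>/edit."""
    m = re.search(r"/d/([A-Za-z0-9_-]+)", url)
    if not m:
        raise ValueError("no file ID found in URL")
    return m.group(1)


def docx_links(revisions_json):
    """[(revision_id, modifiedDate, url)] for revisions that carry a DOCX export link.
    The PDF link is ignored on purpose: the slide notes it returns the head revision."""
    out = []
    for rev in revisions_json.get("items", []):
        url = rev.get("exportLinks", {}).get(DOCX)
        if url:
            out.append((rev["id"], rev.get("modifiedDate", ""), url))
    return out


def export_revisions(revisions_json, fetch):
    """Map '<revision_id>.docx' -> bytes. fetch(url) -> bytes is injected (assumed) so it
    can be an authorized HTTP request in production or a stub when testing."""
    return {f"{rid}.docx": fetch(url) for rid, _when, url in docx_links(revisions_json)}


def write_files(exported, out_dir):
    """Write the export_revisions() mapping to disk, one file named for each revision ID."""
    paths = []
    for name, data in exported.items():
        paths.append(os.path.join(out_dir, name))
        with open(paths[-1], "wb") as fh:
            fh.write(data)
    return paths
```

In production `fetch` must send the same OAuth credentials used for the listing call, and the account needs editor access to the document, as the previous slide notes.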

Page 17

Drive API JSON Structure

Page 18

Interacting with the Apps Activity API Code Snippet

Sample auth code: https://developers.google.com/google-apps/activity/v1/quickstart/python

Page 19

Apps Activity API Permission Change Events

Page 20

Apps Activity API Edit Events JSON Structure

Page 21

Cloud Backup Solutions

Good to ask if customers have a backup or DLP solution.

Removes the need to be a collaborator on documents - more stealthy.

Limits visibility into IR activities.

Nicely-formatted historical versions ready for export; some solutions have an API.

I see Syscloud, Google Vault, etc. frequently.

Page 22

Forensic Uses

Because of the 180-day or less limit on the G Suite reports, backup solutions can provide more metadata and revisions at different intervals (not necessarily more frequent, and may not track editors).

Some solutions let you search historical versions of documents, some let you search only the most recent version.

Pictured: Syscloud https://www.syscloud.com/security-compliance-g-suite/?anti-ransomware

Page 23

Questions?

Art by Jeff Geiger