Description
Windows: $1995
macOS: $1995
New features
Extended Google Dashboard Data
Dashboard is a Google service for storing and managing personal data
collected by Google Inc. about its users. Elcomsoft Cloud Explorer
extracts the largest number of Dashboard categories including Maps,
Calendar, Disk, Alerts, Analytics, Books, Groups, News, Package
tracking, Payments, Photos, Google Play Music, Google Play, Tasks,
Blogger, AdSense, Brand Accounts, FeedBurner, Search, Keep and many
more.
Google Dashboard contains aggregated statistical data on the user’s
activities. As a result, Dashboard data can be downloaded very quickly,
literally in a matter of seconds. Downloading and analyzing Dashboard
data prior to acquiring the entire set of Google-collected information
allows saving time and starting the investigation faster.
Google Fit Extraction: Activity and Location Data
Extract health and activity information collected by Google Fit
directly from the user’s Google Account! Google Fit collects essential
activity data such as the number of steps walked and stairs climbed,
heart rate, and a lot more. Most importantly, access massive amounts of
location data collected by Google Fit.
Forensic Acquisition of Google Accounts
Acquire information from users’ Google Account with a simple
all-in-one tool! Elcomsoft Cloud Explorer makes it easier to download,
view and analyze information collected by the search giant, providing
convenient access to users’ search and browsing history, page
transitions, contacts, Google Keep notes, Hangouts messages, as well as
images stored in the user’s Google Photos account.
Google collects massive amounts of information from registered
customers. Elcomsoft Cloud Explorer extracts information from the many
available sources, parses and assembles the data, presenting information
in human-readable form.
Google Data in Digital Forensics
Cloud forensics is an emerging area for forensic experts and IT
security officers. The amount of data generated by consumers using the
many online services is hard to overestimate. This data can become
extremely valuable for an investigation of criminal cases and security
breaches of IT infrastructure.
Online services are increasingly used by consumers, including those
of a criminal kind. Cloud service providers such as Google retain
astonishing amounts of data that literally follow their users’ every
step. Acquiring this evidence from cloud storage services can be a
challenge. Viewing, discovering and analyzing the data may present yet
another challenge if the investigator lacks tools and knowledge.
Elcomsoft Cloud Explorer was designed specifically to address those
limitations. Requiring no special expertise and no prior training,
Elcomsoft Cloud Explorer falls into the category of all-in-one tools
offering one-click downloading and easy viewing of information. The tool
comes with everything you need to investigate information that Google
has about a suspect.
What Is Extracted
Elcomsoft Cloud Explorer offers over-the-air acquisition for a wide range of Google services including all of the following:
- User Profile and other info
- Messages (Google Hangouts)
- Text messages (SMS) (Android 8.0 Oreo and newer for all smartphones; Android 7 or newer for Google Pixel and Pixel XL)
- Call logs
- Saved Wi-Fi credentials (SSID and passwords)
- Email messages (Gmail) via Gmail API
- Contacts (including synced contacts from mobile devices)
- Notes (Google Keep)
- Search History (including Web sites visited after firing up the search)
- Google Chrome data[1] (synced bookmarks, Web forms, logins and passwords, page transitions)
- Google Fit data: health and activity tracking, steps, stairs climbed
and other activities (depending on companion devices), location
tracking
- Media (images and videos from Google Photos) for specified period
- Calendars
- Dashboard
- Location history including enhanced mapping data (Routes and Places)
- Files and documents from Google Account
In other words, what you get is a comprehensive snapshot of user
activities in Google services including searches made in non-Google
browsers while the user was logged in to their Google Account.
[1] Some parts of this data may be encrypted with an additional password.
Elcomsoft Cloud Explorer can decrypt information if the correct
password is supplied.
All Features and Benefits
The password and two-factor authentication
are the biggest challenges in cloud extraction. Elcomsoft Cloud
Explorer offers passwordless authentication based on using binary
authentication tokens extracted from the user’s computer. Passwordless
authentication enables access to the following data categories: Chrome
(including browsing history, bookmarks and passwords), Calendars,
Dashboards, History, Google Drive, and Hangouts.
Passwordless authentication into Google Account is available if
Google Chrome is installed on the user’s computer, and the user signed
in to at least one Google service via the browser. The new Google Token
Extractor (GTEX) tool automatically searches the user’s computer for
authentication tokens saved by the Google Chrome browser. Once the user
signs in to their Google Account in a browser session, these tokens
enable seamless access to Google services without the need to re-enter
the password.
In order to access someone’s data,
investigators must supply the correct Google ID and password. Since many
users protect access to their accounts with two-step authentication,
access to the secondary authentication factor is required if two-step
authentication is enabled.
Elcomsoft Cloud Explorer supports most two-factor authentication
methods implemented by Google, including 6-digit codes generated by the
Authenticator app or delivered as text messages to a trusted phone
number; printable backup codes, Google Prompt and FIDO Key
authentication.
Elcomsoft Cloud Explorer is not just about
downloading information. It’s an all-in-one forensic tool for viewing
and analyzing information obtained from the user’s Google Account.
The built-in viewer supports the most popular data formats used in
the Google Account, parsing and displaying them automatically. The
viewer includes instant filtering and quick search functionality.
Finding a certain contact, message or Web site authentication
credentials is easy: you just need to type part of the word you are
looking for into the search box.
Elcomsoft Cloud Explorer offers fast
offline access to Gmail communication history. The tool can download all
or some email messages from the user’s Gmail account, allowing
investigators to specify the exact period to acquire. Access to messages
is implemented via Google’s proprietary Gmail API, which makes it
possible to achieve acquisition speed of about 3000 email messages per
minute (subject to message size and connection speed). Selective access
to messages during the acquisition stage and unbeatable acquisition
speed make Elcomsoft Cloud Explorer one of the fastest Gmail analytic
toolkits on the market.
The built-in Gmail analyzer offers detailed searching and filtering
through all downloaded messages, and provides valuable insight about
downloaded messages. Users can automatically filter messages that
contain media attachments such as pictures, videos or documents.
Complete message threads are instantly available as investigators search
or browse through downloaded mail.
Traditionally, location data could be
obtained from Google in JSON format. While this is an industry-standard
open data format, it provides little insight on which places the user
actually visits. A JSON file hardly contains anything more than timestamped
geographic coordinates. Even if those coordinates are pinned to a map,
one still has to scrutinize the history to find out which places the
user has actually gone to.
Google makes educated guesses about which places the user has visited.
Based on big data analysis, Google knows (or makes a very good guess)
when someone stays at a hotel, visits a restaurant or goes shopping.
This information is also stored in the Google Account – at least if one
has Location History turned on.
Elcomsoft Cloud Explorer can process Google’s Places and Routes, and
can correctly identify, extract and process user’s navigation routes and
places they visited (based on Google’s POI). This significantly
improves readability of location data, providing a list of places (such
as restaurants, landmarks or shops) instead of plain numbers
representing geolocation coordinates.
Google offers consumers a diverse range of
services ranging from world’s most popular search engine to free email,
free cloud storage and free Web browser with automatic sync across
devices among other things. Google services run on a large number of
desktop and mobile devices with literally billions of users.
All Google services can be personalized by registering for a Google
Account. Once the user registers an account, Google starts aggregating
information about the user’s online and offline activities. The system
processes and analyzes communications, recommends places to visit and
things to read. Comprehensive location history, Google searches ever
fired on all stationary and mobile devices, Chrome bookmarks, passwords
and browsing history, page transitions, travel data including air
tickets, hotel stays and car rentals (even if not booked through Google
itself), notes, pictures, contacts and a lot more data can be collected
and stored by Google.
The various bits and pieces of data are kept in various places across
Google servers. They are accessible via vastly different protocols,
sharing one thing: they all require authentication via Google Account.
While it is possible to download certain bits of information from
Google, the data is offered in various formats (some of them binary)
that can be difficult to view and hard to analyze in one place.
Elcomsoft Cloud Explorer removes the hassle, not only downloading more
data than provided by Google but offering the ability to view and
analyze information without leaving the tool.
Extract health and activity information
collected by Google Fit directly from the user’s Google Account! Google
Fit data contains detailed information about the user’s location and
physical conditions including the number of steps, types of activity,
heart rate, elevation, and a lot more with external fitness devices.
External devices may provide data on the user’s blood pressure,
elevation, precise step count, and additional location data collected
from the GPS sensor built into the smartwatch or tracker, the latter
making it possible to pinpoint the user’s location with ultimate precision and
granularity. The Google Fit app itself frequently obtains location
information from the smartphone, synchronizing massive amounts of
location data to the user’s Google Account and becoming a major
contributor of location data.
Analyzing the massive amounts of Google Fit data can become
invaluable help when searching for evidence and investigating crime. The
detailed, high-frequency location data collected by Google’s fitness
app accompanied with information about the user’s physical condition can
shed light on the user’s activities in a given timeframe.
Elcomsoft Cloud Explorer is a more
forensically sound method of extracting Google data compared to Google’s
own service, Google Takeout. In most cases, extracting information
using Elcomsoft Cloud Explorer does not trigger a user alert message and
does not leave traces in the user’s Google account.
However, when certain types of data are accessed, the user might still
receive a notification from Google alerting them to a login from a new
system, new browser or new IP address.
While predicting whether a notification alert will be triggered is
generally not possible, using passwordless authentication with a binary
authentication token currently does not trigger a notification.
A wide range of HTML reports are
available, including User Info, History, Chrome, Dashboard, Media,
Locations, Calendars, Notes, Chats, Google Keep, and Contacts. HTML
reports can be easily printed or viewed in any Web browser. In addition,
data can be exported into an Excel-compatible XLSX file for further
processing and analysis.
System requirements
Windows
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Apple macOS
- macOS 10.12
- macOS 10.13
- macOS 10.14
- macOS 10.15
- About 90 MB of free space on hard disk
- Google account email and password
Trial limitations
The trial version shows only the last 10 records in Chats and Notes, does
not show the passwords saved in Google Chrome, and does not allow exporting
photos and location data.
Release notes
Elcomsoft Cloud eXplorer v.2.31.36554
5 May, 2020
- added support for new Dashboard data: a lot of stats in new categories (connected apps, device activity and more)
- fixed authentication token extraction on Windows: from new Google Chrome and Google “Backup & Sync”
- fixed the problem with media files downloading (Google Photos)
- fixed the problem with data export
- a lot of small fixes and improvements
Uninstallation procedure: in order to uninstall the product, follow the
standard procedure via Control Panel – Programs and features or use the
corresponding Uninstall link from the product’s folder in the Windows
Start menu.