Google Drive Forensics - SANS Institute
Ashley Holtz
Topics
G Suite Admin Console
Manual “Forensics”
Interesting APIs
Cloud Backup Solutions
From: https://gsuite.google.com/
G Suite Admin Console - Drive Usage
https://gsuiteupdates.googleblog.com/
Drive Usage Report Caveats
Download events don’t always mean the user clicked download. They could be related to a desktop application that downloads files automatically.
If this is the case, you must conduct disk forensics to determine view and edit activity on-disk.
Based on observation, it seems events are logged at intervals, so there will be multiple events for the same activity.
See previous slide for multiple download events; these do not mean the file was downloaded several times - they are part of the same action.
Based on the currently available fields it’s difficult to tell which events are part of a group and which are not.
Events only go back so far.
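One way to make that grouping visible in a report, as an added example that is not from the talk: collapse repeated events of the same user, document and type that fall within a tunable window into one action, and print how many raw events each action absorbed. The five-minute window, the field names and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a Drive usage export (not data from
# the talk): one click produced three "download" events seconds apart, and the
# same user downloaded again hours later as a genuinely separate action.
SAMPLE_EVENTS = [
    {"time": "2017-03-01T10:00:00Z", "user": "alice@example.com", "doc": "DOC1", "event": "download"},
    {"time": "2017-03-01T10:00:07Z", "user": "alice@example.com", "doc": "DOC1", "event": "download"},
    {"time": "2017-03-01T10:00:15Z", "user": "alice@example.com", "doc": "DOC1", "event": "download"},
    {"time": "2017-03-01T10:00:03Z", "user": "bob@example.com", "doc": "DOC1", "event": "view"},
    {"time": "2017-03-01T12:30:00Z", "user": "alice@example.com", "doc": "DOC1", "event": "download"},
]


def parse_ts(ts):
    """Timestamps in the export are ISO-8601 UTC with a trailing Z (assumed)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def collapse_events(events, window=timedelta(minutes=5)):
    """Collapse same-user/same-doc/same-type events that follow each other
    within `window` into one action. The window is a tuning assumption: the
    report itself carries no field that links the repeats together."""
    actions = []
    open_action = {}  # (user, doc, event) -> the action still accepting events
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        key = (ev["user"], ev["doc"], ev["event"])
        t = parse_ts(ev["time"])
        act = open_action.get(key)
        if act is not None and t - act["last"] <= window:
            act["last"] = t
            act["count"] += 1
            continue
        act = {"user": ev["user"], "doc": ev["doc"], "event": ev["event"],
               "first": t, "last": t, "count": 1}
        open_action[key] = act
        actions.append(act)
    return actions


def describe(action):
    """One reporting line per collapsed action; the raw-event count lets the
    reader judge whether the grouping was reasonable."""
    span = "%s..%s" % (action["first"].isoformat(), action["last"].isoformat())
    return "%s %s %s (%d raw events, %s)" % (
        action["user"], action["event"], action["doc"], action["count"], span)
```

Run `collapse_events` with a wider window to see the two alice downloads merge, which is the failure mode to watch for when tuning.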
G Suite Admin Console - Email Usage
https://gsuiteupdates.googleblog.com/
Email Usage Report Caveats
Can’t search or view email contents; this is better for examining headers
Manual “Forensics”
Generally you want to answer who “knew” what when
View logs
Document edits
Download logs
Permission changes
Saving or screenshotting the revision history page can help get you to this goal for individual documents
Less technical consumers of your report will appreciate the color-coded outlines around changes for each revision
File > See revision history
Revision History Difficulties
It would be great to export this thumbnail view on the right panel.
You’d think the “print” icon would do this...
...this is not the case.
But these are SVGs so...
Printing a Marked Up Revision
Write code that:
Copies rendered HTML with SVGs
Extracts just the thumbnail strip SVG
Resizes “slides”
Saves as PDF
https://github.com/h45h
Automating Non-Marked-Up Exports
Known issues since at least November 2014: https://issuetracker.google.com/issues/36759589
Automating Non-Marked-Up Exports: Drive API
Easy Python code
V2 and V3 APIs
V2 is the best for iterating and downloading revisions
Code sample on Github
Must be an editor on the document to fully use API
Write code that:
Iterates revisions for a file ID (should be in the URL of file)
Gets the link to the "application/vnd.openxmlformats-officedocument.wordprocessingml.document" mime type
Saves to a file named for revision ID
This is a word processing doc type; remember that the PDF export seems to be broken and returns the head revision!
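The revision walker those steps describe, written here as an added example (it is not the GitHub sample the talk refers to). It assumes the Drive API v2 revisions.list response shape (items, nextPageToken, and an exportLinks map per revision), keeps the authorised HTTP call as a parameter so the selection logic runs offline, and deliberately picks the docx link rather than the PDF one; SAMPLE_PAGES is constructed data.

```python
import os
import re

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

# Constructed stand-in for two pages of a v2 revisions.list response (not a
# real capture): native Docs items carry exportLinks keyed by MIME type.
SAMPLE_PAGES = {
    None: {"nextPageToken": "page2", "items": [
        {"id": "1001", "exportLinks": {
            DOCX: "https://example.invalid/export?rev=1001&fmt=docx",
            "application/pdf": "https://example.invalid/export?rev=1001&fmt=pdf"}},
        {"id": "1002", "exportLinks": {
            DOCX: "https://example.invalid/export?rev=1002&fmt=docx"}}]},
    "page2": {"items": [{"id": "1003"}]},  # e.g. a blob upload: no exportLinks
}

def list_revisions(fetch_page):
    """Walk every page; fetch_page(token) wraps service.revisions().list(fileId=..., pageToken=token).execute()."""
    token = None
    while True:
        page = fetch_page(token)
        for item in page.get("items", []):
            yield item
        token = page.get("nextPageToken")
        if not token:
            return

def docx_export_targets(revisions):
    """Map revision id -> docx export URL. The docx link is chosen because, per
    the talk, the PDF export hands back the head revision regardless of which
    revision was requested. Revisions with no docx link are skipped."""
    return {rev["id"]: rev["exportLinks"][DOCX]
            for rev in revisions if DOCX in rev.get("exportLinks", {})}

def export_all(fetch_page, fetch_bytes, out_dir):
    """fetch_bytes(url) -> bytes must send the OAuth credential (for example an
    AuthorizedSession.get(url).content); the account needs editor access."""
    written = []
    for rev_id, url in docx_export_targets(list_revisions(fetch_page)).items():
        name = "revision_%s.docx" % re.sub(r"[^A-Za-z0-9_-]", "_", rev_id)  # filesystem-safe id
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(fetch_bytes(url))
        written.append(path)
    return written
```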
Drive API JSON Structure
Interacting with the Apps Activity API Code Snippet
Sample auth code: https://developers.google.com/google-apps/activity/v1/quickstart/python
Apps Activity API Permission Change Events
Apps Activity API Edit Events JSON Structure
Cloud Backup Solutions
Good to ask if customers have a backup or DLP solution.
Removes the need to be a collaborator on documents - more stealthy.
Limits visibility into IR activities.
Nicely-formatted historical versions ready for export; some solutions have an API.
I see Syscloud, Google Vault, etc. frequently.
Forensic Uses
Because of the 180-day or less limit on the G Suite reports, backup solutions can provide more metadata and revisions at different intervals (not necessarily more frequent, and may not track editors).
Some solutions let you search historical versions of documents, some let you search only the most recent version.
Pictured: Syscloud https://www.syscloud.com/security-compliance-g-suite/?anti-ransomware
Questions?
Art by Jeff Geiger