Password Recovery, System Security & Forensic Software


Elcomsoft Cloud eXplorer

Forensic Acquisition of Google Accounts

Acquire information from users’ Google Account with a simple all-in-one tool! Elcomsoft Cloud Explorer makes it easier to download, view and analyze information collected by the search giant, providing convenient access to users’ search and browsing history, page transitions, contacts, Google Keep notes, Hangouts messages, as well as images stored in the user’s Google Photos account.

Google collects massive amounts of information from registered customers. Elcomsoft Cloud Explorer extracts information from the many available sources, parses and assembles the data, presenting information in human-readable form.

Features and Benefits

  • Downloads all major data categories including calendars, notes, comprehensive location history, Dashboard, text messages (from supported devices) and a lot more
  • Extracts Chrome passwords and synced data including bookmarks, browsing history, Web forms, and page transitions
  • Extracts health and activity data and massive amounts of location points from Google Fit
  • Offers passwordless authentication with binary authentication tokens
  • Includes tool to search and extract authentication tokens from the user's computer
  • Obtains SMS text messages* and call logs from Android backups
  • Downloads photos and videos from Google Photos
  • Extracts enhanced location and POI-based mapping data, routes and places
  • Access to email messages via native Gmail API
  • Supports two-factor authentication and token-based cache of authentication credentials
  • Convenient viewer and browser with searching and filtering
  • Powerful HTML reporting and XLSX exporting
  • Ultra-fast operation
  • Offered as Windows and Mac editions

Note * SMS access is available for smartphones running Android 8.0 Oreo or newer

Google Data in Digital Forensics

Cloud forensics is an emerging area to forensic experts and IT security officers. The amount of data generated by consumers using the many online services is hard to underestimate. This data can become extremely valuable for an investigation of criminal cases and security breaches of IT infrastructure.

Online services are increasingly used by consumers, including those of a criminal kind. Cloud service providers such as Google retain astonishing amounts of data that literally follow their users’ every step. Acquiring this evidence from cloud storage services can be a challenge. Viewing, discovering and analyzing the data may present yet another challenge if the investigator lacks tools and knowledge.

Elcomsoft Cloud Explorer was designed specifically to address those limitations. Requiring no special expertise and no prior training, Elcomsoft Cloud Explorer falls into the category of all-in-one tools offering one-click downloading and easy viewing of information. The tool comes with everything you need to investigate information that Google has about a suspect.

What Is Extracted

Elcomsoft Cloud Explorer offers over-the-air acquisition for a wide range of Google services including all of the following:

  • User Profile and other info
  • Messages (Google Hangouts)
  • Text messages (SMS) (Android 8.0 Oreo and newer for all smartphones; Android 7 or newer for Google Pixel and Pixel XL)
  • Call logs
  • Saved Wi-Fi credentials (SSID and passwords)
  • Email messages (Gmail) via Gmail API
  • Contacts (including synced contacts from mobile devices)
  • Notes (Google Keep)
  • Search History (including Web sites visited after firing up the search)
  • Google Chrome data[1] (synced bookmarks, Web forms, logins and passwords, page transitions)
  • Google Fit data: health and activity tracking, steps, stairs climbed and other activities (depending on companion devices), location tracking
  • Media (images and videos from Google Photos) for specified period
  • Calendars
  • Dashboard
  • Location history including enhanced mapping data (Routes and Places)
  • Files and documents from Google Account

In other words, what you get is a comprehensive snapshot of user activities in Google services including searches made in non-Google browsers while the user was logged in to their Google Account.

Passwordless Authentication

The password and two-factor authentication are the biggest challenges in cloud extraction. Elcomsoft Cloud Explorer offers passwordless authentication based on using binary authentication tokens extracted from the user's computer. Passwordless authentication enables access to the following data categories: Chrome (including browsing history, bookmarks and passwords), Calendars, Dashboards, History, Google Drive, and Hangouts.

Passwordless authentication into Google Account is available if Google Chrome is installed on the user’s computer, and the user signed in to at least one Google service via the browser. The new Google Token Extractor (GTEX) tool automatically searches the user’s computer for authentication tokens saved by the Google Chrome browser. Once the user signs in to their Google Account in a browser session, these tokens enable seamless access to Google services without the need to re-enter the password.

Two-Factor Authentication Support

In order to access someone’s data, investigators must supply the correct Google ID and password. Since many users protect access to their accounts with two-step authentication, access to the secondary authentication factor is required if two-step authentication is enabled.

Elcomsoft Cloud Explorer supports most two-factor authentication methods implemented by Google, including 6-digit codes generated by the Authenticator app or delivered as text messages to a trusted phone number; printable backup codes, Google Prompt and FIDO Key authentication.

Viewing, Searching and Analyzing the Data

Elcomsoft Cloud Explorer is not just about downloading information. It’s an all-in-one forensic tool allowing to view and analyze information obtained from the user’s Google Account.

The built-in viewer supports the most popular data formats used in the Google Account, parsing and displaying them automatically. The viewer includes instant filtering and quick search functionality. Finding a certain contact, message or Web site authentication credentials is easy: you just need to type part of the word you are looking for into the search box.

Forensic Gmail Acquisition

Elcomsoft Cloud Explorer offers fast offline access to Gmail communication history. The tool can download all or some email messages from the user’s Gmail account, allowing investigators specifying the exact period to acquire. Access to messages is implemented via Google’s proprietary Gmail API, which makes it possible to achieve acquisition speed of about 3000 email messages per minute (subject to message size and connection speed). Selective access to messages during the acquisition stage and unbeatable acquisition speed make Elcomsoft Cloud Explorer one of the fastest Gmail analytic toolkits on the market.

The built-in Gmail analyzer offers detailed searching and filtering through all downloaded messages, and provides valuable insight about downloaded messages. Users can automatically filter messages that contain media attachments such as pictures, videos or documents. Complete message threads are instantly available as investigators search or browse through downloaded mail.

Enhanced Mapping Support for Location Data

Traditionally, location data could be obtained from Google in JSON format. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A JSON file hardly gets anything more than timestamped geographic coordinates. Even if those coordinates are pinned to a map, one still has to scrutinize the history to find out which places the user has actually gone to.

Google makes educated guesses on which places the users paid a visit. Based on big data analysis, Google knows (or makes a very good guess) when someone stays at a hotel, visits a restaurant or goes shopping. This information is also stored in the Google Account – at least if one has Location History turned on.

Elcomsoft Cloud Explorer can process Google’s Places and Routes, and can correctly identify, extract and process user’s navigation routes and places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates.

Information Collected by Google

Google offers consumers a diverse range of services ranging from world’s most popular search engine to free email, free cloud storage and free Web browser with automatic sync across devices among other things. Google services run on a large number of desktop and mobile devices with literally billions of users.

All Google services can be personalized by registering for a Google Account. Once the user registers an account, Google starts aggregating information about the user’s online and offline activities. The system processes and analyzes communications, recommends places to visit and things to read. Comprehensive location history, Google searches ever fired on all stationary and mobile devices, Chrome bookmarks, passwords and browsing history, page transitions, travel data including air tickets, hotel stays and car rentals (even if not booked through Google itself), notes, pictures, contacts and a lot more data can be collected and stored by Google.

The various bits and pieces of data are kept in various places across Google servers. They are accessible via vastly different protocols, sharing one thing: they all require authentication via Google Account. While it is possible to download certain bits of information from Google, the data is offered in various formats (some of them binary) that can be difficult to view and hard to analyze in one place. Elcomsoft Cloud Explorer removes the hassle, not only downloading more data than provided by Google but offering the ability to view and analyze information without leaving the tool.

Google Fit: Fitness, Activities and Location Tracking

Extract health and activity information collected by Google Fit directly from the user’s Google Account! Google Fit data contains detailed information about the user’s location and physical conditions including the number of steps, types of activity, heart rate, elevation, and a lot more with external fitness devices. External devices may provide data on the user's blood pressure, elevation, precise step count, and additional location data collected from the GPS sensor built into the smartwatch or tracker, the latter allowing to pinpoint the user’s location with ultimate precision and granularity. The Google Fit app itself frequently obtains location information from the smartphone, synchronizing massive amounts of location data to the user’s Google Account and becoming a major contributor of location data.

Analyzing the massive amounts of Google Fit data can become invaluable help when searching for evidence and investigating crime. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can shed light on the user’s activities in a given timeframe.

User Notification

Elcomsoft Cloud Explorer is a more forensically sound method of extracting Google data compared to Google’s own service, Google Takeout. In most cases, extracting information using Elcomsoft Cloud Explorer does not trigger a user alert message and does not leave traces in the user’s Google account.

However, when accessing certain types of data, the user might still receive a notification from Google alerting about a new system, new browser or new IP address login.

While predicting whether a notification alert will be triggered is generally not possible, using passwordless authentication with a binary authentication token currently does not trigger a notification.

Reporting and Exporting

A wide range of HTML reports are available, including User Infо, History, Chrome, Dashboard, Media, Locations, Calendars, Notes, Chats, Google Keep, and Contacts. HTML reports can be easily printed or viewed in any Web browser. In addition, data can be exported into an Excel-compatible XLSX file for further processing and analysis.

  1. Some parts of this data may be encrypted with an additional password. Elcomsoft Cloud Explorer can decrypt information if the correct password is supplied.