Evidence gathering from Internet services

In November 2014 we published the Evidence Gathering in Windowswhose target audience was professionals in the IT sector: IT support technicians, system administrators, network administrators, malware analysts, etc, who despite usually having good computer skills are not familiar with the digital forensic analysis process. The document was intended as a practical guide to the steps to take if an incident occurred, with the aim of gathering the necessary evidence in order to subsequently carry out an analysis which would lead to a solution to the incident itself.

The guide uses RFC 32271 "Guidelines for Evidence Collection and Archiving" as a basis and focuses on local evidence gathering. However, certain incidents require a different sort of evidence to be obtained, mainly related to online services such as social networks, cloud storage services, messaging services, etc. This topic, in some cases, is also directly related to "Open Source Intelligence" (OSINT) and the process of Information Gathering. However, in this case we are focussing on gathering evidence to resolve an incident.

Therefore, this article includes a series of guidelines that may be of use in gathering evidence on different Internet services, if it becomes necessary to do so. It is important to bear in mind that the information we are referring to is accessible when you have physical access to the device, but there could be additional information that is of interest on the server side that evidently cannot be accessed. If it is needed, it has to be requested through the official channels and therefore the requirements the service has established will have to be met, such as putting it in writing, developing a court order, etc.

Information on Google services

Google has more than a billion users and offers a multitude of online services covering a large number of topics, from the search engine itself to Google Earth, Google Play, YouTube, etc. This is why it merits its own section.

As a vital part of their business model, and in an effort to improve users' experience, they gather a host of information which is useful in a good deal of security-related incidents.

Some examples are given below:

Account settings
To view your account settings, follow this link, please: https://myaccount.google.com. You can access useful information on this page, such as: the devices that the account has been accessed from in the last 28 days as well as those currently connected, associated mobile devices, a contact list, etc. You can also export a large quantity of information on the Google services the account holder uses, from the following link: https://www.google.com/settings/takeout?pli=1.

As you can see, the information collected includes files stored in Google Drive, photos uploaded to Google Photos, all the emails in Gmail, etc. Consequently, you should bear in mind that the process can take quite a bit of time, but depending on the type of incident, it can be very useful indeed.
Google Dashboard
This enables you to access similar information to what was mentioned in the previous section, together with the contact list, location history, applications installed on a mobile device associated with the account, the permissions certain applications have for the account, etc. You can access this via the following link: https://www.google.com/settings/dashboard.
Account history
This includes, among other things, the user's search history, places visited, videos searched for or watched on YouTube, etc. and it can be accessed at the following link: https://www.google.com/settings/accounthistory.

Social networks (Facebook, Twitter, etc.)

Social networks

Social networks are one of the most frequently used online services. Due to that trait so inherent to the human condition, the need to socialise, they tend to be used to a greater or lesser extent, sometimes responsibly and sometimes not so responsibly. This is why the information stored in them may be of interest.

To acquire said information, you can use the export tools that are built into certain social networks - if you have access to them, as mentioned in this article's section on the current situation. Alternatively, you can use tools especially designed for the purpose. The OSINT - La información es poder(OSINT - Information is power) article mentions various such tools like Creepy, OSINTStalker, Tinfoleak, etc.

Twitter is a service with over 255 million active users, through which more than 200 billion tweets are posted each year. If you are able to log in to the account, you can access account information at the following link: https://analytics.twitter.com or at https://twitter.com/settings/account and then clicking «Request your archive».

If you do not have access to the account, you can use Twitter's public API. This tool enables you to obtain a large quantity of additional information, as you can see in its documentation, which could be of interest.

By way of example, we have included the following code, from which the last 1,400 tweets posted from an account can be obtained, together with the number of times they have been favourites or retweeted.

To simplify the process, you can use one of the tools like Tinfoleak, but even though it is quite comprehensive, you may need to extract certain information that is not included in the tool and you may need to use the API.

Facebook
Facebook is the most frequently used social network, with over 1.2 billion users, which is what makes it a good source of information. If you have access to the account, you can export all the information from the social network using the following link: https://www.facebook.com/settings?tab=account and selecting the «Download a copy of your Facebook data» option. This copy includes a whole host of account information, such as:
- The user's log-in history, including the date, time, device, IP address and information about the browser and the device's cookies.
- A list of the IP addresses the account has been logged into from.
- Email addresses that have been added to the account (including those that have been deleted).
- The user's Facebook chat conversation history.
- People that have been deleted from the user's friend list.
If you don't have access to the account, you can use one of the aforementioned tools, like OSINTStalker for example.
Twitter

Cloud services (Dropbox, Mega, OneDrive, etc.)

Cloud services

The advantage of cloud services is that they enable information to be accessed from any location from multiple devices. They can be a worthwhile source of information and, consequently, acquiring and analysing them may be useful for certain types of incident. As opposed to social networks, where a large quantity of account information is public and accessible, here you need the appropriate credentials to access it.

Dropbox
If you follow this link: https://www.dropbox.com/account/security, you can view your log-in history and the devices and applications that are linked to your account.
Mega
Via this link, https://mega.io/#fm/account/history, you can see your log-in, purchase and transaction history.
OneDrive
The following page, https://account.microsoft.com/devices?lang=es-es, shows the devices linked to your account and by clicking the link https://account.live.com/Activity?mkt=es-ES you can see your recent activity: the IP address you logged in from, the device / platform used and the date / time you logged in.

Messaging services (Gmail, Outlook, Yahoo, etc.)

Messaging services

Gmail
You can export all the information from your Gmail account (emails, contacts, etc.) by taking the steps set out in the Information on Google services section.
Outlook
You can view your recent account activity using the same process as with OneDrive via the following link: https://account.live.com/Activity?mkt=es-ES. To see your security settings and thus certain relevant aspects such as trusted devices and whether two-step authentication is activated, click the following link: https://account.live.com/proofs/Manage?mkt=es-ES.

You can also export an account's contacts by clicking this link: https://people.live.com/?success=true and selecting "Advanced" and then «Export».
Yahoo
You can view your recent account activity via the following link: https://login.yahoo.com/account/activity.

Tags:

OSINT

Last Posts

ICS’S future is in the space

Posted on 03/20/2023, by INCIBE

There are areas where the deployment of an industrial plant requires satellite communications such as those provided by VSAT (Very-Small-Aperture Terminal) technology. This technology allows the...
Virtual Power Plants: ‘The Internet of Energy’

Posted on 03/16/2023, by INCIBE

Energy efficiency alternatives are nowadays on everyone’s lips given the energy crisis that is plaguing the vast majority of European regions. In Spain, the energetic companies are following...
Tactics and techniques of the bad guys in SCI

Posted on 03/07/2023, by INCIBE

Industrial Control Systems (ICS) were initially designed to work in sealed environments and as stand-alone systems, interconnections between systems were scarce, as were safety protections. The...
System hardening: the case of Linux

Posted on 03/02/2023, by INCIBE

Knowing the resources available when performing tasks of hardening a system, will allow us to optimize the time necessary to obtain a safer system. In addition, we have the possibility of using tools...
The importance of radio frequencies in industry

Posted on 02/23/2023, by INCIBE

In industrial environments there are a multitude of technologies, manufacturers, communications, etc. This article will reflect a small part of the protocols that use radio frequency (RF)...

Corporate access

Evidence gathering from Internet services

Information on Google services

Social networks (Facebook, Twitter, etc.)

Cloud services (Dropbox, Mega, OneDrive, etc.)

Messaging services (Gmail, Outlook, Yahoo, etc.)

ICS’S future is in the space

Virtual Power Plants: ‘The Internet of Energy’

Tactics and techniques of the bad guys in SCI

System hardening: the case of Linux

The importance of radio frequencies in industry