Home / Blog / Evidence gathering from Internet services

Evidence gathering from Internet services

Posted on 06/23/2015, by Asier Martínez (INCIBE)

In November 2014 we published the Evidence Gathering in Windowswhose target audience was professionals in the IT sector: IT support technicians, system administrators, network administrators, malware analysts, etc, who despite usually having good computer skills are not familiar with the digital forensic analysis process. The document was intended as a practical guide to the steps to take if an incident occurred, with the aim of gathering the necessary evidence in order to subsequently carry out an analysis which would lead to a solution to the incident itself.

The guide uses RFC 32271 "Guidelines for Evidence Collection and Archiving" as a basis and focuses on local evidence gathering. However, certain incidents require a different sort of evidence to be obtained, mainly related to online services such as social networks, cloud storage services, messaging services, etc. This topic, in some cases, is also directly related to "Open Source Intelligence" (OSINT) and the process of Information Gathering. However, in this case we are focussing on gathering evidence to resolve an incident.

Therefore, this article includes a series of guidelines that may be of use in gathering evidence on different Internet services, if it becomes necessary to do so. It is important to bear in mind that the information we are referring to is accessible when you have physical access to the device, but there could be additional information that is of interest on the server side that evidently cannot be accessed. If it is needed, it has to be requested through the official channels and therefore the requirements the service has established will have to be met, such as putting it in writing, developing a court order, etc.

Information on Google services

Google has more than a billion users and offers a multitude of online services covering a large number of topics, from the search engine itself to Google Earth, Google Play, YouTube, etc. This is why it merits its own section.

As a vital part of their business model, and in an effort to improve users' experience, they gather a host of information which is useful in a good deal of security-related incidents.

Some examples are given below:

  • Account settings

    To view your account settings, follow this link, please: https://myaccount.google.com. You can access useful information on this page, such as: the devices that the account has been accessed from in the last 28 days as well as those currently connected, associated mobile devices, a contact list, etc. You can also export a large quantity of information on the Google services the account holder uses, from the following link: https://www.google.com/settings/takeout?pli=1.


    As you can see, the information collected includes files stored in Google Drive, photos uploaded to Google Photos, all the emails in Gmail, etc. Consequently, you should bear in mind that the process can take quite a bit of time, but depending on the type of incident, it can be very useful indeed.

  • Google Dashboard

    This enables you to access similar information to what was mentioned in the previous section, together with the contact list, location history, applications installed on a mobile device associated with the account, the permissions certain applications have for the account, etc. You can access this via the following link: https://www.google.com/settings/dashboard.

  • Account history

    This includes, among other things, the user's search history, places visited, videos searched for or watched on YouTube, etc. and it can be accessed at the following link: https://www.google.com/settings/accounthistory.

Social networks (Facebook, Twitter, etc.)

Social networks

Social networks are one of the most frequently used online services. Due to that trait so inherent to the human condition, the need to socialise, they tend to be used to a greater or lesser extent, sometimes responsibly and sometimes not so responsibly. This is why the information stored in them may be of interest.

To acquire said information, you can use the export tools that are built into certain social networks - if you have access to them, as mentioned in this article's section on the current situation. Alternatively, you can use tools especially designed for the purpose. The OSINT - La información es poder(OSINT - Information is power) article mentions various such tools like Creepy, OSINTStalker, Tinfoleak, etc.

Twitter is a service with over 255 million active users, through which more than 200 billion tweets are posted each year. If you are able to log in to the account, you can access account information at the following link: https://analytics.twitter.com or at https://twitter.com/settings/account and then clicking «Request your archive».

If you do not have access to the account, you can use Twitter's public API. This tool enables you to obtain a large quantity of additional information, as you can see in its documentation, which could be of interest.

By way of example, we have included the following code, from which the last 1,400 tweets posted from an account can be obtained, together with the number of times they have been favourites or retweeted.


To simplify the process, you can use one of the tools like Tinfoleak, but even though it is quite comprehensive, you may need to extract certain information that is not included in the tool and you may need to use the API.

  • Facebook

    Facebook is the most frequently used social network, with over 1.2 billion users, which is what makes it a good source of information. If you have access to the account, you can export all the information from the social network using the following link: https://www.facebook.com/settings?tab=account and selecting the «Download a copy of your Facebook data» option. This copy includes a whole host of account information, such as:

    • The user's log-in history, including the date, time, device, IP address and information about the browser and the device's cookies.
    • A list of the IP addresses the account has been logged into from.
    • Email addresses that have been added to the account (including those that have been deleted).
    • The user's Facebook chat conversation history.
    • People that have been deleted from the user's friend list.

    If you don't have access to the account, you can use one of the aforementioned tools, like OSINTStalker for example.

  • Twitter

Cloud services (Dropbox, Mega, OneDrive, etc.)

Cloud services

The advantage of cloud services is that they enable information to be accessed from any location from multiple devices. They can be a worthwhile source of information and, consequently, acquiring and analysing them may be useful for certain types of incident. As opposed to social networks, where a large quantity of account information is public and accessible, here you need the appropriate credentials to access it.

Messaging services (Gmail, Outlook, Yahoo, etc.)

Messaging services