It is no secret that many tech companies, including Google, collect an inordinate amount of data about their users. It makes sense: knowing its user base is Google’s core business and allows the company to serve customers more effectively and enhance its service offerings. Where, then, is all of that information and how, as investigators, can we access it? When it comes to preserving Google accounts, most begin and end their investigation with Google’s Takeout feature. While Takeout is indeed a great and useful tool, it isn’t the only option we have when it comes to collecting data associated with Google accounts.
My Activity Timeline
Google’s My Activity stores an incredible amount of information. Better yet, that information can be easily queried and date-filtered with the provided interface. Some of the information may overlap with data in Takeout; however, a good amount of it is unique to this view, which provides a unified timeline of user activity. The types of information stored here can vary based on the user’s activity control settings and the types of Google (or Android) devices and services they use. Highlights include recorded audio of a user interacting with Google Assistant, timing of when apps are opened on a phone, and search and internet history.
Crucially, there does not appear to be any kind of roll-off to the data stored here. This can result in a huge amount of data to sift through and review. Fortunately, the data presented can be searched by keyword and filtered by date, date range, or by various services, including:
- Google Play Movies & TV
- Google Play Store
- Image Search
- Maps Timeline
- Play Music
- Video Search
- Voice & Audio
I recommend using the “Item View”, as opposed to the default “Bundle View”, when reviewing content on this page. This view allows for a more granular review of the data and presents each item on its own card instead of bundling items together. This option will appear on the left-hand side of the page or can be accessed with the following URL: https://myactivity.google.com/item. At the bottom of each item’s card, a “Details” hyperlink allows you to review further information about the item. For example, if the activity occurred on a mobile device, the make and model of the device may be recorded here. Google’s description of the “My Activity” page can be reviewed here.
Other Google Activity
Beyond the “My Activity” timeline, we can review additional data sources by clicking on the “Other Google activity” button on the “My Activity” timeline or by visiting the following link. Amongst these are links to location history activity, device information activity, and Google Takeout. See the screenshot below for an accounting of these options and their descriptions.
The location history timeline is a fantastic feature for establishing an individual’s location at a given time. It tracks a user’s location or, more accurately, the location of devices where their Google account is signed in. In Takeout, this information may also be captured in the Location History JSON file. However, it is easier to query that data through Google’s interface. If you no longer had access to the account, you could parse the JSON file itself and map the points through Google Earth. Refer to my previous article on plotting GPS coordinates to Google Earth KML files as a starting point.
Beyond being able to review activity on a specific date, you can also quickly review most frequently visited places, trips (or what Google believes are trips), and home and work address details.
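For the offline case mentioned above, where only the Takeout Location History JSON is available, the following Python is an added example (not code from this article or the earlier KML post) that filters records to a time window and emits KML for Google Earth. It assumes the field names commonly seen in Takeout location exports (`locations`, `latitudeE7`, `longitudeE7`, `timestampMs` or `timestamp`, `accuracy`); the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample records; field names are assumed from typical Takeout exports.
SAMPLE = json.dumps({"locations": [
    {"timestampMs": "1546300800000", "latitudeE7": 407127530,
     "longitudeE7": -740059730, "accuracy": 20},
    {"timestamp": "2019-01-01T00:05:00Z", "latitudeE7": 407130000,
     "longitudeE7": -740060000, "accuracy": 15},
    {"timestampMs": "1546301400000", "accuracy": 900},  # no fix recorded
]})

def parse_locations(raw, start=None, end=None):
    """Return (utc_time, lat, lon, accuracy_m) tuples, oldest first,
    optionally limited to the window [start, end]."""
    points = []
    for rec in json.loads(raw).get("locations", []):
        if "latitudeE7" not in rec or "longitudeE7" not in rec:
            continue  # records without coordinates cannot be plotted
        if "timestampMs" in rec:    # epoch milliseconds, stored as a string
            ts = datetime.fromtimestamp(int(rec["timestampMs"]) / 1000,
                                        tz=timezone.utc)
        elif "timestamp" in rec:    # ISO 8601 string
            ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        else:
            continue
        ts = ts.astimezone(timezone.utc)
        if (start and ts < start) or (end and ts > end):
            continue
        # E7 fields are degrees multiplied by 10**7
        points.append((ts, rec["latitudeE7"] / 1e7,
                       rec["longitudeE7"] / 1e7, rec.get("accuracy")))
    return sorted(points, key=lambda p: p[0])

def to_kml(points):
    """Build a KML document with one time-stamped placemark per point."""
    marks = []
    for ts, lat, lon, acc in points:
        when = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        marks.append(
            f"<Placemark><name>{when}</name>"
            f"<description>accuracy_m={acc}</description>"
            f"<TimeStamp><when>{when}</when></TimeStamp>"
            # KML coordinate order is longitude,latitude,altitude
            f"<Point><coordinates>{lon:.7f},{lat:.7f},0</coordinates></Point>"
            "</Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n'
            + "\n".join(marks) + "\n</Document></kml>\n")

if __name__ == "__main__":
    print(to_kml(parse_locations(SAMPLE)))
```

Keeping the reported accuracy in each placemark's description lets a reviewer weigh a point before relying on it to place a device at an address.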
Google Drive Activity Log
Similar to the “My Activity” timeline, but strictly related to Google Drive, this activity log records many details about the account and does not get downloaded in a Google Takeout. Unlike the content in the “My Activity” timeline, there does not appear to be a way to turn this functionality off or delete specific entries from it. Therefore, this is an invaluable artifact that records information including file upload, deletion, or editing activities. This is doubly true for files which are no longer present on the account as information about the file is not removed from the log when the corresponding file is deleted.
This view can be accessed by clicking on the “i” symbol in the top right of the page. Depending on what folder or file is selected, it will show activity specific to that item. In the screenshot above, we have clicked on the “My Drive” folder and see all activity associated with that folder. Data loads dynamically as you scroll down, like the “My Activity” timeline, and does not appear to roll off after a set amount of time.
We went a little over the 500 word limit in this post, but that’s more of a guideline than a strict rule. Clearly, there is a lot of data we can extract from a Google account. Don’t settle for just what is provided in a Google Takeout.
Next time we will take a look at a method to preserve the data presented in the Activity view for offline review. Comment below if I omitted a useful Google data source you find helpful in your investigations.