Product Features

Google G Suite in Magnet AXIOM Cyber

Google accounts with Workspace administrator privileges often have access to more data than typical user accounts. With an Administrator account, not only can you access user account Gmail and Drive contents but also audit lots providing more in-depth analysis into your Workspace environment. When utilizing Workspace administrator privileges, you can choose to access data from both the admin and user accounts or the admin account only.

In this blog, we’ll walk through the initial setup required for using Magnet AXIOM Cyber in your Google Workspace investigations.

Along with the ability to collect from cloud sources like Google Workspace, O365, and Slack, AXIOM Cyber enables examiners to remotely collect evidence from an endpoint with the use of a covertly deployed remote collection agent.

Request a free trial of Magnet AXIOM Cyber today.

To allow AXIOM Cyber access to the data from user accounts under an administrator’s Google Workspace account, you will need to open the Google Admin console and configure the administrator account to give read-only access to user data in the domain.

When you log in to the Google Workspace admin account through AXIOM Process, these settings authenticate automatically. If you don’t want Magnet AXIOM to continue to have access to the user accounts after acquiring your evidence, you can remove these API settings from the Google Admin console at any time.

To configure the Google Admin console, complete the following steps:

  1. Browse to admin.google.com and log in to the administrator’s account.
  2. Click Security > Access & Data Control > API Controls> Domain Wide Delegation
  3. Under Domain Wide Delegation, click Manage Domain Wide Delegation.
  4. Click Add New, enter 100819563017996123187 as the client ID.
  5. Enter the scopes below:

https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.photos.readonly,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/calendar.events.readonly,https://www.googleapis.com/auth/drive.activity.readonly,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email

  1. In the One or More API Scopes field, paste the copied text. API scopes must be separated by commas, with no spaces.
  2. Click Authorize.

This screen shows correctly configured Client ID and API scopes:

After you’ve updated the settings in the Google Admin console, it might take some time for AXIOM Cyber to authenticate the settings. In AXIOM Process, click Access admin and user accounts. AXIOM Process authenticates the updated settings and takes you to the Select Google services screen. If you have any questions, please don’t hesitate to reach out to either support@magnetforensics.com or myself at trey.amick@magnetforensics.com

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top