Google accounts with G Suite administrator privileges often have access to more data than typical user accounts. With an administrator account, you can access not only users' Gmail and Drive contents but also audit logs that provide more in-depth analysis of your G Suite environment. When utilizing G Suite administrator privileges, you can choose to access data from both the admin and user accounts or from the admin account only.
In this blog, we’ll walk through the initial setup required for using Magnet AXIOM Cyber in your G Suite investigations.
Along with the ability to collect from cloud sources like G Suite, O365, and Slack, AXIOM Cyber enables examiners to remotely collect evidence from an endpoint with the use of a covertly deployed remote collection agent.
To allow AXIOM Cyber access to the data from user accounts under an administrator’s G Suite account, you will need to open the Google Admin console and configure the administrator account to give read-only access to user data in the domain.
When you log in to the G Suite admin account through AXIOM Process, these settings authenticate automatically. If you don’t want Magnet AXIOM to continue to have access to the user accounts after acquiring your evidence, you can remove these API settings from the Google Admin console at any time.
To configure the Google Admin console, complete the following steps:
- Browse to admin.google.com and log in to the administrator’s account.
- Click Security > App Access Controls.
- Under Domain Wide Delegation, click Manage Domain Wide Delegation.
- Click Add New and enter 100819563017996123187 as the client ID.
- Enter the scopes below:
- In the One or More API Scopes field, paste the copied text. API scopes must be separated by commas, with no spaces.
- Click Authorize.
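Before clicking Authorize, the entry can be checked against the two constraints stated above: a comma-separated scope field with no spaces, and read-only access. The following is an added example, not Magnet's code. The scope strings in it are constructed samples, not AXIOM Cyber's scope list, and treating a `.readonly` suffix as the read-only marker is a heuristic assumption.

```python
import re
from urllib.parse import urlparse

CLIENT_ID = "100819563017996123187"  # client ID given in the steps above

# Constructed sample inputs (NOT the scope list AXIOM Cyber asks for).
SAMPLE_GOOD = ("https://www.googleapis.com/auth/gmail.readonly,"
               "https://www.googleapis.com/auth/drive.readonly,"
               "https://www.googleapis.com/auth/admin.reports.audit.readonly")
SAMPLE_BAD = ("https://www.googleapis.com/auth/gmail.readonly, "
              "https://www.googleapis.com/auth/drive,"
              "https://mail.google.com/,")

def review_delegation_entry(client_id, scope_field):
    """Return a list of findings for a Domain Wide Delegation entry."""
    findings = []
    # Assumption: a delegation client ID consists of ASCII digits only.
    if not (client_id.isascii() and client_id.isdigit()):
        findings.append("client ID is not purely numeric")
    # The console field must be comma-separated with no spaces.
    if re.search(r"\s", scope_field):
        findings.append("scope field contains whitespace")
    scopes = [s.strip() for s in scope_field.split(",")]
    if "" in scopes:
        findings.append("empty entry (leading, trailing or doubled comma)")
    seen = set()
    for scope in filter(None, scopes):
        if scope in seen:
            findings.append(f"duplicate scope: {scope}")
            continue
        seen.add(scope)
        parsed = urlparse(scope)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"not an https scope URL: {scope}")
        elif not parsed.path.endswith(".readonly"):
            # Heuristic: no '.readonly' suffix means the grant may allow
            # writes, which exceeds the read-only access described above.
            findings.append(f"not marked read-only, review: {scope}")
    return findings

if __name__ == "__main__":
    for label, field in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, review_delegation_entry(CLIENT_ID, field) or "no findings")
```

An empty result means the field is well formed and every scope carries the read-only suffix. It does not confirm that the scopes match what the tool needs.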
This screen shows correctly configured Client ID and API scopes:
After you’ve updated the settings in the Google Admin console, it might take some time for AXIOM Cyber to authenticate the settings. In AXIOM Process, click Access admin and user accounts. AXIOM Process authenticates the updated settings and takes you to the Select Google services screen.
If you have any questions, please don’t hesitate to reach out to either firstname.lastname@example.org or myself at email@example.com.