Product Features

Google Warrant Returns in Magnet AXIOM

Did you know that AXIOM has built-in support for Google Warrant Returns as part of our Cloud Warrant Returns feature? If you have received a return from Google in .zip format, you can load it into AXIOM and process that evidence alongside the other evidence in your case. Google Warrant Returns can be highly valuable because the content may come from multiple sources, including an Android phone, Gmail, or a Chromebook.

Google Warrant Returns include a variety of data, including chats, login history, search history, pictures (including saved screenshots), documents, and emails. One of the interesting issues with parsing Warrant Returns is that we are not able to create test accounts and request the data back, so there are sometimes artifacts we are unclear about. For example, we are unsure whether the Chats artifact is always from Google Hangouts. In one instance, I see that the chats also appear in screencaps of Hangouts messages, showing that the chat can be that content. However, in another sample return there are chat messages, but the user has not signed up for Hangouts. This is where we need to work with the community and learn from what each of us is seeing, so that we can more clearly understand the content parsed from these returns.

Figure: Some artifacts from a Google Warrant Return

What if you have account details but don't know about an associated device? Using the Google Warrant Return Devices artifact, you may be able to identify additional devices associated with the account that may be of interest. The example below shows the parsed devices information from a Google Warrant Return, which may help you learn about additional devices. In addition, the Cloud Google Account Information artifact lists the services the user signed up for, such as Hangouts, Gmail, and YouTube.

Figure: Redacted Cloud Google Devices artifact from a Warrant Return

Magnet AXIOM also supports other cloud content from Google, including Takeouts and our own cloud acquisition process. Our cloud acquisition process supports signing in with credentials, a token, or external browser authentication. Google Takeouts contain data that can be acquired by performing a self-archive of the account with credentials. Do you have a Warrant Return on a case where you also have the ability (legally and technically) to perform a cloud acquisition and a Google Takeout? The community would love to know what differences you find between the methods and what content is available in each.

If you have any comments or questions, feel free to reach out to me at Jessica.hyde@magnetforensics.com. Has something changed in a Google return you have received? Is there more data available that you would like us to support? Have you compared the results between different Google cloud acquisitions? Please drop us a line and let us know.