BSidesTLV 2023

Google Workspace Forensics – Insights from Real-World Hunts & IR
2023-06-29, 16:40–17:05 (Europe/Oslo), Smolarz

In this talk, we share our knowledge and expertise on how to hunt and perform IR investigations over Google Workspace logs, based on a real-world threat hunt focused on data exfiltration from Google Drive. In this presentation, we will show the work of a forensic investigator in a Google Workspace domain.

We believe this knowledge is necessary for those who want to investigate Google Workspace logs.



According to Google’s “2021 Year in Review”, 3 billion people use Google Workspace. To give you visibility into actions performed in your Google applications, Google Workspace provides a RESTful Reports API that can be used to access information about your users' Google Workspace activities.

The first part of the presentation will give a quick introduction to the Google Workspace log structure. We will describe the challenges the logs present to forensic investigators, including the lack of essential data such as file paths and the user agent field, and their nontrivial structure. We will describe what we did to make the logs easier to read, including changes to the schema and separating the events differently. We will also show insights from our research into visibility over actions performed by third-party applications. – 5 minutes

The second part will focus on data exfiltration from the Google Drive application. We will present how changes to visibility and access scope appear in the log. We will talk about different scenarios for exfiltrating data and detail the log visibility of special cases: file sharing and mentioning users in a comment. We will also describe the difference between the visibility of a permissions change on a folder vs. on a file. – 10 minutes

In the third part, we will talk about a real-world case we found in a threat hunt — an external user that downloaded 15,000 files in a brief time, while nobody in the organization noticed. Who created them? And when? During our real investigation, we wanted to answer the first question investigators usually want to address in such scenarios — what data was exfiltrated? The logs don’t include the file paths, so we will describe how we overcame this using logs only, and what investigators can do with more permissions in a client environment. – 5 minutes

Summary and Q&A – 5 minutes
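As an added illustration (not code from the talk or from the speakers), the sketch below flattens nested Reports API Drive activity records into one row per event, as the first part describes, and flags external actors who download many distinct files in a short window, the pattern in the third part's case. The sample records, domain names, threshold and window are constructed assumptions; the field and parameter names follow the Reports API activity format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like Reports API activities.list items for
# applicationName=drive; every value here is made up for illustration.
def _item(ts, actor, doc_id, event="download"):
    return {"id": {"time": ts, "applicationName": "drive"},
            "actor": {"email": actor},
            "events": [{"type": "access", "name": event, "parameters": [
                {"name": "doc_id", "value": doc_id},
                {"name": "owner", "value": "alice@corp.example"},
                {"name": "primary_event", "boolValue": True}]}]}

SAMPLE = ([_item(f"2023-01-10T09:00:{s:02d}.000Z", "ext@partner.example", f"doc{s}")
           for s in range(40)]
          + [_item("2023-01-10T09:05:00.000Z", "bob@corp.example", "doc1"),
             _item("2023-01-10T09:06:00.000Z", "ext@partner.example", "doc1", "view")])

def flatten(items):
    """Yield one flat dict per event instead of one nested record per activity."""
    for it in items:
        for ev in it.get("events", []):
            row = {"time": datetime.strptime(it["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ"),
                   "actor": it.get("actor", {}).get("email", ""),
                   "event": ev.get("name")}
            for p in ev.get("parameters", []):
                # A parameter carries its value under one of several typed keys.
                for key in ("value", "boolValue", "intValue", "multiValue"):
                    if key in p:
                        row[p["name"]] = p[key]
            yield row

def bulk_external_downloads(items, internal_domain, threshold, window_s):
    """Map each external actor to the most distinct files downloaded within window_s seconds."""
    by_actor = defaultdict(list)
    for r in flatten(items):
        if r["event"] == "download" and not r["actor"].endswith("@" + internal_domain):
            by_actor[r["actor"]].append((r["time"], r.get("doc_id")))
    hits = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered downloads
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            docs = {d for _, d in evs[start:end + 1]}
            if len(docs) >= threshold:
                hits[actor] = max(hits.get(actor, 0), len(docs))
    return hits
```

The flat rows still carry only `doc_id` and `owner`, not a folder path, which is the gap the third part of the talk addresses.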

Ariel Szarf works as a Senior Cloud Security Researcher at Mitiga. Prior to that, Ariel was a Cyber Security Specialist Officer in the IDF. In addition, Ariel has a Master’s degree in Computer Science. Today, Ariel researches potential attacks on cloud services and SaaS, and investigates incidents.

Doron Karmi works as a senior Cloud Researcher at Mitiga. Prior to working at Mitiga, Doron worked as a malware analyst and threat hunter for large organizations. Today, Doron researches potential attacks on cloud services and SaaS, and investigates incidents.