Site icon

Forensic Analysis: Google Home Voice Controller

Google Home

Introduction

The following research is written from the perspective of a cybersecurity forensic investigator, who is examining a Google Home Voice Controller (GHVC). It will also explore the device’s connection to other technologies that adopt Google’s voice command. The document will pinpoint how GHVC stores and processes information, and discusses how this can improve the outcome of forensic investigations. The investigator will determine specific measures for managing digital evidence, data acquisition, legalities, encryption methods, cloud storage and other hardware and software that will assist in the forensic investigation. The investigator will highlight several types of data stored by GHVC with a special emphasis on audio files. Any device using the Google Assistant application in addition to GHVC can leave a digital trail of audio files and other sensitive data regarding the time and proximity of a suspect during investigation. Symantec has a whitepaper on IoT devices that use voice command, its data on GHVC will be used as supporting evidence of how to appropriately conduct an examination of the device. It is important for users to be aware that Google’s End User License Agreement gives them the authority to send copies of all voice command request to their company servers without notification and states that the company owns those copies. While Google does not provide an online manual for GHVC, several others are available in the opensource. The investigator will pinpoint how the device may provide both exculpatory and inculpatory evidence in given circumstances, and also the advantages and disadvantages of the device’s use of cloud storage. The investigator will need four pieces of hardware: the GHVC, a smartphone that will connect to it, write blocker, and a laptop computer for storing copies of the files. Six different pieces of software are needed to make it possible to copy data from the GHVC without damaging the original files. The investigator will use an approach that ensures data integrity of any collected data (audio files, documents, evidence of malicious code, etc.).

Google Home Voice Controller: Forensic Investigations

Google Home Voice Controller (known as Google Home or GHVC) is one of the most popular smart speakers on the market. It allows users to connect to Wi-Fi, control features on other compatible smart devices, and runs the Google Assistant application. The device uses voice-command to respond to search queries and retrieve information. Common uses for voice-command would be to tell the device to play music or find data through Google Search like information on a specific topic, directions for transportation and many other commands. While Google Home is the most advanced version of the hardware, Google provides a number of alternatives that also carry the same vulnerabilities: Home Mini, Home Max and Nest Hub. The device can be connected to other Google services that may contain personal information about the user including Gmail data, type and number of search queries, browsing history, and other programs that may have physical addresses or financial information attached to them. Google Home contains two microphones that record user voice-commands after they activate the feature by saying “OK Google” or “Hey Google”; the device will record until it provides the user with data or launching an application. Investigators use computer forensics on Google Home and the growing number of IoT devices available today by examining the following key areas: how the device processes and handles digital evidence, what privacy and legal issues prevent them from acquiring the device or its data, types of encryption and cloud storage, as well as the forensic and investigative tools needed to promote security with Google Home and other IoT devices.

Processing and Handling Digital Evidence

A forensic examination on Google Home requires investigators to analyze digital evidence that is stored on the device and in the cloud. This sometimes creates a level of complexity with the investigating agency as there may need to gain access to legal documents that will allow them to view an organization’s data within the cloud or company storage; this especially may be the case when conducting forensic investigations within the private sector and law enforcement crime scenes. In a hypothetical scenario in which a Google Home speaker becomes evidence due to a crime, there are steps necessary for the investigator to take in order to collect data with integrity. In order to identify digital evidence, it would be significant for investigators to apply the following strategy: identify digital information relating to the case, collect and preserve all evidence, analyze (identify and organize) evidence, verify the results of the investigation by creating a proxy system or rebuild evidence to ensure that all data remains unedited and secure.

When collecting data on Google Home it remains significant to understand the rules of evidence, essentially applying proven security procedures for all forensic cases that will ensure the integrity of information. The investigator’s strategy should include previously used methods of collecting and examining data that are consistent with each other. For example, the investigator may be able to use much of the strategy applied in a previous case using an Amazon Echo device for a new investigation on Google Home in a consistent manner. As a popular IoT device, Google will periodically send updates to the product; it remains significant for cybersecurity professionals to analyze these changes in order to effectively conduct forensic investigations for Google Home in ways that are consistent with company policy and law. It is a best cybersecurity practice to adopt the disk-to-image approach when examining Google Home, as this is the most effective way to gather all evidence from the device without having to create a more time and resource intensive disk-to-disk approach. Investigations should remain compliant with the law when they collect information regarding business, public records, unallocated data as well as any new laws and policies. Google Home contains computer-generated records and computer-stored records, both of which are important data points in a forensic investigation. This will provide the investigator with audio files, voice-commands and log files indicating the time and dates of specific user criminal actions. After all data has been collected it is important for the investigator to rebuild the criminal activity in order to prove that the original data has not changed, which is essential should the case be brought to a court. Through analysis investigators can use the log files to gather metadata regarding the case and assert information like when and where particular voice-commands were made and what kinds of information flow from Google Home to other IoT devices along with a timestamp for those actions.

When Google Home becomes evidence, it is the investigator’s responsibility to discover if it is best to examine the device at the crime scene or wait until it is collected and appears in a crime lab. In either location, it would be wise to create a disk-to-image replication of the original hard drive and cloud storage and select to make it read-only, this further indicates that if the original data matches the replication it would be viewed as valid evidence in court. It would be beneficial for investigators to save the replicated data to a USB flash drive as they can store a high number of gigabytes and terabytes of information more securely than other methods. It would also be a best cybersecurity practice to make two copies of the files stored on the Google Home device and its cloud storage space. It is also important for investigators to provide documents and use encryption methods (frequently hashing methods) with their reports in order to add an extra layer of security. A best cybersecurity practice would be for investigators to provide a written report as well as an electronic one for submission to authorities within investigations.

Data Acquisition

Investigators will begin the data acquisition process by connecting a smartphone (typically with Android operating system) to Google Home. Next the investigator will connect Google Home and the smartphone to the same Wi-Fi network and link a Google account to the IoT device. In addition to these devices the investigator will also have a laptop which will be used to store collected data. It is a best cybersecurity practice to include the following six pieces of software to conduct a forensic examination of Google Home: 7-Zip, Android Studio, DB Browser for SQL Lite, Google Home App, Google Play Services App, and FX File Manager. After the Google Home application is downloaded on the smartphone, investigators will collect data from the original source for further analysis. According to a study by cybersecurity experts at the University of Albany, an effective method of copying data from the original source includes the following steps: put the smartphone into developer mode, enable USB debugging on it, unlock its bootloader, ensure that the phone is rooted, use the FX file manager software to copy data associated with Google Home and send it to a USB flash drive. After copying the files, investigators can analyze them using Android Studio which will give them access to voice-commands, audio files, documents, images, videos and other media. Android Studio also provides log files that inform investigators of the times and dates of information that had been used on Google Home as well as unencrypted databases containing metadata.

Google Home stores most of its information in the cloud, investigators gain access to it in order to discover new evidence regarding the case. The connection between the smartphone and Google Home allows investigators to gather information when Google accounts are linked between the two devices, giving them the opportunity to find evidence on the IoT device’s application layer. The cloud storage will contain a lot of voice-command information, the majority of which will be different than the files stored on Google Home’s hard drive. Android Studio has the ability to turn voice-commands and audio recordings into text documents in order to provide supplemental data that matches the quality of information stored on the original source. The software also reliably provides timestamps and geospatial intelligence, which can help the investigator determine the order of the series of events leading up to the crime. One helpful strategy in circumstances in which the investigator needs to regain access to Google Home would be to use the copied audio files (many of which are “OK Google” and “Hey Google”) and play them from the smartphone or laptop and regain easy access to the device. This best practice can assist cybersecurity investigators as well as law enforcement with their ability to access data from the original source, which may be helpful in completing the investigation in less time. This may also lead to the discovery of exculpatory evidence that can help defendants during a trail, or inculpatory evidence that can be used to show a suspect’s guilt.

Privacy & Legal Issues for Acquiring the Device or its Data

Investigators should view the expansion of IoT devices as a prospective vulnerability in cybersecurity as millions of consumers within the United States own these technologies. Such innovations create difficulties with privacy and legal issues when conducting a forensic investigation or simply making IoT devices a secure product for use by consumers. Some consumers may wonder at what exact point does the smart speaker stop listening to the users. Google Home, and similar products, are supposed to stop recording the user’s voices after they provide information regarding a specific voice-command. Some users have risen concerns that the devices may still be recording them after it has successfully provided the user with information.

Even though debates continue regarding the privacy of Google Home, it is safe to assert that these devices may record audio that is relevant to a criminal case. Data stored on Google Home can have a significant impact on evidence for a criminal case; observing the voice-commands could be an important factor if the criminal made a request for something illegal or relevant to a crime. There are currently issues concerning privacy, probable cause and Fourth Amendment restrictions, but law enforcement and cybersecurity experts would agree that the evidence could be an integral part of a criminal trial. There have been recent criminal trails in which judges and attorneys requested access to Google Home data through search warrants and subpoenas. Google and other tech companies have not been very responsive to these requests, which makes it more difficult for law enforcement and cybersecurity staff to introduce all facets of evidence during a criminal trial or employment investigation.

Domestically, it can take a lot of time to gather such evidence for law enforcement as they would typically need to establish probable cause before gaining access to a device or anything else connected to a crime scene. Without probable cause it becomes nearly impossible to use a search warrant or subpoena of the owner of the IoT device in order to introduce digital and audio evidence into a court case, as this could potentially be seen as a privacy issue or jurisdiction matter. If Google and the other tech companies continue to remain unforthcoming with data concerning their IoT devices, this issue could find itself being argued at the state or federal level, possibly even through legislation for the United States Supreme Court. While Congress continues to create policies that address these privacy and legal issues in the United States, there currently is no legislation or treaty that will enforce IoT owners in other territories (who may have data regarding a crime) to allow law enforcement and cybersecurity staff to gain access to their devices for discovering new evidence. According to an article in Wired magazine, in response to questions regarding its End User Agreement for Google Home and other IoT devices, Google asserted that its privacy policies do not address issues with voice-recorded data. Google further stated that it has the authority to share Google Home data with other organizations in ways that are legal, regulatory or determined necessary by government request. Google has the ability to share user data without their permission, which virtually ensures no legal protection or privacy for the owner of Google Home devices, or regard for the law enforcement and cybersecurity personnel who need access to the company’s information in order to present evidence for criminal trails.

Encryption

Google Home encrypts each voice-command and sends it to Google servers. Once the information reaches Google’s servers the company uses an additional layer of encryption while it is in storage. This multi-factor encryption strategy theoretically ensures that each voice-command will not be disrupted while it is in transit or when it is within the server’s storage space. When law enforcement and cybersecurity staff need access to information that has already reached Google’s storage, the company responds most quickly to request made by government entities, and sometimes agrees or disagrees with allowing information to be examined for a criminal trial or forensic investigation.

Since most users will connect Google Home to several other applications and IoT devices, the investigator may find other personal information regarding a suspect like their financial or banking information, passwords and other private data associated with other connected devices and software. Gathering this evidence can assist investigators in gaining an understanding of who the suspect is and what they have done or will be capable of doing. Google Home users trust Google to send their information to servers through multi-factor encryption methods, but that does not ensure that the data will never be breached or subject to a search warrant or subpoena for examination or inclusion in any trail.

According to cybersecurity research, the fewer devices, programs and accounts that are connected to Google Home, the more secure it becomes to use the device. A best cybersecurity strategy would be to create a new Google account that will only be used with Google Home, and not connect existing Gmail and other Google services (Long, 2018). If the investigator is successful in gaining access to Google Home as evidence, there is the possibility of gathering more information on a suspect by viewing the ways in which they used other applications prior to committing a crime. After gaining access to Google Home, the investigator may need to use a decryption software in order to view the stored data if Google makes the device available without changing its encryption.

Cloud Storage

It is important for investigators to know how Google Home stores information in the cloud and how this can potentially impact an investigation. Google Home sends every voice-command through its Google Assistant application and into either physical servers that reside in data centers or virtual ones in the cloud. Users have the ability to delete their data on Google Assistant, but investigators will use tools to gather unallocated data. Google Cloud Platform uses virtual machines to collect data within their cloud storage internationally. These services are considered public cloud infrastructures; a recent survey conducted by SADA Systems determined that 84% of IT managers prefer to store data within the cloud rather than physical servers in data centers. If IT managers continue their use of cloud storage over the traditional methods, it may make it more difficult to obtain permission to get those pieces of evidence for a criminal case. Many companies are choosing to work within the cloud when it can provide more security than the company can with its available resources, it gives the opportunity to easily add more storage space when needed, and it may be more cost-effective when compared to other methods of storage. Google Cloud Platform has increased in popularity among technology users since the company acquired FASTER Cable System in 2016, which provides them the ability to flow transit information through fiber optic cable at 10Tbps. Google indicates that Google Cloud Platform is the most reliable option for cloud storage due to the company’s ability to encrypt communication in transit, multi-layer authentication, integration options with different ISPs from around the world, technical certifications and multiple audits conducted on the service each year. It is interesting to note that Google provides a Google Security whitepaper for its cloud services, but it does not directly discuss the security of Google Home and many of its other services. The most informative white paper that includes information on Google Home is provided for free by Symantec, as they inform investigators about the capabilities and ways to gather information from Google Home and its associated devices.

Forensics regarding IoT devices and their cloud connections presents a complex technical problem and the need to remain compliant with the law. Since technology is constantly evolving and newer versions will become available for Google Home, the same can be suggested by Amazon Echo and other similar IoT devices. It would be best for investigators to use the techniques that they currently apply to forensics on cloud services, while remaining flexible in order to add newer techniques to their cybersecurity strategy. It is important for investigators to pinpoint cloud activity regarding Google Home which involves viewing the storage as software as a service (SaaS). This will save the investigator time by not observing the cloud services as Platform as a Service (PaaS) and Infrastructure as a service (IaaS) that most likely will have no relation to the investigation. Google Cloud Platform, which is responsible for storing data for Google Home, uses the public cloud method to provide services to users around the world on an ongoing basis. This is important for investigators to know as they can use search warrants and subpoenas to collect data within any area of Google’s public cloud services. The Google Cloud Platform is designed to be a cost-effective service for individual internet users, as well as businesses. It should be more efficient for the investigator to collect data stored in the cloud through proven methods rather than ones that will make it more difficult to gain access to both public and private sections of Google’s cloud services. Public cloud services are not the most secure from a strategic standpoint, but it may be more efficient for forensic investigations since there will be no need to examine the private or hybrid sections of Google’s cloud services. After the collection of data within the cloud, it may appear in court as evidence for criminal trails and be used as a part of courtroom testimony.

Forensic and Investigative Tools (hardware and software)

In order to conduct a forensic examination on Google Home, investigators will need 6 pieces of software and 4 hardware. 7-Zip is a free and opensource solution for archiving data, using compression and encryption techniques. Android Studio is a development space that gives users the ability to make changes to settings within the Android Operating system. DB Browser for SQL Lite gives investigators access to databases, unallocated information, search records, as well as import and export items within databases. The Google Home app assists the user in setting up or changing settings on Google Home devices, and linking to other IoT devices. The Google Play Services app updates the programs installed onto the devices and features privacy settings and other data an investigator may find of interest to a case. FX File Manager helps investigators view and store data either on a mobile device or desktop computer without losing any quality.

The investigator will need four pieces of hardware to conduct the investigation. Gaining access to the Google Home device at the center of the investigation is an important step, as it may contain evidence related to the investigation. It is also necessary to have a smartphone that is compatible with Google Home, typically any type of Android. The investigator will also need a write blocker in order to make a disk-to-image file for the investigation. It would be a best practice to also use a laptop for uploading and examining the disk-to-image file.

Conclusion

As more consumers continue to use IoT devices in their daily lives, the potential for them to record personal, professional or criminal information increases. The process of conducting a forensic investigation on a Google Home device may be similar to others on the market; there are best cybersecurity practices that investigators use in order to conduct their examinations of these devices. It is important to note that investigators have options regarding the types of hardware and software they will use throughout their cybersecurity efforts. Since Google provides multi-layered encryption on its voice-command data, it is safe to assume that these files are relatively safe but there still may be vulnerable to hackers once the information reaches the data centers or cloud storage services. Whenever possible, gaining access to audio files from Google Home could be introduced as evidence in court and assist them in determining who should be responsible for criminal activity.

Exit mobile version