Accessing Google Workspace

Two authentication methods are available for conducting cloud forensics with Binalyze Tornado for Google Workspace. Each provides different levels of access and data collection capabilities.


1. Normal User Login

What is it?

  • Basic user authentication method

  • Uses individual Google Workspace account credentials

  • Ideal for single-user investigations

  • Limited to personal data access

When to use it?

  • Investigating a specific user's activities

  • Collecting personal mailbox data

  • Analyzing individual Drive activities

  • Reviewing personal email settings


2. Service Account Login

What is it?

  • Advanced authentication method

  • Uses service account credentials for organization-wide access

  • Includes all normal user capabilities plus administrative features

When to use it?

  • Organization-wide investigations

  • Security incident response

  • Compliance audits

  • Multi-user data collection


Normal User Login Collectors

1. Mail Data Collectors

  • Mail Collection

    • What it collects: Emails (sent, received, and stored messages)

    • Use case: Communication analysis

    • Example: Investigating email threads and attachments

    • Scope: Personal mailbox only

  • Email History Information

    • What it collects: Detailed history of email activities

    • Use case: Timeline analysis

    • Example: Tracking email sending patterns

    • Scope: Personal email history

  • Label Usage Information

    • What it collects: Email organization patterns

    • Use case: Information management analysis

    • Example: Understanding how emails are categorized

    • Scope: Personal label usage

  • Email Settings Information

    • What it collects: Account configurations

    • Use case: Email setup analysis

    • Example: Reviewing auto-forwarding rules

    • Scope: Personal email settings

2. Drive Activities Collectors

  • Drive Usage Activities

    • What it collects: File activities and sharing information

    • Use case: Document access analysis

    • Example: Tracking personal file-sharing history

    • Scope: Personal Drive activities


Service Account Login Collectors

To use the Service Account login, Tornado users must first complete the GWS Collector Prerequisites, which are explained here: https://docs.mithi.com/home/preparation-for-googleworkspace-by-enabling-domain-wide-delegation-using-oauth-service

When using the Service Account login method, you will need to provide Tornado with the Google Workspace (GWS) private key generated during the setup process (refer to the link above for detailed instructions). This key is typically provided in the form of a JSON file, as illustrated below.

Additionally, you must specify the email address of an impersonated user, which should belong to an administrator or a user with the required permissions, as outlined in the example below.

The Service Account gives you access to all of the accounts, but Tornado lets you filter down to only the accounts you are interested in.
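
An added example, not Tornado's own code or part of the original page: a pre-flight check of the two inputs described above (the JSON key file and the impersonated user's email), which also shows where the impersonated address ends up in the delegated token request. The field and claim names follow Google's service-account key format and JWT-bearer flow; the sample key, addresses and scopes are constructed, and the read-only scope heuristic is an assumption, not Tornado's required scope list.

```python
import json
import re

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample; not a real key, project or domain.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "collector@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_inputs(raw_json, impersonated_user, scopes):
    """Return a list of problems; an empty list means the inputs look usable."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if "PRIVATE KEY-----" not in str(key.get("private_key", "")):
        problems.append("private_key is not PEM encoded")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not EMAIL_RE.match(impersonated_user):
        problems.append("impersonated user is not an email address")
    elif impersonated_user.endswith(".gserviceaccount.com"):
        problems.append("impersonated user must be a Workspace user")
    # Heuristic for review only: read-only Google scopes usually end in "readonly".
    problems += [f"review scope (not read-only): {s}"
                 for s in scopes if not s.endswith("readonly")]
    return problems


def delegated_claims(key, impersonated_user, scopes, now):
    """Claim set of the signed JWT sent to token_uri (signing omitted here)."""
    return {"iss": key["client_email"],   # the service account itself
            "sub": impersonated_user,     # the Workspace user it acts as
            "scope": " ".join(scopes),
            "aud": key["token_uri"],
            "iat": now, "exp": now + 3600}  # one hour is Google's maximum
```
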

1. All Normal User Collectors (with Extended Scope)

  • Access: Includes all collectors listed above

  • Scope: Organization-wide data collection, applicable to any user

  • Capabilities: Broader data visibility and collection

2. Reports Data Collectors (Service Account Only)

  • Access Transparency Collector

    • What it collects: System access logs

    • Use case: Security monitoring

    • Example: Tracking admin access to user data

    • Key features:

      • Google staff access logs

      • System-level access tracking

      • Compliance monitoring

  • Admin Collector

    • What it collects: Administrative activities

    • Use case: Admin behavior analysis

    • Example: Tracking configuration changes

    • Key features:

      • Admin action logs

      • System settings changes

      • User management activities


Key Differences Between Access Modes

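  • Access Scope

    • Normal User Login: Personal data only

    • Service Account Login: Organization-wide data

  • Data Collection

    • Normal User Login: Limited to authenticated user

    • Service Account Login: All users and administrative data

  • Best For

    • Normal User Login: Individual investigations

    • Service Account Login: Enterprise-level investigations

  • Advantages

    • Normal User Login: Simple, user-specific analysis

    • Service Account Login: Complete visibility of organization data

  • Limitations

    • Normal User Login: Cannot access other users' data

    • Service Account Login: Requires service account credentials

  • Use Case Example

    • Normal User Login: "I need to investigate my own email communications from last month."

    • Service Account Login: "I need to investigate all email communications within the finance department."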
