LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • 1. Normal User Login
  • 2. Service Account Login
  • Normal User Login Collectors
  • Service Account Login Collectors
  • Key Differences Between Access Modes

Was this helpful?

Export as PDF
  1. AIR
  2. Features
  3. Tornado (Preview Version)
  4. Tornado Collectors

Accessing Google Workspace

Two authentication methods are available for conducting cloud forensics with Binalyze Tornado for Google Workspace. Each provides different levels of access and data collection capabilities.


1. Normal User Login

What is it?

  • Basic user authentication method

  • Uses individual Google Workspace account credentials

  • Ideal for single-user investigations

  • Limited to personal data access

When to use it?

  • Investigating a specific user's activities

  • Collecting personal mailbox data

  • Analyzing individual Drive activities

  • Reviewing personal email settings


2. Service Account Login

What is it?

  • Advanced authentication method

  • Uses service account credentials for organization-wide access

  • Includes all normal user capabilities plus administrative features

When to use it?

  • Organization-wide investigations

  • Security incident response

  • Compliance audits

  • Multi-user data collection


Normal User Login Collectors

1. Mail Data Collectors

  • Mail Collection

    • What it collects: Emails (sent, received, and stored messages)

    • Use case: Communication analysis

    • Example: Investigating email threads and attachments

    • Scope: Personal mailbox only

  • Email History Information

    • What it collects: Detailed history of email activities

    • Use case: Timeline analysis

    • Example: Tracking email sending patterns

    • Scope: Personal email history

  • Label Usage Information

    • What it collects: Email organization patterns

    • Use case: Information management analysis

    • Example: Understanding how emails are categorized

    • Scope: Personal label usage

  • Email Settings Information

    • What it collects: Account configurations

    • Use case: Email setup analysis

    • Example: Reviewing auto-forwarding rules

    • Scope: Personal email settings

2. Drive Activities Collectors

  • Drive Usage Activities

    • What it collects: File activities and sharing information

    • Use case: Document access analysis

    • Example: Tracking personal file-sharing history

    • Scope: Personal Drive activities


Service Account Login Collectors

When using the Service Account login method, you will need to provide Tornado with the Google Workspace (GWS) private key generated during the setup process (refer to the link above for detailed instructions). This key is typically provided in the form of a JSON file, as illustrated below.

Additionally, you must specify the email address of an impersonated user, which should belong to an administrator or a user with the required permissions, as outlined in the example below.

The Service Account will give you access to all of the accounts but Tornado will allow you to filter down to only the accounts you are interested in

1. All Normal User Collectors (with Extended Scope)

  • Access: Includes all collectors listed above

  • Scope: Organization-wide data collection, applicable to any user

  • Capabilities: Broader data visibility and collection

2. Reports Data Collectors (Service Account Only)

  • Access Transparency Collector

    • What it collects: System access logs

    • Use case: Security monitoring

    • Example: Tracking admin access to user data

    • Key features:

      • Google staff access logs

      • System-level access tracking

      • Compliance monitoring

  • Admin Collector

    • What it collects: Administrative activities

    • Use case: Admin behavior analysis

    • Example: Tracking configuration changes

    • Key features:

      • Admin action logs

      • System settings changes

      • User management activities


Key Differences Between Access Modes

Access Scope

Personal data only

Organization-wide data

Data Collection

Limited to authenticated user

All users and administrative data

Best For

Individual investigations

Enterprise-level investigations

Advantages

Simple, user-specific analysis

Complete visibility of organization data

Limitations

Cannot access other users' data

Requires service account credentials

Use Case Example

"I need to investigate my own email communications from last month."

"I need to investigate all email communications within the finance department."

PreviousTornado CollectorsNextService Account Creation

Last updated 3 months ago

Was this helpful?

To use the Service Account Tornado users are required to set up some GWS Collector Prerequisites, and this is explained here:

Service Account Creation
GWS credentials will be required for Service Account login