Google Takeouts Installed Apps Parsing

Anyone with a Google account, or an Android phone has an accumulation of data that is kept by Google.  All of the data that Google stores is accessible from a place called Google Takeouts – a downloadable compilation of your activity.  This database stores your location history, photos, installed applications, browser bookmarks, photos, calendar appointments, chats, you name it. 

Owners of an account (or of a domain account) can download any of this data by visiting:  https://takeout.google.com/ 

One thing to note for those working as staff on high risk public campaigns is that enrolling in the Google Advanced Protection program, downloading the data requires both two factor authentication and an extended, vague wait period before a download link will be provided.  The protection in this serves to deny unauthorized access and protect information such as your current or most recent stored locations. 

For any user (including returns for law enforcement warrants), the data arrives via emailed link, which downloads a zipped archive of the data.  Inside the zip are JSON files, which are not easily readable, searchable or reported on by humans because of their layout.

Due to the potential sheer quantity of the data in the JSON file, it’s ideal to parse the data and clean it up to provide a friendly end-user readable format. 

The GTakeoutsAppsInstalled parser will clean up all of the extraneous data and JSON formatting and return a list of all applications (including date and time) that were installed on devices for the account.  Contents are written to a .txt file.  The information in the report will show the investigator (or user) all apps (including some system components) that were installed to the account’s devices.  This information can be used to show that banned apps were installed on a device, that unwanted apps were installed, or to show apps that may point to a user’s activity that warrants further investigation.

The code can be found here:  https://github.com/DFIRLore/Google-Takeouts

For an in-depth look at the data found in Google Takeouts, here is an excellent webinar: https://www.magnetforensics.com/resources/exploring-the-data-available-from-google-takeout-webinar-recording/