In December last year I think I wrote one of my most successful articles yet, on how to trace a possible identity via a Gmail address. But life and work happened, and even though I discovered a lot more things, I never had the time or the opportunity to write about it. Until now! So here we are, with some more tips and hints on one of my favourite topics.
Let's first correct something, because I finally figured out what to call that 21-digit number that connects everything together: the GAIA ID, which stands for Google Accounts and ID Administration ID (source). As you have read in the first article, it is used all over the place by Google to identify all kinds of things.
Now that that's out of the way, it is time to have a bit more fun with some new things you can do with those IDs.
Hangouts by Google is a chat app that has been around since 2013 and is not just easy to use for chats, but also for finding the IDs that we so desperately want. And to be honest, it is not only the easiest way, it also gives back a lot of extra information. Let's look at an example: open https://hangouts.google.com while logged in to an account, with the 'Network' tab of your browser's developer tools open. Start a new chat and fill in the email address that you want to investigate.
Before or after pasting the email address, filter on the word 'lookup' and check the 'Response' tab to see all the JSON that was received. It contains a lot of information, but more about that later on.
There is one extra thing you should also check: remove the filter on 'lookup' and have a good look at the requests that start with 'autocomplete'. There you may see similar accounts that might be connected, like in the following example:
While searching on the email address '[email protected]' we found a '[email protected]', but it has the exact same ID. Within the JSON, both accounts have the following properties inside the 'email' block:
But there is a difference. The account we searched for has the element 'container' set to PROFILE, and the account that was retrieved (the one with the extra period in the account name) has it set to DOMAIN_PROFILE. The explanation for that can be found in the Google API documentation: the latter is a G Suite account, whereas the first account is a normal Google account. Both appear to be connected to the same user though, since the gaia_id is the same.
Another reason why I would recommend using Hangouts is that it returns a long list of apps that a user is connected to. When filtering on the 'lookup' request, it is possible to find the list of Google apps that the account is connected to, giving you some basic information on where to extend your search.
Some values that you can see in there are:
Strip everything from the at sign onwards, and use that 'alias' to search for a possible connection with the techniques described earlier.
As described earlier, find the gaia_id and add it to the base URL to check for public photos.
The same as with Google Photos: check for publicly available information. I usually use Google Maps to retrieve the full name of the account.
I haven't done any research on that one, but it indicates that the account is connected to Google's News360.
When you are looking at the JSON that was returned by your query, I would also like to point out one more thing: the object called 'lastUpdateTimeMicros'. This gives you the exact time the account was last edited, or in some cases created, although there isn't a way to find out whether the time given is the edit time or the creation time.
This is still interesting to check though, since it may be that you are investigating a bunch of email addresses connected to a certain case, and you find out that the times they were last "updated" are within minutes of each other. That is a strong indication that those accounts were created by the same person in rapid succession, for whatever reason you may be investigating them.
The value is UNIX time in microseconds (hence the 'Micros' suffix), so divide it by 1,000,000 (or use an epoch converter that understands microseconds) to find out that the above-mentioned timestamp converts to the following time in GMT+0:
Thursday, 23 May 2019 07:39:04
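As an added example (not code from the original article), the script below does on a saved copy of the 'lookup' response what the previous paragraphs do by hand: it converts lastUpdateTimeMicros to UTC, groups addresses that share a gaia_id (the PROFILE / DOMAIN_PROFILE pair above), lists the connected apps, and flags separate accounts whose update times fall within a few minutes of each other. The JSON nesting ("entity", "apps"), the example.com addresses and the timestamps are all constructed for this example; only the field names gaia_id, container and lastUpdateTimeMicros come from the text, and Google's real response will be shaped differently.

```python
"""Pivot on the fields of a saved Hangouts 'lookup' response: gaia_id,
container, connected apps and lastUpdateTimeMicros."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample standing in for the JSON copied from the 'Response' tab.
# The nesting under "entity" and the key "apps" are assumptions made for this
# example; the real response is not documented here.
SAMPLE_RESPONSE = json.dumps({
    "entity": [
        {"email": "jane.doe@example.com", "gaia_id": "100000000000000000001",
         "container": "PROFILE", "apps": ["photos", "maps", "youtube"],
         "lastUpdateTimeMicros": "1558597144123456"},
        {"email": "jane.d.oe@example.com", "gaia_id": "100000000000000000001",
         "container": "DOMAIN_PROFILE", "apps": ["maps"],
         "lastUpdateTimeMicros": "1558597144123456"},
        {"email": "burner2@example.com", "gaia_id": "100000000000000000002",
         "container": "PROFILE", "apps": ["photos"],
         "lastUpdateTimeMicros": "1558597234123456"},   # 90 s later
        {"email": "old.account@example.com", "gaia_id": "100000000000000000003",
         "container": "PROFILE", "apps": [],
         "lastUpdateTimeMicros": "1559374744000000"},   # nine days later
    ]
})


def micros_to_utc(micros) -> datetime:
    """lastUpdateTimeMicros is microseconds since the UNIX epoch. Build the
    datetime with an exact timedelta instead of a lossy float division."""
    return EPOCH + timedelta(microseconds=int(micros))


def parse_lookup(raw: str) -> List[Dict]:
    """Flatten every entity into the handful of fields worth pivoting on."""
    records = []
    for ent in json.loads(raw).get("entity", []):
        records.append({
            "email": ent["email"],
            "gaia_id": ent["gaia_id"],
            "container": ent.get("container", "UNKNOWN"),
            "apps": list(ent.get("apps", [])),
            "updated": micros_to_utc(ent["lastUpdateTimeMicros"]),
        })
    return records


def group_by_gaia(records) -> Dict[str, List[str]]:
    """Addresses sharing a GAIA ID belong to one underlying account, even when
    one is a PROFILE and the other a DOMAIN_PROFILE."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(r["gaia_id"], []).append(r["email"])
    return groups


def update_clusters(records, window=timedelta(minutes=5)) -> List[List[str]]:
    """Sweep records in time order and open a new cluster whenever the gap to
    the previous record exceeds `window`. Only clusters holding two or more
    distinct GAIA IDs are returned: separate accounts touched within minutes
    of each other, the 'created in rapid succession' signal."""
    ordered = sorted(records, key=lambda r: r["updated"])
    clusters, current = [], []
    for r in ordered:
        if current and r["updated"] - current[-1]["updated"] > window:
            clusters.append(current)
            current = []
        current.append(r)
    if current:
        clusters.append(current)
    return [[r["email"] for r in c]
            for c in clusters if len({r["gaia_id"] for r in c}) >= 2]


if __name__ == "__main__":
    recs = parse_lookup(SAMPLE_RESPONSE)
    for r in recs:
        print(f'{r["email"]:26} {r["gaia_id"]} {r["container"]:15} '
              f'{r["updated"]:%Y-%m-%d %H:%M:%S} UTC apps={",".join(r["apps"])}')
    print("same GAIA ID:",
          {g: e for g, e in group_by_gaia(recs).items() if len(e) > 1})
    print("updated within 5 min of each other:", update_clusters(recs))
```

Paste the real response into a file and swap it in for SAMPLE_RESPONSE; the clustering window is the only knob worth tuning, and keep in mind that the timestamp may be an edit rather than a creation time, so treat a cluster as a lead, not as proof.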
Remember the connected apps that I described above? Did you know that it is possible to connect to a Google app with an email address that does not end in @gmail.com? Go give it a try with the following email address.
Note: please don't abuse this address, it's a real live example I found online.
In a similar fashion to what we have been doing before, we just open the Google Maps link to find the username, or in this case the description that was given to the account.
When you realise that Google has a huge market share when it comes to online services, you can understand that these kinds of things can be very valuable. A few simple searches, changing some URLs, and knowing how the developer tools in your favourite browser work: that is all that is needed to maybe find that hidden piece of information you needed.
That's it for today! And judging by the amount of time I have spent digging into all kinds of API's, Google platforms, mobile apps, inspecting network traffic and such, I think it will take quite some time before there is a third part… 😉