I just presented my research on investigations including Google Home devices at the SANS DFIR Summit and with that am releasing the Python script that I wrote for part of it.
My presentation was based on the fictional scenario below:
In the scenario, I was sent to a scene containing a Google Home and an Android phone. The main problem I wanted to solve was “How do I know that the Android device, that contains the Google account details, is related to the Google Home device”.
What Homespeak allow you to do is send a few commands, quickly and easily, that obtain data from the home device (and I haven’t included the commands that can modify the home).
You can either log onto the network that the Home is on and query it that way (once you find the IP address), or you can reboot the Home and connect to the network that it creates when it starts up.
If you take the second route, the Home seems to scan and store the surrounding wifi networks, so just be aware if you don’t want that to be stored on the device.
The tool requires Python3 and the “Requests” library.
The most useful two commands are “info” and “bluetooth”:
- Info gets you the “Cloud Device ID” which can be correlated with the device ID located within the “Home graph” file in the Android data. If the cloud device ID is found in the Home graph, then that’s the account that is linked with the home device with the corresponding ID. It’s important to note that whilst the device ID is persistent, it is refreshed if the user holds the reboot button and starts the device again. As a result, I don’t think it’s based on something like the serial number printed on the device’s base.
- Bluetooth will get you all of the currently paired bluetooth devices, including their pairing and last connection/disconnection date, name, and MAC address. This is a great additional piece of data for tracking a persons movements. If you want deleted blueooth device you may get lucky by removing and reading the NAND flash chip.
You can run the “all” command, which for the most part works on Google Home devices, but may crash on Chromecast devices. As a result I’d recommend running “all”, “info” and “bluetooth” separately and save them into a text file.
If anyone would like more information, I’ll probably upload my slides up shortly, and SANS will be posting the video in a couple of months.
Otherwise, feel free to reach out…happy to speak to anyone that’s done some work on Home devices, especially for a proper investigation.