GHunt: Investigating Google accounts
Link to tool: https://github.com/mxrch/GHunt
GHunt is quite a neat script that evolved quite considerably since September 2020. What is immediately evident is that it has been consistently maintained by the developers, who themselves are very responsive when addressing bugs.
The script itself is a modulable OSINT tool that enables Digital Investigators to information that lies behind a Google email account and Google document. The Email module enables the discovery of:
- Account owner’s name
- Google ID
- The last time that the profile was edited – This is quite useful when attempting to discover whether a target account is active
- Profile picture – Please note that this feature is limited when using the script in Docker
- Google Hangout Bots discovery
- Activated Google services such as YouTube, Google Maps, Google News360 and others)
- Possible YouTube channel – This is somewhat useful, though the search process behind this feature appears to be based on the account owner’s name and other possible usernames (as indicated below). In my experience, the tool could benefit from basing the search on other identified metrics or allowing the Digital Investigator to input custom search parameters.
- Possible other usernames
- Google Map reviews – This is useful with regards to investigations that require geolocations. However, this feature naturally only works if the reviews are set to public (which they are by default)
- Possible physical location – This feature appears to be based on the aggregation of Google Map reviews and providing the Digital Investigator with a range of most reviewed places
- Google Calendar Events – This feature also requires the user to have this feature set on public
With regards to the Google Documents module that exists on the script and allows Digital Investigators to discover documents associated with the Google Account, GHunt enables the following information to be collected:
- Document owner’s name
- Document owner’s Google ID
- Document owner’s profile picture – Again, this feature is not available when using the script on Docker
- Document creation date
- Document last edited date
As acknowledged by the script’s contributors, GHunt has lost the capability to search for Google Photos albums. This issue is currently being addressed though it remains unsure whether this issue is attributed to a bug or a new security feature implemented by Google.
Installation of this script is somewhat straightforward either on Python or Docker. For this review, I opted to use Docker to automatically build and deploy GHunt. The process was seamless with no issues whatsoever. However, the tool requires five Cookies from Google to generate an authentication token. Finding these cookies was very easy by logging into my Google Account then using the ‘Inspect / F12’ feature on Google Chrome and navigating to ‘Applications’. From here, I could copy and paste the required Cookies into the authenticator generator script named ‘check_and_gen.py’. After this, deploying the tool against a target was flawless with instant results – as the image above shows.
In summary, I would recommend the use of this tool in Digital Investigations. Whilst it would be a shame if the tool loses the capability to identify Google Photos albums associated with a Google Account, I do believe that the remaining features are more than effective.