
Investigating Data Exposure in Google Drive


If you’ve worked in Google Workspace long enough, you already know this truth:

Google Drive is where data leaks love to happen.

Not always malicious. Sometimes it’s just:

  • “Oops, shared it publicly”

  • “Oops, shared it with the wrong domain”

  • “Oops, didn’t realize Anyone with the link means literally anyone”


So when data exposure happens, we usually care about two questions:

  1. What happened to the file?

  2. Can we still access or recover it?

That’s where Google Drive investigation tools come in.


-------------------------------------------------------------------------------------------------------------

Tool 1: Google Drive Log Events (Your Timeline, Not Your Files)

Think of the Drive Log Events as your CCTV footage, not the evidence locker.


What it’s good at:

  • Showing who did what

  • Showing when it happened

  • Showing permission changes

  • Near real-time visibility (usually within minutes)


What it’s not good at:

  • Accessing files

  • Showing file contents

  • Tracking anonymous viewers or downloads


Key Things to Know About Drive Log Events

Let’s break this down simply:

  • Keeps 6 months of history

  • Logs actions like:

    • File creation

    • Sharing changes

    • Permission updates

    • Deletions

  • Does NOT give you the file itself

  • CSV export is limited to 100,000 rows

  • Unauthenticated (anonymous) access is logged only for edits

    • Viewing or downloading by anonymous users? ❌ Not logged


So if a file was publicly shared and downloaded 1,000 times anonymously — the audit log will not tell you that.

Painful, but important to know upfront.



Where Are Drive Log Events Now?

Earlier, Drive log events lived in their own section of the Admin console. That changed.

Today, Drive Log Events live inside the audit and investigation tool in the Google Admin Console (Reporting > Audit and investigation > Drive log events).

Inside the investigation tool, you can:

  • Filter events

  • Use AND / OR logic

  • Group by fields (user, document, event type)

  • Search using partial matches

One warning though ⚠️: even though logs are generated quickly, some events can lag up to 12 hours before they show up.

------------------------------------------------------------------------------------------------------------

Tool 2: Google Vault (This Is Where the Files Live)

If Audit Logs are the timeline, Vault is the evidence room.

Vault is what you use when:

  • You actually need the document

  • A file was deleted

  • A user “accidentally” removed something important

But Vault comes with conditions.


What Vault Can Do

  • Access files in user Drives

  • Access deleted files

  • Apply holds

  • Enforce retention rules


What Vault Cannot Do

  • Give you an audit trail

  • Tell you who did what and when

It’s access, not visibility.


Deletion Timelines (This Matters a LOT)

Here’s the reality of deleted files:

  • When a user deletes a file → it goes to Trash

  • Trash keeps files for 30 days

  • Once removed from Trash:

    • Admins have 25 more days to recover (without Vault)

    • With Vault, the file stays available for as long as a retention rule or hold covers it

  • Custom retention rules or holds = files stay longer

If Vault covers the file (through a retention rule or a hold), you can usually recover it without restoring the user account.

------------------------------------------------------------------------------------------------------------

Alternate File Recovery Scenarios (The “Oh No” Cases)


Case 1: Active User Deleted Files

  • Trash keeps files for 30 days

  • After Trash deletion:

    • Admins have 25 days to restore

  • Restore options:

    • Original location

    • Shared Drive

No Vault license? After 25 days — game over.

Case 2: Deleted User Account

This one catches teams off guard.

  • Deleted user accounts can be restored for 20 days

  • Files can be recovered only if:

    • The user account is restored first

    • Or Vault retained them (a retention rule or hold must have covered the files)

  • Ownership transfer is the cleaner option:

    • Transfer the user’s files to another user’s Drive when you delete the account (the deletion flow offers this), so the files never depend on the recovery window at all

Again — Vault makes life easier here.
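To make the two scenarios above concrete, here is a small recovery-window calculator. It is an added example, not code from the original post: it encodes the windows quoted above (30 days in Trash, 25 days of admin restore after the file leaves Trash, 20 days to restore a deleted account, Vault for as long as a rule or hold applies) and reports which recovery paths are still open on a given day. Treating a Vault hold as "no expiry" (None) and the dates in sample_scenarios() are this example's own conventions.

```python
"""
Recovery-window calculator for the Drive deletion scenarios in the post.
Added example, not code from the post. Windows encoded:
  Trash keeps a file 30 days; admins get 25 days after it leaves Trash;
  a deleted user account can be restored for 20 days; Vault keeps a file
  for as long as a retention rule or hold covers it.
A deadline of None means "no fixed expiry" (a Vault hold) - this example's
convention, not a Workspace value.
"""
from datetime import date, timedelta

TRASH_DAYS = 30            # user can restore from Trash for this long
ADMIN_RESTORE_DAYS = 25    # admin restore window after the file leaves Trash
ACCOUNT_RESTORE_DAYS = 20  # window to restore a deleted user account


def recovery_options(today, trashed_on, trash_emptied_on=None,
                     account_deleted_on=None, vault_covered=False,
                     vault_retention_ends=None):
    """Return {path: deadline} for every recovery path still open on `today`.

    Paths that need the user's account (Trash, admin restore) are only
    reachable if the account is live or can still be restored; when the
    account is gone, 'restore_account_first_by' tells you the gate date.
    """
    open_paths = {}

    # Vault path: independent of the account, bounded only by the rule/hold.
    if vault_covered and (vault_retention_ends is None or today <= vault_retention_ends):
        open_paths["vault"] = vault_retention_ends

    # Account gate for every non-Vault path.
    account_gate = None
    if account_deleted_on is not None:
        account_gate = account_deleted_on + timedelta(days=ACCOUNT_RESTORE_DAYS)
        if today > account_gate:
            return open_paths  # account unrecoverable: only Vault can help

    # Trash: until the user emptied it, or auto-purge after TRASH_DAYS.
    left_trash = trash_emptied_on or trashed_on + timedelta(days=TRASH_DAYS)
    if today < left_trash:
        open_paths["user_trash_restore"] = left_trash

    # Admin restore window runs from the day the file left Trash.
    admin_deadline = left_trash + timedelta(days=ADMIN_RESTORE_DAYS)
    if today <= admin_deadline:
        open_paths["admin_restore"] = admin_deadline

    if account_gate is not None and any(k != "vault" for k in open_paths):
        open_paths["restore_account_first_by"] = account_gate
    return open_paths


def sample_scenarios():
    """Constructed dates (not from the post) run through the calculator."""
    return {
        # Active user, file trashed 1 Jan and never restored; checked 10 Feb.
        "active_after_trash": recovery_options(
            today=date(2024, 2, 10), trashed_on=date(2024, 1, 1)),
        # Same file checked 1 Mar: Trash and admin windows are both closed.
        "active_too_late": recovery_options(
            today=date(2024, 3, 1), trashed_on=date(2024, 1, 1)),
        # Account deleted 15 Jan, checked 20 Jan: account must come back first.
        "deleted_account": recovery_options(
            today=date(2024, 1, 20), trashed_on=date(2024, 1, 1),
            account_deleted_on=date(2024, 1, 15)),
        # Account deleted 15 Jan, checked 10 Feb: only a Vault hold helps.
        "deleted_account_vault_hold": recovery_options(
            today=date(2024, 2, 10), trashed_on=date(2024, 1, 1),
            account_deleted_on=date(2024, 1, 15), vault_covered=True),
    }


if __name__ == "__main__":
    for name, paths in sample_scenarios().items():
        print(name, "->", paths or "nothing left without Vault")
```

Run it and the "deleted_account" case shows the trap the post warns about: the file itself is recoverable until 25 February, but only if the account is restored by 4 February first.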

------------------------------------------------------------------------------------------------------------

Exporting Drive Logs



------------------------------------------------------------------------------------------------------------

Important Fields You’ll Actually Use During an Investigation

Let’s translate the useful ones into investigator language:

Document ID

This is gold.

  • Unique across all Google Workspace tenants

  • Same ID you see in the document URL

  • Perfect for matching phishing URLs to actual Drive files


Owner vs Actor

  • Owner: Who owns the file

  • Actor (User field): Who performed the action

These are often not the same person.

Visibility & Prior Visibility

This tells the real story.

  • Prior Visibility → what access looked like before

  • Visibility → what access looks like now

This is how you catch:

  • Private → Public changes

  • Internal → External sharing

  • Domain-wide exposure


IP Address

Extremely useful for:

  • Geo anomalies

  • Impossible travel

  • Correlation with other Workspace logs
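The fields above are what you actually pivot on, so here is a worked triage over a CSV export that uses them together: pull the Document ID out of a reported phishing URL, flag every event where Prior Visibility was not exposed and Visibility now is, note whether the actor was the owner, and rebuild the per-document timeline. This is an added example, not code from the original post. The column headers and the visibility strings are assumptions modelled on the fields the post names (a real export's header text may differ, so adjust them), and every log line is constructed. Remember the earlier caveat: this timeline shows when the door was opened and by whom, not who walked through it, because anonymous views and downloads are not logged.

```python
"""
Exposure triage over a Drive log events CSV export.
Added example, not code from the original post. Column names and
visibility labels are assumptions modelled on the fields the post
discusses; adjust them to match your export. All log lines are constructed.
"""
import csv
import io
import re
from datetime import datetime

# Constructed sample export. Document IDs, users and addresses are made up.
SAMPLE_CSV = """\
Date,Event Name,Document ID,Document Title,Owner,Actor,Visibility,Prior Visibility,IP Address
2024-05-01T09:02:11Z,create,1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd,Q3 Forecast,alice@example.com,alice@example.com,Private,,203.0.113.10
2024-05-01T09:05:40Z,change_user_access,1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd,Q3 Forecast,alice@example.com,alice@example.com,Shared internally,Private,203.0.113.10
2024-05-02T17:44:03Z,change_document_visibility,1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd,Q3 Forecast,alice@example.com,bob@example.com,Anyone with the link,Shared internally,198.51.100.7
2024-05-02T17:50:19Z,change_user_access,2ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxw,Vendor List,carol@example.com,carol@example.com,Shared externally,Private,203.0.113.22
2024-05-03T08:10:00Z,delete,1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd,Q3 Forecast,alice@example.com,alice@example.com,,,203.0.113.10
"""

# Visibility states that mean "people outside the domain can reach it" (assumed labels).
EXPOSED = {"Anyone with the link", "Public on the web", "Shared externally"}

# Drive file IDs appear as /d/<id>/ in Docs/Sheets URLs or as ?id=<id> in Drive links.
DOC_ID_RE = re.compile(r"/d/([A-Za-z0-9_-]{20,})|[?&]id=([A-Za-z0-9_-]{20,})")


def doc_id_from_url(url):
    """Pull the Document ID out of a Drive/Docs URL, e.g. one from a phishing report."""
    m = DOC_ID_RE.search(url)
    return (m.group(1) or m.group(2)) if m else None


def parse_events(text):
    """Read the export and sort by timestamp; exports are not guaranteed to be ordered."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["Date"], "%Y-%m-%dT%H:%M:%SZ")
    rows.sort(key=lambda r: r["ts"])
    return rows


def exposure_events(rows):
    """Events where Prior Visibility was not exposed and Visibility now is."""
    hits = []
    for r in rows:
        prior, now = r["Prior Visibility"], r["Visibility"]
        if now in EXPOSED and prior not in EXPOSED:
            hits.append({
                "doc": r["Document ID"], "title": r["Document Title"],
                "when": r["Date"], "from": prior or "(unknown)", "to": now,
                "actor": r["Actor"], "owner": r["Owner"],
                "actor_is_owner": r["Actor"] == r["Owner"],  # Owner vs Actor
                "ip": r["IP Address"],
            })
    return hits


def timeline(rows, doc_id):
    """Ordered (when, event, actor, visibility) tuples for one Document ID."""
    return [(r["Date"], r["Event Name"], r["Actor"], r["Visibility"] or "-")
            for r in rows if r["Document ID"] == doc_id]


def triage(text, reported_url):
    """Tie a reported URL to the export: its Document ID, all exposures, its timeline."""
    rows = parse_events(text)
    doc = doc_id_from_url(reported_url)
    return {"doc_id": doc,
            "exposures": exposure_events(rows),
            "timeline": timeline(rows, doc) if doc else []}


if __name__ == "__main__":
    reported = ("https://docs.google.com/spreadsheets/d/"
                "1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd/edit?usp=sharing")
    result = triage(SAMPLE_CSV, reported)
    print("Reported Document ID:", result["doc_id"])
    for e in result["exposures"]:
        who = "owner" if e["actor_is_owner"] else "non-owner"
        print(f'{e["when"]} {e["title"]}: {e["from"]} -> {e["to"]} '
              f'by {e["actor"]} ({who}) from {e["ip"]}')
    for step in result["timeline"]:
        print("  ", *step)
```

On the sample data this surfaces two exposures: a non-owner (bob) flipping Q3 Forecast to "Anyone with the link" from a different IP than the owner ever used, and carol sharing Vendor List externally. The IP column is what you then feed into impossible-travel checks against login events for the same actor.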


------------------------------------------------------------------------------------------------------------

Final Thoughts (The Big Picture)

When investigating Google Drive exposure, remember:

  • Drive log events tell you the story

  • Vault gives you the evidence

  • Timing is everything

  • Anonymous access visibility is limited

  • Exports are clunky but necessary


Drive investigations are rarely about one log or one tool — they’re about stitching together:

---------------------------------------------Dean-----------------------------------------------------------
