DOCSLIB.ORG

2020-07-02-RECON LAB Manual.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

1. Introduction 8 1.1 Why Use a Mac for Forensic Analysis? 9 1.1.1 Apple Extended Attributes 9 1.1.2 Viewing Proper Timestamps 9 1.1.3 Viewing Files Natively 10 1.1.4 Apple File System (APFS) 10 1.1.5 Local Time Machine Snapshots (APFS) 10 1.1.6 FileVault 11 1.1.7 Support for Other File Systems 11 1.2 Hybrid Processing Engine 11 1.3 Three Stage Analysis 12 1.4 Support for Hundreds of Timestamps 12 1.5 Advanced Timelines 12 1.6 Advanced Data Correlation 12 1.7 Advanced Reporting With Full Control 13 2. Recommended Minimum Requirements 13 3. Helpful Hints 14 4. Getting Support 15 5. Renewing RECON LAB 15 6. Training 16 7. Installation 16 7.1 Installing Xcode and Command Line Tools 16 7.2 Installing FUSE for macOS 17 7.3 Installing Paragon Drivers 17 7.5 Installing RECON LAB 18 7.6 Granting Privileges 20 7.6.1 Full Disk Access 20 7.7 Energy and Sleep Settings 21 RECON LAB Copyright © 2010-2020 SUMURI LLC 1 of 199 7.4 Updating RECON LAB 22 8. Starting RECON LAB 23 8.1 Adding Your License 23 8.2 Installing Python 24 8.3 Admin Password 25 8.4 Access Warning Messages 25 8.5 RECON LAB Welcome Screen 26 9. Configuration 27 9.1 Examiner Details 27 9.2 Artifacts and Plugins 28 9.3 User Defined Extensions 31 9.4 User Defined File Signatures 32 9.5 Keyword Lists 33 9.6 Text Indexing Filters 35 9.7 Apple Metadata Filters 38 9.8 EXIF Metadata Filters 40 9.9 Volatility Path 41 9.10 System Password 42 9.11 Text View Settings 43 9.12 External Applications 44 9.13 Highlight User Opened Files 44 10. Starting A New Case 47 10.1 Case Info 47 10.2 Adding Source Data to Process 48 10.2.1 Mounted Volumes 49 10.2.2 Forensics Images 49 10.2.3 FileVault Image 50 10.2.4 Fusion Image 50 RECON LAB Copyright © 2010-2020 SUMURI LLC 2 of 199 10.2.5 Optical Disc Image 52 10.2.6 RAM Image 52 10.2.7 iOS Backup 52 10.2.8 Time Machine Backup 53 10.2.9 Google Takeout 54 10.2.10 macOS Home Directory 55 10.2.11 Folder 55 10.2.12 File 56 10.2.13 ADB Android Backup 56 10.2.14 RECON Logical Image 56 10.3 Adding Source Information 57 10.4 Adding Multiple Sources 58 10.5 Case Directory 58 10.6 Date and Time Settings 60 10.7 File System Modules Selection 61 10.7.1 Apple Metadata Module 62 10.7.2 MIME Types Module 63 10.7.3 Signature Analysis Module 64 10.7.4 EXIF Metadata Module 65 10.7.5 Hashes Module 66 10.8 Artifact Plugin Selection Module 67 11. Reloading a Case 68 12. RECON LAB Interface 69 12.1 Processing Status Window 70 12.2 Case View 72 12.3 Top Menu 73 12.4 Main Columns 74 12.5 Case Sidebar 77 RECON LAB Copyright © 2010-2020 SUMURI LLC 3 of 199 12.6 Main Viewer Window 78 12.6.1 Table View 81 12.6.1.1 Recursive View 81 12.6.1.2 Export to CSV 82 12.6.1.3 Table View Filter and Search 83 12.6.1.4 Navigation Buttons 84 12.6.2 Gallery View 84 12.7 Multimedia Preview Pane 85 12.8 Viewer Panes 85 12.8.1 Detailed Information Pane 86 12.8.2 Hex View Pane 87 12.8.3 Text View Pane 88 12.8.4 Strings View Pane 88 12.8.5 EXIF Metadata View Pane 89 12.8.6 Apple Metadata View Pane 89 12.8.7 Maps Preview Pane 90 13. Removing a Source 91 14. Right-Click Options 92 15. Previewing Files 94 16. Automated Analysis 95 17. Bookmarks and Tagging Evidence 100 17.1 Bookmarks 100 17.2 Tags 101 17.3 Finding Tags and Bookmarks in Sidebar 102 17.4 Removing Tags and Bookmarks 103 18. Indexing 103 19. Search Options 106 19.1 Artifacts Keyword Search 106 RECON LAB Copyright © 2010-2020 SUMURI LLC 4 of 199 19.2 File Search 109 19.3 Content Search 113 19.4 Apple Metadata Search 115 19.5 EXIF Metadata Search 117 20. Advanced Viewers 119 20.1 Plist Viewer 119 20.2 Hex Viewer 121 20.3 SQLite Viewer 126 20.4 Registry Viewer 129 21. Exporting Options 131 22. Carving 133 22.1 File Carving 133 22.2 Data Carving 136 22.3 Carving Unallocated Space 137 23. Hash Sets 140 23.1 Creating Hash Sets 140 23.2 Importing Hash Sets 144 23.3 Removing Files From Case Using Hash Sets 145 24. Hide or Show Files 146 25. Project Vic 148 26. Email Analysis 149 27. Timeline Analysis 153 27.1 Super Timeline 154 27.2 Artifacts Timeline 155 28. Redefined Results 160 28.1 Collated Location History 161 28.2 Collated Messaging 161 28.3 Collated Web History 163 RECON LAB Copyright © 2010-2020 SUMURI LLC 5 of 199 29. RAM Analysis 165 29.1 Setting Up Volatility Framework 166 29.2 Selecting a RAM Image to Process 167 29.3 Carving Passwords from RAM 167 29.4 Using Volatility Framework in RECON LAB 170 30. Local Time Machine Snapshots (APFS Snapshots) 172 30.1 Processing Local Time Machine Snapshots 172 31. Acquiring and Processing iOS Devices 174 31.1 Acquiring an iOS Device 174 31.2 Adding an iOS Backup to Process 177 32. Reporting 178 32.1 Plugin Reports 179 32.2 Global Artifacts Report 181 32.2.1 Case Information Window 181 32.2.2 Customizing Global Reports 182 32.2.3 Global Report Type 185 32.3 Story Board Reports - WYSIWYG Reports 186 32.3.1 Editing a Report 188 32.3.2 Adding Tags and Bookmarks to a Report 188 32.3.3 Adding External Files to a Report 189 32.3.4 Filtering Records In Story Board 190 32.3.5 Adding Records in Chronological Order 191 32.3.5 Blur Image in Report 192 32.3.6 Saving and Exporting a Story Board Report 192 33. Shutdown RECON LAB 193 34. Disk Manager with Write-Block 193 34.1 Write-Blocking 194 34.2 Mounting a Device Read-Only 196 RECON LAB Copyright © 2010-2020 SUMURI LLC 6 of 199 35. Terms and Conditions 196 RECON LAB Copyright © 2010-2020 SUMURI LLC 7 of 199 1. Introduction RECON LAB is a full Forensic Suite that supports numerous file systems such as Windows, macOS, Linux, iOS, Android and more. RECON LAB was created to solve multiple problems inherent in other forensic tools and to expedite processing and analysis without sacrificing the quality of the exam. RECON LAB was designed, developed and runs on macOS. MacOS was the only logical choice for developing a modern forensic tool to support the most common and largest number of file systems and artifacts without losing data. The most difficult file system and operating system (OS) for most forensic tools to support is macOS. Mac understands itself and can interpret its own artifacts. This is not true of other file systems, operating systems, and other forensic tools as they do not natively support macOS and its artifacts. In addition to supporting its own file system and artifacts, macOS supports a multitude of other file systems and the artifacts of Windows, Linux, Unix and many more. RECON LAB is the only full Forensic Suite designed natively on macOS to take full advantage of the power within macOS. Other forensic tools that run on a Mac were ported from other non-Mac operating systems and experience limitations. Instead of utilizing native macOS libraries they rely on reverse engineering and third-party applications which can lead to missed data, improper interpretation of data and slower processing times. RECON LAB primarily relies on native macOS libraries so support for new macOS file systems and/or artifacts is quick or instantaneous. RECON LAB comes with one full year of free updates and support. RECON LAB Copyright © 2010-2020 SUMURI LLC 8 of 199 1.1 Why Use a Mac for Forensic Analysis? Until the release of RECON LAB, no other forensic tool properly processed or utilized the correct timestamps for macOS. This is only one example of an extremely important artifact that is improperly interpreted or missed completely by other forensic tools. It is imperative to understand the importance of macOS in forensic exams and what may be missed by other forensic tools. 1.1.1 Apple Extended Attributes Apple Extended Attributes are special metadata created only within macOS to allow searches via the macOS search utility - Spotlight. Apple Extended Attributes contain extremely valuable information for investigations. This special metadata cannot be seen in Windows. Most Windows forensic tools ignore or have a limited ability to display Apple Extended Attributes as they are not natively supported. Images and data collected by SUMURI’s RECON ITR and processed by RECON LAB provide the most extensive views of Apple Extended Metadata. Understanding Apple Extended Metadata is critical to investigations. 1.1.2 Viewing Proper Timestamps Apple’s macOS utilizes Apple Extended Attributes for timestamps in favor of POSIX (Unix) timestamps. RECON IMAGER, when used with RECON LAB, is the only solution to properly view and utilize the correct macOS timestamps. RECON LAB Copyright © 2010-2020 SUMURI LLC 9 of 199 1.1.3 Viewing Files Natively There are many file types and artifacts proprietary to macOS.
Recommended publications
  • Electronic Evidence Examiner

    Electronic Evidence Examiner

    2 Table of Contents About Electronic Evidence Examiner How To .......................................................................12 How to Work with Cases .........................................................................................................13 How to Create New Case .......................................................................................................13 How to Enable Automatic Case Naming .................................................................................14 How to Define Case Name During Automatic Case Creation .................................................14 How to Open Existing Case....................................................................................................15 How to Save Case to Archive .................................................................................................16 How to Change Default Case Location ...................................................................................16 How to Add Data to Case ........................................................................................................17 How to Add Evidence .............................................................................................................18 How to Acquire Devices .........................................................................................................20 How to Import Mobile Data .....................................................................................................21 How to Import Cloud Data ......................................................................................................22
  • Policy and Procedures

    Policy and Procedures

    Policy and Procedures PEER FORUM I: DISK IMAGING December 7-8, 2017 at The Museum of Modern Art The following notes came out of Peer Forum I: Disk Imaging, a discussion as part of the Media Conservation Initiative ​ at MoMA. These notes represent the views of the speakers and participants who attended this meeting. The following notes came out of Peer Forum I: Disk Imaging, a discussion as part of the Media Conservation Initiative ​ at MoMA. These notes represent the views of the speakers and participants who attended this meeting. Contributors Reinhard Bek, Conservator of Contemporary Art, Bek & Frohnert LLC ​ Amy Brost, Assistant Media Conservator, The Museum of Modern Art ​ Euan Cochrane (Speaker), Digital Preservation Manager, Yale University Library ​ ​ Eddy Colloton, Assistant Conservator specializing in Electronic Media, Denver Art Museum ​ Deena Engel (Moderator), Clinical Professor, Director of the Program in Digital Humanities and Social ​ ​ ​ Science; Department of Computer Science, Courant Institute of Mathematical Sciences, New York University Dragan Espenschied (Speaker), Preservation Director, Rhizome ​ ​ Patricia Falcão, Time-Based Media Conservator, Tate ​ Jonathan Farbowitz, Fellow in the Conservation of Computer-Based Art, The Solomon R. Guggenheim ​ Museum Briana Feston-Brunet, Variable Media Conservator, Hirshhorn Museum & Sculpture Garden ​ Dan Finn, Media Conservator, Smithsonian American Art Museum ​ Ben Fino-Radin, Founder, Small Data Industries ​ Flaminia Fortunato, Andrew W. Mellon Fellow in Media Conservation,
  • Google Search Bar & Search Term History

    Google Search Bar & Search Term History

    DFIR Review Google Search Bar & Search Term History - Are You Finding Everything? Joshua Hickman Published on: May 26, 2020 License: Creative Commons Attribution 4.0 International License (CC-BY 4.0) DFIR Review Google Search Bar & Search Term History - Are You Finding Everything? Synopsis Forensic question: What information can be located regarding searches conducted in the Google search bar? OS Version: Nougat (8.55.6.21) Oreo (8.91.5.21) Tools: WinHex, Version 19.7 (Specialist License) Cellebrite UFED 4PC, Version 7.10.1.1080 (Nougat) Cellebrite UFED 4PC, Version 7.12.1.100 (Oreo) DCode Version 4.02a Google Protocol Buffers, Version 3.7.1 DB Browser for SQLite, Version 3.10.1 Cellebrite Physical Analyzer, Version 7.15.1.1 Cellebrite Physical Analyzer, Version 7.16.0.93 Internet Evidence Finder, Version 6.23.1.15677 2 DFIR Review Google Search Bar & Search Term History - Are You Finding Everything? Introduction Search history. It is an excellent way to peer into someone’s mind and see what they are thinking at a particular moment in time. In a court room, search history can be used to show intent (mens rea). There are plenty of examples where search history has been used in court to establish a defendant’s intent. Probably the most gruesome was the New York City Cannibal Cop trial, where prosecutors used the accused’s search history against him. Of course, there is a fine line between intent and protected speech under the First Amendment. Over the past month and a half I have published a couple of blog posts dealing with Google Assistant and some of the artifacts it leaves behind, which you can find here and here.
  • Langley Aerospace Test Highlights 1990

    Langley Aerospace Test Highlights 1990

    Langley Aerospace 4" Test Highlights I _ r-4 r_ i-j S_ L_ .Z: i:" 7 >- t,/ ,. 1990 Langley Research Center NASA Technical Memorandum 104090 ORIGINAL PAGE AND Wt-fTTE _:"-_TO_PAPH Langley Aerospace Test Highlights 1990 National Aeronautics and Space Administration Langley Research Center Langley Research Center NASA Technical Memorandum 104090 Hampton, Virginia 23665-5225 k ¸ Foreword The role of the NASA Langley Research Center is to perform basic and applied research necessary for the advancement of aeronautics and spaceflight, to generate new and advanced concepts for the accomplishment of related national goals, and to provide research advice, technological support, and assistance to other NASA installations, other government agencies, and industry. This report highlights some of the significant tests that were performed during calendar year 1990 in the NASA Langley Research Center test facilities, a number of which are unique in the world. The report illustrates both the broad range of the research and technology activities at the NASA Langley Research Center and the contributions of this work toward maintaining United States leadership in aeronautics and space research. Other highlights of Langley research and technology for 1990 are described in Research and Technology 1990-- Lan,gley Research Center. Further information concerning both reports is available from the Office of the Chief Scientist, Mail Stop l OS-A, NASA Langley Research Center, Hampton, Virginia 23665 (804-864-6062). Richard H. Petersen Director °o° PRECEDING PAGE BLANK NOT FILMED 111 Availability Information For additional information on any highlight, contact one of the individuals identified with the highlight. This individual is either a member or a leader of the research group.
  • Ransomware and G Suite Business: What You Need to Know

    Ransomware and G Suite Business: What You Need to Know

    EBOOK Pull text goes here and bold some of the copy Ransomware and G Suite Business: What You Need to Know 1 | backupify.com Pull text goes here Theand boldRansomware some Problem of the copy Small to enterprise sized businesses face an enormous computer security challenge. They have hundreds -- or thousands -- of accounts to manage. In most cases, not every account holder will ! have the training or knowledge to take the proper measures to keep the organization’s data secure. With multiple accounts, there’s a pretty good chance that someone will encounter malware. It just takes an accidental click or two to download and install. Ransomware encrypts your files then demands payment. The ransom notification promises that if you pay, you’ll receive an unlock code to decrypt your files. Of course, you have to pay in a hard-to- trace cryptocurrency. If you don’t pay, some variants delete your files -- a few at first, then more over time. Don’t think a reboot will help: that just spurs the software to delete your data. And even if you pay, you might not get your data back. You have absolutely no reason to trust the thieves behind the ransomware. Once they have your money, why would they bother to give you an unlock code that works? And why would you expect ransomware distributors to create bug-free code? There’s a decent chance they’re effective criminals, but lousy coders. Cloud apps and storage, such as G Suite and Google Drive, offer some protection from ransomware. New files you create online will be safe.
  • Certif Ication Handbook

    Certif Ication Handbook

    Certification Handbook EXAM FC0-U51 TM TM CompTIA® IT Fundamentals™ (Exam FC0-U51) CompTIA® IT Fundamentals™ (Exam FC0-U51) 2 Chapter # | Name of chapter CompTIA® IT Fundamentals™ (Exam FC0-U51) CompTIA® IT Fundamentals™ (Exam FC0-U51) Part Number: 099004 Course Edition: 1.0 Acknowledgements We wish to thank the following project team for their contributions to the development of this certification study guide: Pamela J. Taylor, Laurie A. Perry, Gail Sandler, Jason Nufryk, Alex Tong, and Catherine M. Albano. Notices DISCLAIMER While CompTIA Properties, LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their ac- curacy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious com- pany. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for edito- rial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with CompTIA Properties, LLC. This courseware may contain links to sites on the internet that are owned and operated by third parties (the “External Sites”).
  • Transfer Your Gmail and Drive with Google Takeout for Schools

    Transfer Your Gmail and Drive with Google Takeout for Schools

    Transfer your Gmail and Drive with Google Takeout for Schools You can take it with you! Transfer your Gmail and Drive with Google Takeout for Schools Change is a part of life: Maybe you are a high school senior or a college student and you are graduating. Or perhaps you are a student who is moving to a new school. You might be a teacher who is taking a job at a new school district. Or maybe you are an educator who is retiring after many years of service. In each situation, it is very possible you may have a Google account. G Suite may be used at your high school, your college, and any one of your jobs. So what happens to your Google account when you graduate high school, graduate college, move from one job to another, and eventually retire? You will have built up years of emails, documents, slideshows, and much more. Is there an easy way to take all those files and all that data with you? What would be great would be a simple tool to copy all of your files to a different Google account (such as your personal Gmail account). Well, thankfully we have that with Google Takeout for Schools. This is a very simple and free tool that will copy the emails and Drive files from your school account over to either a personal Gmail account or another G Suite for Education account. See below for a video demonstrating all the steps, as well as written direction on the process. Tutorial Video (9 minutes) Directions for Copying Gmail and Drive For the first step you need to have two different Google accounts, the source account that you are copying from and the destination account that you are copying to.
  • Cloud Forensics: Google

    Cloud Forensics: Google

    Hackinbo 2018 Cloud Forensics: Google Extracting Google Account data © ElcomSoft Ltd. www.elcomsoft.com 1 Google Forensics In This Presentation § Cloud and Over-the-Air Acquisition § Synchronized data § Passwords § Two-Factor Authentication 2 Cloud Forensics Cloud Acquisition: Why? • Helps dealing with locked and encrypted devices • Android 6 and up encrypted by default • Google Account may contain more data than the phone itself • Last resort: may succeed where all other methods fail • Google collects information from all signed-in devices 3 Page 3 Cloud Forensics Cloud Acquisition Helps Bypass All of This: • Secure Lock Screen • Locked Bootloader • Factory Reset Protection (FRP) • Full-Disk Encryption (FDE) and File-Based Encryption (FBE) • Device is broken, wiped, or locked 4 Page 4 Google Forensics Google: Why Cloud Forensics? • Tens of thousand device models • Several thousand manufacturers • Extreme platform fragmentation • Not every Android device is a Google device • Acquisition approaches vary Google Account acquisition • Single point of entry • Unified approach • Impressive amount of information 5 Page 5 Google Forensics Android Open Source vs. Google Mobile Services • Not every Android device is a Google device • AOSP does not mean GMS • Google collects data from other sources if user signs in to: • Chrome browser • Google Maps • Gmail • Google Search • Including competing platforms 6 Page 6 Google Forensics Google Collects Data from Multiple Sources • Multiple devices • Mac • Windows • iPhone • iPad + 23 more • …and Android
  • Disk Imaging Guide

    Disk Imaging Guide

    Disk Imaging Guide Tom Ensom Time-based Media Conservation, Tate Document Last Updated: January 2021 Document Version: 01.00 Document Licence: CC BY-SA 4.0 Contents 1 Document Background ....................................................................................................... 2 2 Introduction to Imaging ....................................................................................................... 3 3 Optical Media Imaging ........................................................................................................ 3 3.1 Optical Disc Structures ................................................................................................ 4 3.2 Optical Drives .............................................................................................................. 4 3.3 Optical Image Formats ................................................................................................ 4 3.3.1 ISO ....................................................................................................................... 5 3.3.2 BIN/CUE ............................................................................................................... 5 3.4 Optical Media Imaging Workflow ................................................................................ 5 3.5 Optical Media Imaging Troubleshooting ..................................................................... 8 3.5.1 Optical Read Errors ............................................................................................. 8 3.5.2 Audio
  • Google Data Collection —NEW—

    Google Data Collection —NEW—

    Digital Content Next January 2018 / DCN Distributed Content Revenue Benchmark Google Data Collection —NEW— August 2018 digitalcontentnext.org CONFIDENTIAL - DCN Participating Members Only 1 This research was conducted by Professor Douglas C. Schmidt, Professor of Computer Science at Vanderbilt University, and his team. DCN is grateful to support Professor Schmidt in distributing it. We offer it to the public with the permission of Professor Schmidt. Google Data Collection Professor Douglas C. Schmidt, Vanderbilt University August 15, 2018 I. EXECUTIVE SUMMARY 1. Google is the world’s largest digital advertising company.1 It also provides the #1 web browser,2 the #1 mobile platform,3 and the #1 search engine4 worldwide. Google’s video platform, email service, and map application have over 1 billion monthly active users each.5 Google utilizes the tremendous reach of its products to collect detailed information about people’s online and real-world behaviors, which it then uses to target them with paid advertising. Google’s revenues increase significantly as the targeting technology and data are refined. 2. Google collects user data in a variety of ways. The most obvious are “active,” with the user directly and consciously communicating information to Google, as for example by signing in to any of its widely used applications such as YouTube, Gmail, Search etc. Less obvious ways for Google to collect data are “passive” means, whereby an application is instrumented to gather information while it’s running, possibly without the user’s knowledge. Google’s passive data gathering methods arise from platforms (e.g. Android and Chrome), applications (e.g.
  • Students: Transfer/Download Your Google School Content

    Students: Transfer/Download Your Google School Content

    Students: Transfer/Download Your Google School Content Student Google Drive Files cannot be recovered after graduation or after a student leaves the district. School G Suite accounts are closed when students are no longer enrolled. This means that once you graduate or leave the district, you will no longer have access to your files and resources in G Suite unless you take them with you. This process must be completed before graduation or leaving Elwood Community School Corporation. Follow these instructions to transfer your Google Drive files and information: 1. Have or create a personal Google account. a. If needed, click here to create a Google account (instructions) b. Having trouble? Visit the Google Help Center 2. While you are logged into your Elwood Community School Corporation Google account, click here and complete the following steps: a. Select the content you’d like to transfer b. Choose ‘send download link via e-mail’, one-time archive, .zip file, and the 2GB options, then click ‘Create Archive’ c. When the archiving finishes, visit your Elwood school email and retrieve the data from the link sent to you by Google Takeout d. Download the data directly to your device e. Sign out of your Elwood school account, then sign into your personal account, and upload the data to your personal account f. Click here for help Please Note: A personal Google account has 15 gigabytes of storage while school accounts have unlimited storage. If the documents from your school account will exceed this amount, you will need to download the documents separately or create multiple personal accounts.
  • ​Google Takeout to Transfer Drive & Gmail Content from School To

    ​Google Takeout to Transfer Drive & Gmail Content from School To

    ​Google Takeout to Transfer Drive & Gmail Content from School to Personal Account Google Takeout Service If you are leaving your school district, you can copy the contents of your Google Drive and transfer it to a personal Google account. Because files are copied, they will NOT be deleted from your school Google account, so it’s safe to do this process anytime. Video Tutorial Step by step instructions are available in this short tutorial video HERE. ​ ​ Preparing to Copy & Transfer Get organized Prior to transferring your files, take time to organize your folders and remove files you do not want to transfer. Once you are ready to transfer files using Google Takeout, your files will be copied into your personal account maintaining the same folder structure / organization as they have in your school account. If you have a large number of files, it will take some time for Google Takeout to copy the contents of your entire Google Drive. Transferrable Content What WILL be Transferred: ● Files in Folders in Google Drive that are OWNED by you ● Shared files that have been “Added to Drive” will be copied but the new file will NOT be shared with ​ ​ collaborators What will NOT Transfer: ● Images stored under “Google Photos” ● “Shared with Me” Files that have NOT been “Added to Drive” ​ ● Google Sites, Google Forms, Google MyMaps & other third party content in Drive Personal Google account You will need a personal Google / Gmail account (must end in @gmail.com) to transfer your files to. If you don’t already have one, visit https://accounts.google.com/SignUp to create your free account.