
Okay, let's go ahead and get started. Everybody, thank you for joining us in our next session. We have Ayman Elsawah joining us today, and he's going to be talking about Sleuther: building a tool that Google should have built, FKA Google Drive Hunter. So please, if you have Q&A, again, go to Slido. If you didn't get that QR code in the beginning before we took it off, please go to bsidessf.org/qna. That's Q-N-A, Quebec November Alpha, not ampersand. All right. Thank you, and take it away, sir.

>> All right. Thank you. Hi everyone. How's it going? I cannot see you. I'm blinded by this light, but I see some faces. So thanks for having me, and thanks for coming to my talk today. I'm talking about Sleuther. It was called Google Drive Hunter, but I decided to change the name just to avoid any license issues, and it's kind of in line with this web app I've been playing with as well. And it's a cool name. So there you go.

So today we're going to talk a little about... I'll introduce myself, and then we'll also talk about the problem of shared drive files and what kind of inspired me to build this tool. It was a really fun summer with Claude Code, just to give you a little preview. Then an interesting story that came up during the time that I was building the tool and just playing around, and then what's in store in the future, and then I'm happy to take some questions at the end. This is the only white slide.

So my name is Ayman. I'm the head of security currently at Ambience Healthcare, and we are hiring. We're looking for staff security engineers and a really super duper technical IT automation person. So if you fit the bill, then please get in touch.

A little about myself too. I also started a podcast previously called Getting Into Infosec, and what I would do is I'd interview people on how they got into security, because there is no one direct path into security. The idea was to help inspire and encourage other folks out there trying to get into the field. So that's that. And then I also wrote a book, where, if we sat down for coffee (I'm a bit of a coffee nerd, you'll see in a second), this is what I would say. It's filled with homework and a little bit of a guide of, you know, if we had a chat for about an hour, this is what we'd go over.

And like I said, I'm a little bit of a coffee nerd. This was my setup on the left here previously. This is from this morning. So it's getting a little out of control. I've stopped the bar at roasting; I have not started roasting yet. But if you ever want to have a conversation about single origin or Gujis or even a Geisha, I'm definitely happy to have that conversation. I also have a Substack where I talk about security leadership, and I go over some guides. I have some essays, rants, whatever you may call it, and there are over 120 articles on there. Feel free to check that out. And you can find me at Coffee with Ayman everywhere. And that's a little Turkish coffee I had this morning. Just a little note: I might be overcaffeinated and lacking sleep, so forgive me if I'm all over the place today.

And this is a musical. I was going to sing, but I decided not to, just to spare you. BSides SF has a really warm place in my heart. Over the years, I've been coming here for so long, made some really good friends over the years, and I just love the community, and I want to encourage you to volunteer if you can. I've done my share of volunteering. It's really fun. If you volunteer for safety, you get a cool orange shirt. I don't know if they still have the orange shirt these days, but it's really good. I just kind of want to give a little hand to the BSides community and the volunteers for making this possible. So thank you.

All right. So let's talk about the problem of shared drive files. You're here because you might have experienced this problem yourself in the past. So let's talk about it. This little icon right here is the bane of my existence, and it's probably yours as well. This small little global, internet-friendly icon is just there, but when you see that on a document that might be quite sensitive, alarm bells start ringing. And so this is how this was born. Shared drive files are everywhere. They're a bit of a nuisance. Listen, they have their purpose, okay, they have their purpose, but there's an extent to that. And what's interesting is Google and Slack will conveniently share them publicly when you drop a message into Slack. So how many people have seen this before, right? "Oh, would you like to share this with the world?" It's like, okay, no, please don't. But honestly, that's how like half these things happen. When you talk to people, I've talked to them, and they're like, "I didn't know it was shared. How did that happen?" Well, this is how it happens: either directly, or you've given someone else editor access that can also change permissions, and they shared it. So it's a bit of a rabbit hole.

So there are tons of examples. I've seen them all. I've seen invoices and contracts shared publicly with the world. Sales quotes. Pricing calculators; I mean, that's competitive advantage. Offer letters with equity and compensation information. Board meeting minutes, right? That should be confidential. Even worse: bank account numbers, driver's license photos, passports, and more. Things I don't want to talk about here, but I've seen everything. And they've all been shared publicly on the internet. So it's a big problem.

Now, a little bit of a PSA. I'd be remiss by not telling you how to prevent this. You may or may not know how to prevent this, but it's relatively easy to prevent. You can restrict it by OU in Google Workspace. You could also restrict it by a Google group; you create a Google group as a security group. So if it's so easy, then why isn't it done? Well, for most cases: one, people don't know that this exists. Two, you may not have a full-time IT person there to help guide you. Or three, it's kind of a scary thing to limit people from sharing things publicly, and so you might get fired if you enable this. So I think those are the three reasons, for the most part, why people haven't done this.

Now, sales and marketing are generally the biggest offenders, but they need that ability to do that. That's fine. I think some groups that don't need that ability are maybe finance, or, you know, they handle some really sensitive information. So I think coupling it both with technical controls and some education can go a long way, and it's really important. I'm not going to talk about all the things you could do, but we should try to not only put technical controls in place but also educate folks on how to do it. But in the case that you can't, well, we have a tool to help do that.

So how did this journey start, right? We were kind of thinking, okay, we found a publicly shared file, and we're like, oh, how many others are out there that meet this criteria? And so we're like, okay, let's find all the publicly shared files in our Google Workspace. So I started off in Google Admin, but if you've ever spent time in Google Admin, it's, how do I say it? Ugly. It's just not really friendly. I see a lot of people nodding their heads. God bless their hearts, they try to do their best, but it doesn't fit the bill. So anyway, this is what it looks like, right? You try to run a search, you try to look for files, and you get this. You get the resource ID, which is the unique ID of the document, but what are you going to do with that? There's no clickable link that you could open to see the information in the file. So that's that.

And we all know that in Google Workspace the real power is behind the API. Many of you have used GAM before. GAM is great, and now they just released the Google Workspace CLI, which is like, finally, I don't know how many years later. So that's a thing now. But still, we were trying to solve this problem, and Google Workspace was not cutting it. Again, this is how it would look. It's just not really super clean. Yes, you can export to Sheets, but then what do you do with this information? Am I literally going to copy and paste the document ID so that I can find out what the file is? No, no thank you. I'm not going to do that.

So last summer I caught the vibe coding bug, and I was looking for something to build. And so here we go. I'm like, oh, let's build something. I was like, okay, there has to be a better way. So let's put the requirements together. What do we want to do? We want something that's simple. We want something that's powerful, something like GAM, but that gives me visibility into types of files, is easy to run, like some command line tool that I could just run and automate, and obviously gives me the information I need, right? So I could discern and figure out, hey, do I need to pull this off the internet or not?

So let's talk about the journey of building this tool. The pains of OAuth. There are several APIs you have to enable in Google Workspace to get this to work. But as I was having conversations with Claude to build this, it wanted all permissions. I'm like, no, no, don't do that. Let's try to do something least privilege. And so I had to take a look at the OAuth scopes that are out there and how we reduce the scopes to only what we need to do. And then I'm like, okay, well, do I want to actually revoke permissions, and do I trust a vibe coding tool to do this? And it was kind of scary. So you have to do some manual review and make sure you're not destroying all your Google Drive workspace files. And how do you back up all your workspace files? That's not really a thing. Yes, you can do that, but I didn't do that for my workspace. So it was interesting. How do we do this in a safe way?

So let's go over what we need. We need to go through all users in the directory, so we need admin directory user, read-only. We need drive read details, right? That'll pull the metadata of a file to let you know if it's shared or not. I want to create a drive file for creating the Sheets report. So yeah, that's good. The most risky one is drive. Drive means full drive access to all files in your workspace. That is a really, really, really risky thing to ask for, but a necessary evil that you have to do to remove permissions. And then the Sheets API to create and edit sheets.

So I ran into quite a few challenges building this tool. The fact that you have to enable an API in a project was not super clear to me when I was doing it, so I spent a lot of time troubleshooting and dealing with errors. But once I figured it out, I'm like, okay, I don't want anyone else to go through this problem again, and I don't want to tell them RTFM or whatever it may be. So let's add some error correction in there and make it so that it's easy to use. Again, what's the north star here? We want to make it easy to use and doable, right? So I added some error correction. When you run the tool the first time, it's going to give you an error that's intended, and it's going to give you a link to hop straight into your project and enable three APIs. Once you do that, everything's going to be nice and clear. So I just wanted to build that and make it really user friendly.

Again, what else do we want it to do? We want to audit all users, so we want to go over all users in the workspace. I did add a dry run mode for lockdown, because, hey, what's actually going to happen? I still need to do some updates. We'll talk about some future updates, but I want to tune lockdown a little more. You could do it by how many days a file has been out there. And that's actually a good thing to consider: how many files are out there that have been out there for more than six months that you really need, that people are still using? Not many, from what I've noticed. So sometimes it's safe to just say, hey, any file over 90 days, just blow it away, right? So that's kind of what I found in my research. And then even when people leave, at a startup a lot of people come and go, so sometimes the file is not owned by anybody anymore.

In the sheet I want to have a tab for each user so that I could go by user and see what files are there. Obviously, I want a direct link to files, so I want to be able to see the file and see what the issue is. A little more on a security person actually being able to access this file: it's kind of an interesting conundrum. You're trying to find publicly shared files, and they're available on the internet, but you really don't want to be seeing all these files, right? Like, should I be seeing this file? So it's interesting, and that's where AI kind of came in later to help with that.

All right, so let's hop into the demo. And we're in a theater, so I decided to put on theater music.
And these are all the shared files that are out there. So this was a fake presentation that was just AI generated as a placeholder. And that's it. That's Sleuther in action.
All right. So I did a lot of talking, but there's some more. As I was building, I was building a web app version of this. And I was going through a bunch of different iterations and bugs. It'd find files shared with me, or files maybe I didn't own, or shared drive files. By the way, I had a GIF created of Data eating popcorn in a theater like this, but I couldn't get it in here in time, so I'll put that in the public version.

So when I was running a search, I saw this, and I was like, what is this? What is this file? "Letter to academic institution," and you see on the left there is the owner, and it was not me. It was not me as the owner. I'm like, what is this file that was created in September? I have no idea what this file was. And I opened the file, and inside the file, let's see here, it was written by someone I knew. It was an executive coach, but it had a lot of detailed information about someone else. It was like a letter of recommendation, and I'm like, what is this file? Why do I have this file here?

So I was concerned, but I was really confused as to how I ended up with this file. It had the person's name and occupation. It had the letter to a university, how long they were working together, all this kind of stuff. It was kind of crazy. So what ended up happening was this file was a public file that was shared when I was onboarding with her, like, here's an onboarding document and how we could work together and all this kind of stuff. What ended up happening is she ended up reusing that same file. She just copied everything, deleted it, and just started writing the letter of recommendation she was doing into this file. And I'm like, "Oh my god, are you serious?" I mean, that's like taking recycling and reuse to another level. I mean, just create a new file. So it was interesting. And luckily there was a version history, because I had editor access as well. So, convenient. And that's how I came to this.

I'm like, okay, well, I need to tell her this. I need to responsibly disclose this. So I wrote this letter. It took a while. First of all, you see this and you're kind of shaking. I was nervous. Like, why do I have this? So I just hop into security mode and write this letter, and I was pretty proud of it. I kind of wrote this whole letter. I'm like, "Hey, by the way, not to be alarmed, but I have this file and I don't think I should have it." And I tried to let her down easy, and I said, "Yeah, I know this may be disconcerting for you, but it could have been worse." So I tried to let her down easily, and I got this message back. She's like, "Oh." And she was happy that at least it came from me, like a former, former, former client. So she removed access, and it was done. It was an interesting learning lesson. She felt pretty horrible receiving it, but at least the security person found it, right? So yeah. And that's it. That's the story.

A little on the future of Sleuther. I want to put in AI classification of files. Why? Well, the idea is that I don't want to see these files. I don't want to go and look into your offer letters, look into your board minutes, look at passport photos. I don't want to see all that information. And if it's a security analyst running it, I don't necessarily want them to see it. So why don't we have AI classification just go and try to classify it? It's not as easy as it sounds, and I'm playing with that right now. I have a branch that's playing with that right now. I'm trying to put in either a local model option as well, or just send it using an API.

I want to email users on my behalf so that they just get an email saying, hey, by the way, this file was found. That way people can just self-remediate. I think that's always the easiest thing to do. Also, with the whole experience with OAuth tokens, I'm like, hey, what other OAuth tokens are out there in my workspace, and can I kind of blow them away? So I'd really like to just run an OAuth token search and just blow away dangerous OAuth scopes that have been granted. That'd be nice. Users with public calendars, that's a thing. Sometimes people's calendars are actually publicly available out there, and you could see obviously a lot of sensitive information there. Also, people sometimes have email forwarding enabled. So basically, an all-purpose tool to help secure Google Workspace, in a simplistic fashion where possible. So that's pretty much it, and this is where you could find Sleuther and where you could find me online. Thank you.

>> Awesome. Thank you very much again. Go to our Slido website to ask any other questions, but we got one right here for you.

>> Okay.

>> Kind of segueing in with the AI: how does Gemini's integration with Drive influence the security controls we deploy? For example, domain-wide sharing opens risks of sensitive data exfiltration via Gemini.

>> So I don't know if you mean Gemini actually sharing or Gemini finding the files. Can you read the question again?

>> Yeah. How does Gemini's integration with Drive influence security controls we deploy?

>> That's a good question. Well, Gemini is not included with all Google Workspace accounts. But if I could have Gemini find the files, that could be good, but I'm not sure if Gemini has that capability at the super admin level. I think it's only more for your own files. So I wouldn't know how to answer that question, but come see me afterwards and we could have a discussion.

>> All right, we got another. If we aren't automating remediation and trying to recreate Sleuther locally, can we scope the permissions better for a read-only report while testing this?

>> Yeah. So it's default read-only. The lockdown, or revoke permissions, is not enabled by default. So when you run it, as you saw in the demo, it's read-only by default. It'll go through all the users in your workspace and find the files, and then you could decide what to do after that.

>> All right. Oh, one just popped in. Even if Big Co, as they call them, Google, offered a similar function, would you think others would write their own?

>> Yeah. I mean, I encourage everyone to write their own if you don't find the functionality in the software you're looking for. I think the big hero of this talk was Claude Code, really, and just vibe coding in general. The fact that I could write a tool like this as a busy professional is a lot. So I encourage it, if anything, just to learn, right? Just to learn more about what works under the hood and how to get things to work at scale. So yeah, totally.

>> Well, awesome. Thank you, Ayman. We got a little gift for you, and appreciate your time and your knowledge. And again, a round of applause, please. Thank you.