
I was a Windows engineer for Google's Corp Eng PaaS SRE team and have familiarity with this topic.

It's not hard to get this data or set this data collection up on a Windows domain or machine. Anyone can set this up as long as you have the TBs to collect the data and the presentation/searching layer to find it.

Windows has the ability to log everything, including device installs/uninstalls, file opens/closes/creation/deletion, logons/logoffs, you name it. The Windows Auditing library is really, really, really extensive.

Additionally, setting this up in Active Directory is really easy, both manually and magically with PowerShell. It takes about ten minutes or so.

As you would imagine, most of these policies were enabled on the domain to which most users authenticated, and the data it collected was siphoned off to essentially a giant cluster of syslog servers.

In fact, just about any domain will audit device plugs/unplugs. Had Anthony known about this (it's easy to find out even if you're not an admin), he would've not plugged in that memory stick :)

In general, it's pretty hard to do stealthy stuff on Google's network. Everything is logged eight ways to Sunday, especially with GAIA and key-based, two-factor auth to EVERYTHING. And unlike most other networks, I wouldn't put it past their security engineers to find shady behavior at a moment's notice.




I don't think GAIA has been publicly commented on by the company, in case that matters to you at all. Could be wrong, though, as it seems the term is present in the deposition and un-redacted.


FWIW Google seems to refer to the GAIA ID in stuff like random error messages, documentation for Google Apps, and in data downloaded from Google Takeout. If it's not supposed to be public information then Google isn't doing a very good job.


I mean it's in some public docs, e.g. here: https://www.google.com/support/enterprise/static/gsa/docs/ad...


I've seen references to GAIA online. Also, the deposition makes mention of it, so I think it's okay to mention here.


Target Disk Mode?



