Google History Forensics


Post Posted: Sun Aug 21, 2011 1:45 pm

Google History Forensics

by Craig Ball

In my last Forensic Focus column, I touched on migration to handhelds and the cloud, mushrooming drive capacities and encryption-by-default as just some of the factors auguring the eventual extinction of conventional digital forensics. But an end to old school digital forensics is no threat to examiners who evolve. There will be plenty to do for those adapting their skills and tools to new sources and forms of information. We will learn to read new tea leaves.

Happily, for every source of forensically-rich information that fades away, others emerge. For every MacBook configured to wipe deleted data, there’s an iPhone storing screenshots and typed text. When webmail shooed away some of our ability to locate messaging artifacts, social networking and geolocation wandered in with stories to tell.

Now and then, the emergent sources just seem too good to be true.

Case in point: Google History...


Please use this thread for discussion of Craig's latest column.
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Blog: www.forensicfocus.com/blog
Twitter: twitter.com/ForensicFocus
LinkedIn: www.linkedin.com/in/jamiemorris 

jamie
Site Admin
 
 
  

Re: Google History Forensics

Post Posted: Mon Aug 22, 2011 8:11 am

Good article - note also that your searches on other devices (e.g. smartphone) will be saved too, once you're logged in to your Google account at the time!

SteveMc
Newbie
 
 
  

Re: Google History Forensics

Post Posted: Tue Aug 23, 2011 8:08 pm

Great information, but I'm curious about how many folks actually sign up for Google Web History. I don't recall receiving an "invitation" over the course of my Google searches. I also wonder whether there's an artifact on the local system that would reveal whether your user activated this feature. If so, I would think that we could issue a preservation letter and ultimately a warrant to get the information.  

JimmyW
Senior Member
 
 
  

Re: Google History Forensics

Post Posted: Tue Aug 23, 2011 11:05 pm

The interesting part of Google History is that average users still don't know about it. For example, when you sign up into your YouTube account (and you have a Google account), you'll automatically activate your Google History feature.

Great article  

lucpel
Senior Member
 
 
  

Re: Google History Forensics

Post Posted: Wed Aug 24, 2011 7:38 am

Here is the link to delete Google web history:
www.google.com/account...rvice=hist

Would be an interesting URL to look out for on a review/exam and to see if it was used post preservation notice.
_________________
------------------------
Douglas A. Brush, CFC, EnCE
www.linkedin.com/in/douglasabrush 

douglasbrush
Senior Member
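
Added example, not part of the post above: one way an examiner could run that check against a working copy of a Chrome `History` SQLite file, listing visits to the deletion URL dated on or after the preservation notice. The two URL fragments are the only parts visible in the truncated link above; the notice date, the placeholder URL and the sample rows are constructed, and the tables are reduced to the `urls`/`visits` columns the query needs.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The only two pieces of the deletion URL visible in the post (the middle is elided).
FRAGMENTS = ("www.google.com/account", "rvice=hist")
NOTICE = datetime(2011, 8, 24, tzinfo=timezone.utc)  # constructed notice date

def dt_to_webkit(dt):
    """Chrome stores visit_time as microseconds since 1601-01-01 UTC."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def webkit_to_dt(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def visits_after_notice(conn, url_fragments, notice_dt):
    """Return (utc_time, url) for every visit at or after notice_dt whose URL
    contains all of url_fragments (case-sensitive substring match)."""
    where = " AND ".join("instr(u.url, ?) > 0" for _ in url_fragments)
    rows = conn.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
        f"WHERE {where} AND v.visit_time >= ? ORDER BY v.visit_time",
        (*url_fragments, dt_to_webkit(notice_dt)),
    ).fetchall()
    return [(webkit_to_dt(t), url) for t, url in rows]

def build_sample():
    """Constructed in-memory stand-in for the urls/visits tables of a History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,"
        " visit_time INTEGER);"
    )
    target = "https://www.google.com/account__ELIDED__rvice=hist"  # placeholder URL
    conn.executemany("INSERT INTO urls VALUES (?, ?)",
                     [(1, target), (2, "https://www.google.com/search?q=test")])
    stamps = [(1, datetime(2011, 8, 20, 9, 0, tzinfo=timezone.utc)),    # before notice
              (1, datetime(2011, 8, 25, 22, 14, tzinfo=timezone.utc)),  # after notice
              (2, datetime(2011, 8, 26, 8, 30, tzinfo=timezone.utc))]   # unrelated URL
    conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                     [(u, dt_to_webkit(d)) for u, d in stamps])
    return conn

if __name__ == "__main__":
    for when, url in visits_after_notice(build_sample(), FRAGMENTS, NOTICE):
        print(when.isoformat(), url)
```

Times come back in UTC, so convert the notice date to UTC before comparing. A cleared local history removes these rows, so an empty result does not show the URL was never visited.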
 
 
  

Re: Google History Forensics

Post Posted: Fri Nov 11, 2011 7:27 am

Just had sight of this interesting article and had a play with checking out my history using Mozilla browser. Shocked

I also have Google Chrome and note that this function is available from the browser as standard after login (spanner icon top left).
opens similar page: history/

Karl  

karl_cheshire
Newbie
 
 
  

Re: Google History Forensics

Post Posted: Tue Nov 15, 2011 9:15 pm

There will be two notable hurdles to the proliferation of cloud services. 1) local/state/fed laws will need to keep pace with the changing landscape, meaning they need to address existing laws that typically apply to a local “thing” seized by court order (warrant, subpoena, etc). Such laws will need to have “reach” just as data now has “reach” facilitated by these new cloud-type services. So perhaps when a computer or PDA is seized by warrant or subpoena such seizure extends to all “reach” aspects of the device, such as all Google or Yahoo accounts found on the computer, all twit/twot/book/flick accounts, etc. This changes the legal aspects that such services have to deal with, but so be it. However, to counter the law efforts, the “good” bad guys know how to skate in a dark park making it very difficult for forensics to find much evidence, or at minimum make it so the dots cannot be connected without seemingly ridiculous speculation.

Anyone take a gander at the new Amazon Kindle Fire and how it integrates with the Amazon Cloud? The device doesn't even have an SD card slot, so in essence it will coax the owner into using the Cloud because it is "free".

IMHO, clouds are highly "unknown" and will present many challenges from the security side, including forensics. I suspect the progression of laws changing will be the norm, something bad has to happen 1st, then we get new law, etc. Nature of the beast I guess.  

Forensics_Kid
Newbie
 
 