by Craig Ball
In my last Forensic Focus column, I touched on migration to handhelds and the cloud, mushrooming drive capacities and encryption-by-default as just some of the factors auguring the eventual extinction of conventional digital forensics. But an end to old school digital forensics is no threat to examiners who evolve. There will be plenty to do for those adapting their skills and tools to new sources and forms of information. We will learn to read new tea leaves.
Happily, for every source of forensically-rich information that fades away, others emerge. For every MacBook configured to wipe deleted data, there’s an iPhone storing screenshots and typed text. When webmail shooed away some of our ability to locate messaging artifacts, social networking and geolocation wandered in with stories to tell.
Now and then, the emergent sources just seem too good to be true.
Case in point: Google History.
Certainly, forensic analysts routinely look at Google searches locally; parsing Internet activity to assess what the user searched and surfed: “Nude children.” “How to make chloroform.” “Wipe a hard drive.” It’s compelling evidence.
But, as users grow savvy about covering their tracks, we see more cache deletion and deployment of antiforensic “privacy” tools designed to deprive us of the low-lying fruit. It’s potentially “spoliation” on the civil side and “obstruction of justice” on the criminal side. On both sides, proving it helps justice be done.
Then again, data can disappear innocently, too. Oliver Wendell Holmes, Jr., observed that, “Even a dog distinguishes between being stumbled over and being kicked.” Discerning evil intent—mens rea in the law—is crucial to deciding whether and how much to punish actions that result in lost evidence. One way we demonstrate intent is by showing the planning that preceded an act. We reasonably infer intent to destroy evidence from web searches seeking ways to make evidence disappear.
But what do you do when the data destroyed is the evidence of intent in its destruction?
Imagine my astonishment and excitement at discovering that, for many of its users, Google remotely stores and readily displays an extensive history of searches. When I checked mine, Google displayed a list of 22,151 Google searches I’d done going back to March of 2006! For my wife, Google stored more than twice as many searches in the same timeframe. Neither of us recalled activating a search archival feature beyond whatever was entailed in creating our Gmail accounts.
Getting to a search history is easy, but it requires authentication. Go to www.google.com/history and enter your user ID and password. You may see nothing, or you may see tens of thousands of searches over years of use. The history is searchable and can be organized by type of search (e.g., web, images, maps, etc.).
Accessing a user’s Google History is immediate and cost-free, but requires both a user’s credentials and a legal right to access the data for the investigation. In the face of a spoliation claim, an opponent may be willing to voluntarily grant access. Else, the court can order a party in a civil suit to disgorge credentials and authorize access with appropriate deference given to issues of confidentiality and privilege. While a subpoena served on Google is technically an option, those who’ve gone that route in civil cases are often frustrated, finding they must secure a court order.
Again, your ability to access another person’s information is not the same as the right to do so.
Because Google History allows a user to delete and alter their history, counsel in the case should consider if it’s a source of data to be encompassed in a preservation demand or order requiring a party not to delete or alter the data. If a preservation demand or order speaks only to “social networking” or “online storage,” Google History is something else altogether.
If you’ve used Google History to a fruitful end in an investigation, I’d like to hear from you, either in a comment below, or by e-mail ([email protected]).
Click here to discuss this article or leave a comment below.
Craig Ball is a globetrotting Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery. Notwithstanding formal training and multiple certifications in computer forensics, Craig credits a lifelong passion to understand how things work and be able to explain it to others as his most cherished credential. Craig writes the award-winning Ball in Your Court column on electronic discovery for Law Technology News and is the author of numerous articles on e-discovery and computer forensics, many available at www.craigball.com