
Google Desktop Search anyone?

31 Posts
8 Users
0 Reactions
2,686 Views
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Hey everyone,
I've been doing some research on Google Desktop Search because from what I hear it is becoming much more popular and will probably be seen during an examination at some point in the near future.

If you aren't aware of this application – it's quite interesting. After installation the program indexes the entire drive that it is installed on and stores it in its own database. This could be useful because even if the suspect deletes a file, the Google indexes can still show these files and where they were located. The program also takes "snapshots" of files. I've tested this and even after you delete the file after it is indexed and do a desktop search for the file, Google Desktop will show you the actual contents of the document or a thumbnail preview of an image. It can also be configured to download and index email. Another interesting feature is if Outlook is open it will index that mail too. There are quite a few interesting features in this application and I'm in the process of writing a paper of my research that will be available hopefully by the end of the weekend. It will cover what the program is, how it works, and how it can help us from a forensics point of view.

My main question is – have any of you encountered the google desktop search application during an examination? If so, how many times? Is this new to anyone? I’m just curious if this paper would be of any help to the community… would anyone read it? Has this been covered before?

As always, Thanks in advance for your help.

-Derrick


   
(@marat)
Eminent Member
Joined: 19 years ago
Posts: 31
 

> I've tested this and even after you delete the file after it is indexed and do a desktop search for the file, Google Desktop will show you the actual contents of the document or a thumbnail preview of an image.

Some people turn this function off.

p.s.
http://esm.cis.unisa.edu.au/new_esml/resources/publications/googling%20forensics%20-%20an%20analysis%20of%20the%20google%20desktop%20search.pdf


   
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Hmm.. 71 views and 0 votes? It's a yes or no…

lol.

Thanks for your reply Marat. That's an interesting article. I wasn't aware of that, but will definitely give it a read tonight :D

Derrick


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Derrick,

It was less than 24 hrs…what do you expect? 😉

I haven't seen Google Desktop on systems, but then I haven't had any reason to look for it, or use any information that may be there.

It might be more helpful if you were to post your information…if folks had information regarding how useful it can be, as well as how to analyze the information they found, they might be more inclined to look for it.

H


   
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

> It might be more helpful if you were to post your information…if folks had information regarding how useful it can be, as well as how to analyze the information they found, they might be more inclined to look for it.
>
> H

I do plan on posting it by the end of the weekend. It's something else to look for when doing an examination that may land you what you're looking for.

Thanks Harlan. I emailed you a while back about some registry research for a senior thesis.. it ended up coming out decent.. You had a few very interesting articles in Digital Investigations journals that I found during my research. Nice job :D

PM me if you'd like to take a look at my website presentation of Windows Registry Forensics and I'll send you the link.

Thanks everyone and feel free to put in your .02 about Google Desktop :D

Derrick


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Derrick,

Can you just PM or email me the link? It's really a lot of trouble for you to tell me to PM you, for something you could just…you know…send me.

H


   
(@robogeek)
Active Member
Joined: 21 years ago
Posts: 17
 

I've seen it - usually just include it in an investigation.

If you're implying it might be useful as an investigative tool.. no chance.
Marat's PDF pretty much covers it as a place to uncover data. I guess I'm lost on what your meaning is.. (darn language barriers!)


   
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

> Derrick,
>
> Can you just PM or email me the link? It's really a lot of trouble for you to tell me to PM you, for something you could just…you know…send me.
>
> H

lol, wouldn't it have taken just as long to PM me as it did to post a reply saying the same thing ;) Just kidding with ya, you have a PM :D

> I've seen it - usually just include it in an investigation.
>
> Marat's PDF pretty much covers it as a place to uncover data.

That's exactly what I'm saying… Sorry for the confusion.

Derrick


   
(@robogeek)
Active Member
Joined: 21 years ago
Posts: 17
 

I'm curious about the internet implications.. does Google save indexes of personal searches on personal PCs anywhere other than local? (query denied via email - I have no clue other than hearsay)
If they are compromised, what other computers might have info stored, even unwittingly?
If they are transmitting and receiving data that's of interest - how many computers have indexed that info?


   
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

> I'm curious about the internet implications.. does Google save indexes of personal searches on personal PCs anywhere other than local? (query denied via email - I have no clue other than hearsay)
> If they are compromised, what other computers might have info stored, even unwittingly?
> If they are transmitting and receiving data that's of interest - how many computers have indexed that info?

I'm a little confused as to what you are asking.. As far as where the indexes are stored, they are only stored on the local PC in a db folder that contains 5 text files which make up the file index of the local drive. With these db files, enough time, and enough patience you can find any file that was on the PC (as long as it was indexed by Google Desktop and is on the local drive). Google Desktop does not index other drives or partitions though… unfortunately.

-Derrick


   