Google Desktop Search anyone?

31 Posts
8 Users
0 Reactions
2,685 Views
dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

BenT,
That's a really good paper that you guys have put together so far. I will check out the updated version tonight. As far as my research goes – I thought I would be done with the paper over the weekend, but I keep finding new things to test :D

I'm writing this research paper as a side project also for my forensic internship right now. Google desktop is pretty interesting..

Also, to the OP, one of the authors works for an Australian state policing agency, and he's (apparently) used GDS in real case work.

By this do you mean he took the GDS indexes off the suspect hard drive, made them read only, and looked at the indexes through GDS on a test machine? …which in theory would allow you to view the contents of the indexes nicely without using notepad (which is quite difficult and time consuming to find anything). Making the db files read only would also ensure they aren't being changed in any way. I'm actually testing this right now on my other test drive – I will report my results. I'll get the md5 hash value as well before and after I do an analysis on them just to ensure they aren't being altered in any way…

Any thoughts on this?

-Derrick


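Derrick's plan above is to hash the index files before and after looking at them so any write by the examining tool is caught. The script below is an added example from the editor, not code posted in this thread: it builds a digest manifest of every file in a directory (MD5, as Derrick proposes, plus SHA-256), rebuilds it after the examination, and reports which files changed. The two files it creates in a temporary directory are constructed stand-ins with made-up names, not real GDS database files.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-hundred-MB index never sits in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, streaming it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(directory, pattern="*"):
    """Hash every file under a directory; keys are paths relative to that directory."""
    root = Path(directory)
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.glob(pattern))
        if p.is_file()
    }


def changed_files(before, after):
    """Names of files whose digests differ, or that appeared or vanished between manifests."""
    names = set(before) | set(after)
    return sorted(n for n in names if before.get(n) != after.get(n))


def demo():
    """Constructed scenario: two fake index files; a 'search' appends to one of them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index_a.db").write_bytes(b"\x00GDS\x00index\x00" * 1000)  # constructed content
        (root / "index_b.db").write_bytes(b"\x00\x01\x02" * 500)           # constructed content
        before = build_manifest(root)
        with open(root / "index_b.db", "ab") as fh:   # simulate the application writing to an index
            fh.write(b"\xff")
        after = build_manifest(root)
        return changed_files(before, after)


if __name__ == "__main__":
    print("changed:", demo())  # expected: ['index_b.db']
```

In a real examination the "before" manifest is taken from the forensic copy before any viewer is pointed at it, and the "after" manifest once the viewer is closed; a non-empty result from changed_files means the viewer altered the evidence copy, which is exactly what Derrick's later filemon observation found GDS itself doing.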
BenT
(@bent)
New Member
Joined: 18 years ago
Posts: 4
 

Shucks! I'm all flattered and blushing. The two papers are similar, and were only ever written as an introduction, so they don't cover all the bases. I think I had more words in the IJDE one, so it might have other work in addition.

I know the method outlined in the paper is cumbersome, but it worked on all the test machines we had. Making the files read-only in windows didn't work on the version of GDS that we were using at the time as the app wouldn't load properly without write access to the DB files. Of course, this may have changed in later versions.

A friend and myself are looking at other methods of dealing with desktop search (mainly google) right now, but it's being fit around other projects.

To the poster who was discussing privacy and GDS as a data source, it's true that these possibilities exist, but I personally think google have attempted to limit them. The option for encryption, for example. Also, given the location of the files, if they have your database, they probably have everything else too. I've always assumed in my research that all extraction and analysis are conducted as a component of a legitimate analysis, and the legal issues have been beyond scope.

dfarmer03 - what is an internship? Is this a research thing, or a corporate job? Sorry - I have no idea of the American system.


(@robogeek)
Active Member
Joined: 21 years ago
Posts: 17
 

Check out Google Apps, the bookmark program and others. Apps is especially troubling, although I have not tested it. But anything that stores possibly confidential data on a 3rd party server scares me…


dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Making the files read-only in windows didn't work on the version of GDS that we were using at the time as the app wouldn't load properly without write access to the DB files. Of course, this may have changed in later versions.

I've done some testing on this as well with the latest version. It looks to me like GDS opens these indexes upon startup and reads the file attributes seeking full access. GDS won't start up if they are read only. I tried to launch GDS with the files as full access and then change them to read-only after it was running. I paused indexing so they wouldn't be written to and monitored the db files in filemon – when I ran a search on the index, GDS actually writes to the files. I figure this must be because the index files are already open in GDS so the new permissions don't take effect. Long story short - dead end.

Does anyone know an application that these db index files can be viewed in to make them easily readable? I can open them in notepad, but it isn't very pretty and would be difficult to make presentable in a real case. Any idea if they can be opened in anything else?

From what I understand, GDS runs a local server on the desktop on port 4664 and that's what makes these files viewable in the web browser. Would it be possible to install an IIS local server, php, and mysql on the exam machine and then import the db files into mysql as read-only, allowing the contents to be easily readable in a web browser? Do you think this is far fetched?

dfarmer03 - what is an internship? Is this a research thing, or a corporate job? Sorry - I have no idea of the American system.

An internship is kind of like a job, but isn't my primary job. I work full time in the IS department at a local federal credit union. At the same time I'm obtaining my B.S. in Computer and Digital Forensics (one semester left). An internship is a way to get practical experience in the field you're studying and want to pursue. The internship is through Champlain College and in conjunction with the Burlington police department and the state of Vermont's ICAC (internet crimes against children). A part of the internship is to do research on any topic of my choice and produce a paper that would aid the forensic community. I'm sure you know what an internship is now that I've explained it. I think they have something like this everywhere – it just may be called something different. Some call it an apprenticeship.

-Derrick


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Try using Notepad++ with Hex Editor Plugin, in read only mode.

Notepad++ allows me to develop various file formats, and reads them accordingly. Raw binary files can be viewed as such, or in Hex view format, adjusting "word" size (8, 16, 32, or 64), hex or binary, big or little endian, and the number of columns.

And the best part? Free.


dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Try using Notepad++ with Hex Editor Plugin, in read only mode.

Notepad++ allows me to develop various file formats, and reads them accordingly. Raw binary files can be viewed as such, or in Hex view format, adjusting "word" size (8, 16, 32, or 64), hex or binary, big or little endian, and the number of columns.

And the best part? Free.

Thanks. I just downloaded it from sourceforge. I'll give that a try :D

Standby.

-Derrick


dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

I installed notepad++ and the hex plugin. Very cool program indeed. I have played around with it a little bit, but I have a few questions…

Why do most of the characters show up as 'NUL'? Is there a way to convert that 'NUL' stamp or hide it?

Notepad++ doesn't seem to like really big text files. A couple of my database files are around 224 MB each and as soon as it opens them the program crashes. Have you had any problems opening large files? It doesn't have any problem opening the ones that are around 20 MB…

Thank you and I appreciate your help :D

-Derrick


dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Any idea, libertate?

-Derrick


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

The nuls are there because you are viewing it in text mode. The specific byte is 00, so in text mode, it converts it to the black "nul", and all the other non-printable characters are also converted to such icons.

I do not know how to turn that off, in raw text view mode. Maybe developing a language file would do it.

Switch to Hex mode, and it should disappear. Sorry, I am not much help, as I always wanted to see null and non-printable characters. They help when searching for a specific string of characters.

As for size, I cannot help either. CGenie allows opening huge (unlimited) sized files, but it is no longer developed.

Sorry.


dfarmer03
(@dfarmer03)
Eminent Member
Joined: 18 years ago
Posts: 38
Topic starter  

Okay, so I've been incredibly busy finishing up a course and with work the past couple of weeks, but I'm back on track with GDS and actually found out that the FTK demo allows me to view the google index database very nicely and I can do keyword searches and all. I'm not sure how helpful all of this can be during an examination, but it's pretty interesting to look at these db files. Anything and everything that is on the hard drive shows up in there because it indexes EVERYTHING. This may be useful in proving that something was once on the system and the exact location of where it was.

Hypothetical
If someone has a very incriminating file that could potentially break a case and the suspect knew that file wasn't good to have on their pc, or someone tipped them off that the police were looking for them. So the suspect ditches the file onto a thumb drive and hides it who knows where. It's no longer on the pc and neither FTK nor EnCase picks up the fact that it was once there. If the user had google desktop installed, it was probably indexed and may be stored in the index database in one of the 5 files located there. Opening these text based files in FTK and doing a keyword search could show that the file we are seeking was once on that pc and its exact location. Far fetched? Maybe, but out of 16 people who voted on this poll, 6 have seen an installation of GDS on the pc being examined – this could be one more source for evidence.. what do you think?

I'm going to work on the paper more this weekend. I'm open to comments, suggestions, questions, anything at all – feedback is MORE than welcome.

Derrick


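Two practical problems come up across this thread: the index files are too large for the editor to open (the 224 MB crash), and the examiner wants to keyword-search them for a path that was once on the machine without the NUL characters getting in the way. The script below is an added example from the editor, not code from the thread or from any tool named in it. It treats the database files as opaque bytes (nothing here assumes the GDS index format), seeks to a window of the file for a hexdump, and streams the whole file chunk by chunk when searching so no file is loaded into memory. The keyword is tried as ASCII and as UTF-16LE, since Windows applications commonly store text in the latter, which is exactly what appears as letters separated by NULs in a text viewer. The sample index, the file names and the path inside it are constructed; the chunk size in the demo is deliberately tiny so that one hit straddles a chunk boundary.

```python
import tempfile
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # 4 MiB per read: a 224 MB file is ~56 reads and never sits in memory at once


def hexdump_line(offset, data):
    """One classic 16-byte hexdump row; bytes outside printable ASCII (NUL included) render as '.'."""
    hex_part = " ".join(f"{b:02x}" for b in data)
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)
    return f"{offset:08x}  {hex_part:<47}  |{ascii_part}|"


def hexdump(path, start=0, length=256):
    """Render one window of a file as hexdump rows, seeking to it instead of loading the file."""
    with open(path, "rb") as fh:
        fh.seek(start)
        data = fh.read(length)
    return [hexdump_line(start + i, data[i:i + 16]) for i in range(0, len(data), 16)]


def find_keyword(path, keyword, encodings=("ascii", "utf-16-le"), chunk=CHUNK):
    """Byte offsets of every occurrence of keyword, per encoding, found by streaming the file.

    The last len(needle)-1 bytes of each chunk are carried into the next search, so a hit
    that straddles a chunk boundary is found exactly once: it cannot have fitted entirely in
    the previous buffer, and the carry is too short to contain it on its own.
    """
    results = {}
    for enc in encodings:
        needle = keyword.encode(enc)
        keep = len(needle) - 1
        found = []
        carry = b""
        base = 0  # absolute file offset of buf[0] on the next iteration
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    break
                buf = carry + block
                i = buf.find(needle)
                while i >= 0:
                    found.append(base + i)
                    i = buf.find(needle, i + 1)
                carry = buf[-keep:] if keep else b""
                base += len(buf) - len(carry)
        results[enc] = found
    return results


def demo():
    """Constructed sample: a fake index holding one ASCII and one UTF-16LE copy of a path."""
    path_text = "C:\\Users\\bob\\secret_report.docx"           # constructed, not a real artefact
    blob = (b"\x00" * 37 + path_text.encode("ascii")
            + b"\x00" * 20 + path_text.encode("utf-16-le") + b"\xff" * 5)
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "constructed_index.db"
        p.write_bytes(blob)
        hits = find_keyword(p, "secret_report", chunk=64)  # UTF-16 hit spans the 128-byte boundary
        dump = hexdump(p, start=32, length=32)
    return hits, dump


if __name__ == "__main__":
    hits, dump = demo()
    print(hits)           # expected: {'ascii': [50], 'utf-16-le': [114]}
    print("\n".join(dump))
```

The offsets that find_keyword returns are what you would record alongside the hash of the file: a hit at a stated byte offset in a file with a stated digest is reproducible by anyone with the same copy, which is what makes the "it was once on this pc" argument from Derrick's hypothetical defensible. The hexdump window can then be used to show the surrounding bytes of each hit in a report without ever opening the whole file in an editor.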
Page 3 / 4