I was just wondering if anyone knew of any tools, resources, or research into Google Maps forensics.
Is there any way to tell what addresses a user searched for (the URL doesn't change anymore)? Is there any way to see where a user moused/navigated to?
And what type of images are being sent - and are they cached? I gather some cell phone tools can do this, but I think they rely on screen-shots.
(I tried Googling for info on this, but no luck. I also looked at the Google Maps page source, something that would presumably be cached, but it was very ugly and I couldn't find any useful info (yet).)
Do you have a live RAM dump for that, or are you trying to get any results from a hard drive?
Google Earth saves user activity in .kmz files, but I thought that Google Maps would just save stuff to temporary internet files?
Wireshark to monitor traffic between server and client.
Procmon to monitor file writes.
Firebug to see what the JavaScript is actually doing.
I sent you a PM. I did come up with some hex search terms that may be helpful.
Regards,
Chris Currier
I did a bit of web page deconstruction and found the following:

First of all, you can find the Google Maps search query by searching for <a href="http//

The search query will typically be of the form "q=term1+term2+term3+…" since Google Maps appears to use the GET method to send data to their servers(?).

You can also find the map coordinates that were returned by searching for center{lat OR lng

Once you get the map coordinates you can simply go to Google Maps and type them into the search box. This will return the map of the location that was sent to the user.

For instance, if you find the following data:

center{lat45.456991000000002,lng-75.653740999999997}

you can then plug the following expression into the Google Maps search box:

45.456991000000002 -75.653740999999997

This will return the map that was sent to the user.

Also, Google Maps sends the satellite images that make up the maps as JPEGs. These can be carved out of either memory or HD images with any luck. If you're good at jigsaw puzzles, you can assemble them to make a proper, complete image.

The road-map overlays are sent as PNGs and can also be carved out and assembled.

As for the route directions between two locations, I haven't had time to look at that yet. I hope to do that soon.
[I'm looking at this from the perspective of memory dumps where a person was using private browsing and it would be unlikely to get complete, cached web pages…]
Hmorgan, with regard to using Wireshark, do you have a technique or tool to decompress the data within packets?
If I recall, it used to be fairly easy to simply extract things like JPEGs, but I gather a lot of data is now being compressed (GZIP?) before it is sent - something that makes packet content inspection harder.
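As an added example (not code from anyone in this thread), here is the artifact search from the deconstruction post above in Python: it scans a raw memory or disk image for the "q=term1+term2" GET query strings and the "center{lat…,lng…}" fragments, carves JPEG and PNG tiles by header/footer, and, for the compression question just raised, inflates any gzip streams it finds (HTTP bodies sent with Content-Encoding: gzip start with the gzip magic bytes) and scans the inflated output too. The regular expressions, the byte-range carver and the constructed sample dump are my assumptions for illustration; only the search strings themselves come from the post.

```python
"""Carve Google Maps artifacts from a raw memory/disk image (added example)."""
import gzip
import re
import sys
import zlib
from urllib.parse import unquote_plus

# Search strings from the thread, matched as bytes so the scan runs on raw
# dumps without decoding: GET query strings and map-center coordinates.
QUERY_RE = re.compile(rb'[?&]q=([A-Za-z0-9%+.,_-]+)')
CENTER_RE = re.compile(rb'center\{lat(-?\d+\.\d+),lng(-?\d+\.\d+)\}')

# Header/footer markers used for carving (assumed, standard file signatures).
JPEG_SOI, JPEG_EOI = b'\xff\xd8\xff', b'\xff\xd9'
PNG_SIG, PNG_END = b'\x89PNG\r\n\x1a\n', b'IEND'
GZIP_MAGIC = b'\x1f\x8b\x08'


def find_queries(data: bytes) -> list:
    """Decoded search terms from every GET-style 'q=' parameter in the buffer."""
    return [unquote_plus(m.group(1).decode('ascii', 'replace'))
            for m in QUERY_RE.finditer(data)]


def find_centers(data: bytes) -> list:
    """(lat, lng) float pairs from every center{lat..,lng..} fragment."""
    return [(float(m.group(1)), float(m.group(2)))
            for m in CENTER_RE.finditer(data)]


def maps_search_string(lat: float, lng: float) -> str:
    """The 'lat lng' text to paste into the Google Maps search box."""
    return f"{lat} {lng}"


def carve_images(data: bytes) -> list:
    """Byte ranges of JPEG/PNG files found by signature: (kind, start, end)."""
    found = []
    pos = 0
    while True:  # JPEG: SOI ... EOI
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + 3)
        if end < 0:
            break
        found.append(('jpeg', start, end + 2))
        pos = end + 2
    pos = 0
    while True:  # PNG: signature ... IEND chunk (type + 4-byte CRC)
        start = data.find(PNG_SIG, pos)
        if start < 0:
            break
        end = data.find(PNG_END, start + 8)
        if end < 0:
            break
        found.append(('png', start, end + 8))
        pos = end + 8
    return sorted(found, key=lambda t: t[1])


def inflate_gzip_streams(data: bytes) -> list:
    """Inflate every gzip stream in the buffer; a truncated stream yields
    whatever decompressed cleanly before the cut, so partial bodies still help."""
    out = []
    pos = 0
    while True:
        start = data.find(GZIP_MAGIC, pos)
        if start < 0:
            break
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper
        try:
            chunk = inflater.decompress(data[start:])
        except zlib.error:
            chunk = b''
        if chunk:
            out.append(chunk)
        pos = start + len(GZIP_MAGIC)
    return out


def scan_buffer(data: bytes) -> dict:
    """Scan raw bytes plus every inflated gzip stream for the artifacts above."""
    views = [data] + inflate_gzip_streams(data)
    return {
        'queries': [q for v in views for q in find_queries(v)],
        'centers': [c for v in views for c in find_centers(v)],
        'images': carve_images(data),
    }


# Constructed sample "dump": a GET request, a center fragment, a tiny fake
# JPEG and PNG, and a gzip-compressed body hiding a second center fragment.
SAMPLE_DUMP = (
    b'\x00\x00GET /maps?q=Ottawa+parliament+hill&hl=en HTTP/1.1\r\n\x00'
    + b'center{lat45.456991000000002,lng-75.653740999999997}\x00\x00'
    + b'\xff\xd8\xff\xe0' + b'\x10' * 20 + b'\xff\xd9'
    + b'\x89PNG\r\n\x1a\n' + b'\x00' * 12 + b'\x00\x00\x00\x00IEND\xaeB`\x82'
    + gzip.compress(b'var cfg = {center{lat38.897699999999997,lng-77.036500000000004}};')
)

if __name__ == '__main__':
    # Usage: python carve_maps.py <image-file>; with no argument, scan the sample.
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(scan_buffer(blob))
```

The gzip step is what makes the difference between the raw scan and the full scan: on the sample, find_centers over the raw bytes returns only the Ottawa coordinates, while scan_buffer also recovers the pair inside the compressed body.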
Don't waste your time with wireshark in this type of work. You don't need the level of detail that it gives you. You are looking to find artifacts of web traffic, so the better tool is to use a tool that captures web traffic.
I use a tool called Fiddler2 (http//
You can inspect the headers of both requests and even pause the traffic to 'fiddle' with the headers or data. It was designed for web developers, but works perfectly for this type of research. This is the tool I use to keep track of the gmail data structures.
James
Fiddler has to be on the target machine that generates the traffic.
Wireshark just needs to be in the path of the traffic.
Actually, Fiddler just has to be in the path as well. You can configure any machine you want to use Fiddler as its proxy. I have done it with multiple VM machines and physical machines. I have even done it from Linux and Mac to a Windows machine running Fiddler.
Like I said, I use this as my research tool.