What files does Google Toolbar leave evidence in?

(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Are there any good sources or articles that get specifically into Google Toolbar forensics?

I am checking a computer running XP, and it has Google Toolbar version 3.0.20070525w installed on Firefox. (v 2.0.0.12)

All I can determine so far is that when you have Google Toolbar installed, searches from the Toolbar itself, the search box (set to Google) and the Google webpage are all recorded in a file called Google2E%web.w.

Also, if I made a search from Internet Explorer (which doesn't have the toolbar installed) it would also be recorded in that file. If you clear the Toolbar history from the browser, the entire contents of the Google2E%web.w file is deleted.

Anyway, I was hoping that maybe it was possible that I could find something in the ntuser.dat file, or some other registry file. Anybody know if Google Toolbar searches are recorded somewhere else?


   
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

Anybody?


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Anybody?

Never researched the issue, so I don't really have an answer.

Any answer would be likely to be release dependent – it's not what Toolbar does, but what Toolbar 1.0 or 1.2 or 2.5 beta does. You don't say … so perhaps you're asking for too much, or you have not figured out what to ask for.

However, it seems easy enough to research the question using Sysinternals Process Monitor: fire it up, configure it to watch Toolbar activities, particularly related to writes to file system, and then walk through it, and see what files it writes to, when, and possibly also what it writes.

On the Sysinternals Process Monitor web page you find links to two MSDN Defrag webcasts that describe how to use it – they're pretty good, and will give you a fairly short starting time.

Also, in Jerry Honeycutt's book on Windows Registry, you'll find a chapter (I think it's chapter 5, based on the TOC on Amazon) in which he describes how to use Process Monitor (or possibly a precursor to it) to identify what registry settings the Tweak UI tool uses, as an example of how to research registry questions. This is very similar to what you're asking, except that you want to be watching the file system rather than the registry.


   
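The Process Monitor approach suggested in the reply above, as an added example that is not part of the original thread: after capturing a test session and saving it as CSV, this script lists every file and registry path the browser process modified. It assumes the column names of a Process Monitor CSV export; the sample rows, paths and registry key are constructed, and the operation list is a selection made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# All paths, the registry key and the values are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","firefox.exe","1234","ReadFile","C:\Example\profile\prefs.js","SUCCESS","Offset: 0"
"10:01:03.2","firefox.exe","1234","WriteFile","C:\Example\profile\toolbar-history.dat","SUCCESS","Offset: 0, Length: 64"
"10:01:03.3","firefox.exe","1234","WriteFile","C:\Example\profile\toolbar-history.dat","SUCCESS","Offset: 64, Length: 32"
"10:01:04.0","firefox.exe","1234","RegSetValue","HKCU\Software\ExampleVendor\Toolbar\LastRun","SUCCESS","Type: REG_DWORD"
"10:01:05.0","explorer.exe","900","WriteFile","C:\Example\other.log","SUCCESS","Offset: 0"
"10:02:00.0","firefox.exe","1234","SetEndOfFileInformationFile","C:\Example\profile\toolbar-history.dat","SUCCESS","EndOfFile: 0"
'''

# Operations that change data on disk or in the registry (a selection for
# this example, not an exhaustive list). A truncation such as clearing a
# history file shows up as SetEndOfFileInformationFile.
WRITE_OPS = {
    "WriteFile", "SetEndOfFileInformationFile",
    "SetDispositionInformationFile", "SetRenameInformationFile",
    "RegSetValue", "RegDeleteValue", "RegCreateKey", "RegDeleteKey",
}


def summarize_writes(csv_text, process_name):
    """Return {path: {operation: count}} for successful modifying events."""
    summary = defaultdict(lambda: defaultdict(int))
    # Exported files may start with a byte-order mark; drop it if present.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        summary[row["Path"]][row["Operation"]] += 1
    return {path: dict(ops) for path, ops in summary.items()}


if __name__ == "__main__":
    for path, ops in sorted(summarize_writes(SAMPLE_CSV, "firefox.exe").items()):
        print(path, ops)
```

Run it against one capture per action (a toolbar search, a search-box search, clearing the history) so each artifact can be tied to the action that produced it.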