Monday, August 22, 2011

Google History Forensics

by Craig Ball

About the Author

Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

In my last Forensic Focus column, I touched on migration to handhelds and the cloud, mushrooming drive capacities and encryption-by-default as just some of the factors auguring the eventual extinction of conventional digital forensics. But an end to old school digital forensics is no threat to examiners who evolve. There will be plenty to do for those adapting their skills and tools to new sources and forms of information. We will learn to read new tea leaves.

Happily, for every source of forensically-rich information that fades away, others emerge. For every MacBook configured to wipe deleted data, there’s an iPhone storing screenshots and typed text. When webmail shooed away some of our ability to locate messaging artifacts, social networking and geolocation wandered in with stories to tell.

Now and then, the emergent sources just seem too good to be true.

Case in point: Google History.

Certainly, forensic analysts routinely look at Google searches locally, parsing Internet activity to assess what the user searched and surfed: “Nude children.” “How to make chloroform.” “Wipe a hard drive.” It’s compelling evidence.

But, as users grow savvy about covering their tracks, we see more cache deletion and deployment of antiforensic “privacy” tools designed to deprive us of the low-lying fruit. It’s potentially “spoliation” on the civil side and “obstruction of justice” on the criminal side. On both sides, proving it helps justice be done.

Then again, data can disappear innocently, too. Oliver Wendell Holmes, Jr., observed that, “Even a dog distinguishes between being stumbled over and being kicked.” Discerning evil intent—mens rea in the law—is crucial to deciding whether and how much to punish actions that result in lost evidence. One way we demonstrate intent is by showing the planning that preceded an act. We reasonably infer intent to destroy evidence from web searches seeking ways to make evidence disappear.

But what do you do when the data destroyed is the evidence of intent in its destruction?
