Archive for 2009

How to Delete Google History – Google Chrome Artifacts and Google Chrome History

As of December 2009, the Google Chrome web browser is the world's fourth most widely used web browser. As an example, nearly 7% of all Anti-Forensics.com visitors use the Chrome web browser. This article covers the Google Chrome search history, artifacts and logs that the Chrome web browser creates when a Google keyword search is performed from the browser address bar. You will also learn how to delete Google Chrome history.

The Chrome web browser has a privacy mode which is referred to as “incognito” mode. This feature can be accessed by pressing the hotkeys CTRL + SHIFT + n with the browser in focus. Google Chrome’s incognito mode will not be covered in this article (but expect to see it soon!). The purpose of the testing which was carried out for this article was to see what artifacts would be created when performing a Google keyword search from the address bar of the web browser and then which of those artifacts are left behind after a fine-tuned cleaning was completed with the CCleaner software (yes, there was evidence left behind when using CCleaner with overwriting/wiping options enabled – yikes!).

CCleaner is created by Piriform and is a popular system tune-up application for Windows which has the ability to delete temporary Internet files, application history and more. One of the great features of CCleaner is its “secure wipe” function which will force the software to purposely over-write the data that it is deleting and data that has been deleted through normal means in the past. A simple one pass wipe is sufficient to prevent any recovery of data with modern technology, which is what CCleaner was set to do during the investigative and testing portion of this article.

CCleaner has the ability to “wipe free space”, or more appropriately “unallocated data” or “unallocated file space”. Unallocated file space is the area of a hard drive or other digital media which is available for new active data to be written to. On a Windows system, the standard deletion of data marks that now “deleted” data as unallocated and free for use by the operating system. This means that, with the right tools, that deleted data (or fragments of it) residing in unallocated file space can be recovered. A wiping software's ability to wipe the free space on digital media will leave data located in unallocated or free space over-written and essentially destroyed, preventing any recovery of data from unallocated file space that existed before the wiping software did its deeds.

To begin, a fresh and clean test environment was set up for all of the testing done in this article. The operating system used in the testing was Windows XP Professional with the Google Chrome web browser installed.

An initial search for “how to delete google history” was typed into the Chrome web browser address bar as seen in the screenshot below.

Google Chrome Initial Search

After hitting enter the search engine results page was displayed.

Google Search Results

The Google Chrome web browser was then closed in the usual fashion, by hitting the “X” in the top right corner of the application title bar.

The hard drive was then examined with the EnCase suite of computer forensics tools. To start, the phrase “how to delete google history” was created as a keyword within the EnCase software.

EnCase Keyword Added

Notice that the additional option “Unicode” was selected in the screenshot. A lot of data is stored in the Unicode standard format by modern operating systems.

This option was selected so that in the event that the search history has been written to the hard drive in this format, it will be found by the EnCase keyword search.

A keyword search was then performed with “how to delete google history” as the only keyword selected.

EnCase Keyword Search Setup

In the screenshot above you will notice that the option to search “file slack” has been enabled. The Windows XP operating system (among others) writes files to clusters on digital media, such as a hard drive. Rarely will the ending portion of a file be exactly the right size to completely fill the last cluster. The space remaining between the end of the file and the end of the cluster is wasted and unused. This space is referred to as slack space, and it is not uncommon for Windows to fill this portion of slack space with data from RAM (your computer's memory) after a file is written to the hard disk.

This means that there is the potential for data that resides in computer memory (such as a search performed from a web browser or even instant messaging conversations) to end up being written into the slack space at the end of a file.

In the following two screenshots you will see the results of the keyword search which was performed with EnCase.

EnCase Search Hits

Viewing the screenshot above you will see the first half of the search hits that EnCase was able to find for the keyword search “how to delete google history”.

Notice that there are three active files which the search phrase appears in. These are “Current Tabs”, “History”, and “Current Session”. These files are all located in the “Application Data\Google\Chrome\User Data\Default” directory for the currently logged in user account on Windows XP.

The search phrase was also discovered in the unallocated portion of the hard drive and within another deleted file with the name “History Index 2009-12-journal”.

The second half of the search results is viewable in the screenshot below.

EnCase Search Hits

In the second half of the search results you will notice that there is an additional hit for the phrase within an allocated or active file with the name “History Index 2009-12”.

Google Chrome gives users the options to view a detailed account of browsing history as well as previously closed browser tabs. The data in these active files is what is parsed and then displayed in an easy and human readable format by the Google Chrome web browser.

As you can see, if you were the subject of a computer forensics examination it would not be hard to recover your past web browsing habits from the Google Chrome web browser. If you were to manually delete these history files without some form of wiping, the files would be easily recoverable with the EnCase forensic software (or your basic data recovery software), so long as the files had not been overwritten through the normal use of the operating system.

Now, onto preparing CCleaner for the removal of artifacts and the wiping of free space. In addition to the default settings, I modified the settings shown in the following screenshots.

CCleaner Secure Deletion

As seen above, I changed CCleaner’s secure deletion settings to perform a one pass wipe which will consist of over-writing data once.

I then made sure to select all of the deletion options it listed for Google Chrome under settings.

CCleaner Chrome Artifacts

I also changed the 24 hour history deletion setting, as you can see below (the top option was unchecked).

CCleaner Temporary Files

After running CCleaner and letting it complete its deletion and wiping I accessed the drive once again with the EnCase forensic software and performed a keyword search for the same phrase “how to delete google history”.

EnCase Search Hits After Running CCleaner

The screenshot above shows the results of the keyword search performed after running CCleaner. As you can see, it’s a bit disappointing as there are now three hits left in unallocated file space for the search phrase “how to delete google history”.

Looking at the bottom pane in the screenshot you can see that I have highlighted a portion of the data which shows the full Google search URL, including the keywords which were searched for. These hits came from either the previously allocated file named “History Index 2009-12” or the deleted file “History Index 2009-12-journal”. The data was not properly over-written by CCleaner.

CCleaner did a good job of overwriting and destroying all of the other data which contained that search phrase but it somehow neglected this data. I’m not sure why this data was skipped while the rest was wiped.

In any case, I personally use a second piece of free software called Eraser (which has been mentioned by other readers of this blog as well). It may not have all of the fancy default options for wiping installed applications and their directories and log files, but it does have a very nice unallocated file space and slack space disk wiping utility.

I set the Eraser application to perform only a single pass wipe (by default it might be set to the 35 pass wipe).

Eraser Single Pass Wipe

I then scheduled a free disk space wiping task and chose to run it.

Eraser Wipe in Progress

After the wiping operation had completed I then once again accessed the hard drive with EnCase and performed the same keyword search for “how to delete google history”. Behold the results of the search in the screenshot below.

EnCase Search Hits After Running Eraser

You’ll notice that there were no more search hits for the Google search in either the standard plain-text format or the Unicode standard. Those of you reading this article will have to understand that the methods presented here may not produce the same results on your own system. I performed one simple Google search and then erased the evidence of it, all within hours of performing the search. There are many factors that could affect where history and artifacts end up on your computer that were not in play in the scenario I created.

For example, you may be running applications that back up files on your hard drive. If any of these files are included in your backups, you’re just creating another active copy of the data which will not be erased by default with CCleaner. Your computer may also be creating restore points, and this process might generate another copy of search history and artifacts during the creation of the restore points. It’s also possible that the search I performed was formatted in a different manner. An example of this is that Google will format the search keywords as “how+to+delete+google+history” in URLs (final searches were performed for this keyword after the Eraser wipe and no results were found).
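The EnCase keyword search above looks for the phrase in plain text and in Unicode, and the paragraph just above adds the “+”-joined form Google uses in URLs. As an added example (not code from the article or from EnCase, CCleaner or Eraser), this Python script scans a constructed byte buffer for all three forms and reports the offset of each hit, then shows how a wipe that covers only part of the space leaves a hit behind, which is the kind of leftover the article found after CCleaner:

```python
# Added example, not from the article: a small stand-in for an EnCase-style
# keyword search. It looks for the phrase in the encodings the article names:
# plain ASCII, "Unicode" (Windows commonly stores text as UTF-16LE) and the
# "+"-joined form Google puts in search URLs. The "image" is a constructed buffer.
import re

PHRASE = "how to delete google history"

def keyword_variants(phrase):
    """Byte patterns for the three encodings a forensic keyword search should cover."""
    return {
        "ascii": phrase.encode("ascii"),
        "utf-16le": phrase.encode("utf-16-le"),
        "url": phrase.replace(" ", "+").encode("ascii"),
    }

def keyword_search(data, phrase):
    """Scan a byte buffer (file, slack or unallocated space) for every encoding
    of the phrase. Returns a sorted list of (offset, encoding_name)."""
    hits = []
    for name, pattern in keyword_variants(phrase).items():
        for match in re.finditer(re.escape(pattern), data):
            hits.append((match.start(), name))
    return sorted(hits)

def single_pass_wipe(data, start, length):
    """Overwrite one region with zeros: the one-pass wipe the article configures
    in CCleaner and Eraser, applied here to only part of the buffer."""
    buf = bytearray(data)
    buf[start:start + length] = bytes(length)
    return bytes(buf)

def build_sample_image():
    """Constructed stand-in for a slice of unallocated space holding the search
    phrase three times, each in a different encoding."""
    img = bytearray(4096)
    img[100:100 + len(PHRASE)] = PHRASE.encode("ascii")           # plain text
    img[1000:1000 + 2 * len(PHRASE)] = PHRASE.encode("utf-16-le")  # "Unicode"
    url = b"http://www.google.com/search?q=how+to+delete+google+history"
    img[3000:3000 + len(url)] = url                               # URL form
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("before wipe:", keyword_search(image, PHRASE))
    # Wiping only the first half leaves the URL-encoded copy behind.
    partial = single_pass_wipe(image, 0, 2048)
    print("after partial wipe:", keyword_search(partial, PHRASE))
    print("after full wipe:", keyword_search(single_pass_wipe(image, 0, 4096), PHRASE))
```

A plain-text search alone would miss the UTF-16LE and URL forms, which is why all three patterns are checked before declaring a region clean.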

You’ll just need to be aware of the fact that there are many factors that can be involved and take extra precautions when protecting your privacy. One great example of protecting your privacy would be the use of full disk encryption software. If you’re really paranoid you could also just do all of your Internet browsing from a Linux live CD as well.

If you’ve comments, questions, concerns, criticism, or anything else, don’t be afraid to leave a comment using the form below.

Other articles in this series:

How to Delete Google History – The Google Toolbar

How to Delete Google History – Clear Google Toolbar History

There are many people who use the popular Google Toolbar with the Mozilla Firefox and Microsoft Internet Explorer web browsers. The Google Toolbar can be used to conduct keyword searches with the Google search engine and the toolbar will conveniently save those searches so that they can be viewed later.

Normally, to delete these searches a user will just click the “Clear History” link in the drop down search history box. However, using this method to delete your Google toolbar search history will not get rid of the other artifacts and remnants of searches that were performed before this action. For example, search history will remain in the Index.dat files that Internet Explorer uses to store browsing activity. Any web pages or Google search engine results pages may be cached in the Temporary Internet Files folders on a Windows system. The artifacts located in these files and locations may not be readily viewable to the average computer user but a trained computer forensics examiner will be examining this type of history.

It’s very important to understand that by just clicking “Clear History” from the Google Toolbar, you are not protecting your privacy by erasing all evidence of your searches. What I did for this article was go through the process of setting up a new virtual environment to see just what artifacts and Google history is being created during these Google toolbar searches.

The first step I took after installing a fresh copy of Windows XP Professional was to install the Google Toolbar for Internet Explorer.

Google Toolbar Download

After installation of the Google Toolbar, you’ll notice a search box which can be used to perform Google searches.

Google Toolbar Installed

I gave the Toolbar a try and performed a search for the keyword phrase “homemade pipe bomb” like in the screenshot below. Don’t judge me on my search criteria ;) You know you’ve always wanted to make one… or if you’re on this site, maybe you already have.

Google Toolbar Search

After the search was performed I loaded up the EnCase Forensic Suite of computer forensics software to do some keyword searches and see what artifacts were created by this simple Google Toolbar search. The most prominent result was a file created by the Google Toolbar which contains the exact search phrases that are typed into and searched for with the toolbar. The file is located in the “Local Search History” folder, which you can find at %username%\Application Data\Google\Local Search History. The screenshot below shows this Google Toolbar history file viewed from within the popular EnCase Forensic software. Notice that the bottom pane shows the contents of the file, and since I’ve only performed one unique search, there is only one entry in the file.

Google Toolbar History

After seeing this Google Toolbar history file which contains the keywords that have been searched for, I wanted to see what exactly would happen when the “Clear History” option was chosen. You will notice that this option is located in the drop down box of previous searches which can be seen in the screenshot below.

Google Toolbar - Clear History

Choosing this option clears the search history log in the local search history directory, as can be seen in the following screenshot, which was taken after the clear history option was clicked.

Google Toolbar Cleared History

However, it will not get rid of any of the other artifacts and evidence of the search. Not only is the toolbar collecting search phrases, but Internet Explorer will also be caching searches, HTML pages and more, as can be seen in the following screenshot.

Google Search Artifacts

By just clicking the simple “Clear History” option on the Google Toolbar, you will not get rid of all of the evidence that is created when you perform a Google search. You’ll notice from the same screenshot that an Index.dat file contains an entry for the Google search and that there is an HTML file (search[1].htm) cached in the Internet Explorer temporary internet files directory which, if loaded in a web browser, shows the search engine results page for the “homemade pipe bomb” search.

The Firefox web browser has its own browser cache as well, which will contain similar artifacts if the Google Toolbar for Firefox is used. To get rid of all of these extra artifacts you will need third party software which has been specifically coded to wipe them.

Remember that when you’re using wiping software you need to have the wipe settings set to do a single-pass wipe and not a normal deletion which does not include any writing over of files. You can usually set your wiping software to perform more than a single pass wipe but you’ll just be wasting your time.

If you’ve any questions, concerns or comments then please leave a comment using the form below. You can also contact me via the Contact Form or by leaving a post on the Anti-Forensics Forum.

Beat EnCase File Signature Analysis on a Windows System

Use a hex editor to modify the file signature of a WinRAR archive to that of an executable file to beat the EnCase forensic software's file signature analysis.

Disable Thumbnail Caching and Wipe Thumbs.db files on a Windows XP System

The thumbs.db file on a Windows XP system can be a treasure chest of 96 x 96 pixel artifacts. By default, in the standard Windows XP home and professional editions, a thumbs.db file is created in folders viewed in the thumbnail view which contain jpegs, bitmaps, GIFs, PNGs and other files.

Delete USB Device History from the Windows Registry (USBSTOR key) and the setupapi.log

This article covers the USBSTOR registry key and the setupapi.log file and methods to delete them. These two artifacts can contain data regarding USB devices that have been plugged into a system. There are other things you should be aware of as well which are covered in the article. Sometimes just deleting a registry key or file is not enough.

FBI Spyware CIPAV (Computer and Internet Protocol Address Verifier)

CIPAV or the Computer and Internet Protocol Address Verifier first came to light in 2007 when it was used during an investigation of a teen who had made bomb threats against his high school.

Contact Form Fixed

April 4, 2009 | Announcement

It seems the contact form was picking and choosing which input fields to actually save, and many email addresses were parsed out.

Obama Administration Keeping Quiet On Anti-Privacy Agreement (Anti-Counterfeiting Trade Agreement)

Parts of the agreement (ACTA, the Anti-Counterfeiting Trade Agreement) will allow border agents and officials in airports to seize your digital equipment, such as laptops, mp3 players and phones, to search for copyright protected material. People who are found to be in violation can have their equipment seized and destroyed, as well as receiving a fine.

Conducting Your “Business” from Wireless Networks

If you conduct online business under an alias such as "Mr. Green" or "Zero Cool" then using wireless networks that do not belong to you and have no connection to you is a great way to cover your tracks. You might just be a small time spammer trying to pay your rent. You could be a hacktivist preparing to deface a website. You could be many things and have numerous goals but the anonymity provided by using wireless networks that do not belong to you and have no connection to you is golden.