There are many people who use the popular Google Toolbar with the Mozilla Firefox and Microsoft Internet Explorer web browsers. The Google Toolbar can be used to conduct keyword searches with the Google search engine and the toolbar will conveniently save those searches so that they can be viewed later.
Normally, to delete these searches a user will just click the “Clear History” link in the drop-down search history box. However, using this method to delete your Google Toolbar search history will not get rid of the other artifacts and remnants of searches that were performed before this action. For example, search history will remain in the Index.dat files that Internet Explorer uses to store browsing activity. Any web pages or Google search engine results pages may also be cached in the Temporary Internet Files folders on a Windows system. The artifacts located in these files and locations may not be readily viewable to the average computer user, but they are exactly the type of history a trained computer forensics examiner will be examining.
It’s very important to understand that by just clicking “Clear History” from the Google Toolbar, you are not protecting your privacy by erasing all evidence of your searches. What I did for this article was go through the process of setting up a new virtual environment to see just what artifacts and Google history are being created during these Google Toolbar searches.
The first step I took after installing a fresh copy of Windows XP Professional was to install the Google Toolbar for Internet Explorer.
After installation of the Google Toolbar, you’ll notice a search box which can be used to perform Google searches.
I gave the Toolbar a try and performed a search for the keyword phrase “homemade pipe bomb” like in the screenshot below. Don’t judge me on my search criteria.
You know you’ve always wanted to make one… or if you’re on this site, maybe you already have.
After the search was performed I loaded up the EnCase Forensic Suite of computer forensics software to do some keyword searches to see what artifacts were created with this simple Google Toolbar search. The most prominent result was a file created by the Google Toolbar which contains the exact search phrases that are typed into and searched for with the toolbar. The file is located in the “Local Search History” folder which you can find at %username%Application Data\Google\Local Search History. The screenshot below shows this Google Toolbar history file viewed from within the popular EnCase Forensic software. Notice that the bottom pane shows the contents of the file and since I’ve only performed one unique search, there is only one entry in the file.
After seeing this Google Toolbar history file, which contains the keywords that have been searched for, I wanted to see what exactly would happen when the “Clear History” option was chosen. You will notice that this option is located in the drop-down box of previous searches, which can be seen in the screenshot below.
Choosing this option will clear the search history log in the local search history directory which can be seen in the following screenshot. This screenshot was taken after the clear history option was clicked.
However, it will not get rid of any of the other artifacts and evidence of the search. Not only is the toolbar collecting search phrases, but Internet Explorer will also be caching searches, HTML pages and more, which can be seen in the following screenshot.
You’ll notice that by just clicking the simple “Clear History” option on the Google Toolbar, you will not get rid of all of the evidence that is created when you perform a Google search. You’ll notice from the same screenshot that an Index.dat file contains an entry for the Google search and that there is an HTML file (search[1].htm) cached in the Internet Explorer Temporary Internet Files directory which, if loaded in a web browser, shows the search engine results page for the “homemade pipe bomb” search.
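The keyword search described above can be reproduced without a forensic suite. This is an added example, not code or tooling from the original article: it scans an exported copy of a profile for a phrase in the byte forms it can take in these artifacts (plain ASCII, UTF-16LE, and the URL-encoded forms found in a search URL), which goes slightly beyond the single case shown in the screenshots. The function names, the placeholder phrase and the three-file sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import quote, quote_plus

def keyword_variants(phrase):
    """Byte patterns an ASCII search phrase can take in browser artifacts."""
    candidates = [
        ("ascii", phrase.encode("ascii")),                 # cached HTML, history file
        ("utf-16le", phrase.encode("utf-16-le")),          # Windows wide strings
        ("url-plus", quote_plus(phrase).encode("ascii")),  # q=word+word in a URL
        ("url-percent", quote(phrase).encode("ascii")),    # word%20word in a URL
    ]
    by_pattern = {}
    for label, raw in candidates:
        by_pattern.setdefault(raw.lower(), label)  # one-word phrases collapse to one pattern
    return {label: needle for needle, label in by_pattern.items()}

def scan_tree(root, phrase):
    """Return sorted (relative_path, variant, offset) for each hit under root."""
    variants, hits = keyword_variants(phrase), []
    for path in Path(root).rglob("*"):
        try:
            data = path.read_bytes().lower()  # case-insensitive for ASCII letters
        except OSError:
            continue                          # directory or unreadable file
        rel = path.relative_to(root).as_posix()
        for label, needle in variants.items():
            pos = data.find(needle)
            while pos != -1:
                hits.append((rel, label, pos))
                pos = data.find(needle, pos + 1)
    return sorted(hits)

def build_sample(root):
    """Constructed stand-ins for the artifacts left after "Clear History"."""
    files = {
        "Local Search History/history": b"",  # emptied by the toolbar
        "History/index.dat": b"URL \x00http://www.google.com/search?q=Example+Search+Phrase\x00",
        "Temporary Internet Files/search[1].htm": b"<title>example search phrase - Google Search</title>",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp, "example search phrase"), sep="\n")
```

On the sample tree the emptied toolbar history file produces no hit, while the Index.dat stand-in and the cached results page each still do.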
The Firefox web browser keeps its own browser caches as well, which will contain similar results if the Google Toolbar for Firefox is used. To get rid of all of these extra artifacts you will need third-party software which has been specifically coded to wipe them.
Remember that when you’re using wiping software you need to have the wipe settings set to do a single-pass wipe and not a normal deletion, which does not include any writing over of files. You can usually set your wiping software to perform more than a single-pass wipe, but you’ll just be wasting your time.






