Google Searches

Google search terms can be great evidence and I doubt that many machines exist where they can't be found. NetAnalysis identifies them within URLs and cached webpages may hold some results pages.

On a Vista box I am looking at there is a helpfully named folder entitled Local Search History at the path

C\Users\{account name}\AppData\Roaming\Google\Local Search History

The equivalent location on XP is C:|Documents and Settings\{account name}\Application Data\Google\Local Search History.

Within this folder are five files on the box I am looking at

1. google%2Emaps.w
2. google%2Eweb.w
3. google%2Egroups.w
4. google%2Eimages.w
5. google%2Enews.w

Each one contains search terms in unicode. I have tested and found as it appears the type of google search is contained in the filename (e.g. google map searches are in google%2Emaps.w and so on).

Notably testing using IE7 with a separate Google Toolbar installed running in Vista revealed that searches made using

1. Instant search box (set to Google)
2. Google Toolbar
3. Google webpage

all populated google%2Eweb.w .

I have found traces of these files in unallocated clusters also.

The google toolbar has a Clear History option and as far as I can tell this modifies the MFT for the file resulting in Encase reporting an Empty File. In testing I carried out searches that caused google%2Eweb.w to extend over three clusters as follows

I cleared search history and via disk view in Encase viewed each cluster. In cluster 1447520 I found remnants of google%2Eweb.w but after a few minutes this cluster was zeroed out (during this test I had pointed Encase at my local drive). So at this point I am not sure why I have found traces in unallocated.