Google Forensics (...beta)

File carving is a technique that can be used by forensic investigators to recover files from a disk.

Forensic software can search through the raw data against a set of known file header signatures and extract items based on content rather than metadata.

This is particularly useful when examining the free (unallocated) space on a disk, as files that no longer exist within the file system can still be recovered. It is also valuable when the file system itself has changed, such as when a Windows system has been rebuilt as a Linux box.

It will not always be possible to recover the full path or original creation dates by file carving, as only the data contained within the file might remain. But the data itself can sometimes contain more information than timestamps could provide…
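The carving process described above, as an added example that is not part of the original post: a small Python carver scans a raw byte image for known header signatures and cuts files out by content alone, with no file-system metadata involved. The PNG, JPEG and GIF signature bytes are the standard ones; the "disk image" is constructed inline (filler text with a few images embedded, including one deliberately damaged PNG). It goes one step beyond a plain header/footer scan for PNG by walking the chunk chain and checking each chunk's CRC, so a partially overwritten file in free space is rejected rather than carved as junk.

```python
"""Minimal content-based file carver over a raw byte image (added example, constructed data)."""
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Header/footer pairs for types carved by footer scan (standard signature bytes).
# Caveat: a JPEG with an embedded EXIF thumbnail carries a second EOI marker,
# so a naive footer scan truncates it; a real tool would parse marker segments.
FOOTER_SIGS = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00;"),
}


@dataclass
class Carved:
    kind: str
    offset: int   # byte offset in the image where the file was found
    data: bytes


def png_length(image: bytes, start: int) -> Optional[int]:
    """Walk PNG chunks from a signature at `start`. Return the total file length
    if the chain is well-formed through IEND with valid CRCs, else None."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        data = image[pos + 8:pos + 8 + length]
        crc_bytes = image[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            return None  # runs off the end of the image: truncated
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != struct.unpack(">I", crc_bytes)[0]:
            return None  # chunk overwritten or corrupted: reject the candidate
        pos += 12 + length
        if ctype == b"IEND":
            return pos - start
    return None


def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> List[Carved]:
    """Return every file recoverable from `image`, ordered by offset."""
    found = []
    # Structure-validated carving for PNG.
    start = 0
    while (idx := image.find(PNG_SIG, start)) >= 0:
        n = png_length(image, idx)
        if n:
            found.append(Carved("png", idx, image[idx:idx + n]))
            start = idx + n
        else:
            start = idx + 1
    # Header/footer carving for the remaining types, bounded by max_size.
    for kind, (head, tail) in FOOTER_SIGS.items():
        start = 0
        while (idx := image.find(head, start)) >= 0:
            end = image.find(tail, idx + len(head), idx + max_size)
            if end < 0:
                start = idx + 1  # no footer within bound: skip this header
                continue
            end += len(tail)
            found.append(Carved(kind, idx, image[idx:end]))
            start = end
    return sorted(found, key=lambda c: c.offset)


def build_png(width: int, height: int, rgb: tuple) -> bytes:
    """Construct a tiny valid solid-colour PNG (sample input, not real evidence)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


FILLER = b"unallocated cluster filler " * 8  # constructed stand-in for free space


def sample_image() -> bytes:
    """Constructed raw image: filler with a PNG, a JPEG stub, a damaged PNG and a GIF stub."""
    png = build_png(4, 2, (200, 100, 50))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    gif = b"GIF89a" + b"\x02" * 12 + b"\x00;"
    damaged = bytearray(png)
    damaged[20] ^= 0xFF  # corrupt a byte inside IHDR so its CRC no longer matches
    return FILLER + png + FILLER + jpg + FILLER + bytes(damaged) + FILLER + gif + FILLER


if __name__ == "__main__":
    for c in carve(sample_image()):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
```

Running the block lists three recovered files (png, jpg, gif) and silently drops the damaged PNG copy, which is exactly the trade-off carving makes: what comes back is whatever bytes survived, with no path and no timestamps attached.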

On the surface, the extraction of a Google logo from temporary internet files might not appear to be of any real relevance to a forensic examination. But what if the Google logo was of the Cookie Monster? This logo was created to commemorate the 40th anniversary of Sesame Street, and replaced the standard Google logo on the site in selected countries on the 5th of November 2009. Similarly, forensic examiners viewing a pumpkin instead of the ‘e’ of Google can be fairly confident that the site was visited on the 31st of October 2009. A plasma-covered logo from Nikola Tesla’s birthday indicates activity on the 10th of July.

Whilst this technique cannot, of course, provide indisputable evidence, it demonstrates how the content of web-based files can be used to build a more complete picture of how and when a machine has been used. It could even allow other evidence to be collected that may aid a case, particularly when recovering data from file or volume slack.

http://www.google.com/logos/