Artifacts

Google Desktop Search

Author Name
Matt

Artifact Name
Google Desktop Search (GDS)

Description
Google Desktop is a utility that indexes the contents of a hard drive to give the user quick search access. Indexed content includes email, office documents, chat logs, music, and web activity. It is possible to find deleted files within the contents of the index created by GDS. The main file of interest is “dbeam”, but its file structure is not easily parsed by current forensic tools. It is a text-based file, so keyword searches for items of interest are possible. The best workaround is to boot the forensic image in a VM or copy the files over to a clean GDS install, as described by Hans Heins in the first research link.

Registry Keys
HKEY_USERS\<SID>\Software\Google\Google Desktop

File Locations
C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Google Desktop

Research Links
http://www.hansheins.nl/forensics/gds/
http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE47BD9-A897-6585-5EAB032ADF89EDCF.pdf
http://computer-forensics.sans.org/community/papers/google-desktop-search-analysis-tool_359

Forensic Programs of Use
See the first research link for the workaround by Hans Heins.
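
Keyword search sketch (an added example, not part of the original entry or any tool it links to): it walks the per-user Google Desktop folder listed under File Locations, picks up the “dbeam” file, and reports the byte offset of each keyword hit. Assumptions: `profiles_root` is the “Documents and Settings” directory of a read-only mounted working copy of the image, file names are matched by the prefix “dbeam”, keywords are ASCII, and UTF-16LE matching is included in addition to plain single-byte text; the sample data in `demo()` is constructed.

```python
import os
import tempfile

# Per-user folder documented on this page, relative to a profile directory.
GDS_SUBPATH = os.path.join("Local Settings", "Application Data", "Google", "Google Desktop")

def find_dbeam_files(profiles_root):
    """List files named dbeam* under each profile's folder (prefix match is an assumption)."""
    found = []
    for user in sorted(os.listdir(profiles_root)):
        for dirpath, _dirs, files in os.walk(os.path.join(profiles_root, user, GDS_SUBPATH)):
            found += [os.path.join(dirpath, f) for f in sorted(files) if f.lower().startswith("dbeam")]
    return found

def search_keywords(path, keywords, chunk_size=1 << 20, context=16):
    """Return sorted (offset, keyword, context) hits; ASCII keywords, matched case-insensitively
    as single-byte and UTF-16LE text. The file is opened read-only and read in chunks."""
    needles = {}
    for kw in keywords:
        needles[kw.lower().encode("ascii")] = kw
        needles[kw.lower().encode("utf-16-le")] = kw
    overlap = max(len(n) for n in needles) - 1  # carry-over so boundary-spanning hits are seen
    hits, tail, base = {}, b"", 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            lowered = buf.lower()
            for needle, kw in needles.items():
                pos = lowered.find(needle)
                while pos != -1:
                    raw = buf[max(0, pos - context):pos + len(needle) + context]
                    hits.setdefault((base + pos, kw), raw.replace(b"\x00", b"").decode("latin-1"))
                    pos = lowered.find(needle, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)  # file offset at which the carried-over tail starts
    return sorted((off, kw, ctx) for (off, kw), ctx in hits.items())

def demo():
    """Build a constructed profile tree with a constructed 'dbeam' file and search it."""
    root = tempfile.mkdtemp()
    gds = os.path.join(root, "jdoe", GDS_SUBPATH)
    os.makedirs(gds)
    sample = b"\x01\x02url=http://example.test/Budget.xls\x00" + "deleted-memo.doc".encode("utf-16-le")
    with open(os.path.join(gds, "dbeam"), "wb") as fh:
        fh.write(sample)
    return [(os.path.basename(p), search_keywords(p, ["budget", "memo"], chunk_size=8))
            for p in find_dbeam_files(root)]

if __name__ == "__main__":
    for name, hits in demo():
        print(name, hits)
```

The reported offsets can be used to jump to each hit in a hex viewer; the context string is trimmed at chunk boundaries and has NUL bytes removed for readability.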