google desktop search forensics

This paper about the use of Google Desktop in forensics is concise and informative. The most interesting aspect is just how much Google Desktop indexes and copies. Email, local files, network files, and even web surfing histories are stored independently of those applications or the OS. This means that even a laptop that shouldn't have sensitive data on it may still contain copies of files from open network shares that the user has access to, confidential emails, or even files from other users on the same system. In addition, web surfing history and some artifacts are also retained, even if the user attempts to clear them in the browser options or with a third-party privacy tool.

The only limitation so far is the inability to read the files directly. You have to copy the files to a separate machine, make them read-only, and then open them in that machine's Google Desktop Search tool. Still, this can be a powerful tool for finding some artifacts. It can also act as a surprising vector for data leakage in an organization.