Search Histories, Caylee Anderson, and Bill Gates
Saturday, September 6th, 2008 by Harry LewisCaylee Anderson is the Florida toddler whose mother Casey failed to report her missing for a month and who has been jailed for child endangerment (she’s out on bail). No one yet knows what happened to the little girl, but CNN reports this tidbit today:
Authorities said they have found traces of chloroform in the car Anderson drove and Internet searches of chloroform Web sites on her computer.
Searching computers is as much a part of criminal forensics now as searching a crime scene or the home of a suspect. And because, as we say, bits don’t go away, it can be even harder to eradicate digital fingerprints than it is to eradicate real ones.
Most likely the authorities were just checking the web browser history on Casey’s computer. If you don’t know what I’m referring to, look for a “History” menu on your browser; it’ll show ¬†where you’ve been to on the Web. The default setting on Safari, a browser I use on my Mac, is to save the history for a week, but I can make it longer. It’s a convenience; every now and then I want to go back to something I was looking at a few days ago, and by using the history I can find it quickly. When I search using Google, the history records not just that I was using Google, but what I was searching for. Bingo, if you’re a gumshoe and can get access to my machine. (There is an entirely separate issue of whether Google is keeping its own record of my searches and would turn it over to law enforcement. We talk about that in Blown to Bits also.)
Suppose Casey wanted to cover her tracks — what should she have done? Well, Safari has a “Clear History” command; that would be a good place to start. There’s also a “Reset Safari” menu item (try it — it will let you choose what to reset and give you the option of canceling or following through). Firefox calls this “Clear Private Data.”
But most people are PC and Internet Explorer users. I assumed Casey is too, and checked what Microsoft says about clearing the history of Explorer searches.
Have you seen those Mac ads where a geeky Bill Gates figure fumbles about the complexities of Vista, side by side with a cooler, more normal Mac user? (As a personal caricature, it’s actually unfair to Bill; when he was the age of the actor, he was wiry and energetic, like a coiled spring, not the doughy goofball the ad depicts. Of course, the ad doesn’t claim that’s supposed to be Bill. And in any case ads aren’t required to be fair about things like that.)
Here’s what Microsoft has to say about How to Clear the History Entries in Internet Explorer for version 6:
1. | Close all running instances of Internet Explorer and all browser windows. |
2. | In Control Panel, click Internet Options. |
3. | Click the General tab, and then click Clear History. |
4. | Click Yes, and then click OK to close the Internet Options dialog box. |
If the cached addresses are still listed in the Address box in Internet Explorer, use the following steps:
1. Quit Internet Explorer. | |
2. Delete all of the values except for the (Default) value from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs |
NOTE: Values in this registry key are listed as Url1, Url2, Url3, and so on. If you delete only some values and the remaining values are not in consecutive numerical order, only some of the remaining entries are listed in the Address box. To prevent this behavior from occurring, rename the remaining values so that they are in consecutive numerical order.
Even if Casey had tried to cover her tracks, she probably couldn’t have managed, if she was using the version of Explorer that is most widely in use. No wonder Microsoft is mounting its own funky advertising campaign, starring Jerry Seinfeld and the real Bill Gates, to humanize its products.
And no wonder Google sees an opportunity with its new Chrome browser, as we discussed recently. And indeed, no wonder, as David Pogue noted, Chrome has
something called Incognito mode, in which no cookies, passwords or cache files are saved, and the browser’s History list records no trace of your activity. (See also: Safari, Internet Explorer 8 [which is now available in Beta].) Google cheerfully suggests that you can use Incognito mode “to plan surprises like gifts or birthdays,” but they’re not fooling anyone; the bloggers call it “porn mode.”
That’s a useful feature for anyone planning a crime, too!
P.S. There is yet another issue. Even if the history isn’t visible through the menu commands, traces of it may well still be stored on disk in a way that a brute force search of disk blocks, one by one, would reveal. “Deleted” doesn’t actually mean that the bits have been destroyed utterly. In both the offense and defense of computer forensics, you can almost always do a better job if you spend more time and money, so how confidently one can say that bits are “gone forever” depends on the cash value you attach to destroying them or discovering them.