Monday, January 27, 2014

IEF and Google Translate Browsing History

In working a recent forensics investigation for Sibertor, I ran into something I hadn't noticed before: Google Translate URLs.  I ran into these while sifting through Internet Evidence Finder (IEF) output from the hibernation file pulled from the image of my subject's primary machine. As usual, IEF carved some really cool Gmail fragments, rebuilt Facebook pages and Internet browsing history.  Since the subject worked at an organization that required a great deal of translating as part of his daily job, a good chunk of the Firefox browsing history was Google Translate URLs.  It really was cool to see exactly what was being translated, right there in the URL. As an example (and, sadly, not one related to the investigation), here is one of my favorite conversations translated to Malay (Hello to my friends in Malaysia!):

http://translate.google.com/#en/ms/Justin%20Bieber%20threw%20up%20on%20stage

Since it was relevant to my investigation, I paid special attention to the language the text was being translated to; in this example the "ms" stands for Malay.  In my case the target code was "it", meaning the user was translating text to Italian.  The URL layout is consistent: after the "#" comes the source language code, then the target language code, then the percent-encoded text itself.  What is also notable here, and a point of interest to some, is that unlike Google searches, which have been sent encrypted by default for logged-in users since October 2011 and for all users since September 2013, Google Translate requests are sent in the clear regardless of whether the user is logged in.  One caveat for anyone hoping to recover the same detail from network captures: the "#..." fragment that carries the languages and text is kept by the browser and is never transmitted as part of the HTTP request for this URL (the page's own script reads it and submits the text separately), so this exact URL is a browser-side artifact that shows up in history and hibernation carvings like these, not in the request line a proxy log or packet capture would record.
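
To make that URL layout concrete, here is a small Python parser, added for this post and not taken from IEF or from the original write-up, that pulls the source language, target language and decoded text out of Google Translate URLs found in a history export and tallies the target languages. The history lines are constructed for illustration; the `auto` source code and the country-code hostnames (translate.google.co.uk and the like) are assumptions, not something the post itself shows.

```python
"""Pull Google Translate requests out of carved browser-history URLs.

Added example for this post; it is not IEF output or code from the post.
The sample history lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit


class TranslateRequest(NamedTuple):
    source_lang: str   # e.g. "en", or "auto" for auto-detect (assumption: Google uses "auto")
    target_lang: str   # e.g. "ms" (Malay), "it" (Italian)
    text: str          # the percent-decoded text the user submitted
    url: str           # the original URL, kept for the report


# Matches ISO-639-style codes such as "en", "ms", "zh-CN", plus "auto".
_LANG_RE = re.compile(r"auto|[a-z]{2,3}(?:-[A-Za-z]{2,4})?")
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_translate_url(url: str) -> Optional[TranslateRequest]:
    """Return the request encoded in a translate.google.* URL, or None."""
    parts = urlsplit(url.strip())
    # Assumption: country-code hosts (translate.google.co.uk, ...) use the same layout.
    if not (parts.hostname or "").startswith("translate.google."):
        return None
    # Everything of interest lives in the fragment: "#<src>/<dst>/<percent-encoded text>".
    # A fragment is never sent to the server (RFC 3986), so this is a purely browser-side
    # artifact: present in history and hibernation carvings, absent from proxy logs.
    pieces = parts.fragment.split("/", 2)   # maxsplit=2 keeps any "/" inside the text
    if len(pieces) != 3:
        return None
    src, dst, encoded = pieces
    if not (_LANG_RE.fullmatch(src) and _LANG_RE.fullmatch(dst)):
        return None
    return TranslateRequest(src, dst, unquote(encoded), url.strip())


def extract_translate_requests(lines: Iterable[str]) -> List[TranslateRequest]:
    """Scan arbitrary text (e.g. an IEF history export) for translate URLs."""
    found: List[TranslateRequest] = []
    for line in lines:
        for url in _URL_RE.findall(line):
            req = parse_translate_url(url)
            if req is not None:
                found.append(req)
    return found


def summarize_by_target(requests: Iterable[TranslateRequest]) -> Dict[str, int]:
    """Count requests per target language; the target is what told the story in the case."""
    return dict(Counter(r.target_lang for r in requests))


# Constructed sample: four translate URLs (one with a "/" inside the text, one with
# non-ASCII output, one with an "auto" source) plus two lines that must be ignored.
SAMPLE_HISTORY = """\
http://translate.google.com/#en/ms/Justin%20Bieber%20threw%20up%20on%20stage
http://www.google.com/search?q=memory+forensics
http://translate.google.com/#en/it/Where%20is%20the%20train%20station%3F
https://translate.google.com/#auto/en/Dov%27%C3%A8%20la%20stazione%3F
http://translate.google.com/#en/it/Please%20review%20the%20Q1/Q2%20report
http://translate.google.com/
"""

if __name__ == "__main__":
    reqs = extract_translate_requests(SAMPLE_HISTORY.splitlines())
    for r in reqs:
        print(f"{r.source_lang:>4} -> {r.target_lang:<5} {r.text!r}")
    print("targets:", summarize_by_target(reqs))
```

Splitting the fragment with `maxsplit=2` matters: a literal "/" inside the translated text would otherwise be mistaken for a third path segment and the request silently dropped. Feeding the function an IEF URL export rather than the constructed sample is just a matter of passing the file's lines.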

This is good stuff, and it relates directly to the employee investigations module in SANS FOR526: Windows Memory Forensics In-Depth. The application of memory forensics in employee investigations has yielded some serious wins for me, and it sounds like other internal forensics teams are pulling memory more frequently as well.