Analyzing Timestamps in Google Search URLs
Google Search URLs have always been a gold mine of information to forensic examiners. Not only can you get a lot of detail on the search itself but there’s a plethora of timestamps potentially available with these searches as well.
Historically, AXIOM has always recovered the Date/Time from the source system (usually the Last Visit time from whatever browser was used to conduct the search) but you can also get a lot of valuable information from the URL itself. So even if you carve the URL from memory or unallocated space, you can still get valuable information without the browser context. For example: Search Session Start Date/Time has been quite useful in many cases. We’ve always pulled this timestamp from the ei= value from within the URL itself as it represents the time that the user’s session started and is placed in the URL straight from Google (so no dependence on the local system time).
Cheeky 4n6 Monkey has written an excellent explanation on how that ei= value is calculated and provides a script if you’re looking to do your own validation. Instead of me repeating most of those details here, just give his blog a read, well worth the few minutes if you haven’t read it before.
New in AXIOM 3.10
More recently we’ve added two additional timestamps to the Google Search URLs to assist further with your investigations:
- Previous Page Load Date/Time (sxsrf= value)
- Page Load Date/Time (ved= value)
These timestamps also come directly from the URL so they benefit from independence from the user’s system much like the ei= value. The first value is the sxsrf= fragment (called Previous Page Load Date/Time in AXIOM/IEF) and the ved= fragment (called Page Load Date/Time in AXIOM/IEF). These timestamps aren’t available in every search URL but if they are, AXIOM and IEF will pull these automatically for you.
I wanted to give a shout-out to Phill Moore who introduced me to these two timestamps and Ryan Benson who’s non-stop tweeting about them for the month of January finally motivated me to get around to adding them to AXIOM.
Previous Page Load Date/Time (sxsrf= value)
The Previous Page Load Date/Time (sxsrf= value) is usually found near the beginning of the URL and while I had trouble recreating it when Phill first mentioned it, it appears to come up more often in Google searches now. This timestamp usually reflects the time when the page prior to the actual search was conducted. So if I visit www.google.com and then search for “Magnet Forensics” this timestamp will reflect the date/time when I visited www.google.com not when I conducted my search. Having this additional value can be quite helpful to track a user’s interaction with the computer or phone.
Page Load Date/Time (ved= value)
The second timestamp called Page Load Date/Time (ved= value) is a little trickier to calculate because it uses Google Protocol Buffers to store the data in the URL. Both Ryan and Phill go into great detail on how this is done and provide sample scripts on how to do it if you’re looking to validate or try it on your own. Often both these timestamps may match the same time as the search itself as most people would conduct the search immediately after visiting google.com so worst case scenario you get 3 timestamps all for the same time, otherwise they may be slightly different which allows you to draw some conclusions about your user’s browsing habits.
For more information or details checkout Phill and Ryan’s resources here:
- Ryan wrote a free online tool to check and decode Google Search URLs: https://dfir.blog/introducing-unfurl/
- Phill wrote a script to parse out ved values here (super helpful if you’re new to Google protocol buffers): https://github.com/randomaccess3/googleURLParser