Paranoia, Murder and Google Analytics Cookies

Today, we look at paranoia, hi-tech policing and the forensic cookie-crumb trail to conviction for murder.

The facts in this article (other than the technical explanations) are based on truth, obfuscated liberally to protect the potentially guilty from a mistrial. They may also have been stretched and strained just a bit to facilitate the technical explanations but they are based in truth.

Mr. X is planning to murder his wife. How would you go about that exactly? What would you need? I guess that depends on the method. Say, strangulation with an Ethernet cable.

Would you approach it like a project? What happens if there are bugs? Is this something one must get right, first time? How do you do the testing? Is there a specific technique to it or will brute force do the trick? Is Ethernet cable strong enough?

Remember that it’s Mr. X, not Dr. X, so Googling appropriate search terms is inevitable. One doesn’t need to be a computer whiz to get that sort of information, and he’s not. Whatever baggage Mr. X carries, paranoia is not one of his problems. He is, however, oblivious to the trail of personal information he leaves behind on his computer, in his bank account, and on credit card slips and sticky notes.

From the search results for the term “strangulation with rope” he learns that ropes leave distinct weave patterns and rope fibers. Since he doesn’t have any rope and does not want to be seen purchasing it, he thinks of something smooth like the Ethernet cable. From searching for various terms he eventually tries “Cat5 breaking strength” and concludes from the results that it might not be strong enough, so he goes for an extension cord—items he has around the house.

His study and preparation having paid off, he does the deed without a hitch. He comes home after drinking with his buddies to “find his wife strangled” and makes a well-rehearsed 911 call.

Faced with a single suspect with an alibi, the prosecutor calls in forensic computer expert Mr. M to search Mr. X’s computer for corroborating evidence.

The expert finds the browser history sketchy, the only Google searches relating to cheating on husbands. A motive perhaps but not sufficient to incriminate Mr. X.

An inspection of the cookies turns up numbers and session IDs and a number of strange __utm type cookies.

The __utmz cookies are particularly interesting since they contain strings like:

and

Mr. M does some searching of his own and finds my earlier post, “Slicing and Dicing Cookies – Part 2 – Body Parts”.

A few emails are exchanged and before we know it, VKI is strutting around like it’s CSI: Vancouver. Nonetheless, we assisted Mr. M in understanding the timestamps, visit counts and referrals, establishing that the first cookie was for a search with a timestamp of 1194785690, done at 11/11/2007 4:54:50 AM PST, and that the other searches were done on Mr. X’s computer while his wife was at work and before the date of the murder.

The combination of motive, the data in the cookies and the circumstantial evidence at the murder scene may well serve to convict Mr. X.

To decode timestamps, see my post with the Timestamp Converter.
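The decoding described above, as an added example that is not code from the original post or from the investigation: a Python parser for the classic Google Analytics `__utmz` layout (domain hash, timestamp, visit count, source count, then pipe-delimited referral fields). The sample cookie is constructed; only the timestamp and the search phrase come from the article, while the domain hash, the counters and the pairing of that phrase with that timestamp are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Fixed UTC-8 offset, matching the PST time quoted in the article.
PST = timezone(timedelta(hours=-8), "PST")

# Pipe-delimited referral keys of the classic ga.js __utmz cookie.
CAMPAIGN_KEYS = {"utmcsr": "source", "utmccn": "campaign", "utmcmd": "medium",
                 "utmctr": "search_term", "utmcct": "content"}


def parse_utmz(value):
    """Split a __utmz value into its numeric header and referral fields."""
    # The tail may contain dots (a referring host name), so split only four times.
    parts = value.split(".", 4)
    if len(parts) != 5:
        raise ValueError("expected four dot-separated numbers before the referral data")
    domain_hash, ts, visits, sources, tail = parts
    if not all(p.isdigit() for p in (domain_hash, ts, visits, sources)):
        raise ValueError("non-numeric header field")
    set_utc = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    record = {
        "domain_hash": domain_hash,
        "set_utc": set_utc,                  # when the referral data was last written
        "set_pst": set_utc.astimezone(PST),
        "visit_count": int(visits),          # sessions seen when it was written
        "source_count": int(sources),        # distinct referral sources so far
    }
    for pair in tail.split("|"):
        key, sep, val = pair.partition("=")
        if sep and key in CAMPAIGN_KEYS:
            record[CAMPAIGN_KEYS[key]] = unquote(val)
    return record


# Constructed sample: timestamp and search phrase are taken from the article;
# the domain hash, both counters and the pairing are made up for illustration.
SAMPLE = ("123456789.1194785690.3.2."
          "utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Cat5%20breaking%20strength")

if __name__ == "__main__":
    for field, val in parse_utmz(SAMPLE).items():
        print(f"{field:13} {val}")
```

Because the timestamp is seconds since the Unix epoch in UTC, an examiner should record the UTC value alongside any local-time rendering so the conversion can be re-checked.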

Oh! The Paranoia. Well, Mr. X does not carry that in his baggage. But what about the rest of us? Stories abound suggesting that investigators or the government can go to Google and get possible search terms and matching IP addresses and trace down the perpetrators, thereby invading our privacy.

That might work if they had the exact search terms and time period searched. Failing that, they would be looking for generic terms like “strangulation” resulting in a long list of IP addresses. Some of these IP addresses are dynamic, some even from Internet service providers using IP pooling (multiple users sharing multiple IP addresses) and yet others belonging to companies with many employees.

That “fishing expedition” might even be feasible if there were a cause justifying the expense and the search warrants. But are the rest of us worried about a real problem or are we being mostly irrational?

These crime scenarios involve suspects’ computers being accessed directly along with other physical evidence. There would be no need to go to Google, just as there was no purpose in doing so in the case of Mr. X. To read the accounts of such stories and start worrying about our privacy without considering the reality is paranoia.

Cardinal Path

Published by
Cardinal Path
