Digital Forensics Has Lost a Key Tool: Goodbye, Google Cache

Digital Forensics Has Lost a Key Tool: Goodbye, Google Cache

An often-told tale of a digital forensics investigation is where a target website has revealed key elements of information that a timeline of activity. This might be related to a site which was trading illegally, but when under investigation, the Web site was changed. For investigators have often turned to Google Cache to examine previous versions of a Web site:

A typical use case is when a Web site has been hacked or taken-over. With this, an investigator could pin-point the exact time that a Web site changed for its content. This often contained key information for the investigation.

But, now, Google has “quietly” dropped the service:

Overall, Google outline that the cache feature allowed users to view a cache when it was not loading correctly, but these days, we use Web caches that deliver Web pages from the edge of the Cloud (and not fully from a server). This means that the Web is so much more reliable than it used to be.

The main alternative is the WayBack engine, and where we WayBack archives pages on a regular basis:

Unfortunately, as you can see from above, sites might only be crawled on an irregular basis, and an investigator could miss a key update. If you are interested, here is ASecuritySite from 15 Feb 2013 [here]:

Another feature that was good about Google Cache was where there was an error in accessing a site and where you could just backtrack to a previous version that worked.

Conclusions

Google is a master at releasing services that users like, and then dropping them when they do not quite fit their focus. In this case, it is more about the reliability of the Web improving than dropping a service which users actually like to use. For investigators, it’s back to WayBack.