The past week has been hectic, though the Siri project has taken great leaps forward. We decided to look for evidence of Siri in Safari internet searches. If Siri does not know the answer to a question asked by the user, it asks if you would like to search the web for it. If the user accepts, Siri will begin a web search using Google on Safari for the prompted question.
The goal for this week is to find distinguishing features between a web search a user typed into the Safari browser and a search that results from the user asking Siri a question it has to look up on the web.
To start this research, we generated some content of different web searches. There are several different kinds of searches that can be done on an iPhone.
One type of search is a Google homepage search on the Safari application. This search is done when a user types in www.google.com and performs a search on the main search bar of the Google homepage as seen below.
Next there is the Google sidebar search through Safari. This is done when the user selects the sidebar on Safari and conducts a search. By default this sidebar is set to search on Google; however, in the Safari settings it can be set to search through Yahoo or Bing.
The third kind of search is what we call a “mobile” search. This is when a user erases the text from the top bar of a previous search on Google. This is different from a homepage search because it is conducted from the results page of a previous search string. It is also different from a sidebar search because it is using the Google website rather than the Safari application.
The final search is a Siri search. This is a search where the user asks a question and Siri prompts the user for a web search of that question. By default Siri uses the Safari application and Google web search.
We found that the key to differentiating the searches is in the web history links. We imaged the iPhone by doing a file system extraction in Cellebrite. Then, using EnCase v7.04.01, we uploaded the phone’s extracted file system. We found the History.plist of all the web searches we made in Backup Service> var> mobile> Library> Safari. By cross-referencing the History.plist with our template, we were able to distinguish different types of searches.
We copied and pasted the “transcript” view into Notepad++. The “transcript” view in EnCase “suppresses file noise, such as formatting and metadata,” which makes it easy to view. We then put spaces between the different searches to take a closer look at the links. We were able to find some correlation between different kinds of web searches. What was found is displayed below in the screenshot from Notepad++.
We started off with a Google homepage search. We visited www.google.com and manually typed “what do narwhals eat” into the main search bar on the home webpage. After going through the process of generating data and imaging it multiple times, it appears that the term “mobile-gws-hp” is found in URLs of Google homepage searches.
Next, we performed a Siri search by asking Siri a question. In this example, we asked Siri “How many polar bears live in North America?” She asked if we would like to search the web for it, and we clicked “search the web”, which opened Safari and brought up a Google search.
After asking this question, we did a “mobile” search, where we deleted the text automatically put in the search bar by our Siri search. We then used that search bar at the top of the page to search for “how fast can penguins swim”. The results of the History.plist show that this link has the term “mobile-gws-serp” in it.
We then performed a sidebar search in the Safari app. This bar was automatically set to search on Google. We typed “where do arctic foxes live”. The link appeared in a similar format to Siri searches.
We then did another “mobile” search by deleting our text from the previous Siri search on the top bar and typing in a new search for “how do arctic seals keep warm”. Once again we were brought to a link with the term “mobile-gws-serp”.
Once more, we ran a Siri search by asking “How much is a trip to Alaska” and then selecting the “search the web” button. This link appears similar to the sidebar searches.
As you can see, manual searches typed on the Google homepage are distinct with the term “mobile-gws-hp”, and Google “mobile” searches are distinct with “mobile-gws-serp”. However, Siri and sidebar searches are considered the same. It does not appear as though Siri searches have a unique identifier. When the sidebar is selected to perform a search, recent searches appear. Siri searches appeared there as well. It appears the iPhone looks at searches done by Siri in the same way it looks at a sidebar search.
There is some information that implies Siri was used, though it is not conclusive. Siri searches automatically capitalize the first letter of the search. In contrast, if a user types a sidebar search, by default the keyboard is not set to capitalize the first letter. Of course the user can easily capitalize the first letter in their search. Looking at that particular user’s habits would be necessary before making any assumptions, and even then it is questionable. It does not appear at this time that a distinction can be made between a search done by Siri and a sidebar search. However, you can distinguish Siri/sidebar searches from searches done on the homepage of Google and “mobile” Google searches.
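The triage described above can be scripted. The following is an added example, not part of the original post: it assumes the History.plist keeps its entries in a `WebHistoryDates` array with each URL under the empty-string key, and the sample URLs (including the `marker=` parameter name) are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit, parse_qs

# Marker terms reported in the post, matched anywhere in the URL.
MARKERS = {"mobile-gws-hp": "google-homepage", "mobile-gws-serp": "google-mobile"}

def classify(url):
    """Return (category, query, first_letter_capitalized), or None if the
    URL is not a Google search."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    query = parse_qs(parts.query).get("q", [""])[0]
    if "google" not in labels or not query:
        return None
    # No marker means Siri or sidebar; the post found no way to split those two.
    category = next((name for term, name in MARKERS.items() if term in url),
                    "siri-or-sidebar")
    # A capitalized first letter is only a weak, non-conclusive hint of Siri.
    return category, query, query[:1].isupper()

def classify_history(plist_bytes):
    """Classify every Google search in a Safari History.plist (XML or binary)."""
    history = plistlib.loads(plist_bytes)
    results = []
    # Assumed layout: entries under "WebHistoryDates", URL under the "" key.
    for entry in history.get("WebHistoryDates", []):
        hit = classify(entry.get("", ""))
        if hit:
            results.append(hit)
    return results

# Constructed sample; the "marker=" parameter name is a placeholder.
SAMPLE = plistlib.dumps({"WebHistoryDates": [
    {"": "http://www.google.com/search?q=what+do+narwhals+eat&marker=mobile-gws-hp"},
    {"": "http://www.google.com/search?q=How+many+polar+bears+live+in+North+America%3F"},
    {"": "http://www.google.com/search?q=how+fast+can+penguins+swim&marker=mobile-gws-serp"},
    {"": "http://www.google.com/search?q=where+do+arctic+foxes+live"},
    {"": "http://www.example.com/"},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for category, query, capitalized in classify_history(SAMPLE):
        print(f"{category:16} capitalized={capitalized!s:5} {query}")
```

The capitalization column is reported separately from the category so that it is never mistaken for a classification.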
 Bunting, Steve. EnCase Computer Forensics — The Official EnCE: EnCase Certified Examiner Study Guide, 3rd Edition.