Court documents are ambiguous and don't reveal how the FBI discovered his search terms. That could have happened in one of three ways: an analysis of his browser's history and cache; an Alpha employee monitoring the company's wireless connection; or a subpoena to Google from the police for search terms tied to his Internet address or cookie.Link (via Tor mailing list, thanks anonymous)
Google has confirmed that it can provide search terms if given an Internet address or Web cookie, but has steadfastly refused to say how often such requests arrive. (Microsoft, on the other hand, told us that it has never received such queries for MSN Search, and AOL says it could not provide the information if asked.)
This isn't the first time that Google search terms popped up in a criminal case: Last year, prosecutors in a North Carolina murder case introduced as evidence phrases culled from a seized hard drive. The defendant was found guilty in part because he searched for the words "neck," "snap," "break" and "hold" before his wife was killed.
Reader comment: Craig Ball ("Attorney and Technologist, Certified Computer Forensic Examiner") says,
In your post today, [Declan McCullagh] identifies three ways by which prosecutors may have come by the accused's Google searches. I believe [he] failed to mention the most likely means (though [he] likely meant more-or-less the same thing when you mentioned browser History).
There are several places in a Windows/Internet Explorer environment where users net activity is recorded other than in the History, the cache (Temporary Internet Files) or the Cookies folders. In particular, the most likely source turned up during a computer forensic investigaton would be the index.dat files used by the sytem to, among other things, manage net cache. These durable records permit second-by-second reconstruction of web activity, though their contents must be decoded. A Google search would be carried as a URL, and the search terms would be included in the search string. Even when the system deletes an index.dat file, it can be carved from the unallocated clusters and brought back for analysis. It's a great forensic resource.
Another little known sources for net activity are the User Assist keys in the system Registry. These Rotation-13 encoded data also walk an investigator through network activity, and the interesting thing about the User Assist keys is that, insofar as I've been able to discern, they have no clear purpose in supporting user activity. Rotation-13 is really high security encryption of the sort you might have devised in third grade. All letters are rotated 13 places in the alphabet. It's just enough encryption that users who stumble across the key won't recognize the content or find it in a text search.
Welcome to my world.