Investigate Google gs_lcp parameter

[obsidianforensics]

Description A new Google search parameter (gs_lcp) has appeared, and it looks like it may be the replacement for gs_l, which gave a lot of interesting information on search timing. Unfurl already parses the gs_lcp param as a nested protobuf, so what's needed is some research digging into what those parsed values actually mean.

Examples

• https://dfir.blog/unfurl/?url=https://www.google.com/search?source=hp&ei=BYgfX8rWKfPT9APswJc4&q=hindsight&oq=hindsight&gs_lcp=CgZwc3ktYWIQAzIFCAAQsQMyBQgAELEDMgUIABCxAzICCAAyBQgAELEDMgIIADICCAAyAggAMggILhDHARCvATICCAA6CAgAELEDEIMBOgsILhCxAxDHARCjAjoICC4QxwEQowI6CAguELEDEIMBOgUILhCxAzoHCAAQsQMQCjoICC4QsQMQkwI6AgguOgYIABAWEB46BQghEKABOg4ILhCxAxDHARCjAhCTAjoLCC4QsQMQxwEQrwE6BAgAEANQ5wZYpVhgiWZoAXAAeAKAAX6IAY4VkgEEMjMuN5gBAKABAaoBB2d3cy13aXqwAQA&sclient=psy-ab&ved=0ahUKEwiK7aKK7u7qAhXzKX0KHWzgBQcQ4dUDCAk&uact=5

References

• gs_l parsing in gSERPent by @randomaccess3: https://github.com/randomaccess3/googleURLParser/blob/58f0db205e903e4d18847673d3b94b963b1d2a17/GSERPent.pl#L949
• gs_l parsing in Unfurl: https://github.com/obsidianforensics/unfurl/blob/master/unfurl/parsers/parse_google.py#L411

[jonas-w]

Any progress on this? How was the gs_l parameters figured out?

[obsidianforensics]

No progress I'm aware of. What is known publicly about gs_l was researched by @randomaccess3, I believe through lots of targeted tests - doing an action, then observing the resulting changes in the parameter.

If you have an interest in this, it would be awesome to see some new research. Even if it's not code, but notes and observations about the meanings of the values in the parameter, it would still be quite helpful.

[randomaccess3]

I haven't done any more on this. Was just testing actions and documenting what I saw