Digital Village
Hal Berghel
BRAP Forensics
Boutique computer activity mining vs. personal privacy management.

BRAP forensics is one of the latest additions to the digital forensics toolset.[1] One of the more subtle forms of computer activity mining, it has considerable potential for privacy abuse. Some practitioners distinguish browser forensics from applications footprinting, but the two investigative procedures are so closely related (browsers are, after all, applications) that subsuming them both under the same category of computer activity mining seems more reasonable. Computer activity mining (CAM) involves the recovery of information about a computer user, or a computer’s use, from the computer itself. As such, it is one of the core areas of modern digital forensics along with log analysis, timeline analysis, keystroke capture and analysis, system imaging, and so forth. Log analysis is perhaps the best-known example as it has been a staple of network forensics for years, and is a primary tool for network administrators to reverse engineer hacks of their systems. It is so common in fact that sophisticated hackers consider log cleansing the final stage of a successful hack.

PETER HOEY

[1] I use the acronym BRAP for BRowser and APplications.

Another core area of digital forensics is media analysis (aka file system forensics)—the practice of recovering data from non-volatile storage devices. Where CAM focuses on activity, media analysis focuses on data. BRAP forensics bridges the gap by revealing stored data as well as information about user behavior. That’s what makes it interesting—and threatening to those concerned with personal privacy management.

In addition, the courts have made computer activity mining an important area of electronic discovery. Law enforcement officials routinely look to CAM for evidence of wrongdoing. This is particularly true in the prosecution of cases involving unacceptable computer use, sexual harassment, child pornography, EULA, computer fraud, identity theft, and intellectual property cases. As with media analysis, BRAP forensics should be thought of as indiscriminate. Once the warrant is served and the forensics completed, personal privacy issues are no longer applicable.

BROWSER RESIDUE

While the browsing experience is familiar to most computer users, the nuances remain nebulous. These nuances are the grist for the BRAP forensics mill. Internet Explorer (IE) on Windows is noteworthy in this regard because it leaves behind a surplus of browser residue. I will focus on IE, though examples may be derived from non-Windows operating systems and alternative browsers.

The browser is the navigation and rendering tool for the Web. When the user clicks on an icon or
