Digital Village

Figure 1a. Example Web Trends cookie.

SITE: m.webtrends.com/

VARIABLE: ACOOKIE

VALUE:

C8ctADEzMS4yMT YuMTE5LjIxLTEwN TUwMjE5NjguMjk5MTU4OTIAAAAAAAABAA AAcAAAAOk5yEeaOchHAQAAABMAAADpOchHmjnIRwAAAAA-

CREATION TIME: 02/29/2008 08:59: 30

EXPIRE TIME: 02/26/2018 08:59: 21

FLAG FIELD: 2147484672

SI TE: statse.webtrendslive.com/

VARIABLE: ACOOKIE

VALUE:

C8ctADEzMS4yMT YuMTE5LjIxLTE4ODIyN TE5NjguMjk5MTU4OTIAAAAAAAABAA AA/ WAAAO05yEftOchHAQAAAEooAADtOchH7TnIRwAAAAA-

CREATION TIME: 02/29/2008 08:59: 34

EXPIRE TIME: 02/26/2018 08:59: 25

FLAG FIELD: 2147484672

Figure 1b. Example Web Trends cookie.

link, the browser sends an HTTP request to a remote resource. That triggers a download of information. There are many by-products of this exchange—some well understood, some less so.

Cookies are one such by-product. Since HTTP is “stateless,” the Web development community introduced these identifiers to store information about the client-server exchange for subsequent connections, either during the current browser session (session identifiers) or during subsequent browser sessions (persistent identifiers). Persistent IE identifiers reside in Documents and Settings>(User)> Cookies under the name of the Web site that produced it. For example, when I recently visited the www.microsoft.com Web site, seven cookies from webtrends.com, atdmt.com, indextools.com, and dcstest.wtlive.com were deposited

in this folder on my computer.

The Webtrends Web site reports that “Influential technology companies such as Microsoft have used Web Trends Marketing Lab 2 to get a real-time view into both online visitor activity and offline customer information,” so I have some idea of why the cookie was left.

When parsed, the two webtrends.com cookies appear as shown in Figure 1a and Figure 1b. The precise meaning of the “value” field is irrelevant to the current discussion. The two datapoints of interest are the timestamps—first because the timestamp records when my computer was touched by Web Trends, and second because that record won’t expire for 10 years—neither of which leaves me with a particularly good feeling about the experience. As I wrote in a previous column (“Caustic Cookies,” April 2001) cookies are transforming our private sanctuaries into electronic auditoriums.

In addition, these cookies collect like lint even if IE security settings are increased. The default browser privacy setting for the risk-averse user might involve putting the privacy setting on HIGH for the Internet zone (IE>Tools>Privacy), because the BLOCK ALL COOKIES setting restricts functionality beyond tolerable levels. The HIGH setting should block tracking cookies and cookies from sites without a compact privacy policy. However, since IE doesn’t clear private data on closing (as Firefox does), one must do it manually (IE>Tools>Delete Browsing History>Delete All). Therein lies the rub: the private data is archived in Windows every time the system creates a restore point (XP, 2000) or an incremental shadow copy (Vista). So, if the information isn’t manually deleted before that day’s backup, it’s easy pickings for a BRAP forensicist. System restore points and shadow copies include personal data whether or not you know it. In some cases you can shut them off, but then there’s no recovery mode for the operating system. In short, the computer most likely has a record of some or all Web sites visited, and this record is recoverable. The operative question is: Is this what you want?

The same applies to cache and URL history. This data is organized in a largely cryptic INDEX.DAT file in Documents and Settings\<User>\Local Set-tings\Temporary Internet Files\Content IE5. To illustrate, Figure 2a shows a hex editor’s per-

References:

http://m.webtrends.com/

http://statse.webtrendslive.com/

http://www.microsoft.com

http://webtrends.com

http://atdmt.com

http://indextools.com

http://dcstest.wtlive.com

http://webtrends.com

http://webtrends.com

Archives