Figure 2a. (top) A hex editor perspective on the INDEX.DAT file and the four cache folders.
Figure 2b. (right) The parsed contents of INDEX.DAT.
spective of INDEX.DAT after a single IE visit to Google.com. Note that the cache filenames are identified in the header of INDEX.DAT. Figure 2b shows the parsed contents of the file. As with cookies, if the user doesn’t manually remove all of this data, it accumulates in the backup files and is readily accessed. Other tools exist to recover cached images.
LEARNING TO LIVE WITH APPLICATION RESIDUE
Unintended residue is also a by-product of typical application use, especially with Microsoft productivity tools. I’ll illustrate this point with the now-classic example of how Word metadata was used to embarrass Tony Blair’s government.
Users become familiar with the Word metadata through the properties box (found under MS Word>File>Properties>Summary). In 2003, Richard Smith extracted the revision log from a 2003 document sent by Tony Blair’s government to Colin Powell that was used to justify the attack on Iraq. As it turned out, parts of the document were copied from an article written by a postgraduate student. The source document was easily identified because the copy preserved spelling, grammatical, and typographical transgressions. The metadata in the source document appears in the sidebar here. The metadata of immediate interest are the four abbreviated names in the revision history: phamil, jpratt, ablackshaw, and MKhan, which were usernames of four people in the Blair government. The log reveals three autorecovery backups to the LOCAL\temp directory for userid=“cic22”; a subsequent copy by jpratt onto a floppy (A drive); another copy made by ablackshaw onto a floppy; and the final editing on MKhan’s computer. According to Smith, Parliamentary hearings
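As an added illustration (not code from the article or from Smith's utility), the following Python audits a revision log that has already been dumped to text and lists the account names and save locations it would disclose before a document is released. The line layout, paths and file names in the sample are constructed assumptions; only the user names are taken from the description above.

```python
import re
from collections import Counter

# Constructed sample: line layout, paths and file names are assumptions.
# Only the user names come from the article's account of the revision history.
SAMPLE_LOG = r'''
Rev. #1: "cic22" edited file "C:\DOCUME~1\phamil\LOCALS~1\Temp\AutoRecovery save of report.asd"
Rev. #2: "cic22" edited file "C:\DOCUME~1\phamil\LOCALS~1\Temp\AutoRecovery save of report.asd"
Rev. #3: "cic22" edited file "C:\DOCUME~1\phamil\LOCALS~1\Temp\AutoRecovery save of report.asd"
Rev. #4: "jpratt" edited file "A:\report.doc"
Rev. #5: "ablackshaw" edited file "A:\report.doc"
Rev. #6: "MKhan" edited file "C:\WINNT\Profiles\mkhan\Desktop\report.doc"
'''

LINE_RE = re.compile(r'Rev\. #(\d+): "([^"]*)" edited file "([^"]*)"')
# A user-profile directory in the save path names the logged-on account,
# which can differ from the author name stored with the revision.
PROFILE_RE = re.compile(
    r'\\(?:DOCUME~\d|Documents and Settings|Profiles|Users)\\([^\\]+)\\', re.I)

def classify(path):
    """Label where a revision was saved, judging from the path alone."""
    if path.startswith('\\\\'):
        return 'network share'
    if path[:2].upper() in ('A:', 'B:'):
        return 'floppy'
    if path.lower().endswith('.asd'):
        return 'autorecovery backup'
    return 'local disk'

def parse_revision_log(text):
    """Return one record per revision line; lines that do not match are skipped."""
    records = []
    for m in LINE_RE.finditer(text):
        owner = PROFILE_RE.search(m.group(3))
        records.append({'rev': int(m.group(1)), 'author': m.group(2),
                        'path': m.group(3), 'kind': classify(m.group(3)),
                        'profile': owner.group(1) if owner else None})
    return records

def exposure_report(text):
    """Summarise what the log would disclose if the document were published."""
    names, seen, kinds = [], set(), Counter()
    for rec in parse_revision_log(text):
        kinds[rec['kind']] += 1
        for name in (rec['author'], rec['profile']):
            if name and name.lower() not in seen:  # de-duplicate ignoring case
                seen.add(name.lower())
                names.append(name)
    return {'names': names, 'locations': dict(kinds)}

if __name__ == '__main__':
    print(exposure_report(SAMPLE_LOG))
```

In the constructed sample, the name phamil never appears as a revision author; it surfaces only because the autorecovery path runs through that account's profile directory, which is why the audit checks paths as well as author fields.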