basic BRAP utilities discussed here were developed by Keith Jones and are an ideal starting point for both BRAP forensicists and voyeurs. These tools are open source and available on the foundstone.com Web site. The reader should be forewarned that the documentation is more difficult to find than the software. Galleta is indispensable in expedient cookie analysis because of the strange cookie data format used by Internet Explorer, including, among other oddities, timestamps that are defined in terms of 100-nanosecond increments since midnight, January 1, 1601. INDEX.DAT and INFO2 were parsed by Jones’s utilities PASCO and RIFIUTI, respectively. The documentation for Keith Jones’s tools from which my examples were taken can be located with a search for “Keith Jones” at www.foundstone.com/us/. Mandiant (www.mandiant.com) has a streamlined utility—Web Historian—that saves parsed history data in an Excel spreadsheet for easier analysis. SANS (sans.org) now offers a half-day course in browser forensics. Based on my experience with SANS, I would expect this to be the most thorough treatment available.

The data clusters described here are indexed in the Windows Registry Hive. The most important file in BRAP Forensics is NTUSER.DAT. A good overview of the linkage between the registry hive and critical activity files like NTUSER.DAT is provided in AccessData’s Registry Quick Find Chart at www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf.

Perhaps the easiest way to see how the registry hive organizes BRAP data is DeviceLock’s Active Registry Monitor (devicelock.com). Registry Monitor has a “compare” feature that reveals differences between registry scans that were produced by applications.

Many of these capabilities are bundled into computer forensics tools such as Encase (guidancesoftware.com), Windows Forensics Toolchest (foolmoon.net/security/wft/index.html), and The Forensics Toolkit (accessdata.com/Products/ftk2test.aspx).

The Tony Blair/Colin Powell case illustrates how effective BRAP forensics may be. For an overview of the plagiarism side of the case, see www.casi.org.uk/discuss/2003/msg00457.html. For the BRAP forensics perspective, see Richard Smith’s account at www.computerbytesman.com/privacy/blair.htm. The fragment of metadata appearing in the sidebar was reproduced from the source document at www.computerbytesman.com/privacy/blair.doc by Harlan Carvey’s metadata extraction and parsing tool wmd.pl (see cfed-ttf.blogspot.com/2008/01/what-is-your-ms-office-metadata-telling.html). The British government admitted to the plagiarism (www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/02/08/MN200631.DTL).

revealed that Pratt passed on a floppy disk to Blackshaw who sent it to Colin Powell for his presentation to the United Nations. The revelation of this information, together with the plagiarism, proved to be a credibility disaster for the governments involved.

Consider the millions of email attachments in global circulation daily. How many people actually know about the volume of metadata they are broadcasting?

RECYCLING THAT DOESN’T HELP THE ENVIRONMENT

We all like to think of the delete key as the quintessential digital cleansing experience. But as we know, modern operating systems do not overwrite deleted file data areas but rather just reassign the affected disk space to the operating system for further use. The intermediate step in this process in Windows involves a recycle bin or recycler. But putting digital waste in the recycle bin doesn’t destroy anything. In fact it exposes the user to even more risk because the file information is compressed into a smaller part of the disk, which makes recovery easier.

If you think about it, all of the data necessary to recover a deleted file must go in the recycle bin. Otherwise the file couldn’t be undeleted. In Windows XP, for example, the information is stored in a file, INFO2. The information
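The two format oddities mentioned above, the 100-nanosecond FILETIME timestamps that Galleta has to decode and the INFO2 recycle-bin index that RIFIUTI parses, can be shown together in one small parser. The following is an added example written for this page; it is not code from Keith Jones’s tools or from the article. It assumes the Windows XP INFO2 layout as I read it (a 20-byte header with the record size at offset 12, then fixed 800-byte records: 260-byte ANSI path, 4-byte index, 4-byte drive number, 8-byte FILETIME, 4-byte size, 520-byte UTF-16LE path), builds a constructed sample file in memory, and parses it back. The path and deletion time in the sample are constructed values, not evidence from the Blair case.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since midnight, 1 January 1601 (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed XP INFO2 layout: 20-byte header, then fixed 800-byte records.
HEADER_SIZE = 20
RECORD_SIZE = 800  # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size + 520 UTF-16LE path


def filetime_to_datetime(ft):
    """Decode a FILETIME integer (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Encode an aware datetime as a FILETIME integer (used to build the sample)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_record(path, index, drive, deleted_at, size):
    """Construct one INFO2 record with the assumed field layout."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    fixed = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + fixed + uni


def build_info2(records):
    """Construct a whole INFO2 file: version 5 header followed by the records."""
    total = HEADER_SIZE + RECORD_SIZE * len(records)
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, total)
    return header + b"".join(records)


def parse_info2(data):
    """Walk the INFO2 records and return one dict per deleted file."""
    version, _, _, rec_size, _ = struct.unpack_from("<IIIII", data, 0)
    entries = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # When an entry is restored or purged, XP zeroes the first byte of the
        # ANSI path; the record itself stays in INFO2 until the bin is emptied.
        purged = rec[0] == 0
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni = rec[280:rec_size].decode("utf-16-le", "replace").split("\x00", 1)[0]
        original = uni or ansi
        # Files in the bin are renamed D<drive letter><index><original extension>.
        ext = original[original.rfind("."):] if "." in original else ""
        recycled_name = "D" + chr(ord("a") + drive) + str(index) + ext
        entries.append({
            "version": version,
            "index": index,
            "drive": drive,
            "original_path": original,
            "recycled_name": recycled_name,
            "deleted_at": filetime_to_datetime(ft),
            "physical_size": size,
            "purged": purged,
        })
    return entries


# Constructed sample: one deleted document on drive C (drive number 2).
SAMPLE_DELETED_AT = datetime(2003, 2, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = build_info2([
    build_record(r"C:\Documents and Settings\user\My Documents\blair.doc",
                 1, 2, SAMPLE_DELETED_AT, 65536),
])

if __name__ == "__main__":
    for e in parse_info2(SAMPLE_INFO2):
        print(e["recycled_name"], e["original_path"], e["deleted_at"].isoformat(),
              e["physical_size"], "purged" if e["purged"] else "in bin")
```

The point to notice is that the FILETIME value alone identifies the deletion instant to 100 ns, and the original path survives twice in each record (ANSI and Unicode), so even a partially overwritten INFO2 usually still yields the file name and when it was discarded.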

References:

http://foundstone.com

http://www.foundstone.com/us/

http://www.mandiant.com

http://sans.org

http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf

http://devicelock.com

http://guidancesoftware.com

http://foolmoon.net/security/wft/index.html

http://accessdata.com/Products/ftk2test.aspx

http://www.casi.org.uk/discuss/2003/msg00457.html

http://www.computerbytesman.com/privacy/blair.htm

http://www.computerbytesman.com/privacy/blair.doc

http://cfed-ttf.blogspot.com/2008/01/what-is-your-ms-office-metadata-telling.html

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/02/08/MN200631.DTL