Digital Village
Hal Berghel
BRAP Forensics
Boutique computer activity mining vs. personal privacy management.
BRAP forensics is one of the
latest additions to the digital
forensics toolset.¹ One of
the more subtle forms of computer
activity mining, it has considerable
potential for privacy abuse. Some
practitioners distinguish browser
forensics from applications footprinting, but the two investigative
procedures are so closely related
(browsers are, after all, applications) that subsuming them
both under the same category of computer activity
mining seems more reasonable.
Computer activity mining (CAM) involves the
recovery of information
about a computer user, or a
computer’s use, from the
computer itself. As such, it is
one of the core areas of modern
digital forensics along with log
analysis, timeline analysis, keystroke capture and analysis, system
imaging, and so forth. Log analysis
is perhaps the best-known example
as it has been a staple of network
forensics for years, and is a primary
tool for network administrators to
reverse engineer hacks of their systems. It is so common in fact that
sophisticated hackers consider log
cleansing the final stage of a successful hack.
¹ I use the acronym BRAP for BRowser and APplications.
Another core area of digital
forensics is media analysis (aka file
system forensics)—the practice of
recovering data from non-volatile
storage devices. Where CAM
focuses on activity, media analysis
focuses on data. BRAP forensics
bridges the gap by revealing stored
data as well as information about
user behavior. That’s what makes it
interesting—and threatening to
those concerned with personal privacy management.
In addition, the courts have
made computer activity mining an
important area of electronic discovery.
Law enforcement officials
routinely look to CAM for evidence
of wrongdoing. This is particularly
true in the prosecution of
cases involving unacceptable computer
use, sexual harassment, child
pornography, EULA, computer
fraud, identity theft, and intellectual
property cases. As with
media analysis, BRAP forensics
should be thought of as indiscriminate.
Once the warrant is
served and the forensics completed,
personal privacy issues
are no longer applicable.
BROWSER RESIDUE
While the browsing experience is
familiar to most computer users,
the nuances remain nebulous.
These nuances are the grist for the
BRAP forensics mill. Internet
Explorer (IE) on Windows is noteworthy in this regard because it
leaves behind a surplus of browser
residue. I will focus on IE, though
examples may be derived from
non-Windows operating systems
and alternative browsers.
The browser is the navigation
and rendering tool for the Web.
When the user clicks on an icon or