basic BRAP utilities discussed here were developed by Keith Jones and are an ideal starting point for both BRAP forensicists and voyeurs. These tools are open source and available on the foundstone.com Web site. The reader should be forewarned that the documentation is more difficult to find than the software. Galleta is indispensable for expedient cookie analysis because of the strange cookie data format used by Internet Explorer, including, among other oddities, timestamps that count 100-nanosecond intervals since midnight UTC on January 1, 1601 (the Windows FILETIME convention, so a raw value means nothing to a human until it is converted). INDEX.DAT and INFO2 were parsed by Jones's utilities PASCO and RIFIUTI, respectively. The documentation for Keith Jones's tools from which my examples were taken can be located with a search for "Keith Jones" at www.foundstone.com/us/. Mandiant (www.mandiant.com) has a streamlined utility, Web Historian, that saves parsed history data in an Excel spreadsheet for easier analysis. SANS (sans.org) now offers a half-day course in browser forensics. Based on my experience with SANS, I would expect this to be the most thorough treatment available.
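To make the Internet Explorer cookie oddities concrete, here is an added example (not Keith Jones's Galleta, and not code from the column) that parses the text-format cookie files Galleta reads and converts their timestamps. It assumes the record layout of nine lines per cookie (name, value, host/path, flags, expiry low, expiry high, creation low, creation high, and a line holding only `*`), with each time stored as the decimal low and high 32-bit halves of a FILETIME; the sample file is constructed, not taken from a real system.

```python
"""Parse Internet Explorer's text-format cookie files (what Galleta does).

Added example, not Keith Jones's code. Assumed record layout, nine lines per
cookie: name, value, host/path, flags, expiry (low), expiry (high),
creation (low), creation (high), then a line holding only "*".
The four time lines are the decimal low and high 32-bit halves of a Windows
FILETIME: the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(high, low):
    """Join the two decimal halves into a 64-bit FILETIME and convert to UTC."""
    ticks = (int(high) << 32) | int(low)        # 100 ns units since 1601
    # timedelta resolves microseconds, so the last decimal digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_text(text):
    """Return one dict per cookie record found in an IE cookie text file."""
    cookies = []
    fields = []
    for line in text.splitlines():
        if line == "*":                          # record terminator
            if len(fields) != 8:
                raise ValueError(f"malformed record before '*': {fields!r}")
            name, value, host_path, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
            cookies.append({
                "name": name,
                "value": value,
                "host_path": host_path,
                "flags": int(flags),             # raw flag word, left undecoded
                "expires": filetime_to_datetime(exp_hi, exp_lo),
                "created": filetime_to_datetime(cre_hi, cre_lo),
            })
            fields = []
        else:
            fields.append(line)                  # an empty value is an empty line
    if fields:
        raise ValueError("file ends in the middle of a record")
    return cookies


# Constructed sample, not a real cookie file: one cookie created on
# 2008-01-01 and expiring on 2010-01-01, both at 00:00:00 UTC.
SAMPLE_COOKIE_TXT = (
    "sessionid\n"
    "a1b2c3d4\n"
    "example.test/\n"
    "2048\n"
    "1550712832\n"      # expiry, low 32 bits
    "30050933\n"        # expiry, high 32 bits
    "1081524224\n"      # creation, low 32 bits
    "29903881\n"        # creation, high 32 bits
    "*\n"
)

if __name__ == "__main__":
    for c in parse_ie_cookie_text(SAMPLE_COOKIE_TXT):
        print(c["host_path"], c["name"], c["value"],
              c["created"].isoformat(), c["expires"].isoformat(),
              c["flags"], sep="\t")
```

A quick sanity check for any FILETIME converter is the Unix epoch: high 27111902 and low 3577643008 together make 116444736000000000 ticks, which must come out as 1970-01-01 00:00:00 UTC.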
The data clusters described here are indexed in the Windows Registry hives. The most important file in BRAP forensics is NTUSER.DAT, the per-user hive (loaded as HKEY_CURRENT_USER) that lives in each user's profile directory and records that user's own activity. A good overview of the linkage between the registry hives and critical activity files like NTUSER.DAT is provided in AccessData's Registry Quick Find Chart at www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf.
Perhaps the easiest way to see how the registry hive organizes BRAP data is DeviceLock's Active Registry Monitor (devicelock.com). Registry Monitor has a "compare" feature that reveals the differences between two registry scans, and so exposes the keys and values an application wrote between them.
Many of these capabilities are bundled into computer forensics tools such as EnCase (guidancesoftware.com), Windows Forensic Toolchest (foolmoon.net/security/wft/index.html), and AccessData's Forensic Toolkit (accessdata.com/Products/ftk2test.aspx).
The Tony Blair/Colin Powell case illustrates how effective BRAP forensics may be. For an overview of the plagiarism side of the case, see www.casi.org.uk/discuss/2003/msg00457.html. For the BRAP forensics perspective, see Richard Smith's account at www.computerbytesman.com/privacy/blair.htm. The fragment of metadata appearing in the sidebar was reproduced from the source document at www.computerbytesman.com/privacy/blair.doc by Harlan Carvey's metadata extraction and parsing tool wmd.pl (see cfed-ttf.blogspot.com/2008/01/what-is-your-ms-office-metadata-telling.html). The British government admitted to the plagiarism (www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/02/08/MN200631.DTL).
revealed that Pratt passed on a floppy disk to Blackshaw, who sent it to Colin Powell for his presentation to the United Nations. The revelation of this information, together with the plagiarism, proved to be a credibility disaster for the governments involved.

Consider the millions of email attachments in global circulation daily. How many people actually know about the volume of metadata they are broadcasting?
RECYCLING THAT DOESN'T HELP THE ENVIRONMENT
We all like to think of the delete key as the quintessential digital cleansing experience. But as we know, modern operating systems do not overwrite the data areas of deleted files; they merely release the affected disk space to the operating system for further use, and the contents stay on disk until something else happens to be written there. In Windows the intermediate step in this process involves a recycle bin or recycler. Putting digital waste in the recycle bin doesn't destroy anything. In fact it exposes the user to even more risk, because the file is simply moved into the recycler directory and its original name, location, and deletion time are recorded in one small index, which makes recovery easier.
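The "small index" is exactly what RIFIUTI (mentioned above) parses. As an added example, not Keith Jones's code and not code from the column, the following reads a Windows XP Recycle Bin INFO2 index and shows that every record still names the original path, the drive, the deletion time (a FILETIME) and the size, and that the renamed file in the bin (D, drive letter, record index, original extension) is trivially mapped back. The layout is the INFO2 format as documented for rifiuti and is assumed here: a 20-byte header with the record size at offset 12, then 800-byte records on Windows 2000/XP (or, as a further assumption, 280-byte records without the Unicode name on Windows 95/98/ME). The INFO2 image it parses is constructed in the block itself, so it runs offline; check the offsets against a real C:\RECYCLER\<SID>\INFO2 before relying on them.

```python
"""Parse a Windows Recycle Bin INFO2 index (what RIFIUTI does).

Added example, not Keith Jones's code. Assumed layout (XP, as documented for
rifiuti):
  header,  20 bytes: version u32, two unknown u32, record size u32, unknown u32
  record, 800 bytes: ASCII original path (260), record index u32,
                     drive number u32 (0 = A:), deletion time FILETIME u64,
                     physical (cluster-rounded) size u32,
                     UTF-16LE original path (520)
A 280-byte record (assumed to be the Windows 95/98/ME form) is the same
without the UTF-16LE name.  The file in the bin is renamed
D<drive letter><index><original extension>, e.g. Dc1.doc.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<IIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)             # 20
RECORD_FMTS = {
    280: "<260sIIQI",        # ASCII name only (assumed pre-2000 layout)
    800: "<260sIIQI520s",    # adds the UTF-16LE name (Windows 2000/XP)
}
XP_RECORD_LEN = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """100 ns intervals since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample image."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per record; rejects a record size this code doesn't know."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be an INFO2 file")
    version, _, _, record_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    fmt = RECORD_FMTS.get(record_size)
    if fmt is None:
        raise ValueError(f"unsupported INFO2 version {version}, record size {record_size}")
    records = []
    for offset in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        fields = struct.unpack_from(fmt, data, offset)
        ascii_path, index, drive, ft, size = fields[:5]
        original = ""
        if len(fields) == 6:                         # XP: prefer the Unicode name
            original = fields[5].decode("utf-16-le").split("\x00", 1)[0]
        if not original:                             # fall back to the ASCII name
            original = ascii_path.split(b"\x00", 1)[0].decode("latin-1")
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter + ":",
            "original_path": original,
            "deleted_at": filetime_to_datetime(ft),
            "physical_size": size,
            # name of the file as it sits in C:\RECYCLER\<SID>\
            "bin_name": f"D{letter.lower()}{index}{ntpath.splitext(original)[1]}",
        })
    return records


def build_info2(entries):
    """Assemble a constructed XP-style INFO2 image from
    (index, drive number, original path, deletion datetime, physical size)."""
    body = b"".join(
        struct.pack(RECORD_FMTS[XP_RECORD_LEN],
                    path.encode("latin-1"),          # struct pads/truncates to 260
                    index, drive, datetime_to_filetime(deleted_at), size,
                    path.encode("utf-16-le"))        # padded to 520
        for index, drive, path, deleted_at, size in entries)
    header = struct.pack(HEADER_FMT, 5, 0, 0, XP_RECORD_LEN, 0)  # version 5 = XP
    return header + body


# Constructed sample: two files "deleted" from drive C: (drive number 2).
SAMPLE_INFO2 = build_info2([
    (1, 2, r"C:\Documents and Settings\analyst\My Documents\draft.doc",
     datetime(2008, 1, 1, tzinfo=timezone.utc), 24576),
    (2, 2, r"C:\Documents and Settings\analyst\Desktop\notes.txt",
     datetime(2008, 1, 2, 15, 30, tzinfo=timezone.utc), 4096),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["bin_name"], r["deleted_at"].isoformat(), r["physical_size"],
              r["original_path"], sep="\t")
```

Nothing in the record is obscured: an investigator (or anyone else with read access to the RECYCLER directory) recovers the full original path and the exact deletion time from the index alone, and the renamed file's contents are untouched until the bin is emptied and the clusters are reused.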
If you think about it, all of the data necessary to recover a deleted file must be kept along with the recycle bin. Otherwise the file couldn't be undeleted. In Windows XP, for example, the information is stored in a file, INFO2. The information