Figure 1a. Example Web Trends cookie.
C8ctADEzMS4yMT YuMTE5LjIxLTEwN TUwMjE5NjguMjk5MTU4OTIAAAAAAAABAA
CREATION TIME: 02/29/2008 08:59: 30
EXPIRE TIME: 02/26/2018 08:59: 21
FLAG FIELD: 2147484672
SI TE: statse.webtrendslive.com/
C8ctADEzMS4yMT YuMTE5LjIxLTE4ODIyN TE5NjguMjk5MTU4OTIAAAAAAAABAA
CREATION TIME: 02/29/2008 08:59: 34
EXPIRE TIME: 02/26/2018 08:59: 25
FLAG FIELD: 2147484672
Figure 1b. Example Web Trends cookie.
link, the browser sends an HTTP
request to a remote resource. That
triggers a download of information. There are many by-products
of this exchange—some well
understood, some less so.
Cookies are one such by-product. Since HTTP is “stateless,” the
Web development community
introduced these identifiers to store
information about the client-server
exchange for subsequent connections, either during the current
browser session (session identifiers)
or during subsequent browser sessions (persistent identifiers). Persistent IE identifiers reside in
Documents and Settings>(User)>
Cookies under the name of the
Web site that produced it. For
example, when I recently visited
the www.microsoft.com Web site,
seven cookies from webtrends.com,
atdmt.com, indextools.com, and
dcstest.wtlive.com were deposited
in this folder on my computer.
The Webtrends Web site reports
that “Influential technology companies such as Microsoft have used
Web Trends Marketing Lab 2 to get
a real-time view into both online
visitor activity and offline customer
information,” so I have some idea
of why the cookie was left.
When parsed, the two webtrends.com cookies appear as
shown in Figure 1a and Figure 1b.
The precise meaning of the “value”
field is irrelevant to the current discussion. The two datapoints of
interest are the timestamps—first
because the timestamp records
when my computer was touched
by Web Trends, and second because
that record won’t expire for 10
years—neither of which leaves me
with a particularly good feeling
about the experience. As I wrote in
a previous column (“Caustic
Cookies,” April 2001) cookies are
transforming our private sanctuaries into electronic auditoriums.
In addition, these cookies collect like lint even if IE security settings are increased. The default
browser privacy setting for the
risk-averse user might involve
putting the privacy setting on
HIGH for the Internet zone
(IE>Tools>Privacy), because the
BLOCK ALL COOKIES setting
restricts functionality beyond tolerable levels. The HIGH setting
should block tracking cookies and
IE doesn’t clear private data on
closing (as Firefox does), one must
do it manually (IE>Tools>Delete
Browsing History>Delete All).
Therein lies the rub: the private
data is archived in Windows every
time the system creates a restore
point (XP, 2000) or an incremental
shadow copy (Vista). So, if the
information isn’t manually deleted
before that day’s backup, it’s easy
pickings for a BRAP forensicist.
System restore points and shadow
copies include personal data
whether or not you know it. In
some cases you can shut them off,
but then there’s no recovery mode
for the operating system. In short,
the computer most likely has a
record of some or all Web sites visited, and this record is recoverable.
The operative question is: Is this
what you want?
The same applies to cache and
URL history. This data is organized in a largely cryptic
INDEX.DAT file in Documents
and Settings\<User>\Local Set-tings\Temporary Internet
Files\Content IE5. To illustrate,
Figure 2a shows a hex editor’s per-