Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved
operator. It’s important to note that cookies are not programs. They are merely electronic
Post-It notes, but cookies can be abused by unscrupulous web site operators who, working in
concert, assemble data about a user that will facilitate tracking that user’s web surfing habits.
From the standpoint of computer forensics, cookies offer insight into a user’s online behavior.
Users who take steps to erase their browser history files often forget to dispose of their
cookies, which are stored in the cookies subdirectory of the Windows directory on Windows
95/98/ME systems and within the individual user profile on Windows Vista/XP/NT/2000
systems. On my system, I found 5,731 cookies. Very few of them represent any effort by me
to customize anything on a website, but one that does is the cookie associated with my online
subscription to the New York Times crossword puzzle, shown in Figure 13. Cookies are not
required to adhere to any fixed format, so very little of the cookie’s content is
intelligible. Most of the data has no value beyond the operation of the website that created it.
However, note that the name of the cookie indicates (in Windows XP) the identity under
which the user was logged in when the site was visited. The file’s properties (not shown) will
indicate the date the cookie was created and the date the web site was last accessed.

A file called INDEX.DAT contained within the Cookies subdirectory is worth examining since
it contains a (partially) plain text listing of every site that dropped a cookie on the system, sort
of a “super” history file. One provocative aspect of cookies is their ability to act as an
authentication key. If the New York Times cookie from my system were copied to the Cookie
subdirectory on your system, the New York Times website would see and admit you as me.
This potential for extending an investigation using another person’s cookie data raises many
interesting—and potentially unsettling—possibilities.

Figure 13
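
The file-name and date clues described above can be read out of a cookie file programmatically. The following Python is an added example, not code from the original paper; it assumes the `user@site[n].txt` naming and the nine-line-per-cookie text layout commonly documented for Internet Explorer cookie files, and the sample file name and values are constructed.

```python
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: cookie files are named user@site[n].txt
NAME_RE = re.compile(r"^(?P<user>[^@]+)@(?P<site>.+?)(?:\[\d+\])?\.txt$", re.I)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(low, high):
    """Join the two 32-bit halves of a Windows FILETIME into a UTC datetime."""
    ticks = (int(high) << 32) | int(low)  # 100-nanosecond ticks since 1601
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_cookie_file(path):
    """Return (windows_user, site_hint, records) for one cookie text file."""
    path = Path(path)
    m = NAME_RE.match(path.name)
    user, site = (m["user"], m["site"]) if m else (None, None)
    lines = path.read_text(encoding="latin-1").splitlines()
    records = []
    # Assumption: each cookie is 8 field lines followed by a "*" line.
    for i in range(0, len(lines) - 8, 9):
        name, value, host, _flags, exp_lo, exp_hi, cr_lo, cr_hi, end = lines[i:i + 9]
        try:
            if end.strip() != "*":
                raise ValueError("missing record terminator")
            records.append({"name": name, "value": value, "host_path": host,
                            "expires": filetime(exp_lo, exp_hi),
                            "created": filetime(cr_lo, cr_hi)})
        except (ValueError, OverflowError):
            break  # layout assumption violated: stop rather than guess
    return user, site, records


if __name__ == "__main__":
    # Constructed sample: both timestamps are the FILETIME of 1970-01-01 UTC.
    sample = "\n".join(["ID", "abc123", "example.com/", "1536",
                        "3577643008", "27111902", "3577643008", "27111902", "*"])
    target = Path(tempfile.mkdtemp()) / "alice@example[1].txt"
    target.write_text(sample + "\n", encoding="latin-1")
    print(parse_cookie_file(target))
```

The timestamps stored inside the file are recorded in UTC, so compare them with the file system dates only after accounting for the examiner's time zone.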

Application Metadata
Metadata is “data about data.” Application metadata is a level of information embedded in a
file and more-or-less invisibly maintained by the application that created the file. Although
application metadata security issues affect many programs, the epicenter of the
application metadata controversy has been Microsoft Word and other components of
Microsoft Office. Application metadata grows not out of the Secret Bill Gates Conspiracy to
Page 31