Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions

Ohana, Donny Jacob; Shashidhar, Narasimha

doi:10.1109/spw.2013.18

Cited by 23 publications

(26 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yet the Incognito function maintained its privacy as browsing metadata relating to the browsing session could not be recovered. These results are consistent with existing research, where physical memory is indicated to offer a greater chance of discovering browsing actions carried out in a private environment [13][15].…”

Section: Discussionsupporting

confidence: 92%

“…Results differ, yet commonly physical memory and associated disk structures (Hiberfil.sys and Pagefile.sys) are highlighted as key areas for analysis [13] [15], with variable degrees of success regarding the identification of evidential metadata found on the local disk drive [14]. Whilst most research focusing on testing the privacy functionality of a browsing application involves demonstrating whether browsing metadata can be subsequently found on a system, postbrowsing session, this article centers on examining the behavior of the private browsing applications process.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A process-level analysis of private browsing behavior: A focus on Google Chromes Incognito mode

Horsman

2017

2017 5th International Symposium on Digital Forensic and Security (ISDFS)

View full text Add to dashboard Cite

Abstract-With an increasing demand for online privacy, most mainstream Internet browsing applications now offer a service to prevent the local storage of browsing metadata. Termed 'private browsing', this functionality has attracted much attention, both from the media and academic scientific research communities. The effectiveness of these privacy services has been frequently examined by digital forensic evaluative studies, revealing varying degrees of 'privacy leaks' and even now, after over 10 years of development, reports reveal apparent weaknesses in some services of this type. This article presents a process-level examination to establish what is occurring on a local system during a private browsing session, with a focus on Chrome's Incognito mode. Interactions associated with Incognito mode's system process are identified to demonstrate how Chrome's Incognito mode browser window interacts with the operating system and where local-disk-writes are occurring.

show abstract

Section: Discussionsupporting

confidence: 92%

Section: Introductionmentioning

confidence: 99%

A process-level analysis of private browsing behavior: A focus on Google Chromes Incognito mode

Horsman

2017

2017 5th International Symposium on Digital Forensic and Security (ISDFS)

View full text Add to dashboard Cite

show abstract

“…They find weaknesses in all but do not report the possibility of data retention in Internet Explorer 8. In contrast Ohana and Shashidhar (2013), also working with Internet Explorer 8 and other browsers identified recoverable evidence in unallocated and slack space. Similar results were obtained by Said et al (2011) who noted evidence on disk and in physical memory for InPrivate browsing in Internet Explorer 8.…”

Section: Related Workmentioning

confidence: 96%

Private browsing: A window of forensic opportunity

Chivers

2014

Digital Investigation

View full text Add to dashboard Cite

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user's InPrivate browsing, and to reliably associate such records with InPrivate browsing.

show abstract

“…In addition, other researchers suggest that the major web browsers were not created equally in regard to the type and quantity of data that they leave behind on the host machine [5]. These researchers examined the various internet browsers in order to determine what traces of browsing activity were retained in the physical memory after using the private browsing modes of each browser.…”

Section: Related Work 21 Private Browsing Modementioning

confidence: 99%

“…This implies that the browser is not an integral part of the computer and can be launched from the portable drive on any supported host and platform [5]. When using a portable web browsers the assumption is that user privacy is enhanced because the browsing data is cached in the portable storage device rather than the host persistent storage [1].…”

Section: Introductionmentioning

confidence: 99%

Forensic Reconstruction and Analysis of Residual Artifacts from Portable Web Browser

Adautin¹,

Meeran²

2015

IJCA

View full text Add to dashboard Cite

In order to protect sensitive information, users have started to effect changes in their often overlooked surfing habit. Portable web browser is considered as one of the techniques which provide the much desired user privacy. Yet it poses a great challenge to forensic investigators who tries to reconstruct the past browsing history, in case of any computer incidence. This research paper examines the residual traces left over by Portable Google Chrome browser. It also proposes a methodology that will help investigators to effectively analyze activities associated with portable web browser with respect to incidence response. Furthermore, it examines the IconCache database file, for its evidential potential. The reconstruction of residual artifacts left on the victim computer by this browser which can serve as evidence that is admissible in court of law is also discussed.

show abstract

Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions

Cited by 23 publications

References 2 publications

A process-level analysis of private browsing behavior: A focus on Google Chromes Incognito mode

A process-level analysis of private browsing behavior: A focus on Google Chromes Incognito mode

Private browsing: A window of forensic opportunity

Forensic Reconstruction and Analysis of Residual Artifacts from Portable Web Browser

Contact Info

Product

Resources

About