By Jessica Riccio
Under normal circumstances, browsing the Internet leaves many footprints (“artifacts”) across the user’s computer. A computer forensic expert’s ability to find Internet History artifacts will frequently have a significant impact on the outcome of a case.
The well-known 2004 case of Scott Peterson is such a case. Peterson was found guilty of first-degree murder for the death of his wife and their unborn child. Peterson’s Internet searches for tidal currents in San Francisco Bay near the location where the body of his wife was found were key components in the prosecutor’s case against Peterson.
In 2006, Justin Barber’s wife was killed by a gunshot and he was found guilty of her murder. He was sentenced to life in prison in part because of the incriminating Google searches he performed, including “gunshot,” “trauma,” and “right chest.”
More recently, in 2012, Casey Anthony was acquitted of all murder charges brought against her for the death of her daughter Caylee Anthony even though there were searches found on her computer for “neck breaking,” “chloroform,” and “chest trauma.” The search evidence was important to the prosecutor’s case, but in this instance was not enough for a conviction.
Most Internet browser programs now have a setting that, rather than keeping track of movements on the Web, attempts to hide Internet activities. While it is important for the computer forensics expert to search the computer for common Internet artifacts, it is equally important to search the computer for these more hidden tracks. The idea of finding what supposedly cannot be found could have a large impact on the way computer forensic experts search for evidence in a case involving Internet history.
Internet users who surf the web for less than exemplary activities think that they can rely on the private browsing feature of their web browser to hide their activities from other users on the same computer. A user’s belief that activities are not being monitored and saved during their private session may end up providing valuable information in a case if these artifacts are able to be recovered. By coupling the history and specific aspects of various private browsers with the likelihood of finding these private artifacts, an expert can determine where and how to best search for private browsing artifacts.
While Private Browsing may have a variety of names depending on a given browser program’s implementation of the feature, it comes as no surprise that Apple was the first company to implement the idea of private browsing. In the spring of 2005, Apple released an update to the Safari browser that included the option of private browsing. Apple made the claim that you could now browse the Internet “as if you were never there.” Over the next five years, companies began to create their versions of private browsing, all claiming similar functionality: what you do in private browsing is not logged and therefore cannot be found. As of this writing, Google, Mozilla, Apple, Opera, and Microsoft offer different flavors of private browsing.
What is Private Browsing?
There exists no exact definition of private browsing but one can gain a fairly good idea of what it means to use private browsing just from the words themselves. Generally speaking, private browsing is an option that now comes standard with the majority of Internet browsers. It allows the user to enter into a mode that does not log many common Internet artifacts. By not logging a user’s actions, the sites visited during this mode are not visible to other users on the computer.
The way in which the Internet browser accomplishes the task of browsing in secret is implemented differently depending on the browser. Through experimentation with three of the most popular web browsers, we will determine which browser currently does the best job of allowing the activities during these sessions to be kept secret and we will offer possible explanations as to why each browser performs the way it does from a computer forensics standpoint.
Common Storage Areas
There are areas of a computer in which computer forensics experts are more likely to find relevant and valuable data than other places. We discuss these below.
Random Access Memory (RAM)
RAM is dynamic and volatile. It is constantly changing, and its content disappears when the computer is shut down. Because all computers utilize RAM, if acquired quickly and correctly – before the computer is shut down – RAM can offer a few gigabytes of evidence that may never have made its way to the hard drive. It is quite possible that Internet browser artifacts could be found in RAM.
The Pagefile.sys file is an important file to the overall mechanics of the Windows operating system. The file helps with the allocation and usage of non-volatile storage and programs. It can be thought of in lay terms as the computer’s scratch pad. When there are many applications running on a computer, Windows will often transfer applications that are open but not actively being used at the moment to the pagefile.sys file, which allows other programs more access to RAM.
This ensures two things:
(a) The programs that are accessing RAM most frequently are able to maximize their resources and
(b) When the user is ready to resume activity with a program that is no longer in RAM, it will be loaded back into RAM because its contents and attributes were readily accessible in the pagefile.sys file.
Even though the data in pagefile.sys persists over time, it contains a record of data that was in RAM before the computer was shut down. Therefore, it’s a way of looking at non-volatile artifacts through volatile storage. Often, experts can find in the pagefile.sys remnants of programs or files that were recently opened.
For example, suppose an employee browses websites on his company computer that are not within the bounds of the company’s computer use policy before he starts work for the day. Before the employee leaves for lunch, the computer is shut down and subsequently picked up by his supervisor, who had suspected for a while that the employee was behaving inappropriately. When a forensic image of the computer is made by the company’s expert, the expert could find the illicit websites that were visited by the employee.
Both Windows and Macintosh OS X have the option of entering into hibernation mode and as a result, each may have a hibernation file. When the computer goes into hibernation, all of the contents found in volatile memory are moved to a file that will be loaded back into the volatile memory when the computer comes out of hibernation mode. In Windows, the file that contains the data is a root level file called hiberfil.sys. In Macintosh, hibernation mode cannot be accessed directly by the user, but there is a file like hiberfil.sys called sleepimage. The data that was in RAM is written to sleepimage while the Macintosh system is in hibernation mode, more commonly referred to as Safe Sleep. Hibernation files can contain valuable evidence of what programs were open, including Internet browsers.
Because disk space on a hard drive is a broad topic, it may be more effective to focus on the aspects of disk space as they relate to each of the browsers with which we will be experimenting. Though the specific path is dependent on which version of Windows is being used, Google Chrome stores its data in the User Data folder, which is a subfolder in a user’s Application Data folder.
Firefox stores its data in a similar fashion as Google Chrome. In the user’s Application Data folder, there is a Profiles folder that contains a profile for each user on the computer. The Firefox data for each user is found in that user’s profile file.
Unlike Chrome and Firefox, Internet Explorer stores its Internet artifacts in many different places on the hard drive. The history of Internet Explorer is stored in two different files but both files are entitled index.dat. One file is a daily record of all the websites visited by the user. The second file keeps track of all the websites that have been visited since Internet Explorer was installed.
Currently the most commonly used web browser, Chrome has cleverly named its private browsing mode “Incognito.” Incognito boasts quite a list of activities that are not logged. According to Google, webpages and file downloads are not logged, changes to bookmarks and settings are not saved, and any cookies that have appeared during the private browsing session are deleted when the session is finished.
However, Google makes it clear that using “Incognito mode only keeps Google Chrome from storing information about the websites you visited.” Also, signing into your Google account while using Incognito mode will still log all web searches unless you disable tracking. Although there are a large number of artifacts that are usually stored on the computer during a regular Internet browsing session, Google seems to cover all of its bases when choosing which activities to not record during Incognito mode.
Technical Specifications of Incognito Mode
Unfortunately, Google does not offer any public specifications on its implementation of Incognito. However, web pages need certain computer resources in order to load and function correctly. Logically, it makes sense that even during a private browsing session some data will be written to necessary parts of the computer even if it is going to be deleted or erased when the session is finished.
The pagefile.sys or at the very least RAM could contain some remnants of the Incognito data. Though it exists, and can be quite effective, capturing the data from non-volatile storage is not a realistic means of investigation in our case. Unless the expert is actively monitoring the activity occurring with a suspect or person of interest, the odds of showing up fairly close to the time an incriminating search took place and being able to retrieve it from the non-volatile storage areas are minimal.
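The pagefile.sys and RAM discussion above, and the note here that Incognito remnants may survive in those areas, can be illustrated with a URL carver. This is an added example, not code from the original article: the function names and the sample buffer are hypothetical, and it assumes the input is a raw RAM capture or a copy of pagefile.sys taken from a forensic image.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Characters allowed in a URL body; a match ends at NULs, whitespace or quotes.
_CH = rb"[A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]"
ASCII_URL = re.compile(rb"https?://" + _CH + rb"{4,2048}")
# The same URL as UTF-16LE (each character followed by 0x00), which is how
# Windows processes commonly hold strings in memory.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:"
                       + _CH + rb"\x00){4,2048}")

def carve_urls(buf, base=0):
    """Return sorted (offset, encoding, url) tuples found in a bytes buffer."""
    hits = [(base + m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_URL.finditer(buf)]
    hits += [(base + m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_URL.finditer(buf)]
    return sorted(hits)

def carve_file(path, chunk_size=16 << 20, overlap=8192):
    """Carve a large raw image in chunks; the overlap catches URLs that
    straddle a chunk boundary, and the longest match per offset wins."""
    best, pos, tail = {}, 0, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            buf = tail + block
            for off, enc, url in carve_urls(buf, pos - len(tail)):
                if len(url) > len(best.get((off, enc), "")):
                    best[(off, enc)] = url
            pos += len(block)
            tail = buf[-overlap:]
    return sorted((off, enc, url) for (off, enc), url in best.items())

def host_counts(hits):
    """Tally hostnames so an examiner can triage which sites to look at."""
    counts = Counter()
    for _, _, url in hits:
        try:
            host = urlsplit(url).hostname
        except ValueError:      # malformed bracketed host in carved junk
            host = None
        if host:
            counts[host] += 1
    return counts

# Constructed sample standing in for a slice of pagefile.sys (not real data).
SAMPLE = (b"\x00\x17\xfe" * 5 + b"https://example.com/search?q=tides\x00\xff"
          + "http://example.org/page".encode("utf-16-le") + b"\x00\x00\x9c")
```

Recording the byte offset of each hit lets the examiner return to the surrounding bytes in the image for context. Windows hibernation files are compressed, so hiberfil.sys normally has to be decompressed with a dedicated tool before string carving of this kind is useful.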
Microsoft Internet Explorer
Since the end of 2008, the proportion of users who primarily use Internet Explorer has been declining. Today, only about thirty percent of all Internet users use Internet Explorer for their web browsing, making it the second most widely used browser in the world. Almost four years after private browsing was first deployed, Microsoft began implementing its version of private browsing, InPrivate browsing, with the release of Internet Explorer 8. Since then, Microsoft has released two newer iterations of Internet Explorer, the most recent being Internet Explorer 10. These newer versions also have InPrivate browsing.
According to Microsoft, InPrivate browsing “enables you to surf the web without leaving a trail in Internet Explorer.” Like Google, Microsoft’s list of information that is not stored during private browsing is quite extensive. The webpage history, form data, passwords, Autocomplete, and information in the address bar are not stored. Also, temporary web files and cookies are deleted when the session has ended.
Technical Specifications of InPrivate Browsing
To make your private browsing experience smooth, Microsoft keeps the cookies loaded into memory and clears that portion in memory when the session has ended. The temporary Internet files are stored on the disk and are subsequently deleted when the InPrivate browser closes. Unlike other companies, Microsoft does not claim that nothing gets stored to the computer during the session, only that once the session has ended the data will be deleted. Data deleted in such a fashion is likely to be recoverable by a computer forensics professional.
When Mozilla released Firefox 3.5 in 2009, it contained the first stable release of Private Browsing. It is important to distinguish between the generic private browsing and Mozilla’s brand, “Private Browsing,” in this section. Private Browsing (with capitals) refers to the name Firefox uses for its privacy mode, whereas private browsing (all lower case) is the generic term.
Since 2009, Mozilla has been correcting and improving the Private Browsing feature to become the best for browsing in secrecy. With Firefox 20 being released in the last month, many have pointed out that its private browsing feature is unique in that you don’t need to open a new window to initiate a Private Browsing session. The Private Browsing mode can be tab specific. For example, you can watch a YouTube video using one tab and shop for a birthday gift for your significant other in secrecy in the other tab. Chances are you do not mind people knowing you are watching a YouTube video, but you probably do not want your significant other to find out you have been shopping for the perfect gift.
According to Mozilla, Private Browsing does not save visited pages, form and search bar entries, passwords, cookies, and temporary Internet files. Just like Incognito, Private Browsing does not list any downloaded files in the download manager (Note: all downloads made during the Private Browsing session are still kept).
Technical Specifications of Private Browsing
Originally, Firefox implemented Private Browsing through temporary databases specific to the type of Internet artifact they were meant to store during the session. When the session ended, the databases were “thrown away” and Firefox began using the regular databases again. It is unclear how exactly the databases are “thrown away” when the private browsing session has ended. However, Mozilla has since removed this model almost completely from Firefox 20 and will probably have a different implementation by the time Firefox 21 is released.
Part II of this article will be in next week’s newsletter, and will include our experiments with each of the browsers, as well as a comparison between the effectiveness of the private browsing features. The article will be entitled, “Experimenting with Secret Browsing.”
Sources  http://gs.statcounter.com/#browser-ww-monthly-201210-201303