By Jessica Riccio
In part one, we defined private browsing and discussed its history. We covered places where various browsers store browsing history and the technical means through which each browser does so.
In this part, we give the steps and results of my own experiments with regard to the efficacy of using private browsing..
To test the validity of each company’s claims for secure private browsing, I have set up an experiment. The experiment is designed to look only at whether or not the private browsing history entries of each browser can be found once the private browsing session has ended.
In order to streamline the process by which the Internet artifacts are to be found, I have chosen to use Magnet Forensics’ Internet Evidence Finder (IEF). Starting with version 5.6, IEF has the ability to search specifically for Incognito, Private Browsing, and InPrivate entries. By visiting unique websites during regular and private browsing, we will be able to know if the private browsing history entries were still lingering around after the sessions have ended.
In order to perform the experiment, we will need the following:
• Internet Evidence Finder v 5.6
• Internet Explorer 8, Mozilla Firefox 20, and Google Chrome 26
For the purpose of this experiment, I chose to use Windows XP as the operating system on which to run the programs. It is worth mentioning that browsers will store information differently depending on their installation process and operating system on which they were installed. In addition, all Internet browsers were installed with a default configuration.
After installing all three browsers on the computer, I determined six unique website URLs that would be used for private browsing and six unique URLs that would be visited during regular browsing.
Websites Used For Experiment
To best simulate a realistic private browsing session, the websites were visited for various amounts of time. The total time spent using private browsing mode came from a study conducted by researchers with Mozilla found the average time a user spent browsing privately was ten minutes. So, while the amount of time spent viewing each page varied, the average time spent using private browsing was ten minutes.
RAM is dynamic and volatile. It is constantly changing, and its content disappears when the computer is shut down. Because all computers utilize RAM, if acquired quickly and correctly – before the computer is shut down – RAM can offer a few gigabytes of evidence that may never have made its way to the hard drive. It is quite possible that Internet browser artifacts could be found in RAM.
After visiting the websites, I used Internet Evidence Finder and chose to search only for artifacts relating to Internet Explorer, Firefox, and Chrome.
Internet Evidence Finder did not find any of the website URLs that were visited using Incognito. However, it did find all of the websites that were visited during regular browsing. These artifacts were found in the daily History file and in the History file.
Like Chrome, there were no history entries found on the computer from private browsing. The only artifacts that were left behind by Firefox were those from the websites visited during a regular browsing session. These entries were found in the places.sqlite file.
The search for InPrivate history entries yielded different results than the previous two searches. Internet Evidence finder was able to find one InPrivate website entry. Specifically, it found the first website that was visited, http://en.wikipedia.org/wiki/Banana in the pagefile.sys file.
Due to the lack of private browsing artifacts found by Internet Evidence Finder in regards to Incognito mode, the method employed by Google to ensure that private browsing artifacts are not kept on the computer after a session has ended is at least sufficient enough to not be found by a common industry standard program.
Though Internet Evidence Finder was unable to find any Incognito artifacts, there are programs that are specifically designed to look for them. Perhaps a search program that focuses on depth instead of breadth could produce artifacts.
Firefox stores its data in a similar fashion as Google Chrome. In the user’s Application Data folder, there is a Profiles folder that contains a profile for each user on the computer. The Firefox data for each user is found in that user’s profile file.
In terms of Firefox, the methods used by Mozilla are good enough to evade the findings of Internet Evidence Finder.
Internet Explorer seems to perform the poorest when deleting all remnants of its private browsing history. The fact that we were able to find the URL of a website visited in InPrivate mode suggests that Microsoft still has some work to do in how Internet Explorer handles private browsing.
In conclusion, the storage and deletion methods used by Mozilla and Google to make a user’s activities truly private appear to be sufficient, while Microsoft has the weakest implementation of private browsing. Overall, the chances of finding many private browsing artifacts are fairly small. However, it would be wise to look in pagefile.sys, hibernation files, and other common areas for possible remnants of the private browsing artifacts.
The results and conclusions that were reached in this article do not reflect all of the possible areas in which a web browser can unsuspectingly leave behind artifacts from a user’s private browsing session. In order to completely prove or disapprove the idea that web browsers have the ability to truly allow a user to browse in secrecy, further extensive testing should be done.
Subscribe to our free and informative weekly forensics newsletter!