Can You Browse the Internet in Secrecy? Part 2: The Experiment

Sep 28, 2015

By Jessica Riccio

In part one, we defined private browsing and discussed its history. We covered places where various browsers store browsing history and the technical means through which each browser does so.

In this part, I give the steps and results of my own experiments on the efficacy of private browsing.

Experimentation

To test the validity of each company’s claims for secure private browsing, I have set up an experiment. The experiment is designed to look only at whether or not the private browsing history entries of each browser can be found once the private browsing session has ended.

To streamline the search for Internet artifacts, I have chosen to use Magnet Forensics’ Internet Evidence Finder (IEF). Starting with version 5.6, IEF has the ability to search specifically for Incognito, Private Browsing, and InPrivate entries. By visiting unique websites during regular and private browsing, we will be able to tell whether the private browsing history entries are still lingering after the sessions have ended.

Materials

In order to perform the experiment, we will need the following:
• Computer
• Internet Evidence Finder v 5.6
• Internet Explorer 8, Mozilla Firefox 20, and Google Chrome 26
For the purpose of this experiment, I chose to use Windows XP as the operating system on which to run the programs. It is worth mentioning that browsers will store information differently depending on their installation process and operating system on which they were installed. In addition, all Internet browsers were installed with a default configuration.

Process

After installing all three browsers on the computer, I determined six unique website URLs that would be used for private browsing and six unique URLs that would be visited during regular browsing.

Websites Used For Experiment

Regular Browsing

http://en.wikipedia.org/wiki/Watermelon
http://en.wikipedia.org/wiki/Kiwi
http://en.wikipedia.org/wiki/Coconut
http://en.wikipedia.org/wiki/Raspberry
http://en.wikipedia.org/wiki/Lemon
http://en.wikipedia.org/wiki/Limes

Private Browsing

http://en.wikipedia.org/wiki/Banana
http://en.wikipedia.org/wiki/Orange
http://en.wikipedia.org/wiki/Strawberry
http://en.wikipedia.org/wiki/Blueberry
http://en.wikipedia.org/wiki/Mango
http://en.wikipedia.org/wiki/Pineapple

To best simulate a realistic private browsing session, the websites were visited for various amounts of time. The total time spent using private browsing mode came from a study conducted by researchers with Mozilla, which found that the average time a user spent browsing privately was ten minutes. So, while the amount of time spent viewing each page varied, the average time spent using private browsing was ten minutes.

Findings

RAM is dynamic and volatile. It is constantly changing, and its content disappears when the computer is shut down. Because all computers utilize RAM, if acquired quickly and correctly – before the computer is shut down – RAM can offer a few gigabytes of evidence that may never have made its way to the hard drive. It is quite possible that Internet browser artifacts could be found in RAM.

After visiting the websites, I used Internet Evidence Finder and chose to search only for artifacts relating to Internet Explorer, Firefox, and Chrome.

Google Chrome

Internet Evidence Finder did not find any of the website URLs that were visited using Incognito. However, it did find all of the websites that were visited during regular browsing. These artifacts were found in the daily History file and in the History file.

Mozilla Firefox

Like Chrome, there were no history entries found on the computer from private browsing. The only artifacts that were left behind by Firefox were those from the websites visited during a regular browsing session. These entries were found in the places.sqlite file.

Internet Explorer

The search for InPrivate history entries yielded different results than the previous two searches. Internet Evidence Finder was able to find one InPrivate website entry. Specifically, it found the first website that was visited, http://en.wikipedia.org/wiki/Banana, in the pagefile.sys file.

Conclusions

Given the lack of Incognito artifacts found by Internet Evidence Finder, the method Google employs to ensure that private browsing artifacts are not kept on the computer after a session has ended is at least sufficient to keep them from being found by a common industry-standard program.

Though Internet Evidence Finder was unable to find any Incognito artifacts, there are programs that are specifically designed to look for them. Perhaps a search program that focuses on depth instead of breadth could produce artifacts.

Firefox stores its data in a fashion similar to Google Chrome. In the user’s Application Data folder, there is a Profiles folder that contains a profile for each user on the computer. The Firefox data for each user is found in that user’s profile file.

In terms of Firefox, the methods used by Mozilla are good enough to evade the findings of Internet Evidence Finder.

Internet Explorer seems to perform the poorest when deleting all remnants of its private browsing history. The fact that we were able to find the URL of a website visited in InPrivate mode suggests that Microsoft still has some work to do in how Internet Explorer handles private browsing.

In conclusion, the storage and deletion methods used by Mozilla and Google to make a user’s activities truly private appear to be sufficient, while Microsoft has the weakest implementation of private browsing. Overall, the chances of finding many private browsing artifacts are fairly small. However, it would be wise to look in pagefile.sys, hibernation files, and other common areas for possible remnants of the private browsing artifacts.
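The check suggested above can be sketched as a raw scan of a binary image (a copy of pagefile.sys, a hibernation file, or a RAM capture) for the experiment's private-browsing marker URLs. This is an added example, not part of the original article and not how Internet Evidence Finder works; the function names `scan_stream` and `demo` are hypothetical, and the sample buffer is constructed for illustration.

```python
import io

# The six private-browsing marker URLs listed in the article.
PRIVATE_URLS = [
    "http://en.wikipedia.org/wiki/Banana",
    "http://en.wikipedia.org/wiki/Orange",
    "http://en.wikipedia.org/wiki/Strawberry",
    "http://en.wikipedia.org/wiki/Blueberry",
    "http://en.wikipedia.org/wiki/Mango",
    "http://en.wikipedia.org/wiki/Pineapple",
]

def scan_stream(stream, urls, chunk_size=1 << 20):
    """Return {url: [byte offsets]} for each marker URL found in a binary stream.

    Each URL is searched as ASCII and as UTF-16LE, since a URL may be held in
    memory or paged out in either encoding. Consecutive reads overlap so that a
    URL split across two chunks is not missed.
    """
    needles = {u: (u.encode("ascii"), u.encode("utf-16-le")) for u in urls}
    overlap = max(len(n) for pair in needles.values() for n in pair) - 1
    hits = {u: set() for u in urls}
    tail, base = b"", 0  # base = file offset of the first byte of `window`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for url, pair in needles.items():
            for needle in pair:
                pos = window.find(needle)
                while pos != -1:
                    hits[url].add(base + pos)  # set() dedupes overlap re-hits
                    pos = window.find(needle, pos + 1)
        tail = window[-overlap:]
        base += len(window) - len(tail)
    return {u: sorted(offs) for u, offs in hits.items() if offs}

def demo():
    # Constructed sample standing in for a swap-file fragment (not real evidence):
    # Banana as ASCII at offset 100, Mango as UTF-16LE at offset 172.
    blob = (b"\x00" * 100 + PRIVATE_URLS[0].encode("ascii") + b"\xff" * 37
            + PRIVATE_URLS[4].encode("utf-16-le") + b"\x00" * 50)
    # chunk_size=64 forces both URLs to straddle read boundaries.
    return scan_stream(io.BytesIO(blob), PRIVATE_URLS, chunk_size=64)

if __name__ == "__main__":
    for url, offsets in demo().items():
        print(url, offsets)
```

A hit is a substring match only; it ties back to a private session here because the experiment visited these URLs exclusively in private mode.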

Future Work

The results and conclusions that were reached in this article do not reflect all of the possible areas in which a web browser can inadvertently leave behind artifacts from a user’s private browsing session. In order to completely prove or disprove the idea that web browsers have the ability to truly allow a user to browse in secrecy, further extensive testing should be done.
