Title: Web browser artefacts in private and portable modes: a forensic investigation
Authors: Cassandra Flowers; Ali Mansour; Haider M. Al-Khateeb
Addresses: Babraham Research Campus, Babraham, Cambridgeshire, CB22 3AT, UK ' Department of Computer Science and Technology, University of Bedfordshire, Park Square, Luton, Bedfordshire, LU1 3JU, UK ' Department of Computer Science and Technology, University of Bedfordshire, Park Square, Luton, Bedfordshire, LU1 3JU, UK
Abstract: Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts as portable and private browsing are now common and available in popular web browsers. Browsers claim that whilst operating in private mode, no data is stored on the system. This paper investigates whether the claims of web browsers discretion are true by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when used in a private browsing session, as a portable browser, and when the former is running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory by means of dump files, hibernate and page files are the key areas where evidence from all browsers will still be recoverable despite their mode or location they run from.
Keywords: web browser forensics; portable applications; private browsing; incognito mode; physical memory; Windows; Chrome; Firefox; Opera; OSForensics; Internet Exporer; web browsers; browser artefacts; portable browsers; user privacy; volatile memory; recoverable artefacts; record recovery; evidence recovery.
International Journal of Electronic Security and Digital Forensics, 2016 Vol.8 No.2, pp.99 - 117
Received: 23 Jul 2015
Accepted: 30 Sep 2015
Published online: 28 Mar 2016 *