Today, a significant number of netizens use private browsing mode to conceal their search history.
Have the browsers really succeeded in concealing the history?
Web browsers are designed to record and retain a lot of information such as cache files, URLs, search keywords, cookies related to the user’s activities. These files are stored on the local computer and can be retrieved by anyone who uses the same computer. The motivation for a user to browse privately is to conceal evidence of unusual browsing activity. Hence there was a need to personalize the browsing activity of user, to protect the critical data from theft, by enhancing the privacy of browsers. As a result, all major vendors started providing a new feature called Private Browsing Mode which restricts the browser from storing the web browsing history.
However, the private browsing mode can be virtually impaired by using third party packages to retrieve the history. A study on the private browsing artifacts of the installed browsers has shown that the private browsing modes of the Google Chrome, Mozilla Firefox and Microsoft Internet Explorer browsers have left artifacts. Microsoft Internet Explorer left forensic artifacts of the private browsing session, in the form of deleted files on the hard disk. Mozilla Firefox left artifacts on the hard disk in the pagefile.sys file. Running a memory leaking program, can pull artifacts from private browsing sessions in to the memory. DNS resolutions are cached by the operating system, and an analysis of the cache and Time to live values, it can be concluded if the user visited a particular site. Further traces can be obtained by checking the swapped pages. Above all, private browsing mode doesn’t stop internet service providers and websites from tracking the usage. An alternative to private browsing mode is the usage of portable web browser.
A web browser installed on a removable drive serves the purpose as the browser is no longer an integral part of the computer. The main motive behind the development of a portable web browser is to personalize the browsing session of the user by limiting the history residues. The enhanced privacy benefits the user at large by reducing the interaction of browsing activity with the computer disk, but poses a challenge for forensic examiners to collect evidence in case of cyber-crimes and internet fraud.
Do these Portable browsers serve the purpose?
When a user plugs in the USB drive to a computer with internet connectivity, one can browse the internet. Privacy is enhanced by storing the browsing sessions on the portable device instead of a computer. Therefore portable web browsers were thought of as a challenge for the forensic examiners to investigate a suspect's Internet activities in cases where questionable web sites were visited or criminal acts were executed using them. But the Windows prefetch file analysis clearly shows the activity performed by the user, breaking the strength of such drives. Windows registry is a gold source where incremental evidence can be found pertaining to the usage of such devices. Furthermore, traditional forensic procedure of searching the Prefetch, Pagefile, Slack space, allocated and unallocated space, and custom destinations like \Recent folder shows traces of such devices.
Computers store evidence in one or the other form. A close perusal of the storage space would unearth valuable data upholding the principle governing forensics.
“…This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, and it cannot be wholly absent. Only human failure to find it, study it, and understand it, can diminish its value.”
For further reading on this topic, refer my article published in an International Journal.