Do private and portable web browsers leave incriminating evidence ...

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136httpjiseurasipjournalscomcontent201316

RESEARCH Open Access

Do private and portable web browsers leaveincriminating evidence a forensic analysis ofresidual artifacts from private and portable webbrowsing sessionsDonny J Ohana and Narasimha Shashidhar

Abstract

The Internet is an essential tool for everyday tasks Aside from common use the option to browse the Internetprivately is a desirable attribute However this can create a problem when private Internet sessions become hiddenfrom computer forensic investigators in need of evidence Our primary focus in this research is to discover residualartifacts from private and portable web browsing sessions In addition the artifacts must contain more than just filefragments and enough to establish an affirmative link between user and session Certain aspects of this topic havetriggered many questions but there have never been enough authoritative answers to follow As a result wepropose a new methodology for analyzing private and portable web browsing artifacts Our research will serveto be a significant resource for law enforcement computer forensic investigators and the digital forensicsresearch community

Keywords Private browsing Portable web browsers Internet forensics Portable browsing Web browser artifactsRAM analysis

1 IntroductionIn the last 20 years the Internet has become drasticallyessential for everyday tasks associated with stationaryand mobile computer devices Aside from commonInternet usage people desire the option to browse theInternet while keeping their user information private As aresult new web browsing features were slowly developedfor all major web browsers asserting the option of lsquoprivatebrowsingrsquo This method works by either removinginformation at the end of a private session or by notwriting the data at all Other private browser featuresmay include concealing additional information suchas cookie discoverability from websitesAccording to one study [1] there are two private browsing

objectives The first objective is to allow users to browse theInternet without leaving any trace The second is to allowusers to browse the Internet while limiting identity disco-verability to websites While both of these goals are

Correspondence djo007shsueduDepartment of Computer Science Sam Houston State University HuntsvilleTX 77340 USA

copy 2013 Ohana and Shashidhar licensee SpringCommons Attribution License (httpcreativecoreproduction in any medium provided the orig

important our research will focus on discovering informa-tion from local storage devices since the majority of com-puter investigations involve search and seizure of localmachines One alternative to using private browsing modesis to surf the Internet using a portable web browser such asone stored on a Universal Serial Bus (USB) flash driveTherefore web browsing sessions are more likely to bestored on the portable storage device itself instead of thecomputer or host machinePrivate and portable web browsing artifacts such as

usernames electronic communication browsing historyimages and videos may contain significant evidence toan examiner Prior research in this area is very limitedReferring back to one of the main studies on privatebrowsing modes [1] this research lacks an in-depth analysisof deleted and volatile information pertaining to privatebrowsing sessions In another study focused on portableweb browsers [2] many statements were made without thebasis of true experimental findings Furthermore there arevirtually no published studies on residual artifacts fromcurrent portable web browsers existing on host machines

er This is an open access article distributed under the terms of the Creativemmonsorglicensesby20) which permits unrestricted use distribution andinal work is properly cited

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 2 of 13httpjiseurasipjournalscomcontent201316

In the past similar studies have been conducted on theSanDisk U3 flash drive and its portable applications SinceU3-USB devices had a pre-installed read-only partition itwas challenging for forensic investigators to discoverelectronic evidence In the latter year of 2009 SanDiskbegan phasing out support for U3 Technology and ithas been discontinued because of many irresolvableissues [3]Private and portable web browsing artifacts can be

extremely valuable Prior research either lacks significantfindings or does not provide sufficient answers We planto overcome these shortcomings by analyzing bothallocated and unallocated space on entire disks whilemeasuring our results against multiple web browsersFurthermore we plan to analyze volatile data that may beavailable in an incident responseThis paper is organized as follows Section 2 provides

a list of background terms Section 3 describes priorand related work in private browsing modes and portableweb browsers Section 4 discusses the four major browsersand their privacy capabilities Section 5 discusses severaldifferent portable web browsers Section 6 details theimplementation and experiments Sections 7 and 8 concludethe paper with some open questions future work anddiscussion

2 Background definitionsIn this section we provide a list of background termsand definitions (Table 1) to assist readers with some ofthe terminology used in this research

Table 1 Terms and definitions

Terminology Definition

Residual artifacts Remaining data such as files images d

Affirmative link Judicially devised standard to aid Cour

ISO image A computer file that is an exact copy o

Virtual machine Simulation of a real machine

Prefetch files (Windows) Each time an application is run on a Wis created to speed boot time

$I30$MFT New Technology File System (NTFS) In

Browser cache Temporary Internet files (storage) for in

RAM Working memory that is volatile

Pagefile (paging) Virtual memory designated on disk

Memdump Action of dumping volatile memory in

Drive free space Referencing the unallocated space on

Slack spacefile slack Unused space in a disk cluster (area be

System volume information Volume shadow copy (snapshots) for s

FTK orphan directory Contains files that no longer have a pa

Data carving There are many different types of datamost data carvers extract content by lo

3 Related work31 Private browsingIn the study [1] on private browsing modes in modernbrowsers researchers presented a list of inconsistenciesbetween private browsing goals and browser implementa-tions They also defined private browsing modes to havetwo primary goals privacy against the web and privacyagainst local machines Meaning the users identity shouldnot be identified over the Internet (web) and the usersactivity should not be recorded on the machine (local)One example is that Mozilla Firefox and Google Chromeboth take steps to remain private against websitesduring private mode Apple Safari on the other handtakes measures to only protect against local machinesbut through our research we will exploit some of thevulnerability to that methodThe researchers found that all the web browsers (tested)

failed in one way or another when analyzing policies Thisis mainly because of complications introduced by browserplug-ins and extensions It was also shown that extensionscan weaken private browsing modes and therefore activitiescan still be recorded One example is that Google Chromedisables all extensions during private browsing mode andFirefox does not With regard to inconsistencies within asingle browser the researchers found that cookies set inpublic mode in Firefox 36 are not available to the webwhen browsing privately however SSL certificates andpasswords areUltimately this study establishes a good foundation for

private browsing analysis but lacks significant findingsThe areas primarily studied were policy inconsistencies

ocuments and web content

ts in determining sufficiency of evidence between subject and offense

f an existing file CD DVD etc

indows machine a Prefetch file referencing the loaded application

dex AttributeMaster File Table

creasing speed

to a file to view contents

disk

tween end of file and end of disk cluster)

ystem restorebackup

rent and the parent folder is overwritten (using $MFT as a reference)

carving techniques (block-based statistical semantic etc) but essentiallyoking for file headersfooters and then lsquocarvingrsquo data blocks in between

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 3 of 13httpjiseurasipjournalscomcontent201316

browser extension weaknesses private browsing usagewebsite user discoverability and Firefox vulnerabilitiesVarious files and folders which were privately modifiedand accessed are pointed out by the researchers but theydo retrieve specific data that is deleted after a privatesession is terminated Also volatile memory artifacts wereignored because they wanted to show discoverability afterthe memory was cleared When a small experiment wasconducted running a memory leaking program certainartifacts from private browsing sessions were discoveredin the memory The reason for this was explainedthat operating systems often cache DNS resolutionsand therefore by analyzing the cache and TTL valuesan investigator can learn if and when the user visiteda particular site In addition the Operating System canswap memory pages leaving further traces of user activityIn contrast to this research we plan to examine all

four major web browsers utilizing a different acquisitionmethod Our goal is to extract as much data as possibleincluding deleted and volatile data to obtain sufficientinformation within the artifacts retrieved One researcharticle [4] argues that browser vendors deliver exactlywhat they claim but consumers have limited knowledge asto what private browsing modes can actually do Comparingthis article to the first study [1] proves otherwise There areclearly private policy inconsistencies within the four majorbrowsers according to the data

32 Portable web browsingOne study on portable web browsers [2] explained thatportable web browsing artifacts are primarily storedwhere the installation folder is located (removable disk)Residual artifacts such as USB identifiers and portableprograms can be discovered by analyzing the WindowsRegistry and Windows Prefetch files Furthermorethey state that if the removable disk is not accessibleto the investigator it is impossible to trace any furtherinformation In regard to portable software discoverabilitythe researchers stated that it was difficult to determineportable web browser usage on a host machine The majorityof these statements were made without the basis ofany true experimental findings Therefore every oneof these statements will be fully tested in our researchto determine authoritative answers We plan to recoversignificant residual artifacts located on host machinestesting several different portable web browsers Eventhough USB identifiers are important to obtain it iseven more important to establish an affirmative linkbetween user and session

33 Flash driveIn comparison to current portable software Sandisk andMicrosoft worked together many years ago on a projectcalled U3 Technology [5] Essentially the idea was to

allow consumers to carry a portable disk containingpersonalized files and web browsers U3 flash driveswere pre-installed with a U3 Launchpad similar to anOS start menu with various programs installed Thereare two partitions to the U3 flash drive structure one is amass storage device and the other is a virtual CD-ROMThe virtual partition was actually an ISO image which waswhy information was read but not written to the diskAccording to one study [6] U3 devices created a folder onhost machines and recorded user activity Once the diskwas ejected a cleanup program was executed and automat-ically removed all user activity from that system Byanalyzing the Windows Prefetch files researchers were ableto identify which programs were run from the U3 deviceIn another study on battling U3 anti-forensics [7] U3

identifiers were discovered as well by analyzing theWindows Registry and Prefetch directory The majority oftraces were located within slack space and free space ofthe hard drive For this reason our research experimentswill be conducted using separate physical hard drives toincorporate the possibility of discovering data within theseareas Even though sufficient evidence was obtained tosupport which U3 programs were launched it was stillextremely difficult for researchers to identify othersignificant artifacts We will probably face the samebarriers in our research Overall the U3 portable diskprovided a sense of privacy and personalization to usersOver time there had been numerous complaints aboutU3 devices such as potential incompatibility and malware-like behavior SanDisk began phasing out support for U3Technology in late 2009 [3] and the U3 disk has beendiscontinued

4 Major browsers and private browsingIn this section we discuss four major web browsers andtheir private browsing implementations

41 Microsoft Internet ExplorerMicrosoft Internet Explorer (IE) is one of the mostcommonly used web browsers on Windows machinesA list of areas where most IE web browsing artifactsare located is as follows

Cookies (Indexdat) History (Indexdat) Registry (typed URLs search queries auto-complete

protected storage) NTUSERdat Temporary Internet Files and Indexdat Entries Downloads

IE also offers users a private browsing feature calledInPrivate Browsing According to Microsoft [8] InPrivateBrowsing enables users to surf the Internet without leaving

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 4 of 13httpjiseurasipjournalscomcontent201316

a trace on their computer However while using InPrivateBrowsing some information such as cookies and tempor-ary files are temporarily stored so that web pages will workcorrectly Once the browsing session is ended all of thatdata is discarded Table 2 shows a list of areas affectedby InPrivate Browsing and is available to the publicon Microsofts webpage In regard to web browserextensions IE disables all toolbars and extensionsduring InPrivate Browsing sessions to ensure betterprivacy IE also does not clear toolbars and extensionsafter a private session is ended

42 Google chromeGoogle Chrome is another very popular web browserthat can be found on both Windows and Mac operatingsystems A list of common areas where Chrome webbrowsing artifacts can be located is as follows

JSON (JavaScript Object Notation) structure - textbased open standard design for human readable data

Downloads Bookmarks Web data Keyword search terms Keywords URL database History index (YYY-MM) Current and last sessions Top sites database Media cache

Chrome also offers something called Incognito modefor users to browse the Internet in a private settingAccording to Google [9] Incognito mode does notrecord any browsing or download histories and allcreated cookies will be removed when exiting a sessioncompletely Additionally Google states that if users are

Table 2 Microsoft IE InPrivate browsing features

Data How InPrivate browsing affects data

Cookies Contained in working memory butcleared after session

Temporary internet files Stored on disk but deleted aftersession

Webpage history Not stored

Form data and passwords Not stored

Anti-phishing cache Temporary information is encryptedand stored

Address bar and auto-complete

Not stored

Automatic cache restore Restore is successful only if tab crashesand not entire session

Document object modelstorage

Discarded after session

working in Chrome OS surfing the Internet underguest browsing essentially does the same thing Oncethe guest session is closed all browsing information iscompletely erased

43 Mozilla FirefoxMozilla Firefox is another popular web browser that canbe found on multiple platforms Web browsers such asChrome and Firefox can also be found on mobile devicessuch as Androids iPads etc A list of common areas whereFirefox web browsing artifacts can be located is as follows

Sqlite database structure Prefsjs (user preferences) Signonstxt (encrypted data for website

authentication) Formhistorysqlite Cookiessqlite Firefox cache Placessqlite (bookmarks and history) Downloadssqlite

Just like all other major web browsers Firefox offers adiscreet browsing mode called Private Browsing Accordingto Mozilla [10] Private Browsing mode allows users to surfthe Internet without saving any information about visitedsites or pages Table 3 shows a list of areas affected byPrivate Browsing and is available to the public on Mozillaswebpage Mozilla makes it clear that private browsingmodes do not make users anonymous from web sitesISPs and networks In other words Private Browsing ismerely affected in the Application Layer recognized in theOS Aside from other privacy features there is an optionto enable the Do-Not-Track feature in Firefox whichrequests that websites do not track user browsingbehavior This request is honored voluntarily and AppleSafari offers the same In the experimental phase of our

Table 3 Mozilla private browsing features

Data How private browsing affects data

Visited pages Will not be added in History menuLibrary history or other bar list

Form and search bar entries Nothing entered will be saved for FormAuto-complete

Passwords No new passwords will be saved

Download list entries No downloaded files will be listed underDownloads

Cookies Does not save

Cached web content Not saved

Flash cookies Latest version of Flash must be used toprevent saving

Offline web content anduser data

Not saved

Figure 1 PortableApps launchpadFigure 2 Hard drive setup with labels

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 5 of 13httpjiseurasipjournalscomcontent201316

research these types of features will be optimized for fullprivacy

44 Apple safariThe Apple Safari web browser is primarily used onMaciOS operating systems but is also available forWindows A list of common areas where Safari webbrowsing artifacts can be located is as follows

plist (Propert List) structure Cookiesplist Bookmarksplist Historyplist WebpageIconsdb Keychainsplist Downloadsplist

Apples latest version of the Safari web browser forWindows is Safari 517 [11] When Safari launched 60they did not update the Windows versions Most peoplehave assumed that Apple is moving away from Windowscompatibility According to Apple Private Browsing modeensures that web pages are not added to the history listcookie changes are discarded searches are not added to

the search fields and websites cannot modify informationstored on the computer

5 Portable softwareIn this section we discuss several major web browsersthat are made available in portable formats and wereused for this research

51 Portable application and web browsersTo allow for certain portable browsers to work a freeprogram called PortableApps [12] was used for thisresearch PortableApps is similar to the previouslymentioned U3 Launchpad in that it allows you totake portable applications with you as you go It isbased on an open source platform and will work withalmost any portable storage device Figure 1 showshow the launchpad is structured In our study theapplication was installed on a USB flash drive Threeportable web browsers were selected through PortableAppsMozilla Firefox Portable 1801 [13] Google ChromePortable 240131252 [14] and Opera Portable 1212[15] The reason Apple Safari Portable was not selectedbecause it was not in fact portable The most updatedversion located was not a standalone executable programand it had to be installed onto the machine According

Figure 3 DaemonFS monitoring example

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 6 of 13httpjiseurasipjournalscomcontent201316

to Mozilla the Portable Edition leaves no personalinformation behind on the machine it runs on [13]All the portable browsers were essentially designedfor users to carry customized browsers without leavingtraces on machines That is why artifacts such as webbrowsing history passwords and auto-fill forms are storedwhere the portable browser installation folder is locatedPrivacy modes can also be enabled to help block flashcookies and other artifacts from storing within theinstallation folder

6 Implementations and experimentsIn this section we provide a brief overview of privateand portable web browsing sessions that will be analyzedusing computer forensics

61 Tools and setupThe following tools were used for the assessmentsacquisitions examinations and analysis

Table 4 Browser analysis during normal browsing sessions

Browser Primary changes

Internet explorer 80 Temp File Directory files (Concreated modified and delete

Google chrome 230127195 Directory ChromeUser DataDefaultSession Storage) files

Firefox 1701 Directory FirefoxProfiles (Cacmodified and deleted

Safari 517 Directory AppleComputerSafiles are created modified an

Hardware

1- Desktop (PC - forensic workstation - 4-GB RAM) 1- Laptop (PC - forensic workstation - 6-GB RAM) 8ndash160 GB SATA Hard Drives (one dedicated drive

for lab) 1- USB Flash Drive (8 GB) 1- USB External Drive (1 TB WD Passport) 1- SATA to USB Adapter 1- Tableau USB Write Blocker (IDESATA) Antistatic Bags and Antistatic Wrist Strap

Software

Microsoft Windows 7 Professional (64) Internet Explorer Firefox Safari Chrome VMware - virtualization software DaemonFS - file integrity monitoring program Disk Wipe - to replace data on disk with zeros Nirsoft Internet Tools - history cache and

cookie viewers

tentIE HistoryIE5 Cookies Recovery Custom Destinations Indexdat) ared

(Safe Browsing Whitelist Default Cache Current Session DefaultHistoryare created modified and deleted

he jumpListCache etc) and Win CustomDestinations files are created

fari (Cache History Webpage Previews Cookies WebpageIconsdb)d deleted

Table 5 Browser analysis during private browsing sessions

Private browser Noticeable change

IE InPrivate Browsing Everything gets deleted when exiting the browser and the entire session is terminated

Google Chrome Incognito Mode Safe Browsing databases Cookies and History are modified no changes during session but thechrome_shutdown_mstxt is replaced with a new timestamp when session ends

Firefox Private Browsing Safe Browsing database gets modified nothing appears to be written while surfing but whensession ends some FirefoxProfile files are modified

Safari Private Browsing Only NTuserdat appears to be modified

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 7 of 13httpjiseurasipjournalscomcontent201316

Live View - Java based tool to convert dd to vmdk PortableApps - portable application Launchpad Firefox Portable Chrome Portable Opera Portable FTK Imager - used to create forensic images FTK Imager Lite - portable version AccessData FTK version 32 (Licensed) - used to

analyze forensic images and organize information

The key to our research was for us to conduct a stan-dardized test across multiple controlled environmentsTherefore all the experiments were handled in a forensic-ally sound manner as if we were handling real evidencePhotographs were taken forensic images were createdprocedures were properly documented and evidence wassafely preservedWe began by taking every hard drive and removing

residual data using Disk Wipe [16] Each disk wasconnected to a secondary forensic workstation (laptop)through a SATA to USB Adapter The Disk Wipe toolprovides several different wiping options and writes overdata with zeros The first disk was tested by examining itforensically after wiping it with only one pass Sincethere was some residual data that was found a DoDAlgorithm was selected next to wipe the disk using threepasses this method proved to be more efficient Afterevery disk was successfully wiped each one was installedwith Windows 7 Professional - 64 bits The 64-bitversion was used so that more random-access memory(RAM) could later be testedNext each disk was installed with only one specific

Internet browser pre-loaded from an external hard driveexcept for the portable applications The web browsersinstalled were Microsoft Internet Explorer Mozilla FirefoxApple Safari and Google Chrome Each browser wasconfigured to launch automatically into private browsing

Table 6 Browser analysis using portable web browsers

Portable browser Host machine activity

Opera portable Temp files appear to be created on disk a

Firefox portable MozillaRoaming directory was modified

Google chrome portable Folder called GoogleChromePortable hadand Portable Chrome Cache

Safari portable Setup files are portable but must be insta

mode except for Safari which had to be done manually Itis important to note since prior research [1] showedbrowser plug-ins and extensions to cause weakness toprivate browsing sessions none were installed It is alsoimportant to note that everything was pre-configuredbefore connecting to the Internet Figure 2 shows the harddrives being configured and labeled

62 Preliminary analysisWhile the disks were being properly developed a baselinewas established using a laptop with VMware and a fileintegrity monitoring program called DaemonFS [17] Thisassisted with having a general idea for which areas weremodified and accessed during normal private andportable web browsing sessions Once DaemonFS waslaunched it was set to monitor all activity within thelocal hard drive (root) After the logical parameterwas set each web browser was individually launchedand tested using a series of standardized steps Figure 3shows how the log is generated during activity Thesesteps included article searches image searches videosearches email account logins bank account logins andonline purchase attempts See Tables 4 5 and 6 for results

63 Private ate browsing experimentsAuthor1 has a background in law enforcement and hasexperience analyzing digital media for a vast array ofcrimes The Internet activities used for these experimentswere adapted from an abundance of information to includepast experience and knowledge It is important to note thatthese principles can still be applied to all aspects ofInternet forensics regardless of whether or not the scoperelates to a crime These types of browsing sessions canvery well be conducted without any criminal intent Theoverall purpose of digital forensics is to help establish and

nd then are deleted when session ends

and a few temp files under Local AppData were createddeleted

files created modified and deleted including Sys32WinevtLogs

lled on system (not standaloneexe) therefore will not be used for testing

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 8 of 13httpjiseurasipjournalscomcontent201316

articulate an affirmative link between A (artifact) and B(person place or thing) By collecting and analyzingenough data evidentiary content can be producedTo begin the main experiments each disk was separately

utilized as a single primary drive Every step was manuallyrecorded with timestamps for future reference points Forthe first four disks only private browsing sessions weretested using the installed web browsers For the purpose ofthese experiments a lsquobrowsing sessionrsquo will refer to allactivity conducted on one specific web browser Once aprivate browsing session was launched the same series ofsteps were performed for each browser Table 7 shows thedetails of these standardized sessionsAfter each browsing session was complete the web

browser process tree was terminated (verified) and theRAM was dumped into a file using FTK Imager Lite(installed on USB) Not only was the memory dumpedbut Registry files were obtained the pagefilesys wasextracted and an ad1 image file of the RAM wascreated as well The location of the RAM dump was storedon the target machines Desktop due to reasons that willlater be explained This would probably not be preferred ina real setting unless it was absolutely necessary In anyevent it is always important to document the footprintsleft behind on a live environment Initially the data wasextracted to an external hard drive The machine was thenunplugged from the back and the disk was carefullyremoved As noted a few extra things were done topreserve sound results The working memory wasdumped before and after every disk session to ensurethat residual data was not left over in the RAM fromthe session before In addition several Internet toolsfrom Nirsoft [18] such as cache viewer history viewerand cookie viewer were executed after each browsingsession was terminated and yielded negative resultsMeaning nothing could be discovered using these toolsafter private browsing sessions were used

Table 7 Internet sessions used for experiments

Website Standardized steps

Google Search for various images sites and forums targeteand images

Yahoo Search for various sites and forums targeted for crim

YouTube Search for how-to videos on different types hacking (

Gmail Send email with attachments

Hotmail Send email with attachments

Yahoo Mail Send email with attachments

SHSU Mail Send email with attachments

Online Banking Log into several accounts (stores cookies and certifi

Ammunition-to-Go Attempt to purchase large amounts (2000+) of am

Online Firearms Store Search for high capacity magazines and various we

Craigslist Search for different types of items for sale that mig

64 Portable browsing experimentThe next three disks were used in conjunction withportable web browsers running from a USB flash driveThe flash drive was installed with a program calledPortableApps Essentially PortableApps allows you torun different programs from a flash drive similar toan OS Start menu After setting up the Launchpad threeportable web browsers were installed on the flash driveMozilla Firefox Portable Google Chrome Portable andOpera Portable Again each hard disk was separately usedas a primary hard drive but this time without any otherweb browsers installed Each portable web browser wasindividually launched while performing the same series ofstandardized steps as the first four disks (Table 7)Whenever a disk was complete it was carefully placed intoan antistatic bag and into a cool dry place for storage Inaddition an antistatic wrist band was used while handlingall internal electronic components

65 Forensic acquisition and analysisThe last hard disk was developed with Windows 7 andFTK 32 to make it a dedicated computer forensic worksta-tion AccessDatas Forensic Toolkit (FTK) [19] is a court ac-cepted program used for examining computers and mobiledevices at the forensic level Each disk was individuallyconnected to the Desktop using a hardware-based writeblocker (Tableau) to protect any data from being altered bythe computer Digital evidence preservation is the most im-portant factor next to chain of custody when it comes toforensic integrity Using FTK Imager a bit stream image ofeach evidence disk was created as a compressed E01 imagefile and was verified by several different hashes Each imagetook anywhere from 3 to 5 h to complete Next individualimages were forensically examined analyzed and classifiedby FTK 32 One disk image took up to 72 h to process andthe disks with the installed browsers took the longest

d for criminal activity click on top five links savedownload different files

inal activity click on top five links savedownload available files

social media bank accounts and WiFi connections) click on links to open

cates)

munition (various high powered rounds) by searching and adding to cart

apons

ht be flagged as stolen

Table 8 Private web browsing artifacts

Artifacts Discovered Target locations

Microsoft internet explorer80 (InPrivate browsing)

Private browsingindicator

Y Memdump FreeSlack Space (lsquoStart InPrivate Browsingrsquo - prior to URL history)$I30 (hellipContentIE5- lsquoinprivate [1]rsquo- prior to list of jpegs) Pagefile

Browsing history Y Memdump Free space File slack (Temporary Internet Folder RoaminghellipCustomDestinations) SysVol Info $LogFile $J AppDatahellipIERecoveryActive

Usernamesemailaccounts

Y Memdump Freespace Temporary Internet Folder UserAppDatahellipIERecoveryActive

Images Y Memdump (partial photos) Free space (full content) File slack (full content)

Videos N NA

Google chrome 230127195(Incognito)

Incognitoindicators

Y Memdump ChromehellipInstallerchrome7z amp chromedll (timestamp matches)$I30 (safebrowsing timestamp) AppDataLocalGoogleChromeUser Datachrome_shutdown_mstxt (always updates with timestamp) AppDataLocalGoogleChromeUser DataDefaultExtension Statelog (declarative_rulesincognitodeclaritiveWebRequest- timestamp matches session start) ~SysVol Information (new incognitowindow with timestamps) AppDataRoamingMicrosoftWindowsRecentCustomDestinations (new incognito window with timestamps) ChromeUserDataSafebrowsingcookiesdb (modified timestamp)

Browsing history Y Memdump SysVol Info (matching timestamps) Pagefilesys (downloaded file)

Usernamesemailaccounts

N NA

Images Y Carved from Memdump (Mostly partial images)

Videos N NA

Mozilla Firefox 1701(Private browsing)

Private browsingindicators

Y Memdump (browsing mode) SysVolume Information (Enter Private Browsingand Windowrsquos User listed below- file timestamp accurate)

Browsing history Y Memdump Free space- AppDatahellipTemp WinPrefetch (rtf temp file downloaddiscovered) AppDatahellipFirefoxProfiles (blacklistxml- matching timestamps)FirefoxProfiles (file timestamps update)

Usernamesemailaccounts

N NA

Images Y Carved from Memdump (Mostly partial images)

Videos N NA

Apple Safari 517(Private browsing)

Private browsingindicators

Y Memdump ~SysVol Information (comappleSafariPrivateBrowsing timestamp)

Browsing history Y Memdump FreeSlack Space (URL History) AppDataLocalAppleCompSafariWebpageIconsdbgt gt tables AppDataLocalAppleCompSafari (databasestimestamp updates) AppDatahellipAppleCompSafari amp Preferences(several plist timestamp updates) Pagefile (URLs and modified timestamps update)

Usernamesemailaccounts

N NA

Images Y Carved from Memdump (Mostly partial images)

Videos N NA

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 9 of 13httpjiseurasipjournalscomcontent201316

Aside from the default processing options in FTKadditional refinements were selected to carve differenttypes of data and parse complex information Once FTKfinished processing the evidence files numerous hourswere spent sifting through the data We found that itwas also beneficial to use a program called Live View[20] to have a better understanding of the artifactsfound Live View is an open source program that canconvert a raw image to a virtual disk The disk must bebooted into safe mode for the virtual machine to workcorrectly without having to activate Windows By usingtwo screens simultaneously one with a live virtual

environment and the other with the forensic image inFTK it allowed us to fully grasp and understand theconnections See Tables 8 and 9 for complete results

66 Results analysisPrivate browsing modes and portable web browsers doin fact leave incriminating evidence but it depends onthe browser Some web browsers left enough informationto establish an affirmative link and some did not Out ofthe four major web browsers Internet Explorer providedthe most residual artifacts but not where commonartifacts are typically sought This was fairly consistent

Table 9 Portable web browsing artifacts

Artifacts Discovered Target Locations

Google chromeportable - 240131252

Browser indicators Y NTFS Allocated and Unallocated Space Prefetch Pagefile Memdump $LogfileUsersAppDataRoamingMicrosoftWindowsRecentCustomDestinations ~SystemVolume Information AppDataLocalTemp AppDataLocLowMicCryptnetUrlCacheWinAppCompatProgRecentFileCache WinMicNETFrameworklog (fileslack)WinSys32LogFilesWUDF (fileslack)

Browsing history Y NTFS Allocated and Unallocated Space Memdump Orphan Directory PagefileUsersAppDataRoamingMicrosoftWindowsRecentCustomDestinations (Carved lnk)

Usernamesemailaccounts

Y [Orphan] directory and NTFS Unallocated FreeSlack Space

Images Y Carved (NTFS Unallocated Space and Orphan Directory)

Videos N NA

Opera portable - 1212 Browser indicators Y NTFS Allocated and Unallocated Space Pagefile Memdump $LogFile ~System VolumeInformation NTUSERDAT AppDataLocalMicWinUsrClassdat UsersAppDataRoamingMicrosoftWindowsRecentCustomDestinations (Carved lnk) WinPrefetch WinSys32LogFilesSQMSQMLogger

Browsing history Y Memdump AppDataRoamingMicWinRecCustomDestinations (Carved lnk files withLast Access Times)

Usernamesemailaccounts

N NA

Images Y Carved from Memdump (Mostly partial images and difficult to view full content)

Videos N NA

Mozilla fireFoxportable - 1801

Browser indicators Y Memdump SysVol Information file timestamp (Firefox Portable appinfo)

Browsing history Y Memdump SysVol Information (Email only)

Usernamesemailaccounts

Y Memdump SysVol Information (Email Account History)

Images Y Carved from Memdump (Mostly partial images and difficult to view full content)

Videos N NA

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 10 of 13httpjiseurasipjournalscomcontent201316

with all the browsers For example the Indexdat (history)and Registry gt TypedURLs were empty but we were stillable to recover virtually all cached images URL historyand usernames with their associated accounts Everythingwas recoverable except for playable videos Even thoughmost of the data was recovered from RAM free spaceand slack space areas there were sufficient findings withinallocated space as well Figure 4 shows an lsquo[InPrivate]rsquoindicator within RAM prior to an online search for hackingIn regard to indicators there were a few areas wherelsquoInPrivatersquo and lsquoStart InPrivate Browsingrsquo were notedprior to a URL history log Figure 5 shows one of theseindicators within allocated space It was also noted thatthe Microsoft lsquoPrivacIErsquo directory was found emptyThe three remaining browsers were a little more difficult

to recover residual artifacts from It appeared that theoverall best way to recover residual data was to obtain theevidence from RAM or working memory but that is not

Figure 4 [InPrivate] search for lsquohow + to + hack +helliprsquo within RAM (Hex

always possible for investigators For Google ChromeIncognito artifacts there were many browsing indicatorsand changes in timestamps to show Chrome usage Howeverit was difficult to establish an affirmative link between theuser and session because none of the usernames and otherhistorical information was accessible the same resulted forMozilla Firefox In both of these cases any documents thatwere temporarily opened from the Internet were recoverableThis information is important because browsing indicatorsalong with timestamps may be able to explain whysomething like as URL history is not there For example ifa live search using regular expressions was used to locateone of these hidden artifacts in an unfamiliar location aninvestigator can now understand why they were not foundin other common areasApple Safari seemed to fall in the middle by keeping

most things private while still leaving traces on themachine The easiest way to view the browsing history

view)

Figure 5 InPrivate indicator in FTK

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 11 of 13httpjiseurasipjournalscomcontent201316

for Safari private browsing sessions was to locate thelsquoWebpageIconsrsquo database under Safari artifacts This databaseprovided a good log of every visited URL along with otherpertinent information Figure 6 shows some of the databaseartifacts using FTK It is important to realize that thiscan be used to explain to courts as to why URL historywould be located here and nowhere else under Safari dataIt is not always about what is present but what is absentis also of valueWith regard to residual portable browsing artifacts it

appeared that everything was just as easily obtainedfrom the memory dumps as it was with the installedbrowsers However not everything was located on thetarget hard drives Out of the three portable webbrowsers tested Google Chrome Portable left the mostresidual artifacts on the host machine The recoveryseemed as if Chrome was installed on the machine itselfAlmost all artifacts to include images browsing historybrowsing method and usernames with associated accountswere located on the disk Also note these recoveredartifacts were obtained without the flash drive Theimportance for an investigator to distinguish that theseartifacts came from Google Chrome Portable is for tworeasons (a) to be able to explain why Chrome artifactswere not located under common areas and (b) to alert theinvestigator that further evidence may be found on a flash

Figure 6 Safari WebpageIcons database

drive that the investigator did not originally considerFigure 7 provides a comparison of all the browserstested and the strength of evidence which can be foundOpera Portable on the other hand did not leave as

much information as Chrome There were many portablebrowsing indicators but most history artifacts werelimited none of the usernames or accounts could berecovered Firefox Portable resulted in similar findingshowever some user activity was found to be recoverableAll of the usernames associated with their respected emailaccounts were recovered along with Firefox browsingindicatorsIn reference to carved images from RAM most of

them were distorted but a few of the images could beseen as a whole One solution was to try and match adistorted image from RAM with a whole image on thehard drive using FTKs fuzzy hash option This would bea great way to link carved contraband to working memoryartifacts and therefore strengthening evidence against theuser The program attempts to match files by determininga fundamental level of similarity between hashes Thismethod did not always work as hoped Some of thethumbnails stored in RAM were successfully matchedwith ones on the disk but none specific to user activityPerhaps on a machine with a much higher capacity ofRAM this would be more useful

Figure 7 Web browsers - strength of residual evidence

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 12 of 13httpjiseurasipjournalscomcontent201316

67 Additional forensic resultsAside from discovering hidden web browsing artifactsthere is another finding worth mentioning due to itssignificant linking of users and machines Every time theexternal hard drive (WD Passport) was connected toone of the machines via USB not only did it leaveunique identifiers but also a log of every folder locatedon the Passport This information was transferreddirectly to the Windows machine while remaining onthe hard drive and RAM For this reason a flash drivewas later used to dump the memory on the Desktop topreserve data integrity without further contaminationThe Passport files were discovered within several differentlocations on the hard drive One was within a log file calledthe Circular Kernal Context Logger (BootCKCLetl)and the other was within Tracefx files Most prob-ably the reason for the Tracefx files was due to theactivity of a USB device configured for ReadyBoost(virtual memory)This finding raises a number of questions and concerns

An investigator can easily document certain footprintssuch as plugging in devices and checking runningprocesses It is the unknown footprints which cancause a problem This could violate certain policy andprocedures that were once considered forensicallysound On the other hand it could provide an investigatorwith enough information to understand that the file pathsmay be pointing to an external device So not only willinformation from the Registry provide unique identifiersbut this could also be used to know what type ofcontraband may be on the lsquomissing evidencersquo This informa-tion would be extremely helpful when trying to establish anaffirmative link between user and target machine

7 Future workFuture work may include further RAM experimentsand more efficient methods to extract information

over an extended period of time instead of one con-trolled browsing session In addition forensic tools orcarving options may be developed to provide investi-gators with whether or not these browsing artifactsexist (01 = FalsePositive) and parse these artifactsaccordingly

8 ConclusionThe majority of recovered artifacts were discovered inRAM slackfree space and FTK [Orphan] directoriesThat being said information was still obtained withinallocated space Another commonality between thebrowsers was information contained within the SystemVolume Information directory The bottom line is thatour research clearly establishes authoritative answers towhich were never there before In addition some of ourauthoritative results contradict prior research statementsFor example one study [2] made the statement that itwould be impossible to trace residual information otherthan USB identifiers if a portable storage device was notaccessible to the investigator Our research clearly showsthat further data can still be recovered on host machineswithout the portable storage device being present Overallour research is a valuable resource pertaining to privateand portable web browsing artifacts Not every web browserwill leave incriminating evidence but some will dependingon the situation These residual artifacts may or may not beimportant to a case but on the other hand it may bethe only way to explain certain results Computerforensic investigators must treat digital environmentslike a real crime scene It is not only important todocument what is found but to also note what is notthere and ask why Our research now provides an alter-native way to perceive these types of findings andexplain the results We conclude that just becausesomething is not there does not mean it neverhappened

Ohana and Shashidhar EURASIP Journal on Information Security 2013 20136 Page 13 of 13httpjiseurasipjournalscomcontent201316

Competing interestsThe authors declare that they have no competing interests

Received 29 July 2013 Accepted 4 November 2013Published 21 November 2013

References1 G Aggarwal E Bursztein C Jackson D Boneh An analysis of private

browsing modes in modern browsers in Proc Of 19th Usenix SecuritySymposium ( Washington DC 2010) pp 11ndash13

2 JH Choi KG Lee J Park C Lee S Lee Analysis framework to detect artifacts ofportable web browser (Center for Information Security Technologies Seoul 2012)

3 SanDisk U3 Launchpad End of Life Notice 2010 Available httpkbsandiskcomappanswersdetaila_id5358~u3-launchpad-end-of-life-noticeAccessed 28 July 2012

4 C Soghoian Why private browsing modes do not deliver real privacy(Center for Applied Cyber security Research Bloomington 2011)

5 Wikipedia U3 2013 Available httpenwikipediaorgwikiU3Accessed 22 July 2012

6 R Tank PAH Williams The impact of U3 devices on forensic analysis(Australian Digital Forensics Conference Perth 2008)

7 T Bosschert Battling anti-forensics beating the U3 stick J Digit ForensicPract 1(4) 265ndash273 (2007)

8 Microsoft InPrivate Browsing 2012 Available httpwindowsmicrosoftcomen-USinternet-explorerproductsie-9featuresin-privateAccessed 03 September 2012

9 Google Incognito mode 2012 Available httpswwwgooglecomintlenchromebrowserfeatureshtmlprivacy Accessed 03 September 2012

10 Mozilla Private Browsing 2012 Available httpsupportmozillaorgen-USkbprivate-browsing-browse-web-without-saving-infoAccessed 03 September 2012

11 Apple Safari 51 Browse Privately 2012 Available httpsupportapplecomkbPH5000 Accessed 03 September 2012

12 PortableApps 2013 Available httpportableappscomAccessed 27 July 2012

13 PortableApps Mozilla Firefox Portable Edition 2013 Availablehttp portableappscomappsinternetfirefox_portable Accessed 27 July 2012

14 PortableApps Google Chrome Portable 2013 Available httpportableappscomappsinternetgoogle_chrome_portable Accessed 27 July 2012

15 PortableApps Opera Portable Edition 2013 Available httpportableappscomappsinternetopera_portable Accessed 27 July 2012

16 Disk Wipe Disk Wipe 2009 Available httpwwwdiskwipeorgAccessed 12 December 2012

17 DaemonFS Sourceforge DaemonFS 2010 Available httpsourceforgenetprojectsdaemonfs Accessed 27 July 2012

18 Nir Sofer NirSoft Freeware Utilities 2013 Available httpnirsoftnetAccessed 12 December 2012

19 AccessData FTK 2013 Available httpwwwaccessdatacomproductsdigital-forensicsftk Accessed 18 December 2012

20 Carnegie Mellon Live View 2006 Available httpliveviewsourceforgenetAccessed 18 December 2012

doi1011861687-417X-2013-6Cite this article as Ohana and Shashidhar Do private and portable webbrowsers leave incriminating evidence a forensic analysis of residualartifacts from private and portable web browsing sessions EURASIPJournal on Information Security 2013 20136

Submit your manuscript to a journal and benefi t from

7 Convenient online submission

7 Rigorous peer review

7 Immediate publication on acceptance

7 Open access articles freely available online

7 High visibility within the fi eld

7 Retaining the copyright to your article

Submit your next manuscript at 7 springeropencom