Private Browsing: A Window of Forensic Opportunity
1. Private Browsing: A Window of Forensic Opportunity [1]
Howard Chivers
Presented by Aung Thu Rha Hein (g5536871)
[1] H. Chivers (Dept. of Computer Science, University of York), “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.
2. Outline
■ Introduction
■ Background
○ Digital Forensic
○ Browser Architecture
○ Private Browsing
■ Private Browsing: A window of Forensic Opportunity
■ Conclusion
■ References
3. Introduction
Motivation
■ The browser is the most used application
■ Digital artifacts from browsers are valuable
■ Private browsing becomes a barrier to forensic analysis
4. Introduction
Problem Statements
■ Is it possible to discover digital artifacts from private
browsing sessions?
■ Different browsers have different architecture…
■ Is it possible to develop a common forensic
methodology for all browsers?
5. Introduction
Research Objectives
■ To analyze the possibility of browser forensics
■ To measure the privacy level & capability of private browsing
■ To propose a methodology for analyzing public & private browsing artifacts
6. Background
Digital Forensic
■ Basic methodology
■ 3 methodologies & the detailed process varies
○ Basic Forensic Methodology
○ Cyber Tool Online Search For Evidence (CTOSE)
○ Data Recovery UK (DRUK)
9. Background
Private Browsing
■ no traces of browsing activity after the session ends
■ architecture and capability vary from browser to browser
■ Goal & Threat model:
○ Local attackers
○ Web attackers
10. Background
Private Browsing/2
[Table; the column positions of the X marks were lost in extraction]
Columns: Browser (Private Mode) | Private Browsing Indicator | Browsing History | Usernames/Email accounts | Images | Videos
IE 8.0: X
Google Chrome 23.0.1271.95: X X
Mozilla Firefox 17.0.1: X X
Apple Safari 5.1.7: X X
[1] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of
residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.
11. Background
Related Works
[1] Keith J. Jones, “Forensic Analysis of Internet Explorer Activity Files,” 2003.
[2] Gaurav Aggarwal and Collin Jackson, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Security Symposium, 2010.
[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.
12. Background
Related Works/2
[4] H. Said, N. Al Mutawa, I. Al Awadhi, and M. Guimaraes, “Forensic analysis of private
browsing artifacts,” in 2011 International Conference on Innovations in Information
Technology (IIT), 2011, pp. 197–202.
[5] D. J. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave
Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and
Portable Web Browsing Sessions,” 2013, pp. 135–142.
[6] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation,
2013.
14. Private Browsing: A window of Forensic Opportunity
Objectives
■ Forensic capability of IE 10’s InPrivate browsing
■ architecture changes in IE 10
○ replaces historical binary formats with a new database technology, the Extensible Storage Engine (ESE)
■ To study the internal behaviour of InPrivate browsing
15. Private Browsing: A window of Forensic Opportunity/2
Extensible Storage Engine (ESE)
■ allows applications to retrieve data via Indexed & Sequential Access
[Figure: The Propagation of Transaction Data into Disk Files]
16. Private Browsing: A window of Forensic Opportunity/3
HTTP/HTML Data Storage
■ each data type is stored in a separate database table
■ also separated by integrity level (private or public)
Data Type | Description
Cookies | maintain state across HTTP exchanges
Web Storage | allows storing name:value data
Indexed Database Storage | stores large arbitrary objects with indexes (internet.edb)
17. Private Browsing: A window of Forensic Opportunity/4
Method
[Figure: workflow diagram with the labels VMware, Windows 8 Pro, IE 10.0.9.., FTK Imager, E01.img, ESECarve, Result, Python script, Analyzed Result]
■ 3 InPrivate experiments: a scoping exercise, a controlled comparison with ample system memory & a mixed load scenario
18. Private Browsing: A window of Forensic Opportunity/5
Browser Data Structures
■ \Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache
■ contains a containers table
■ the containers table is an index to container_nn
■ Metro Apps have several containers
19. Private Browsing: A window of Forensic Opportunity/6
Identifying InPrivate Browsing records
■ records are stored in the same database
■ private browsing records are identified by a marker (type field)
■ browsing records are deleted after the session is over
■ records still remain in the log file (xxx.log)
■ log files are removed when the browser opens again
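An added example (not from the slides or from Chivers' paper): because the slide above says deleted InPrivate records remain in the log file, one simple triage step is to carve URL strings from the raw log bytes and drop those still present in the live database. The string encodings tried (ASCII and UTF-16LE), the filler bytes, and the sample URLs are constructed assumptions; the type-field marker is not decoded because the slides do not give its value.

```python
import re

# URL patterns for the two encodings tried; which one the records actually
# use is an assumption, so both are scanned.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,200}")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"
)

def carve_urls(blob):
    """Return {url: [byte offsets]} for every URL-like string in blob."""
    hits = {}
    for pattern, encoding in ((ASCII_URL, "ascii"), (UTF16_URL, "utf-16-le")):
        for m in pattern.finditer(blob):
            hits.setdefault(m.group().decode(encoding), []).append(m.start())
    return hits

def residual_urls(log_blob, live_urls):
    """URLs found in the log bytes that are no longer in the live database."""
    live = set(live_urls)
    return {u: o for u, o in carve_urls(log_blob).items() if u not in live}

def _rec(url, encoding):
    # Constructed record: 4 filler bytes, the URL, a NUL terminator.
    return b"\x07\x00\x1f\x00" + url.encode(encoding) + b"\x00\x00"

# Constructed stand-in for the bytes of a transaction log file.
SAMPLE_LOG = (
    b"\x00" * 16
    + _rec("https://intranet.example/home", "ascii")
    + b"\xff" * 8
    + _rec("https://private.example/session?id=1", "utf-16-le")
    + _rec("http://private.example/img.png", "ascii")
)
# Constructed stand-in for URLs exported from the live database tables.
LIVE_DB_URLS = ["https://intranet.example/home"]

if __name__ == "__main__":
    for url, offsets in sorted(residual_urls(SAMPLE_LOG, LIVE_DB_URLS).items()):
        print(f"{url}  at offsets {offsets}")
```

On real evidence, `log_blob` would be read from a forensic copy of the log file, and each hit is only a candidate that still needs its surrounding record examined.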
20. Private Browsing: A window of Forensic Opportunity/7
Recovery Success
[Figure: Disk map of recovered InPrivate browsing records]
21. Conclusion
■ research works on browser forensic
■ possibility of forensic analysis on private browsing
■ InPrivate browsing and internal behaviour
Thank You & Questions?
22. Reference
Research papers
[1] H. Chivers, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.
[2] G. Aggarwal and E. Bursztein, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Secur. …, 2010.
[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing
Mode in Popular Browsers,” 2010.
[4] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave
incriminating evidence?: a forensic analysis of residual artifacts from
private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.