Web browser artefacts in private and portable modes: a forensic investigation
Issue Date
2016-04Subjects
web browser forensicsportable applications
private browsing
incognito mode
physical memory
Windows
Chrome
Firefox
Opera
OSForensics
Internet Explorer
web browsers
browser artefacts
portable browsers
user privacy
volatile memory
recoverable artefacts
record recovery
evidence recovery
G400 Computer Science
Metadata
Show full item recordAbstract
Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts as portable and private browsing are now common and available in popular web browsers. Browsers claim that whilst operating in private mode, no data is stored on the system. This paper investigates whether the claims of web browsers discretion are true by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when used in a private browsing session, as a portable browser, and when the former is running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory by means of dump files, hibernate and page files are the key areas where evidence from all browsers will still be recoverable despite their mode or location they run from.Citation
Flowers, C., Mansour, A. and Al-Khateeb, H.M. (2016) ‘Web browser artefacts in private and portable modes: a forensic investigation’, Int. J. Electronic Security and Digital Forensics, 8 (2) pp.99–117Publisher
InderscienceAdditional Links
http://www.inderscience.com/info/inarticle.php?artid=75583Type
ArticleLanguage
enISSN
1751-9128EISSN
1751-9128ae974a485f413a2113503eed53cd6c53
10.1504/IJESDF.2016.075583