A Forensic Analysis of Residual Artifacts From Private and Portable Web Browsing Sessions

Posted by Kaidi Wang

Introduction

Nowadays, people are enjoying the convenience internet brings to us. But sometimes they don't want to leave their footprint in internet. So most browsers have developed the features to provide us with private browsing mode. But do you believe in it? How difficult would it be to trace you for forensic analyst?

As is mentioned in [1], the private mode works mainly in two ways: removing information after session or not writing the data at all. Two goals of the method include browsing internet without leaving any trace and browsing the internet anonymously.

To meet the privacy demand, portable browsers came out, which are installed on USB flash drive. But do they really leave nothing in the target computer?

The web browsing artifacts such as usernames, browsing history may contain significant evidence to examiner. So if we are able to find residual artifacts in the target computer, it may provide pivotal evidence on court even if criminals delete browsing history or use portable browsers. This blog would give you a brief introduction of a paper named 《 Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions 》.

Background

To make it easier for you to understand the research, I list some terms and definitions in the table below.

Term	Definition
Residual artifacts	Remaining data such as files, images, documents, and web content
ISO image	A computer file that is an exact copy of an existing file, CD, DVD, etc.
Browser cache	Temporary Internet files (storage) for increasing speed
RAM	Working memory that is volatile
Slack space/file slack	Unused space in a disk cluster (area between end of file and end of disk cluster)

Related Work

According to [2], private browsing modes have two main goals: leave no trace to web and leave no trace to local machine. Also, extensions can weaken private browsing modes. However, the study ignored volatile memory, which is introduced when operating system caches DNS solutions. By analysing cache and TTL values, a examiner can learn if the user visited some websites and when.

[3] explained that portable browsers mainly store browsing artifacts in installation folder. Even if it is possible to discover residual artifacts by analysing Windows Registry and Windows Prefetch files, investigators cannot trace any further information if the portable disk is not available to them. However, this statement is against our experiment.

Sandisk and Microsoft worked together many year ago on a project called U3 technology, which meant to allow users to carry a portable disk containing personalized files and browsers. There are two partions to the U3 flash drive structure: mass storage device and virtual CD-ROM. In [4], U3 identifiers were discovered by analysing Windows Registry and Windows Prefetch files. The majority of traces were located within slack space and free space of the hard drive.

Major Browsers and Private Browsing

Lists of areas where the browsers' web browsing artifacts are located can be found in the original paper. I just summarize the private browsing features in the blog according to the paper.

IE offers users a private browsing feature called InPrivate Browsing. When users use InPrivate Browsing, temporary files and cookies would be temporarily stored and discarded after session ends.

Google Chrome

Chrome offers Incognito Mode to allow users browse internet in a private setting. According to Google [5], Incognito mode does not record any browsing or download histories, and all created cookies will be removed when exiting a session completely.

Mozilla Firefox

Firefox offers a discreet browsing mode called Private Browsing. Mozilla explained that Private Browsing mode allows users to surf the Internet without saving any information about visited sites or pages but don't make users anonymous from web sites, ISP's and networks.

Apple Safari

According to Apple, Private Browsing mode ensures that web pages are not added to the history list, cookie changes are discarded, searches are not added to the search fields, and websites cannot modify information stored on the computer.

Implementations and Experiments

Tools and Setup

Hardware

1- Desktop (PC - forensic workstation - 4-GB RAM)

1- Laptop (PC - forensic workstation - 6-GB RAM)

8–160 GB SATA Hard Drives (one dedicated drive for lab)

1- USB Flash Drive (8 GB)

1- USB External Drive (1 TB WD Passport)

1- SATA to USB Adapter

1- Tableau USB Write Blocker (IDE/SATA)

Antistatic Bags and Antistatic Wrist Strap

Software

Microsoft Windows 7 Professional (64)

Internet Explorer, Firefox, Safari, Chrome

VMware - virtualization software

DaemonFS - file integrity monitoring program

Disk Wipe - to replace data on disk with zeros

Nirsoft Internet Tools - history, cache, and cookie viewers

Live View - Java based tool to convert .dd to .vmdk

PortableApps - portable application Launchpad

Firefox Portable, Chrome Portable, Opera Portable

FTK Imager - used to create forensic images

FTK Imager Lite - portable version

AccessData FTK version 3.2 (Licensed) - used to analyze forensic images and organize information

To conduct a standardized test across multiple controlled environments was the key to the research. At the beginning, all disks were wiped using Disk Wipe and DoD Algorithm. After that, all disks were installed with Windows 7 Professional - 64 bits.

Next, each disk was installed with only one specific Internet browser pre-loaded from an external hard drive as shown in picture below.

Preliminary Analysis

While the disks were being developed, DaemonFS installed on a laptop with VMware would monitor the file integrity. After the logical parameter was set, each web browser was individually launched and tested using a series of standardized steps. These steps included article searches, image searches, video searches, email account logins, bank account logins, and online purchase attempts. Results are shown in tables below.

Browser analysis during normal browsing sessions
Browser	Primary Changes
IE 8.0	Temp File Directory files (Content.IE, History.IE5, Cookies, Recovery, Custom Destinations, Index.dat) are created, modified, and deleted
Google chrome 23.0.1271.95	Directory Chrome\User Data (Safe Browsing Whitelist, Default\ Cache, Current Session, Default\History, Default\Session Storage) files are created, modified, and deleted
Firefox 17.0.1	Directory Firefox\Profiles (Cache, jumpListCache, etc.) and Win CustomDestinations, files are created, modified, and deleted
Safari 5.1.7	Directory AppleComputer\Safari (Cache, History, Webpage Previews, Cookies, WebpageIcons.db) files are created, modified, and deleted

Browser analysis during private browsing sessions
Private browser	Noticeable change
IE InPrivate Browsing	Everything gets deleted when exiting the browser and the entire session is terminated
Google Chrome Incognito Mode	Safe Browsing databases, Cookies, and History are modified, no changes during session but the chrome_shutdown_ms.txt is replaced with a new timestamp when session ends
Firefox Private Browsing	Safe Browsing database gets modified, nothing appears to be written while surfing, but when session ends, some Firefox\Profile files are modified
Safari Private Browsing	Only NTuser.dat appears to be modified

Private Browsing Experiment

To begin the main experiments, each disk was separately utilized as a single primary drive. After each session was completed, the RAM would be dumped into a file using FTK imager Lite as shown in picture below. Not only was the memory dumped but Registry files were obtained, the pagefile.sys was extracted, and an .ad1 image file of the RAM was created as well.

Portable Browsing Experiment

Next three disks were used with portable browsers running from a USB flash drive. The flash drive was installed with PortableApps which allows to run differen programs from flash drive. Each hard disk was used as the primary hard drive and the browsers perform the same session steps as the previous experiment. When a disk was complete, it is sealed into a antistatic bag and into a cool dry place for storage. The procedure is shown in picture below.

Forensic Acquisition and Analysis

The last hard disk was developed with Windows 7 and FTK 3.2 to make it a dedicated computer forensic workstation. Each disk was individually connected to the Desktop using a hardware-based write blocker (Tableau), to protect any data from being altered by the computer. Using FTK Imager, a bit stream image of each evidence disk was created as a compressed E01 image file and was verified by several different hashes. This was illustrated in picture below.

Result Analysis

Private browsing mode and portable browsers do leave incriminating evidence. But it depends on browsers. The general result is shown in figure below.

Installed IE

Out of the four browsers, IE provided the most residual artifacts. Everything was recoverable except for palyable videos. Most of the data was found in slack space and RAM. But sufficient data was found in allocated spaces as well. There was a [InPrivate] indicator in RAM prior to online search hacking as shown in figure below.

The overall best way to recover residual artifacts is to obtain RAM or working memory, which is not always possible.

Installed Chrome & Firefox

For Chrome Incognito artifacts, there were many browsing indicators and timestamp changes. However, it is difficult to establish affirmative link between user and the session because none of username and other historical information was accessible. The same resulted for Firefox.

Installed Apple Safari

The easiest way to view the browsing history for private sessions was to locate the ‘WebpageIcons’ database under Safari artifacts. This database provided a good log of every visited URL along with other pertinent information.

Google Chrome Portable

Google Chrome Portable left the most residual artifacts on the host machine. The recovery seemed as if Chrome was installed on the machine itself. Almost all artifacts to include images, browsing history, browsing method, and usernames with associated accounts, were located on the disk. Also note, these recovered artifacts were obtained without the flash drive.

Opera Portable & Firefox

here were many portable browsing indicators but most history artifacts were limited; none of the usernames or accounts could be recovered. Firefox Portable resulted in similar findings; however, some user activity was found to be recoverable. All of the usernames associated with their respected email accounts were recovered along with Firefox browsing indicators.

Conclusion

The majority of recovered artifacts were discovered in RAM, slack/free space, and FTK [Orphan] directories. That being said, information was still obtained within allocated space. Our research clearly shows that further data can still be recovered on host machines without the portable storage device being present. These residual artifacts may or may not be important to a case, but on the other hand it may be the only way to explain certain results.

Reference

[1] Ohana, D. J., & Shashidhar, N. (2013). Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP Journal on Information Security, 2013(1), 6.

[2] Burzstein, G. A. E., Jackson, C., & Boneh, D. (2010, August). An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium.

[3] Choi, J. H., Lee, K. G., Park, J., Lee, C., & Lee, S. (2012). Analysis framework to detect artifacts of portable web browser. Information Technology Convergence, Secure and Trust Computing, and Data Management, 207-214.

[4] Bosschert, T. (2007). Battling anti-forensics: beating the U3 stick. Journal of Digital Forensic Practice, 1(4), 265-273.

[5] Google, Incognito mode, 2012.