RESEARCH Open Access

Do private and portable web browsers leave incriminating evidence: a forensic analysis of residual artifacts from private and portable web browsing sessions

Donny J Ohana* and Narasimha Shashidhar

Abstract

The Internet is an essential tool for everyday tasks. Aside from common use, the option to browse the Internet privately is a desirable attribute. However, this can create a problem when private Internet sessions become hidden from computer forensic investigators in need of evidence. Our primary focus in this research is to discover residual artifacts from private and portable web browsing sessions. In addition, the artifacts must contain more than just file fragments and enough to establish an affirmative link between user and session. Certain aspects of this topic have triggered many questions, but there have never been enough authoritative answers to follow. As a result, we propose a new methodology for analyzing private and portable web browsing artifacts. Our research will serve to be a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.

Keywords: Private browsing; Portable web browsers; Internet forensics; Portable browsing; Web browser artifacts; RAM analysis

*Correspondence: djo007@shsu.edu
Department of Computer Science, Sam Houston State University, Huntsville, TX 77340, USA

© 2013 Ohana and Shashidhar; licensee Springer. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Ohana and Shashidhar EURASIP Journal on Information Security 2013, 2013:6
http://jis.eurasipjournals.com/content/2013/1/6

1. Introduction

In the last 20 years, the Internet has become drastically essential for everyday tasks associated with stationary and mobile computer devices. Aside from common Internet usage, people desire the option to browse the Internet while keeping their user information private. As a result, new web browsing features were slowly developed for all major web browsers, asserting the option of 'private browsing.' This method works by either removing information at the end of a private session or by not writing the data at all. Other private browser features may include concealing additional information such as cookie discoverability from websites.

According to one study [1] there are two private browsing objectives. The first objective is to allow users to browse the Internet without leaving any trace. The second is to allow users to browse the Internet while limiting identity discoverability to websites. While both of these goals are important, our research will focus on discovering information from local storage devices since the majority of computer investigations involve search and seizure of local machines. One alternative to using private browsing modes is to surf the Internet using a portable web browser, such as one stored on a Universal Serial Bus (USB) flash drive. Therefore, web browsing sessions are more likely to be stored on the portable storage device itself instead of the computer or host machine.

Private and portable web browsing artifacts, such as usernames, electronic communication, browsing history, images, and videos, may contain significant evidence to an examiner. Prior research in this area is very limited. Referring back to one of the main studies on private browsing modes [1], this research lacks an in-depth analysis of deleted and volatile information pertaining to private browsing sessions. In another study focused on portable web browsers [2], many statements were made without the basis of true experimental findings. Furthermore, there are virtually no published studies on residual artifacts from current portable web browsers existing on host machines.

In the past, similar studies have been conducted on the SanDisk U3 flash drive and its portable applications. Since U3-USB devices had a pre-installed read-only partition, it was challenging for forensic investigators to discover electronic evidence. In the latter part of 2009, SanDisk began phasing out support for U3 Technology and it has been discontinued because of many irresolvable issues [3].

Private and portable web browsing artifacts can be extremely valuable. Prior research either lacks significant findings or does not provide sufficient answers. We plan to overcome these shortcomings by analyzing both allocated and unallocated space on entire disks while measuring our results against multiple web browsers. Furthermore, we plan to analyze volatile data that may be available in an incident response.

This paper is organized as follows: Section 2 provides a list of background terms. Section 3 describes prior and related work in private browsing modes and portable web browsers. Section 4 discusses the four major browsers and their privacy capabilities. Section 5 discusses several different portable web browsers. Section 6 details the implementation and experiments. Sections 7 and 8 conclude the paper with some open questions, future work, and discussion.

2. Background definitions

In this section, we provide a list of background terms and definitions (Table 1) to assist readers with some of the terminology used in this research.

Table 1. Terms and definitions
Terminology | Definition
Residual artifacts | Remaining data such as files, images, documents, and web content
Affirmative link | Judicially devised standard to aid Courts in determining sufficiency of evidence between subject and offense
ISO image | A computer file that is an exact copy of an existing file, CD, DVD, etc.
Virtual machine | Simulation of a real machine
Prefetch files (Windows) | Each time an application is run on a Windows machine, a Prefetch file referencing the loaded application is created to speed boot time
$I30/$MFT | New Technology File System (NTFS) Index Attribute/Master File Table
Browser cache | Temporary Internet files (storage) for increasing speed
RAM | Working memory that is volatile
Pagefile (paging) | Virtual memory designated on disk
Memdump | Action of dumping volatile memory into a file to view contents
Drive free space | Referencing the unallocated space on disk
Slack space/file slack | Unused space in a disk cluster (area between end of file and end of disk cluster)
System volume information | Volume shadow copy (snapshots) for system restore/backup
FTK orphan directory | Contains files that no longer have a parent, and the parent folder is overwritten (using $MFT as a reference)
Data carving | There are many different types of data carving techniques (block-based, statistical, semantic, etc.) but essentially, most data carvers extract content by looking for file headers/footers and then 'carving' data blocks in between

3. Related work

3.1. Private browsing

In the study [1] on private browsing modes in modern browsers, researchers presented a list of inconsistencies between private browsing goals and browser implementations. They also defined private browsing modes to have two primary goals: privacy against the web and privacy against local machines. Meaning, the user's identity should not be identified over the Internet (web), and the user's activity should not be recorded on the machine (local). One example is that Mozilla Firefox and Google Chrome both take steps to remain private against websites during private mode. Apple Safari on the other hand takes measures to only protect against local machines, but through our research, we will exploit some of the vulnerability to that method.

The researchers found that all the web browsers (tested) failed in one way or another when analyzing policies. This is mainly because of complications introduced by browser plug-ins and extensions. It was also shown that extensions can weaken private browsing modes and therefore activities can still be recorded. One example is that Google Chrome disables all extensions during private browsing mode and Firefox does not. With regard to inconsistencies within a single browser, the researchers found that cookies set in public mode in Firefox 3.6 are not available to the web when browsing privately, however SSL certificates and passwords are.

Ultimately, this study establishes a good foundation for private browsing analysis but lacks significant findings. The areas primarily studied were policy inconsistencies, browser extension weaknesses, private browsing usage, website user discoverability, and Firefox vulnerabilities.
Various files and folders which were privately modified and accessed are pointed out by the researchers, but they do retrieve specific data that is deleted after a private session is terminated. Also, volatile memory artifacts were ignored because they wanted to show discoverability after the memory was cleared. When a small experiment was conducted running a memory leaking program, certain artifacts from private browsing sessions were discovered in the memory. The explanation given was that operating systems often cache DNS resolutions, and therefore by analyzing the cache and TTL values, an investigator can learn if and when the user visited a particular site. In addition, the Operating System can swap memory pages leaving further traces of user activity.
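
The DNS-cache reasoning attributed to study [1] above can be worked through in code. The following is an added example, not code from this paper or from [1]; the cache text is constructed in the layout printed by Windows `ipconfig /displaydns`, and the authoritative TTL table and capture time are assumed inputs the examiner would collect separately.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of Windows `ipconfig /displaydns` output.
SAMPLE_CACHE = """\
    mail.example.com
    ----------------------------------------
    Record Name . . . . . : mail.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 2210
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10


    forum.example.net
    ----------------------------------------
    Record Name . . . . . : forum.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 95
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7
"""

# Assumption: TTLs handed out by the authoritative servers, looked up by the examiner.
AUTHORITATIVE_TTL = {"mail.example.com": 3600, "forum.example.net": 300}

FIELD = re.compile(r"^\s*(Record Name|Time To Live)[\s.]*:\s*(\S+)\s*$")


def parse_cache(text):
    """Return [(name, remaining_ttl_seconds)] from displaydns-style text."""
    entries, name = [], None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Record Name":
            name = value.lower()
        elif name is not None and value.isdigit():
            entries.append((name, int(value)))
            name = None
    return entries


def estimate_lookups(text, captured_at, authoritative_ttl):
    """Estimate when each cached name was last resolved.

    elapsed = original TTL - remaining TTL, so resolved_at = captured_at - elapsed.
    Names with no known original TTL, or whose remaining TTL exceeds it
    (TTL changed since, static entry), are returned with resolved_at=None.
    """
    results = []
    for name, remaining in parse_cache(text):
        original = authoritative_ttl.get(name)
        if original is None or remaining > original:
            results.append((name, remaining, None))
            continue
        elapsed = timedelta(seconds=original - remaining)
        results.append((name, remaining, captured_at - elapsed))
    return results


if __name__ == "__main__":
    captured = datetime(2013, 1, 15, 14, 0, 0, tzinfo=timezone.utc)  # constructed
    for name, left, when in estimate_lookups(SAMPLE_CACHE, captured, AUTHORITATIVE_TTL):
        print(f"{name:20} ttl_left={left:5} last_resolved={when}")
```

An upstream resolver may hand out an already-decremented TTL, so the computed time is the earliest the lookup could have happened; an absent entry only shows that the record expired or was flushed.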

In contrast to this research, we plan to examine all four major web browsers utilizing a different acquisition method. Our goal is to extract as much data as possible, including deleted and volatile data, to obtain sufficient information within the artifacts retrieved.

One research article [4] argues that browser vendors deliver exactly what they claim but consumers have limited knowledge as to what private browsing modes can actually do. Comparing this article to the first study [1] proves otherwise. There are clearly private policy inconsistencies within the four major browsers according to the data.

3.2. Portable web browsing

One study on portable web browsers [2] explained that portable web browsing artifacts are primarily stored where the installation folder is located (removable disk). Residual artifacts, such as USB identifiers and portable programs, can be discovered by analyzing the Windows Registry and Windows Prefetch files. Furthermore, they state that if the removable disk is not accessible to the investigator, it is impossible to trace any further information. In regard to portable software discoverability, the researchers stated that it was difficult to determine portable web browser usage on a host machine.

The majority of these statements were made without the basis of any true experimental findings. Therefore, every one of these statements will be fully tested in our research to determine authoritative answers. We plan to recover significant residual artifacts located on host machines testing several different portable web browsers. Even though USB identifiers are important to obtain, it is even more important to establish an affirmative link between user and session.

3.3. Flash drive

In comparison to current portable software, SanDisk and Microsoft worked together many years ago on a project called U3 Technology [5]. Essentially, the idea was to allow consumers to carry a portable disk containing personalized files and web browsers. U3 flash drives were pre-installed with a U3 Launchpad, similar to an OS start menu with various programs installed. There are two partitions to the U3 flash drive structure: one is a mass storage device and the other is a virtual CD-ROM. The virtual partition was actually an ISO image, which was why information was read but not written to the disk.

According to one study [6], U3 devices created a folder on host machines and recorded user activity. Once the disk was ejected, a cleanup program was executed and automatically removed all user activity from that system. By analyzing the Windows Prefetch files, researchers were able to identify which programs were run from the U3 device.

In another study on battling U3 anti-forensics [7], U3 identifiers were discovered as well by analyzing the Windows Registry and Prefetch directory. The majority of traces were located within slack space and free space of the hard drive. For this reason, our research experiments will be conducted using separate physical hard drives to incorporate the possibility of discovering data within these areas. Even though sufficient evidence was obtained to support which U3 programs were launched, it was still extremely difficult for researchers to identify other significant artifacts. We will probably face the same barriers in our research.

Overall, the U3 portable disk provided a sense of privacy and personalization to users. Over time, there had been numerous complaints about U3 devices such as potential incompatibility and malware-like behavior. SanDisk began phasing out support for U3 Technology in late 2009 [3] and the U3 disk has been discontinued.

4. Major browsers and private browsing

In this section, we discuss four major web browsers and their private browsing implementations.

4.1. Microsoft Internet Explorer

Microsoft Internet Explorer (IE) is one of the most commonly used web browsers on Windows machines. A list of areas where most IE web browsing artifacts are located is as follows:

- Cookies (Index.dat)
- History (Index.dat)
- Registry (typed URLs, search queries, auto-complete, protected storage)
- NTUSER.dat
- Temporary Internet Files and Index.dat Entries
- Downloads

IE also offers users a private browsing feature called InPrivate Browsing. According to Microsoft [8], InPrivate Browsing enables users to surf the Internet without leaving a trace on their computer. However, while using InPrivate Browsing, some information such as cookies and temporary files are temporarily stored so that webpages will work correctly. Once the browsing session is ended, all of that data is discarded. Table 2 shows a list of areas affected by InPrivate Browsing and is available to the public on Microsoft's webpage. In regard to web browser extensions, IE disables all toolbars and extensions during InPrivate Browsing sessions to ensure better privacy. IE also does not clear toolbars and extensions after a private session is ended.

Table 2. Microsoft IE InPrivate browsing features
Data | How InPrivate browsing affects data
Cookies | Contained in working memory but cleared after session
Temporary internet files | Stored on disk but deleted after session
Webpage history | Not stored
Form data and passwords | Not stored
Anti-phishing cache | Temporary information is encrypted and stored
Address bar and auto-complete | Not stored
Automatic cache restore | Restore is successful only if tab crashes and not entire session
Document object model storage | Discarded after session

4.2. Google Chrome

Google Chrome is another very popular web browser that can be found on both Windows and Mac operating systems. A list of common areas where Chrome web browsing artifacts can be located is as follows:

- JSON (JavaScript Object Notation) structure - text based open standard design for human readable data
- Downloads
- Bookmarks
- Web data
- Keyword search terms
- Keywords
- URL database
- History index (YYYY-MM)
- Current and last sessions
- Top sites database
- Media cache

Chrome also offers something called Incognito mode for users to browse the Internet in a private setting. According to Google [9], Incognito mode does not record any browsing or download histories, and all created cookies will be removed when exiting a session completely. Additionally, Google states that if users are working in Chrome OS, surfing the Internet under guest browsing essentially does the same thing. Once the guest session is closed, all browsing information is completely erased.

4.3. Mozilla Firefox

Mozilla Firefox is another popular web browser that can be found on multiple platforms. Web browsers such as Chrome and Firefox can also be found on mobile devices such as Androids, iPads, etc. A list of common areas where Firefox web browsing artifacts can be located is as follows:

- Sqlite database structure
- Prefs.js (user preferences)
- Signons.txt (encrypted data for website authentication)
- Formhistory.sqlite
- Cookies.sqlite
- Firefox cache
- Places.sqlite (bookmarks and history)
- Downloads.sqlite

Just like all other major web browsers, Firefox offers a discreet browsing mode called Private Browsing. According to Mozilla [10], Private Browsing mode allows users to surf the Internet without saving any information about visited sites or pages. Table 3 shows a list of areas affected by Private Browsing and is available to the public on Mozilla's webpage. Mozilla makes it clear that private browsing modes do not make users anonymous from websites, ISPs, and networks. In other words, Private Browsing is merely affected in the Application Layer recognized in the OS. Aside from other privacy features, there is an option to enable the Do-Not-Track feature in Firefox which requests that websites do not track user browsing behavior. This request is honored voluntarily and Apple Safari offers the same. In the experimental phase of our research, these types of features will be optimized for full privacy.

Table 3. Mozilla private browsing features
Data | How private browsing affects data
Visited pages | Will not be added in History menu, Library history, or other bar list
Form and search bar entries | Nothing entered will be saved for Form Auto-complete
Passwords | No new passwords will be saved
Download list entries | No downloaded files will be listed under Downloads
Cookies | Does not save
Cached web content | Not saved
Flash cookies | Latest version of Flash must be used to prevent saving
Offline web content and user data | Not saved

4.4. Apple Safari

The Apple Safari web browser is primarily used on Mac/iOS operating systems but is also available for Windows. A list of common areas where Safari web browsing artifacts can be located is as follows:

- .plist (Property List) structure
- Cookies.plist
- Bookmarks.plist
- History.plist
- WebpageIcons.db
- Keychains.plist
- Downloads.plist

Apple's latest version of the Safari web browser for Windows is Safari 5.1.7 [11]. When Safari launched 6.0, they did not update the Windows versions. Most people have assumed that Apple is moving away from Windows compatibility. According to Apple, Private Browsing mode ensures that webpages are not added to the history list, cookie changes are discarded, searches are not added to the search fields, and websites cannot modify information stored on the computer.

5. Portable software

In this section, we discuss several major web browsers that are made available in portable formats and were used for this research.

5.1. Portable application and web browsers

To allow for certain portable browsers to work, a free program called PortableApps [12] was used for this research. PortableApps is similar to the previously mentioned U3 Launchpad in that it allows you to take portable applications with you as you go. It is based on an open source platform and will work with almost any portable storage device. Figure 1 shows how the launchpad is structured. In our study, the application was installed on a USB flash drive.

Three portable web browsers were selected through PortableApps: Mozilla Firefox Portable 18.0.1 [13], Google Chrome Portable 24.0.1312.52 [14], and Opera Portable 12.12 [15]. The reason Apple Safari Portable was not selected is that it was not in fact portable. The most updated version located was not a standalone executable program and it had to be installed onto the machine. According to Mozilla, the Portable Edition leaves no personal information behind on the machine it runs on [13]. All the portable browsers were essentially designed for users to carry customized browsers without leaving traces on machines. That is why artifacts, such as web browsing history, passwords, and auto-fill forms, are stored where the portable browser installation folder is located. Privacy modes can also be enabled to help block flash cookies and other artifacts from storing within the installation folder.

Figure 1. PortableApps launchpad.
Figure 2. Hard drive setup with labels.

6. Implementations and experiments

In this section, we provide a brief overview of private and portable web browsing sessions that will be analyzed using computer forensics.

6.1. Tools and setup

The following tools were used for the assessments, acquisitions, examinations, and analysis:

Hardware
- 1 x Desktop (PC - forensic workstation - 4-GB RAM)
- 1 x Laptop (PC - forensic workstation - 6-GB RAM)
- 8 x 160 GB SATA Hard Drives (one dedicated drive for lab)
- 1 x USB Flash Drive (8 GB)
- 1 x USB External Drive (1 TB WD Passport)
- 1 x SATA to USB Adapter
- 1 x Tableau USB Write Blocker (IDE/SATA)
- Antistatic Bags and Antistatic Wrist Strap

Software
- Microsoft Windows 7 Professional (64)
- Internet Explorer, Firefox, Safari, Chrome
- VMware - virtualization software
- DaemonFS - file integrity monitoring program
- Disk Wipe - to replace data on disk with zeros
- Nirsoft Internet Tools - history, cache, and cookie viewers
- Live View - Java based tool to convert .dd to .vmdk
- PortableApps - portable application Launchpad
- Firefox Portable, Chrome Portable, Opera Portable
- FTK Imager - used to create forensic images
- FTK Imager Lite - portable version
- AccessData FTK version 3.2 (Licensed) - used to analyze forensic images and organize information

Figure 3. DaemonFS monitoring example.

Table 4. Browser analysis during normal browsing sessions
Browser | Primary changes
Internet Explorer 8.0 | Temp File Directory files (Content.IE, History.IE5, Cookies, Recovery, Custom Destinations, Index.dat) are created, modified, and deleted
Google Chrome 23.0.1271.95 | Directory Chrome\User Data (Safe Browsing Whitelist, Default\Cache, Current Session, Default\History, Default\Session Storage) files are created, modified, and deleted
Firefox 17.0.1 | Directory Firefox\Profiles (Cache, jumpListCache, etc.) and Win CustomDestinations, files are created, modified, and deleted
Safari 5.1.7 | Directory AppleComputer\Safari (Cache, History, Webpage Previews, Cookies, WebpageIcons.db) files are created, modified, and deleted

The key to our research was for us to conduct a standardized test across multiple controlled environments. Therefore, all the experiments were handled in a forensically sound manner as if we were handling real evidence. Photographs were taken, forensic images were created, procedures were properly documented, and evidence was safely preserved.

We began by taking every hard drive and removing residual data using Disk Wipe [16]. Each disk was connected to a secondary forensic workstation (laptop) through a SATA to USB Adapter. The Disk Wipe tool provides several different wiping options and writes over data with zeros. The first disk was tested by examining it forensically after wiping it with only one pass. Since there was some residual data that was found, a DoD Algorithm was selected next to wipe the disk using three passes; this method proved to be more efficient. After every disk was successfully wiped, each one was installed with Windows 7 Professional - 64 bits. The 64-bit version was used so that more random-access memory (RAM) could later be tested.

Next, each disk was installed with only one specific Internet browser pre-loaded from an external hard drive, except for the portable applications. The web browsers installed were Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Google Chrome. Each browser was configured to launch automatically into private browsing mode except for Safari, which had to be done manually. It is important to note, since prior research [1] showed browser plug-ins and extensions to cause weakness to private browsing sessions, none were installed. It is also important to note that everything was pre-configured before connecting to the Internet. Figure 2 shows the hard drives being configured and labeled.

6.2. Preliminary analysis

While the disks were being properly developed, a baseline was established using a laptop with VMware and a file integrity monitoring program called DaemonFS [17]. This assisted with having a general idea for which areas were modified and accessed during normal, private, and portable web browsing sessions. Once DaemonFS was launched, it was set to monitor all activity within the local hard drive (root). After the logical parameter was set, each web browser was individually launched and tested using a series of standardized steps. Figure 3 shows how the log is generated during activity. These steps included article searches, image searches, video searches, email account logins, bank account logins, and online purchase attempts. See Tables 4, 5, and 6 for results.

Table 5. Browser analysis during private browsing sessions
Private browser | Noticeable change
IE InPrivate Browsing | Everything gets deleted when exiting the browser and the entire session is terminated
Google Chrome Incognito Mode | Safe Browsing databases, Cookies, and History are modified, no changes during session but the chrome_shutdown_ms.txt is replaced with a new timestamp when session ends
Firefox Private Browsing | Safe Browsing database gets modified, nothing appears to be written while surfing, but when session ends, some Firefox\Profile files are modified
Safari Private Browsing | Only NTuser.dat appears to be modified

Table 6. Browser analysis using portable web browsers
Portable browser | Host machine activity
Opera Portable | Temp files appear to be created on disk and then are deleted when session ends
Firefox Portable | Mozilla\Roaming directory was modified, and a few temp files under Local AppData were created/deleted
Google Chrome Portable | Folder called GoogleChromePortable had files created, modified, and deleted, including Sys32\Winevt\Logs, and Portable Chrome Cache
Safari Portable | Setup files are portable but must be installed on system (not standalone .exe) therefore will not be used for testing

6.3. Private browsing experiments

Author 1 has a background in law enforcement and has experience analyzing digital media for a vast array of crimes. The Internet activities used for these experiments were adapted from an abundance of information to include past experience and knowledge. It is important to note that these principles can still be applied to all aspects of Internet forensics regardless of whether or not the scope relates to a crime. These types of browsing sessions can very well be conducted without any criminal intent. The overall purpose of digital forensics is to help establish and articulate an affirmative link between A (artifact) and B (person, place, or thing). By collecting and analyzing enough data, evidentiary content can be produced.

To begin the main experiments, each disk was separately utilized as a single primary drive. Every step was manually recorded with timestamps for future reference points. For the first four disks, only private browsing sessions were tested using the installed web browsers. For the purpose of these experiments, a 'browsing session' will refer to all activity conducted on one specific web browser. Once a private browsing session was launched, the same series of steps were performed for each browser. Table 7 shows the details of these standardized sessions.

After each browsing session was complete, the web browser process tree was terminated (verified) and the RAM was dumped into a file using FTK Imager Lite (installed on USB). Not only was the memory dumped but Registry files were obtained, the pagefile.sys was extracted, and an .ad1 image file of the RAM was created as well. The location of the RAM dump was stored on the target machine's Desktop due to reasons that will later be explained. This would probably not be preferred in a real setting unless it was absolutely necessary. In any event, it is always important to document the footprints left behind on a live environment. Initially, the data was extracted to an external hard drive. The machine was then unplugged from the back and the disk was carefully removed.

As noted, a few extra things were done to preserve sound results. The working memory was dumped before and after every disk session, to ensure that residual data was not left over in the RAM from the session before. In addition, several Internet tools from Nirsoft [18], such as cache viewer, history viewer, and cookie viewer, were executed after each browsing session was terminated and yielded negative results. Meaning, nothing could be discovered using these tools after private browsing sessions were used.

6.4. Portable browsing experiment

The next three disks were used in conjunction with portable web browsers running from a USB flash drive. The flash drive was installed with a program called PortableApps. Essentially, PortableApps allows you to run different programs from a flash drive similar to an OS Start menu. After setting up the Launchpad, three portable web browsers were installed on the flash drive: Mozilla Firefox Portable, Google Chrome Portable, and Opera Portable. Again, each hard disk was separately used as a primary hard drive but this time without any other web browsers installed. Each portable web browser was individually launched while performing the same series of standardized steps as the first four disks (Table 7). Whenever a disk was complete, it was carefully placed into an antistatic bag and into a cool dry place for storage. In addition, an antistatic wristband was used while handling all internal electronic components.

6.5. Forensic acquisition and analysis

The last hard disk was developed with Windows 7 and FTK 3.2 to make it a dedicated computer forensic workstation. AccessData's Forensic Toolkit (FTK) [19] is a court accepted program used for examining computers and mobile devices at the forensic level. Each disk was individually connected to the Desktop using a hardware-based write blocker (Tableau), to protect any data from being altered by the computer. Digital evidence preservation is the most important factor next to chain of custody, when it comes to forensic integrity.

Using FTK Imager, a bit stream image of each evidence disk was created as a compressed E01 image file and was verified by several different hashes. Each image took anywhere from 3 to 5 h to complete. Next, individual images were forensically examined, analyzed, and classified by FTK 3.2. One disk image took up to 72 h to process and the disks with the installed browsers took the longest.

Table 7. Internet sessions used for experiments
Website | Standardized steps
Google | Search for various images, sites, and forums targeted for criminal activity; click on top five links; save/download different files and images
Yahoo! | Search for various sites and forums targeted for criminal activity; click on top five links; save/download available files
YouTube | Search for how-to videos on different types of hacking (social media, bank accounts, and WiFi connections); click on links to open
Gmail | Send email with attachments
Hotmail | Send email with attachments
Yahoo! Mail | Send email with attachments
SHSU Mail | Send email with attachments
Online Banking | Log in to several accounts (stores cookies and certificates)
Ammunition-to-Go | Attempt to purchase large amounts (2,000+) of ammunition (various high powered rounds) by searching and adding to cart
Online Firearms Store | Search for high capacity magazines and various weapons
Craigslist | Search for different types of items for sale that might be flagged as stolen

Aside from the default processing options in FTK, additional refinements were selected to carve different types of data and parse complex information. Once FTK finished processing the evidence files, numerous hours were spent sifting through the data. We found that it was also beneficial to use a program called Live View [20] to have a better understanding of the artifacts found. Live View is an open source program that can convert a raw image to a virtual disk. The disk must be booted into safe mode for the virtual machine to work correctly without having to activate Windows. By using two screens simultaneously, one with a live virtual environment and the other with the forensic image in FTK, it allowed us to fully grasp and understand the connections. See Tables 8 and 9 for complete results.
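
Data carving, as defined in Table 1 and selected as an FTK refinement above, can be illustrated for JPEG images recovered from a memory dump or unallocated space. The following is an added example, not FTK's carver and not code from the paper; it goes one step beyond plain header/footer matching by walking the JPEG segment structure, so an embedded thumbnail does not end the carve early and a truncated image is reported as a fragment. The sample bytes are constructed and only structurally JPEG-like.

```python
SOI_HEADER = b"\xff\xd8\xff"      # start-of-image marker plus the next marker's 0xFF
EOI = b"\xff\xd9"                  # end-of-image marker


def naive_end(buf, start):
    """Plain header/footer carving: stop at the first EOI after the header."""
    hit = buf.find(EOI, start + 2)
    return hit + 2 if hit >= 0 else None


def _skip_scan(buf, pos, limit):
    """Advance past entropy-coded data to the next real marker (or to limit)."""
    while pos < limit:
        nxt = buf.find(b"\xff", pos, limit)
        if nxt < 0 or nxt + 1 >= limit:
            return limit
        if buf[nxt + 1] == 0x00 or 0xD0 <= buf[nxt + 1] <= 0xD7:
            pos = nxt + 2                      # stuffed byte or restart marker
        else:
            return nxt
    return limit


def jpeg_end(buf, start, limit):
    """Walk JPEG markers from `start`; return (end_offset, complete)."""
    pos = start + 2                            # step over SOI
    while pos + 2 <= limit:
        if buf[pos] != 0xFF:
            return pos, False                  # structure breaks: fragment
        marker = buf[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                   # EOI of this image
            return pos + 2, True
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                           # markers without a length field
        else:
            if pos + 4 > limit:
                break
            seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
            if seglen < 2:
                return pos, False
            pos += 2 + seglen                  # skips APPn payloads, thumbnails included
            if marker == 0xDA:                 # SOS: entropy-coded data follows
                pos = _skip_scan(buf, pos, limit)
    return limit, False


def carve_jpegs(buf, max_len=20 * 1024 * 1024):
    """Return [(start, end, complete)] for every JPEG header found in buf."""
    found, pos = [], 0
    while True:
        start = buf.find(SOI_HEADER, pos)
        if start < 0:
            return found
        end, complete = jpeg_end(buf, start, min(len(buf), start + max_len))
        found.append((start, end, complete))
        pos = end if complete else start + 2   # look inside fragments for more headers


def _seg(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: padding, a complete image with an embedded thumbnail,
# filler, then an image whose tail is missing (as with partial photos in RAM).
_THUMB = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x11\x22" + EOI
_FULL = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(0xE1, b"Exif\x00\x00" + _THUMB)
         + _seg(0xDA, b"\x01\x02") + b"\x12\xff\x00\x34\xff\xd0\x56" + EOI)
_PARTIAL = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(0xDA, b"\x01\x02") + b"\x99\x88\x77"
SAMPLE_BUFFER = b"\x00" * 16 + _FULL + b"\xaa" * 8 + _PARTIAL

if __name__ == "__main__":
    for start, end, complete in carve_jpegs(SAMPLE_BUFFER):
        kind = "complete" if complete else "fragment"
        print(f"offset {start:#x}-{end:#x} ({end - start} bytes) {kind}")
    print("naive footer match would stop at", hex(naive_end(SAMPLE_BUFFER, 16)))
```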
6.
6.
ResultsanalysisPrivatebrowsingmodesandportablewebbrowsersdoinfactleaveincriminatingevidence,butitdependsonthebrowser.
Somewebbrowsersleftenoughinformationtoestablishanaffirmativelinkandsomedidnot.
Outofthefourmajorwebbrowsers,InternetExplorerprovidedthemostresidualartifactsbutnotwherecommonartifactsaretypicallysought.
ThiswasfairlyconsistentTable8PrivatewebbrowsingartifactsArtifactsDiscoveredTargetlocationsMicrosoftinternetexplorer8.
0(InPrivatebrowsing)PrivatebrowsingindicatorYMemdump;Free/SlackSpace('StartInPrivateBrowsing'-priortoURLhistory);$I30(…\Content.
IE5-'inprivate[1]'-priortolistof*.
jpeg's);PagefileBrowsinghistoryYMemdump;Freespace;Fileslack(TemporaryInternetFolder,Roaming\…\CustomDestinations);SysVolInfo;$LogFile;$J;AppData\…\IE\Recovery\ActiveUsernames/emailaccountsYMemdump;Freespace;TemporaryInternetFolder;User\AppData…\IE\Recovery\ActiveImagesYMemdump(partialphotos);Freespace(fullcontent);Fileslack(fullcontent)VideosNN/AGooglechrome23.
0.
1271.
95(Incognito)IncognitoindicatorsYMemdump;Chrome\…\Installer\chrome.
7z&chrome.
dll(timestampmatches);$I30(safebrowsingtimestamp)AppData\Local\Google\Chrome\UserData\chrome_shutdown_ms.
txt(alwaysupdateswithtimestamp);AppData\Local\Google\Chrome\UserData\Default\ExtensionState\*.
log(declarative_rules.
incognito.
declaritiveWebRequest-timestampmatchessessionstart);~\SysVolInformation(newincognitowindowwithtimestamps);AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations(newincognitowindowwithtimestamps);Chrome\UserData\Safebrowsingcookies.
db(modifiedtimestamp)BrowsinghistoryYMemdump;SysVolInfo(matchingtimestamps);Pagefile.
sys(downloadedfile)Usernames/emailaccountsNN/AImagesYCarvedfromMemdump(Mostlypartialimages)VideosNN/AMozillaFirefox17.
0.
1(Privatebrowsing)PrivatebrowsingindicatorsYMemdump(browsingmode);SysVolumeInformation(EnterPrivateBrowsingandWindow'sUserlistedbelow-filetimestampaccurate)BrowsinghistoryYMemdump;Freespace-AppData\…\Temp;Win\Prefetch(.
rtftempfiledownloaddiscovered);AppData\…\Firefox\Profiles(blacklist.
xml-matchingtimestamps);Firefox\Profiles\(filetimestampsupdate)Usernames/emailaccountsNN/AImagesYCarvedfromMemdump(Mostlypartialimages)VideosNN/AAppleSafari5.
1.
7(Privatebrowsing)PrivatebrowsingindicatorsYMemdump;~\SysVolInformation(com.
apple.
Safari.
PrivateBrowsingtimestamp)BrowsinghistoryYMemdump;Free/SlackSpace(URLHistory);AppData\Local\AppleComp\Safari\WebpageIcons.
db>>tables;AppData\Local\AppleComp\Safari\(databasestimestampupdates);AppData\…\AppleComp\Safari&Preferences\(several*.
plisttimestampupdates)Pagefile(URL'sandmodifiedtimestampsupdate)Usernames/emailaccountsNN/AImagesYCarvedfromMemdump(Mostlypartialimages)VideosNN/AOhanaandShashidharEURASIPJournalonInformationSecurity2013,2013:6Page9of13http://jis.
eurasipjournals.
com/content/2013/1/6withallthebrowsers.
Forexample,theIndex.
dat(history)andRegistry>TypedURLswereempty,butwewerestillabletorecovervirtuallyallcachedimages,URLhistory,andusernameswiththeirassociatedaccounts.
Everythingwasrecoverableexceptforplayablevideos.
EventhoughmostofthedatawasrecoveredfromRAM,freespace,andslackspaceareas,thereweresufficientfindingswithinallocatedspaceaswell.
Figure4showsan'[InPrivate]'indicatorwithinRAMpriortoanonlinesearchforhacking.
Inregardtoindicators,therewereafewareaswhere'InPrivate'and'StartInPrivateBrowsing'werenotedpriortoaURLhistorylog.
Figure5showsoneoftheseindicatorswithinallocatedspace.
ItwasalsonotedthattheMicrosoft'PrivacIE'directorywasfoundempty.
The three remaining browsers were a little more difficult to recover residual artifacts from. It appeared that the overall best way to recover residual data was to obtain the evidence from RAM or working memory, but that is not always possible for investigators. For Google Chrome Incognito artifacts, there were many browsing indicators and changes in timestamps to show Chrome usage. However, it was difficult to establish an affirmative link between the user and session because none of the usernames and other historical information was accessible; the same resulted for Mozilla Firefox. In both of these cases, any documents that were temporarily opened from the Internet were recoverable. This information is important because browsing indicators along with timestamps may be able to explain why something such as URL history is not there. For example, if a live search using regular expressions was used to locate one of these hidden artifacts in an unfamiliar location, an investigator can now understand why they were not found in other common areas.
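A live search of the kind described above, as an added example (not the authors' tooling): it scans a raw memory or disk image for the private-browsing indicator strings reported in this paper, in both ASCII and UTF-16LE, and lists URLs of the same encoding found in the bytes that follow each hit. The function names, the 256-byte window, the word spacing allowed inside each indicator and the sample buffer are assumptions made for illustration.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset label encoding urls")

# Indicator strings named in the paper, split into words because the exact
# spacing inside recovered data can differ (an assumption of this example).
INDICATORS = {
    "IE InPrivate tag": ["[InPrivate]"],
    "IE InPrivate start": ["Start", "InPrivate", "Browsing"],
    "Firefox private mode": ["Enter", "Private", "Browsing"],
    "Safari private mode": ["com.apple.Safari.PrivateBrowsing"],
}

# URL patterns for byte-oriented (ASCII) and wide (UTF-16LE) strings.
URL_RE = {
    "ascii": re.compile(rb"https?://[\x21-\x7e]{4,200}"),
    "utf-16-le": re.compile(
        rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"),
}

def build_pattern(words, encoding):
    """Compile a case-insensitive pattern with an optional space between words."""
    gap = b"(?:" + re.escape(" ".encode(encoding)) + b")?"
    body = gap.join(re.escape(w.encode(encoding)) for w in words)
    return re.compile(body, re.IGNORECASE)

def scan_image(data, window=256):
    """Return indicator hits, each with same-encoding URLs in the bytes that follow."""
    hits = []
    for label, words in INDICATORS.items():
        for encoding, url_re in URL_RE.items():
            for m in build_pattern(words, encoding).finditer(data):
                tail = data[m.end():m.end() + window]
                urls = [u.decode(encoding) for u in url_re.findall(tail)]
                hits.append(Hit(m.start(), label, encoding, urls))
    return sorted(hits)

# Constructed sample buffer standing in for a memory dump (not real evidence).
SAMPLE = (b"\x00" * 16
          + "[InPrivate] http://www.example.com/search?q=test".encode("utf-16-le")
          + b"\xff" * 8
          + b"Start InPrivate Browsing\x00junk https://mail.example.org/inbox \x00"
          + b"\x00" * 8 + b"com.apple.Safari.PrivateBrowsing")

if __name__ == "__main__":
    for hit in scan_image(SAMPLE):
        print(f"0x{hit.offset:08x}  {hit.label:22} {hit.encoding:9} {hit.urls}")
```

Recording the byte offset of each hit lets the examiner return to the same location in a hex viewer and document where in the image the indicator was found.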
Apple Safari seemed to fall in the middle by keeping most things private while still leaving traces on the machine. The easiest way to view the browsing history for Safari private browsing sessions was to locate the 'WebpageIcons' database under Safari artifacts. This database provided a good log of every visited URL along with other pertinent information. Figure 6 shows some of the database artifacts using FTK. It is important to realize that this can be used to explain to courts as to why URL history would be located here and nowhere else under Safari data. It is not always about what is present, but what is absent is also of value.

Table 9 Portable web browsing artifacts
Artifacts | Discovered | Target locations

Google Chrome Portable - 24.0.1312.52
Browser indicators | Y | NTFS Allocated and Unallocated Space; Prefetch; Pagefile; Memdump; $Logfile; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations; ~\System Volume Information; AppData\Local\Temp; AppData\LocLow\Mic\CryptnetUrlCache; Win\AppCompat\Prog\RecentFileCache; Win\Mic.NET\Framework\log (file slack); Win\Sys32\LogFiles\WUDF\ (file slack)
Browsing history | Y | NTFS Allocated and Unallocated Space; Memdump; Orphan Directory; Pagefile; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (Carved .lnk)
Usernames/email accounts | Y | [Orphan] directory and NTFS Unallocated Free/Slack Space
Images | Y | Carved (NTFS Unallocated Space and Orphan Directory)
Videos | N | N/A

Opera Portable - 12.12
Browser indicators | Y | NTFS Allocated and Unallocated Space; Pagefile; Memdump; $LogFile; ~\System Volume Information; NTUSER.DAT; AppData\Local\Mic\Win\UsrClass.dat; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (Carved .lnk); Win\Prefetch; Win\Sys32\LogFiles\SQM\SQMLogger
Browsing history | Y | Memdump; AppData\Roaming\Mic\Win\Rec\CustomDestinations (Carved .lnk files with Last Access Times)
Usernames/email accounts | N | N/A
Images | Y | Carved from Memdump (Mostly partial images and difficult to view full content)
Videos | N | N/A

Mozilla Firefox Portable - 18.0.1
Browser indicators | Y | Memdump; SysVolInformation file timestamp (Firefox Portable app info)
Browsing history | Y | Memdump; SysVolInformation (Email only)
Usernames/email accounts | Y | Memdump; SysVolInformation (Email Account History)
Images | Y | Carved from Memdump (Mostly partial images and difficult to view full content)
Videos | N | N/A

Figure 4 [InPrivate] search for 'how+to+hack+…' within RAM (Hex view).
With regard to residual portable browsing artifacts, it appeared that everything was just as easily obtained from the memory dumps as it was with the installed browsers. However, not everything was located on the target hard drives. Out of the three portable web browsers tested, Google Chrome Portable left the most residual artifacts on the host machine. The recovery seemed as if Chrome was installed on the machine itself. Almost all artifacts, to include images, browsing history, browsing method, and usernames with associated accounts, were located on the disk. Also note, these recovered artifacts were obtained without the flash drive. The importance for an investigator to distinguish that these artifacts came from Google Chrome Portable is for two reasons: (a) to be able to explain why Chrome artifacts were not located under common areas and (b) to alert the investigator that further evidence may be found on a flash drive that the investigator did not originally consider. Figure 7 provides a comparison of all the browsers tested and the strength of evidence which can be found.
Opera Portable, on the other hand, did not leave as much information as Chrome. There were many portable browsing indicators but most history artifacts were limited; none of the usernames or accounts could be recovered. Firefox Portable resulted in similar findings; however, some user activity was found to be recoverable. All of the usernames associated with their respective email accounts were recovered along with Firefox browsing indicators. In reference to carved images from RAM, most of them were distorted but a few of the images could be seen as a whole. One solution was to try and match a distorted image from RAM with a whole image on the hard drive using FTK's fuzzy hash option. This would be a great way to link carved contraband to working memory artifacts, thereby strengthening evidence against the user. The program attempts to match files by determining a fundamental level of similarity between hashes. This method did not always work as hoped. Some of the thumbnails stored in RAM were successfully matched with ones on the disk but none specific to user activity. Perhaps on a machine with a much higher capacity of RAM, this would be more useful.
Figure 5 InPrivate indicator in FTK.
Figure 6 Safari WebpageIcons database.
6.7. Additional forensic results
Aside from discovering hidden web browsing artifacts, there is another finding worth mentioning due to its significant linking of users and machines. Every time the external hard drive (WD Passport) was connected to one of the machines via USB, not only did it leave unique identifiers but also a log of every folder located on the Passport. This information was transferred directly to the Windows machine while remaining on the hard drive and RAM. For this reason, a flash drive was later used to dump the memory on the Desktop to preserve data integrity without further contamination. The Passport files were discovered within several different locations on the hard drive. One was within a log file called the Circular Kernel Context Logger (BootCKCL.etl), and the other was within Trace*.fx files. Most probably the reason for the Trace*.fx files was due to the activity of a USB device configured for ReadyBoost (virtual memory).
This finding raises a number of questions and concerns. An investigator can easily document certain footprints such as plugging in devices and checking running processes. It is the unknown footprints which can cause a problem. This could violate certain policy and procedures that were once considered forensically sound. On the other hand, it could provide an investigator with enough information to understand that the file paths may be pointing to an external device. So not only will information from the Registry provide unique identifiers but this could also be used to know what type of contraband may be on the 'missing evidence.' This information would be extremely helpful when trying to establish an affirmative link between user and target machine.
7. Future work
Future work may include further RAM experiments, and more efficient methods to extract information over an extended period of time instead of one controlled browsing session. In addition, forensic tools or carving options may be developed to tell investigators whether or not these browsing artifacts exist (0/1 = False/Positive), and parse these artifacts accordingly.
8. Conclusion
The majority of recovered artifacts were discovered in RAM, slack/free space, and FTK [Orphan] directories. That being said, information was still obtained within allocated space. Another commonality between the browsers was information contained within the System Volume Information directory. The bottom line is that our research clearly establishes authoritative answers which were never there before. In addition, some of our authoritative results contradict prior research statements. For example, one study [2] made the statement that it would be impossible to trace residual information, other than USB identifiers, if a portable storage device was not accessible to the investigator. Our research clearly shows that further data can still be recovered on host machines without the portable storage device being present.
Overall, our research is a valuable resource pertaining to private and portable web browsing artifacts. Not every web browser will leave incriminating evidence but some will, depending on the situation. These residual artifacts may or may not be important to a case, but on the other hand it may be the only way to explain certain results. Computer forensic investigators must treat digital environments like a real crime scene. It is not only important to document what is found but to also note what is not there and ask why. Our research now provides an alternative way to perceive these types of findings and explain the results. We conclude that just because something is not there does not mean it never happened.
Figure 7 Web browsers - strength of residual evidence.
Competing interests
The authors declare that they have no competing interests.
Received: 29 July 2013 Accepted: 4 November 2013 Published: 21 November 2013
References
1. G Aggarwal, E Bursztein, C Jackson, D Boneh, An analysis of private browsing modes in modern browsers, in Proc. of 19th Usenix Security Symposium (Washington, DC, 2010), pp. 11–13
2. JH Choi, KG Lee, J Park, C Lee, S Lee, Analysis framework to detect artifacts of portable web browser (Center for Information Security Technologies, Seoul, 2012)
3. SanDisk, U3 Launchpad End of Life Notice, 2010. Available: http://kb.sandisk.com/app/answers/detail/a_id/5358/~/u3-launchpad-end-of-life-notice. Accessed 28 July 2012
4. C Soghoian, Why private browsing modes do not deliver real privacy (Center for Applied Cybersecurity Research, Bloomington, 2011)
5. Wikipedia, U3, 2013. Available: http://en.wikipedia.org/wiki/U3. Accessed 22 July 2012
6. R Tank, PAH Williams, The impact of U3 devices on forensic analysis (Australian Digital Forensics Conference, Perth, 2008)
7. T Bosschert, Battling anti-forensics: beating the U3 stick. J Digit Forensic Pract 1(4), 265–273 (2007)
8. Microsoft, InPrivate Browsing, 2012. Available: http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/in-private. Accessed 03 September 2012
9. Google, Incognito mode, 2012. Available: https://www.google.com/intl/en/chrome/browser/features.html#privacy. Accessed 03 September 2012
10. Mozilla, Private Browsing, 2012. Available: http://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-saving-info. Accessed 03 September 2012
11. Apple, Safari 5.1: Browse Privately, 2012. Available: http://support.apple.com/kb/PH5000. Accessed 03 September 2012
12. PortableApps, 2013. Available: http://portableapps.com/. Accessed 27 July 2012
13. PortableApps, Mozilla Firefox, Portable Edition, 2013. Available: http://portableapps.com/apps/internet/firefox_portable. Accessed 27 July 2012
14. PortableApps, Google Chrome Portable, 2013. Available: http://portableapps.com/apps/internet/google_chrome_portable. Accessed 27 July 2012
15. PortableApps, Opera, Portable Edition, 2013. Available: http://portableapps.com/apps/internet/opera_portable. Accessed 27 July 2012
16. DiskWipe, DiskWipe, 2009. Available: http://www.diskwipe.org/. Accessed 12 December 2012
17. DaemonFS, Sourceforge: DaemonFS, 2010. Available: http://sourceforge.net/projects/daemonfs/. Accessed 27 July 2012
18. Nir Sofer, NirSoft Freeware Utilities, 2013. Available: http://nirsoft.net. Accessed 12 December 2012
19. AccessData, FTK, 2013. Available: http://www.accessdata.com/products/digital-forensics/ftk. Accessed 18 December 2012
20. Carnegie Mellon, LiveView, 2006. Available: http://liveview.sourceforge.net. Accessed 18 December 2012

doi:10.1186/1687-417X-2013-6
Cite this article as: Ohana and Shashidhar: Do private and portable web browsers leave incriminating evidence: a forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP Journal on Information Security 2013 2013:6.