
Table 8 Private web browsing artifacts

From: Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions

 

| Artifacts | Discovered | Target locations |
|---|---|---|
| Microsoft Internet Explorer 8.0 (InPrivate browsing) | | |
| Private browsing indicator | Y | Memdump; Free/Slack Space (‘Start InPrivate Browsing’ - prior to URL history); $I30 (…\Content.IE5- ‘inprivate [1]’- prior to list of *.jpeg's); Pagefile |
| Browsing history | Y | Memdump; Free space; File slack (Temporary Internet Folder, Roaming\…\Custom Destinations); SysVol Info; $LogFile; $J; AppData\…\IE\Recovery\Active |
| Usernames/email accounts | Y | Memdump; Freespace; Temporary Internet Folder; User\AppData…\IE\Recovery\Active |
| Images | Y | Memdump (partial photos); Free space (full content); File slack (full content) |
| Videos | N | N/A |
| Google Chrome 23.0.1271.95 (Incognito) | | |
| Incognito indicators | Y | Memdump; Chrome\…\Installer\chrome.7z & chrome.dll (timestamp matches); $I30 (safebrowsing timestamp); AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt (always updates with timestamp); AppData\Local\Google\Chrome\User Data\Default\Extension State\*.log (declarative_rules.incognito.declaritiveWebRequest- timestamp matches session start); ~\SysVol Information (new incognito window with timestamps); AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (new incognito window with timestamps); Chrome\UserData\Safebrowsingcookies.db (modified timestamp) |
| Browsing history | Y | Memdump; SysVol Info (matching timestamps); Pagefile.sys (downloaded file) |
| Usernames/email accounts | N | N/A |
| Images | Y | Carved from Memdump (Mostly partial images) |
| Videos | N | N/A |
| Mozilla Firefox 17.0.1 (Private browsing) | | |
| Private browsing indicators | Y | Memdump (browsing mode); SysVolume Information (Enter Private Browsing and Window’s User listed below- file timestamp accurate) |
| Browsing history | Y | Memdump; Free space- AppData\…\Temp; Win\Prefetch (.rtf temp file download discovered); AppData\…\Firefox\Profiles (blacklist.xml- matching timestamps); Firefox\Profiles\ (file timestamps update) |
| Usernames/email accounts | N | N/A |
| Images | Y | Carved from Memdump (Mostly partial images) |
| Videos | N | N/A |
| Apple Safari 5.1.7 (Private browsing) | | |
| Private browsing indicators | Y | Memdump; ~\SysVol Information (com.apple.Safari.PrivateBrowsing timestamp) |
| Browsing history | Y | Memdump; Free/Slack Space (URL History); AppData\Local\AppleComp\Safari\WebpageIcons.db >> tables; AppData\Local\AppleComp\Safari\ (databases timestamp updates); AppData\…\AppleComp\Safari & Preferences\ (several *.plist timestamp updates); Pagefile (URL's and modified timestamps update) |
| Usernames/email accounts | N | N/A |
| Images | Y | Carved from Memdump (Mostly partial images) |
| Videos | N | N/A |