Table 9 Portable web browsing artifacts
| Â | Artifacts | Discovered | Target Locations |
|---|---|---|---|
Google chrome portable - 24.0.1312.52 | Browser indicators | Y | NTFS Allocated and Unallocated Space; Prefetch; Pagefile; Memdump; $Logfile; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations; ~\System Volume Information; AppData\Local\Temp; AppData\LocLow\Mic\CryptnetUrlCache; Win\AppCompat\Prog\RecentFileCache; Win\Mic.NET\Framework\log (fileslack); Win\Sys32\LogFiles\WUDF\ (fileslack) |
Browsing history | Y | NTFS Allocated and Unallocated Space; Memdump; Orphan Directory; Pagefile; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (Carved .lnk) | |
Usernames/email accounts | Y | [Orphan] directory and NTFS Unallocated Free/Slack Space | |
Images | Y | Carved (NTFS Unallocated Space and Orphan Directory) | |
Videos | N | N/A | |
Opera portable - 12.12 | Browser indicators | Y | NTFS Allocated and Unallocated Space; Pagefile; Memdump; $LogFile; ~\System Volume Information; NTUSER.DAT; AppData\Local\Mic\Win\UsrClass.dat; Users\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (Carved .lnk); Win\Prefetch; Win\Sys32\LogFiles\SQM\SQMLogger |
Browsing history | Y | Memdump; AppData\Roaming\Mic\Win\Rec\CustomDestinations (Carved .lnk files with Last Access Times) | |
Usernames/email accounts | N | N/A | |
Images | Y | Carved from Memdump (Mostly partial images and difficult to view full content) | |
Videos | N | N/A | |
Mozilla fireFox portable - 18.0.1 | Browser indicators | Y | Memdump; SysVol Information file timestamp (Firefox Portable appinfo) |
Browsing history | Y | Memdump; SysVol Information (Email only) | |
Usernames/email accounts | Y | Memdump; SysVol Information (Email Account History) | |
Images | Y | Carved from Memdump (Mostly partial images and difficult to view full content) | |
Videos | N | N/A |