We are currently partway through the data generation process for our incognito browser research. We are testing four different browsers (Internet Explorer, Google Chrome, Safari, and Mozilla Firefox) in both public and private modes using a Windows 7 virtual machine. Ultimately, we aim to catalog how much evidence is left behind after an incognito browsing session has ended. We plan to compare the evidence left behind by public browsing with that left behind by private browsing. In public browsing, we will be collecting evidence from the cache, cookies, and web history, among other sources.
Analysis of private browsing
This week we began generating the data for each individual browser in both private and general browsing modes. In private mode, we assume the evidence will be more difficult to locate. Private browsing modes are designed not to write data such as cookies and cache to disk, so we need to examine the session’s memory in order to collect data. We intend to run a Volatility scan over a RAM capture to collect the evidence that remains in memory.
Throughout the data generation process so far, we have encountered a few problems. For consistency’s sake, we decided to use Windows 7 across the board, but unfortunately the more recent releases of Safari are limited to OS X. This means we need to use an older version of Safari than we originally anticipated.
We have had a few technological hiccups as well. While one of the team members was generating data for the Mozilla Firefox browser, the dedicated Windows VM performed an update halfway through a data generation run, meaning the VM had to restart as well. Had this been the run for private browsing, we would have had to redo the whole generation, because volatile memory is wiped on shutdown.
Additionally, we recently decided to include a failed login attempt to American Express in our data generation script, in the hope of finding evidence of this failed attempt in the captured data.
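To illustrate the kind of evidence a RAM capture can still yield after a private session (the memory analysis described above, and the login-page visit just mentioned), here is a small string-carving example. It is added for this post and is not the project's code or a Volatility plugin: the "memory image" is constructed filler with a couple of embedded strings, and the login URL is an illustrative placeholder, not a real address taken from our script.

```python
import re
from typing import Dict, List, Tuple

# URL as it usually appears in process memory as an ASCII string; stops at
# whitespace, quotes or NUL bytes.
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]+")
# The same shape for UTF-16LE strings (every character followed by a NUL byte),
# which is how many Windows processes hold text internally.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
    rb"(?:[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]\x00)+"
)


def carve_urls(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, url) for every URL-shaped string in a raw memory image."""
    hits = []
    for m in ASCII_URL.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_URL.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(hits)


def hosts_visited(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count carved URLs per host: the first thing to compare between public and private runs."""
    counts: Dict[str, int] = {}
    for _, _, url in hits:
        host = url.split("://", 1)[1].split("/", 1)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump: byte filler with two embedded strings."""
    filler = bytes(range(256)) * 4  # contains no URL-shaped text
    # Placeholder login URL for the failed-login step (constructed, not a real path).
    ascii_url = b"https://www.americanexpress.com/login\x00"
    wide_url = "https://example.org/private-session?id=42".encode("utf-16le") + b"\x00\x00"
    return filler + ascii_url + filler + wide_url + filler


if __name__ == "__main__":
    for offset, enc, url in carve_urls(build_sample_image()):
        print(f"0x{offset:08x} {enc:9s} {url}")
```

Nothing here substitutes for Volatility's process and module context; it only shows that the strings a private session used are still present in memory until the VM is shut down.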
Please check back to see our progress. We are excited to share our findings with you. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org.