At this point in our research, we are using a forensic imaging tool called FTK Imager, which allows us to image the browsing data we generated on our virtual machine. We began the imaging process by powering on the virtual machines to a given snapshot and them immediately powering them down. After using VMware to download two virtual disks per virtual machine, we imaged the disks in FTK imager, specifying the file format we would use to examine the artifacts. Originally, the four browsers we chose to analyze were Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Apple’s Safari; however, the most recent edition of Safari is unavailable for Windows. The most recent version of Safari for Windows is Safari 5.1.7, which was last updated in 2012. We made the decision instead to use an OS X Yosemite virtual machine to run the most recent version of Safari to guarantee the best results for our report.
Analysis of Incognito Mode Progress
In recent weeks we have advanced greatly in our research. We have finished our data generation, and have begun analyzing our data through FTK 5.5. We intend to analyze the private browser session and the matching public session in order to compare any differences easily. In our brief trial run for Google Chrome’s incognito mode, we were able to find a small number of artifacts in the resulting image in FTK, so we have high hopes that we will have similar findings with our other images. While we have currently obtained private browsing data from Google Chrome, we might have to perform a RAM dump of the VM when it was running the private browsing session in order to find possible artifacts that are lost when a private browsing session has ended.
Please check back to see our progress. We are excited to share our findings with you. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org.