See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/336534765

A forensic examination of web browser privacy-modes

Article in Forensic Science International Reports · October 2019

DOI: 10.1016/j.fsir.2019.100036

CITATIONS READS

3 210

10 authors, including:

Graeme Horsman Ben Findlay

Teesside University Teesside University
69 PUBLICATIONS 406 CITATIONS 4 PUBLICATIONS 9 CITATIONS

SEE PROFILE SEE PROFILE

Josh Edwick
Teesside University
1 PUBLICATION 3 CITATIONS

SEE PROFILE

All content following this page was uploaded by Ben Findlay on 11 May 2021.

The user has requested enhancement of the downloaded file.

 Forensic Science International: Reports 1 (2019) 100036

Contents lists available at ScienceDirect

Forensic Science International: Reports

journal homepage: www.elsevier.com/locate/fsir

A forensic examination of web browser privacy-modes

Graeme Horsman * , Ben Findlay, Josh Edwick, Alisha Asquith, Katherine Swannell,
Dean Fisher, Alexander Grieves, Jack Guthrie, Dylan Stobbs, Peter McKain
Teesside University, Middlesbrough, Tees Valley, TS1 3BX, United Kingdom

A R T I C L E I N F O A B S T R A C T

Keywords: Private browsing facilities are part of many mainstream Internet browsing applications and arguably, there is now
Private browsing more awareness of their function and purpose by the average Internet user. As a result the potential for those
Internet engaging in malicious and/or illegal browsing behaviours, to do so in a ‘privatised’ way is increased. Many private
Digital forensics
browsing modes are designed to be ‘locally private’, preventing data denoting a user’s browsing actions from being
Internet history
Investigation
stored on their device. Such actions, potentially compromise the availability of any evidential data, provide an
investigatory headache. This work documents the examination of 30 web browsers to determine the presence of a
‘private mode’, and where available, the ‘privateness’ of said mode. Our test methodology is documented and results
and limitations described for the purpose of open, transparent scrutiny and evaluation from those operating in this
area.

1. Introduction Yet this is not the case, and there is a limited set of academic
commentaries which directly address the findability of PB session
‘Private browsing’ (PB) is a generalised term utilised to reference information following its utilisation. Whilst informal, forensic tool
mechanisms which are designed to prevent a user from having evidence of vendors and private organisations often pass comment via blog posts or
their web-browsing behaviour stored on their local device. From the corporate newsletters (see IntaForensics’s [3] discussion on mobile PB
outset, it is key to emphasise that in this context, private browsing refers and comments from Magnet Forensics [4]). As a result, there is a gap in
only to those platforms which offer local privacy, and these should be formalised knowledge with regards to definitively establishing how truly
distinguished from applications such as Tor (see https://www.torproject. private PB facilities are.
org/) which also focus on online-privacy, and facilities which prevent While this may seem trivial, this lack of clarity has a significant impact
remote tracking and monitoring, such as the W3C’s Tracking Preference on law enforcement forensic investigations and their approaches. Many
Expression (aka “Do Not Track”). Dependant on the browser in user, an investigations focus on locally resident data, ranging from traditional
associated PB facility is referred to in different terminology; ‘incognito ‘dead-analysis’ of devices to Sexual Harm Prevention Orders (SHPO) in
mode’ in Chrome, ‘InPrivate’ in Edge and the now unsupported Internet England and Wales (replacing previously implemented Sexual Offences
Explorer browser and a ‘private window’ in Firefox. Prevention Orders (SOPOs)) under the Sexual Offences Act 2003 (SOA),
Arguably, through the increased sensitivity and publicity around the latter posing an investigatory challenge with potential significant
privacy protection and the regulation of one’s digital footprint when consequences. This paper provides an analysis of 30 available web
online, PB technologies are likely to be in more frequent operation on a browsers to determine their potential PB capabilities. The implemented
user’s device. Whilst it remains difficult to attribute definitive usage PB test methodology is discussed in detail and results are presented
statistics to such actions, consensus surrounding online privacy provides highlighting those applications which offer a PB function and in turn
an insight. In 2016, the use of a PB window was identified as the most whether or not it is in fact private, following digital forensic analysis.
popular form of online privacy measure globally [1]. In the United States Finally, discussions and limitations are offered.
alone, around 33% of users are reported to utilise PB, where over 70%
admit to deleting their Internet History [2]. Whilst media coverage and 2. Private browsing
increased notability of PB services has resulted in both widespread
knowledge of it and understanding of its functionality, there remains an PB is a feature which has long since been on the radar of digital
assumed assertion that substantial assessments of its local privacy have forensic practitioners. The risk it poses is arguably straightforward; any
been undertaken, specifically from the context of a forensic examination. process which operates in a way which is designed to prevent potentially

* Corresponding author.
E-mail address: [email protected] (G. Horsman).

http://doi.org/10.1016/j.fsir.2019.100036
Received 20 June 2019; Received in revised form 5 September 2019; Accepted 11 September 2019
Available online 14 October 2019
2665-9107/© 2019 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
G. Horsman et al. FSIR 1 (2019) 100036

evidential content being stored on a local device (and therefore findable such potential for recovered artefacts. More bespoke browsers have been
through examination techniques) raises investigatory concerns. Whilst targeted in recent work with Wang et al. [11] providing an analysis of the
PB itself has many legitimate uses and is not anti-forensic per se [5], it can ‘Browsar’ application and [12] tackling ‘Epic Privacy Browser’.
be used with anti-forensic intent. Where Internet evidence forms the crux The use of volatile memory is often cited as a location of private
of an investigation, the absence of this content will pose regulatory issues. browsing history recovery [6,9,13–17], however it is necessary to note
As a result, determining the extent and success of PB technology supports that this work does not cover physical memory acquisition and analysis
law enforcement in their approach to digital examinations of Internet for PB content. Physical memory acquisition is still not common practice
content by helping to address the following points. at all scenes and as physical memory must be collected before power is
removed, in most cases this information may not be available to those
1 Where PB is suspected of occurring, knowing the success of a particular investigating PB behaviours. Therefore as previous works have noted PB
browser’s PB facility helps to prevent unnecessary data processing (and content is often in physical memory, this work opts to focus on examining
time wastage) where browsing data does not actually exist on a device. hard disk drive content.
2 Knowing where PB may ‘leak’ browsing session information improves
examination efficiency and prevents this content from being over- 3. Methodology
looked. This is particularly important where on-scene triage takes
place, seen in some cases where a SHPO has been imposed. Whilst studies of singular or small subsets of PB modes have been
3 Effective PB facilities require the acquisition and examination of carried out, this work offers a review of 30 browsers. We have opted for a
alternative sources of browser information such as Internet Service test platform of Windows 10 due to its wide-spread popularity, with a
Provider logged content. reported almost 70% market share [18]. All 30 browsers were located
using the Google search engine, demonstrating accessibility to those who
Private browsing modes have been the focus of much informal
have a device and Internet connection. Regarding the work carried out,
commentary and experimentation since their mainstream marketing and
this article offers the following contributions:
implementation. Whilst many academic studies have assessed the
‘privateness’ of these modes, there are arguably less studies which 1 A defined transparent methodology documenting test actions, the test
provide a definitive decision, backed with a documented transparent test platform and procedural tasks undertaken as part of the analysis. In
methodology designed to assess a service’s ability to prevent private data doing so, effective scrutiny and evaluation of the work by peers is
being stored from a browsing session. facilitated, allowing known or unknown constraints to be identified.
Research into PB must be continuous as web browser technology 2 A benchmark test to determine the privacy of 30 browsers within a set
continues to develop at a pace as vendors seek to enhance the user of documented known documented conditions. It is important to
experience and functionality for those operating their product. In define the circumstances of the tests in order to determine the
addition, browser vendors are often reactive to any reported issues boundaries of applicability of presented results, and where further
present in their software and seek to rectify this with the release of testing may be required.
frequent updates. Therefore, both minor and major software updates may
lead to PB data leakage if subsequent implementations have compromised 3.1. Context
its function and gone untested. Furthermore, development of the
operating system(s) in which PB are usable may lead to the passive Whilst the need to determine how effective PB services are, it is also
capturing of PB data. As a result, both differing versions of the browser necessary to offer context regarding the importance of knowing this
itself and the underlying platforms and operating systems should be information. The two main contexts to consider during a PB
continually tested in combination with each other in order to maintain investigation are on-scene and in-lab. On-scene triage is often
knowledge of the ‘privateness’ of a particular PB application. constrained by factors such as limited time and tool-type, which can
mean only a targeted (and subsequently limited) approach to finding
any potential evidential data is taken [19,20]. In comparison, in-lab
2.1. Some existing studies processes may provide for the use of more comprehensive examination
processes where time and resource constraints may be less (or indeed
Satvat et al. [6] provide an insight into the vulnerabilities of private not relevant). Therefore in the presented experimentation, consider-
browsing sessions across Firefox, Chrome, Internet Explorer and Safari. ation has been given to the processes which have been implemented as
The potential for plugin (also termed extension) vulnerabilities are noted, part of digital forensic analysis of PB data in order to replicate both
whilst limitations with residual data being held in physical memory are triage and comprehensive procedures.
noted. In addition, program crashes and manually initiated bookmarking
are noted as methods which may cause privacy leaks. Whilst the work did 3.2. Configuration
‘not observe any timestamp change of files under the profile directory
after a private browsing session’ it is difficult to infer from this statement Table 1 documents the five test search terms and subsequently visited
alone the effectiveness of the local privacy afforded by these browsers. URLs utilised as part of our experimentation process. Prior to testing, our
Testing took place on Mozilla Firefox (19.0), Apple Safari (5.1.7), Google test platform was confirmed as having no instances of these strings
Chrome (25.0.1364.97) and IE (10.0.9200.16521). Chivers’s [7] analysis present, following preliminary keyword searching to prevent contami-
of Internet Explorer version 10 indicated ‘that InPrivate browsing records nation and false positives.
can be reliably identified’ on a local machine, particularly where a All testing took place using a stock Windows 10 virtual machine (VM)
machine has been powered down during an InPrivate session. Whilst the which was installed based on a standard Windows 10 ISO file acquired
study provides some insight into the recoverability of private session data, from the academic software licence portal (https://onthehub.com/). A
it is confined to a single browser vendor and version. Work by Gabet et al. Windows 10 V M was subsequently prepared in which to perform testing.
[8] compared ‘three enhanced privacy web browsers (Dooble, Comodo Once prepared, this VM was forensically imaged and an elimination hash
Dragon and Epic) and three commonly used web browsers in anonymous database was produced. The VM was subsequently exported as an
browsing mode (Chrome, Edge and Firefox)’ with inconclusive results as appliance (OVA file) in order to deploy elsewhere. The decision to carry
which performed better from a privacy perspective. Muir et al. [9] out our testing via this method was to ensure a consistent, stock
indicate that records of session activity following use of the Tor Browser environment across all the browsers being tested
Bundle can be recovered with a focus noted for the NTUSER.DAT.log The stock VM appliance was deployed to each individual laboratory
transaction log. Yet Jadoon et al’s [10]. study of Tor makes no reference to machine and each was assigned a respective web browser to investigate.

2
G. Horsman et al. FSIR 1 (2019) 100036

Table 1 X-Ways Forensics 19.7 to perform a Simultaneous Search (aka keyword

Documented test web browser data (Table submitted as separate file). search covering both standard Ansi, Unicode-UTF8 and Unicode-UTF16
Search Term URL Visited formatted text). This process was done, in order to mimic a triage process
which could be carried out on-scene offender processing, such as those
"blackbag mobilyze" https://www.blackbagtech.com/software-products/mobi-
lyze.html instances where an offender is a managed sex offender. Typically a
"griffeye" https://www.griffeye.com/ Simultaneous Search will provide faster results regarding keyword hits,
"lunastar comic cast" http://lunastar.thecomicseries.com/ but will not effectively handle content which for example has been
"TDFCon" http://www.tdfcon.com/ compressed/encoded etc. Following a basic Simultaneous Search a Refine
"pintofscience" https://pintofscience.co.uk/
Volume Snapshot (aka evidence processing) was completed, followed by
a Simultaneous Search. This process takes longer but provides for a more
comprehensive examination where compressed volumes for example are
Prior to interacting with the VM itself, the web address of each browser uncompressed making them searchable, thereby mimicking a more
was identified on an external machine to limit the searching required comprehensive, in-lab examination.
within the VM itself in order to find and download the relevant browser The digital forensic image was also loaded into Griffeye Analyze DI
installer files. Once installed, each test browser within each VM was used Pro 18.5. The standard processing options, along with the LACE Carver
to execute the same test browsing actions (described in Table 1). A series v.12.8.56, were selected. The previously discussed elimination-hash
of prescribed browsing tasks were carried out in each VM. By performing database was then used to eliminate irrelevant files to allow for more
exactly the same tasks in each VM, this allowed for consistent and reliable efficient and accurate identification of any images of pertinence (Fig. 1).
searching and investigation of the evidence subsequently. The VM was
shutdown following the standard method. The decision to perform a 4. Results
standard, shutdown as opposed to a hard power-off was taken in order to
mimic what was considered to be normal behaviour by a person utilising Table 2 offers an overview of the performance of those browsers
private browsing over a protracted period of time. tested. Of the 30 browsers tested, one was paywalled (Puffin), four
Each VM hard drive (.vmdk) was then forensically imaged into Expert encountered runtime issues (Lynx, Links, Falkon, Konqueror) and three
Witness Format (.E01) for subsequent examination and loaded into did not have PB modes (GreenBrowser, Netsurf and Sleipnir). This left 22

Fig. 1. Methodology used for PB study.

3
G. Horsman et al. FSIR 1 (2019) 100036

Table 2
A breakdown of the results for the 30 chosen browser platforms (Table submitted as separate file).
Browser Version Release date Active Development? Download ink Private Function Is it
Private?

Avant 12.5.0.0 2019-05-18 Yes http://www.avantbrowser.com/download. Yes No

aspx?uil=en
Brave 0.65.118 No Date Yes https://brave.com/ Yes Yes
Chrome 76.0.3789.0 Frequent Yes https://www.google.co.uk/chrome/ Yes Yes
Chromium 76.0.3805 No Date Unknown https://www.chromium.org/getting-involved/ Yes Yes
download-chromium
Comodo IceDragon 64.0.4.15 January 2019 Yes https://browser.comodo.com/ Yes Yes
Comodo Dragon 73.0.3683.75 No Date Yes https://browser.comodo.com/ Yes No
Dooble 1.56e November April 2019 Github https://textbrowser.github.io/dooble/ Yes Yes
2017
Edge 44.17763.1.0 No Date Yes Proprietary Yes No
Epic 62.0.3202.94 No Date Unknown https://www.epicbrowser.com/ Private when No
proxy is on
Falkon 3.1.0  64 No Date No (both x64 and 32 bit will https://www.falkon.org/download/ N/A N/A
not run)
FireFox 67 Frequent Yes https://www.mozilla.org/en-GB/firefox/new/ Yes Yes
GreenBrowser 6.9.1223 Dec 2016 No https://greenbrowser.en.softonic.com/ No N/A
IE 11.55.17763.0 No Date No Proprietary Yes No
Konqueror N/A N/A N/A https://konqueror.org/ N/A N/A
Links Flagged as Flagged as Flagged as malicious http://links.twibright.com/ N/A N/A
malicious malicious
Lynx 2.8.9 2018 Will not run on Windows 10 https://lynx.invisible-island.net/current/ N/A N/A
#major_docs
Maxthon 5.2.7.2000 2018 Yes http://www.maxthon.com/mx5/ Yes Yes
Midori 0.5.11 No Date Yes https://www.midori-browser.org/download/ Yes Yes
Netsurf 3.8 2017 no (last reported update in https://www.netsurf-browser.org/ No N/A
2018)
Opera 15 4-1-2019 Yes https://www.opera.com/download Yes Yes
Pale Moon 28.5.0 April 2019 Yes https://www.palemoon.org/ Yes Yes
Puffin Paywalled Paywalled Paywalled https://www.puffin.com/ N/A N/A
Seamonkey 2.49.4 July 2018 no (last reported update in https://www.seamonkey-project.org/releases/ Yes Yes
2018)
Sleipnir 6.3.7 Unknown Unknown https://sleipnir.en.softonic.com/ No N/A
SlimJet 22.0.4.0 No Date last reported update in https://www.slimjet.com/ Yes Yes
March 2019
Tor Browser 60.7.0esr No Date Yes https://www.torproject.org/download/ Yes Yes
(64bit)
Torch 65.0.0.1617 No Date Yes https://torchbrowser.com/tour Yes Yes
(32 bit)
UC Browser 7.0.185.1002 2018 Yes https://www.ucweb.com/ Yes Yes
Vivaldi 2.5.1525.46 No Date Yes https://vivaldi.com/features/ Yes Yes
WaterFox 56.2.10 No Date Yes https://www.waterfox.net/releases/ Yes Yes

browsers with an operation 22 PB mode for testing. Of these 22 browsers, and Internet Explorer) cached images to the local machine during
following testing, five browsers were found to have ‘leaked’ PB session testing.
data.
From the five browsers seen to have leaked PB data; Avant, Comodo 5. Analysis and concluding thoughts
Dragon, Edge, Epic and Internet Explorer, a breakdown of keyword hit
locations for URL information is offered in Table 3 and the number of We note that the 30 targeted browsers performed as documented
hits offered in Table 4. It was found that a triage-style keyword search within the confines documented our methodology. As a caveat to the
(i.e. a simultaneous search of the evidence with no processing) was results offered, we feel that they must not be overstated and we cannot go
successful in recovering positive keyword hits in all cases where the as far as to say that those browsers which performed privately during our
performance of a volume snapshot followed by a keyword search was tests are confirmed and completely private in all circumstances. The
also successful. Whilst the more comprehensive examination and reason for such statements lie with the following points:
keyword search often resulted in larger numbers of keyword hits (see
Table 4), there were effectively no occasions where evidence was 1 Our chosen virtual machine platform ‘Virtual Box’ reports limited support
missed by just performing a simultaneous search with no prior for platform hibernation. As a result, it is possible that the browsers may
processing of the evidence. leak PB content to the Hiberfil.sys on non-virtual platforms.
2 The length of time a browsing session takes place for may also be a
4.1. Picture review factor, where both the Hiberfil.sys (as noted above) and system paging
via the Pagefile.sys may be forensically valuable. Varying the length of
In addition to keyword string matching for Internet history records, browsing sessions and examining the impact of prolonged PB sessions
each case has been carved for the presence of any cached imagery deriving on potential data leakage is an under-researched area and requires
from any of the test browsed websites using Griffeye’s DI Analyze Pro with further work within the digital forensic field.
LACE plug-in. All images were manually reviewed and those relevant 3 The impact of different hardware configurations should also be taken
highlighted with originating system locations noted in Table 5. into account where for example, different amounts of system RAM may
It should be noted that whilst five browser tests indicated PB result in different memory caching processes and subsequent volumes
website string data was recoverable, only three browsers (Avant, Epic of leakage.

4
G. Horsman et al. FSIR 1 (2019) 100036

Table 3
A breakdown of the keyword hit locations for URL information for the Avant, Comodo Dragon, Edge, Epic and Internet Explorer browsers (Table submitted as separate
file).
Basic:- Simulataneous Search

Browser Name Location

Avant $MFT
$Logfile
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Cache
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Code Cache\js
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Session Storage
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Local Storage\leveldb
Freespace
Comodo Dragon \Users\<USERNAME>\AppData\Local\Temp\7ZipSfx.001\ccav_installer.msi
Edge \Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{58D38B7A-
81AB-4A8E-ACED-5A32599E789B}.dat
Epic Freespace
\Users\<USERNAME>\AppData\Local\Epic Privacy Browser\User Data\Default
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Cache
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Media Cache
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Session Storage
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Local Storage\leveldb
\Windows\System32\sru\SRUDB.dat
Internet Explorer $MFT,
$Logfile
$Extend\$UsnJournal
\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\Low\IE\
\Users\<USERNAME>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
\Users\<USERNAME>\AppData\Local\Microsoft\Windows\WebCache
\Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp
\Windows\System32\LogFiles\WMI
\Windows\Temp
Freespace

Advanced:- Refine Volume Snapshot

Browser Name Location
Avant $MFT
$Logfile
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\ Web Data
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Cache
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Code Cache\js
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\History
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Session Storage
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Local Storage\leveldb
Freespace
Comodo Dragon \Users\<USERNAME>\AppData\Local\Temp\7ZipSfx.001\ccav_installer.msi
Edge \Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{58D38B7A-
81AB-4A8E-ACED-5A32599E789B}.dat
Epic Freespace
\Users\<USERNAME>\AppData\Local\Epic Privacy Browser\User Data\Default
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Cache
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Media Cache
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Session Storage
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Local Storage\leveldb
\Windows\System32\sru\SRUDB.dat
Internet Explorer $MFT
$Logfile
$Extend\$UsnJournal
\Users\<USERNAME>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
\Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\Low\IE\
\Users\<USERNAME>\AppData\Local\Microsoft\Windows\WebCache
\Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp
\Windows\System32\LogFiles\WMI
\Windows\Temp
Freespace

4 Virtualisation as a comparable platform raises some questions as whilst highlights that this leakage does not appear to occur in a virtual
it is frequently adopted as a testing platform to combat the difficulty of environment which does not support virtual memory. The precise cause of
testing on physical equipment, there remains a gap in research the leakage documented in Muir et al. has not been clearly established,
regarding the accuracy of its implementation. however it is immediately apparent that there are 2 common-sense,
obvious causes:
Notwithstanding that there may be external factors such as those
described in Muir et al. [9] which result in leakage of PB data to the disc  A flaw in the browser design and development leading to data being
which have not been investigated here, the research conducted here leaked outwards from within, i.e. the browser is to blame

5
G. Horsman et al. FSIR 1 (2019) 100036

Table 5

volume snapshot
A breakdown of the cached image locations for the Avant, Epic and Internet

+ simultaneous
Explorer browsers (Table submitted as separate file).
Epic:- refine
Browser Name Location

search

725
250
450
100
100
900
424

341
Avant Freespace

88

62
72
\Users\<USERNAME>\AppData\Roaming\AvantProfiles\.
temp\sessions\132208\webkit\Default\Cache
simultaneous

Freespace
Epic Freespace
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser
search
Epic:-

\UserData\Default\Cache
721
250
445

900
420

337
88
96

71

58
72
\Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser
\UserData\Default\Media Cache
A breakdown of the number of keyword hits for test URL information for the Avant, Comodo Dragon, Edge, Epic and Internet Explorer browsers (Table submitted as separate file).

Internet Explorer \Users\<USERNAME>\AppData\Local\Microsoft\Windows

volume snapshot

\INetCache\Low\IE\
+ simultaneous

Freespace
Edge:- refine

search

27
28
22
20
22
29
11

8
8

8
5

 The operating system taking more control over the browser than it
simultaneous

should, leading to data being extracted from without, i.e. the operating
system is to blame
search
Edge:-

27
28
22
20
22
29
11

Either way, the results of this research have assessed and clearly
8
8

8
5

demonstrate the effectiveness of the PB function itself within each

Comodo Dragon:- refine

browser.
+ simultaneous search
volume snapshot

Declaration of Competing Interest

There are no conflicts of interest to report.

107

26

28

Acknowledgement
0

0
0
0

0
0

0
0
simultaneous

We would like to acknowledge the School of Science, Engineering &

Design for their support in running this event at Teesside University.
Dragon:-
Comodo

search

References
8
0
1
0
0
0
1

0
0

0
0
refine volume snapshot

[1] Statista, Online Privacy Measures of Global Internet Users As of 2nd Quarter 2016
+ simultaneous search

Available at: https://www.statista.com/statistics/617422/online-privacy-measures-

Internet Explorer:-

worldwide/ (Accessed: 26 May 2019), (2016) .

[2] Statista, Which of These Measures Do You Take With Regard to Your Online Privacy?
Available at: https://www.statista.com/statistics/714130/us-online-usage-privacy-
measures-usage/ (Accessed: 26 May 2019), (2017) .
[3] IntaForensics, IOS 10 Private Browsing: How Private Is It? Available at: https://www.
1395
944
886
351
490
377
482

268
130

156
232

intaforensics.com/2016/09/30/ios-10-private-browsing-how-private-is-it/
(Accessed: 26 January 2018), (2016) .
Browser Processing and Subsequent Number of Keyword Hits

[4] Magnet Forensics, Forensic Implications of a Person Using Firefox’s “Private

Browsing” Available at: https://www.magnetforensics.com/computer-forensics/
simultaneous

forensic-implications-of-a-person-using-firefoxs-private-browsing/ (Accessed: 26
Explorer:-

May 2019), (2013) .

Internet

search

[5] G. Horsman, D. Errickson, When finding nothing may be evidence of something: anti-
1383
916
879
349
490
319
482

268
128

156
200

forensic and digital tool marks, (Sci. Justice (2019) .

[6] K. Satvat, M. Forshaw, F. Hao, E. Toreini, On the privacy of private browsing–a forensic
approach, Data Privacy Management and Autonomous Spontaneous Security,
Springer, Berlin, Heidelberg, 2014, pp. 380–389.
volume snapshot

[7] H. Chivers, Private browsing: a window of forensic opportunity, (Digit. Investig. 11 (1)
+ simultaneous

(2014) 20–29.
Avant:- refine

[8] R.M. Gabet, K.C. Seigfried-Spellar, M.K. Rogers, A comparative forensic analysis of
privacy enhanced web browsers and private browsing modes of common web
search

browsers, (Int. J. Electron. Secur. Digit. Forensics 10 (4) (2018) 356–371.

1462

1192
483
936
172
182

954

720
117

107
178

[9] M. Muir, P. Leimich, W.J. Buchanan, A Forensic Audit of the Tor browser Bundle,
Digital Investigation, 2019.
[10] A.K. Jadoon, W. Iqbal, M.F. Amjad, H. Afzal, Y.A. Bangash, Forensic Analysis of Tor
simultaneous

Browser: A Case Study for Privacy and Anonymity on the Web, Forensic Science
International, 2019.
[11] F. Wang, J. Mickens, N. Zeldovich, Veil: private browsing semantics without browser-
Avant:-

search

1024

side assistance, (Proceedings of Network and Distributed System Security Symposium

276
618
143
144
642
642

487

121
96

96

(NDSS) (2018) .
[12] A. Reed, M. Scanlon, N.A. Le-Khac, Private web browser forensics: a case study on epic
privacy browser, (Journal of Information Warfare 17 (1) (2018) .
blackbagtech.

pintofscience.
pintofscience

griffeye.com
comicseries.

[13] R. Dave, N.R. Mistry, M.S. Dahiya, Volatile memory based forensic artifacts and
tdfcon.com

co.uk

analysis, (Int. J. Res. Appl. Sci. Eng. Technol. 2 (1) (2014) 120–124.
mobilyze
blackbag

com

com
Browser

lunastar
griffeye
Table 4

tdfcon

[14] M.J.C. Huang, Y.L. Wan, C.P. Chiang, S.J. Wang, October. Tor browser forensics in
exploring invisible evidence, 2018 IEEE International Conference on Systems, Man,
and Cybernetics (SMC), IEEE, 2018, pp. 3909–3914.

6
G. Horsman et al. FSIR 1 (2019) 100036

[15] D.J. Ohana, N. Shashidhar, Do private and portable web browsers leave incriminating (Accessed: 26 May 2019) https://www.statista.com/statistics/268237/global-
evidence?: a forensic analysis of residual artifacts from private and portable web market-share-held-by-operating-systems-since-2009/.
browsing sessions, (EURASIP J. Inf. Secur. 2013 (1) (2013) 6. [19] S.L. Garfinkel, Digital media triage with bulk data analysis and bulk extractor,
[16] A. Ghafarian, S.A.H. Seno, Analysis of privacy of private browsing mode through (Comput. Secur. 32 (2013) 56–72.
memory forensics, (Int. J. Comput. Appl. 132 (16) (2015) . [20] G. Horsman, C. Laing, P. Vickers, A case-based reasoning method for locating
[17] A. Case, G.G. Richard III, Memory forensics: the path forward, (Digit. Investig. 20 evidence during digital forensic device triage, (Decis. Support Syst. 61 (2014)
(2017) 23–33. 69–78.
[18] Statista, Market Share Held by the Leading Computer (desktop/tablet/console)
Operating Systems Worldwide From January 2012 to February 2019, (2019) .

View publication stats