A Forensic Examination of Web Browser Privacy Modes
10 authors, including Josh Edwick (Teesside University).
All content following this page was uploaded by Ben Findlay on 11 May 2021.
Article Info

Keywords: Private browsing; Internet; Digital forensics; Internet history; Investigation

Abstract

Private browsing facilities are part of many mainstream Internet browsing applications and arguably, there is now more awareness of their function and purpose by the average Internet user. As a result the potential for those engaging in malicious and/or illegal browsing behaviours to do so in a ‘privatised’ way is increased. Many private browsing modes are designed to be ‘locally private’, preventing data denoting a user’s browsing actions from being stored on their device. Such actions potentially compromise the availability of any evidential data and provide an investigatory headache. This work documents the examination of 30 web browsers to determine the presence of a ‘private mode’, and where available, the ‘privateness’ of said mode. Our test methodology is documented and results and limitations described for the purpose of open, transparent scrutiny and evaluation from those operating in this area.
1. Introduction

‘Private browsing’ (PB) is a generalised term utilised to reference mechanisms which are designed to prevent a user from having evidence of their web-browsing behaviour stored on their local device. From the outset, it is key to emphasise that in this context, private browsing refers only to those platforms which offer local privacy, and these should be distinguished from applications such as Tor (see https://www.torproject.org/) which also focus on online-privacy, and facilities which prevent remote tracking and monitoring, such as the W3C’s Tracking Preference Expression (aka “Do Not Track”). Dependent on the browser in use, an associated PB facility is referred to in different terminology; ‘incognito mode’ in Chrome, ‘InPrivate’ in Edge and the now unsupported Internet Explorer browser and a ‘private window’ in Firefox.

Arguably, through the increased sensitivity and publicity around privacy protection and the regulation of one’s digital footprint when online, PB technologies are likely to be in more frequent operation on a user’s device. Whilst it remains difficult to attribute definitive usage statistics to such actions, consensus surrounding online privacy provides an insight. In 2016, the use of a PB window was identified as the most popular form of online privacy measure globally [1]. In the United States alone, around 33% of users are reported to utilise PB, where over 70% admit to deleting their Internet History [2]. Whilst media coverage and increased notability of PB services has resulted in both widespread knowledge of it and understanding of its functionality, there remains an assumed assertion that substantial assessments of its local privacy have been undertaken, specifically from the context of a forensic examination. Yet this is not the case, and there is a limited set of academic commentaries which directly address the findability of PB session information following its utilisation. Whilst informal, forensic tool vendors and private organisations often pass comment via blog posts or corporate newsletters (see IntaForensics’s [3] discussion on mobile PB and comments from Magnet Forensics [4]). As a result, there is a gap in formalised knowledge with regards to definitively establishing how truly private PB facilities are.

While this may seem trivial, this lack of clarity has a significant impact on law enforcement forensic investigations and their approaches. Many investigations focus on locally resident data, ranging from traditional ‘dead-analysis’ of devices to Sexual Harm Prevention Orders (SHPO) in England and Wales (replacing previously implemented Sexual Offences Prevention Orders (SOPOs)) under the Sexual Offences Act 2003 (SOA), the latter posing an investigatory challenge with potential significant consequences. This paper provides an analysis of 30 available web browsers to determine their potential PB capabilities. The implemented PB test methodology is discussed in detail and results are presented highlighting those applications which offer a PB function and in turn whether or not it is in fact private, following digital forensic analysis. Finally, discussions and limitations are offered.

* Corresponding author.
E-mail address: [email protected] (G. Horsman).
http://doi.org/10.1016/j.fsir.2019.100036
Received 20 June 2019; Received in revised form 5 September 2019; Accepted 11 September 2019
Available online 14 October 2019
2665-9107/© 2019 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
G. Horsman et al. FSIR 1 (2019) 100036

2. Private browsing

PB is a feature which has long since been on the radar of digital forensic practitioners. The risk it poses is arguably straightforward; any process which operates in a way which is designed to prevent potentially
evidential content being stored on a local device (and therefore findable through examination techniques) raises investigatory concerns. Whilst PB itself has many legitimate uses and is not anti-forensic per se [5], it can be used with anti-forensic intent. Where Internet evidence forms the crux of an investigation, the absence of this content will pose regulatory issues. As a result, determining the extent and success of PB technology supports law enforcement in their approach to digital examinations of Internet content by helping to address the following points.

1 Where PB is suspected of occurring, knowing the success of a particular browser’s PB facility helps to prevent unnecessary data processing (and time wastage) where browsing data does not actually exist on a device.
2 Knowing where PB may ‘leak’ browsing session information improves examination efficiency and prevents this content from being overlooked. This is particularly important where on-scene triage takes place, seen in some cases where a SHPO has been imposed.
3 Effective PB facilities require the acquisition and examination of alternative sources of browser information such as Internet Service Provider logged content.

Private browsing modes have been the focus of much informal commentary and experimentation since their mainstream marketing and implementation. Whilst many academic studies have assessed the ‘privateness’ of these modes, there are arguably fewer studies which provide a definitive decision, backed with a documented transparent test methodology designed to assess a service’s ability to prevent private data being stored from a browsing session.

Research into PB must be continuous as web browser technology continues to develop at a pace as vendors seek to enhance the user experience and functionality for those operating their product. In addition, browser vendors are often reactive to any reported issues present in their software and seek to rectify this with the release of frequent updates. Therefore, both minor and major software updates may lead to PB data leakage if subsequent implementations have compromised its function and gone untested. Furthermore, development of the operating system(s) in which PB are usable may lead to the passive capturing of PB data. As a result, both differing versions of the browser itself and the underlying platforms and operating systems should be continually tested in combination with each other in order to maintain knowledge of the ‘privateness’ of a particular PB application.

2.1. Some existing studies

Satvat et al. [6] provide an insight into the vulnerabilities of private browsing sessions across Firefox, Chrome, Internet Explorer and Safari. The potential for plugin (also termed extension) vulnerabilities is noted, as are limitations with residual data being held in physical memory. In addition, program crashes and manually initiated bookmarking are noted as methods which may cause privacy leaks. Whilst the work did ‘not observe any timestamp change of files under the profile directory after a private browsing session’ it is difficult to infer from this statement alone the effectiveness of the local privacy afforded by these browsers. Testing took place on Mozilla Firefox (19.0), Apple Safari (5.1.7), Google Chrome (25.0.1364.97) and IE (10.0.9200.16521). Chivers’s [7] analysis of Internet Explorer version 10 indicated ‘that InPrivate browsing records can be reliably identified’ on a local machine, particularly where a machine has been powered down during an InPrivate session. Whilst the study provides some insight into the recoverability of private session data, it is confined to a single browser vendor and version. Work by Gabet et al. [8] compared ‘three enhanced privacy web browsers (Dooble, Comodo Dragon and Epic) and three commonly used web browsers in anonymous browsing mode (Chrome, Edge and Firefox)’ with inconclusive results as to which performed better from a privacy perspective. Muir et al. [9] indicate that records of session activity following use of the Tor Browser Bundle can be recovered with a focus noted for the NTUSER.DAT.log transaction log. Yet Jadoon et al.’s [10] study of Tor makes no reference to such potential for recovered artefacts. More bespoke browsers have been targeted in recent work with Wang et al. [11] providing an analysis of the ‘Browsar’ application and [12] tackling ‘Epic Privacy Browser’.

The use of volatile memory is often cited as a location of private browsing history recovery [6,9,13–17], however it is necessary to note that this work does not cover physical memory acquisition and analysis for PB content. Physical memory acquisition is still not common practice at all scenes and as physical memory must be collected before power is removed, in most cases this information may not be available to those investigating PB behaviours. Therefore, as previous works have noted PB content is often in physical memory, this work opts to focus on examining hard disk drive content.

3. Methodology

Whilst studies of singular or small subsets of PB modes have been carried out, this work offers a review of 30 browsers. We have opted for a test platform of Windows 10 due to its wide-spread popularity, with a reported almost 70% market share [18]. All 30 browsers were located using the Google search engine, demonstrating accessibility to those who have a device and Internet connection. Regarding the work carried out, this article offers the following contributions:

1 A defined transparent methodology documenting test actions, the test platform and procedural tasks undertaken as part of the analysis. In doing so, effective scrutiny and evaluation of the work by peers is facilitated, allowing known or unknown constraints to be identified.
2 A benchmark test to determine the privacy of 30 browsers within a set of documented known conditions. It is important to define the circumstances of the tests in order to determine the boundaries of applicability of presented results, and where further testing may be required.

3.1. Context

Whilst there is a need to determine how effective PB services are, it is also necessary to offer context regarding the importance of knowing this information. The two main contexts to consider during a PB investigation are on-scene and in-lab. On-scene triage is often constrained by factors such as limited time and tool-type, which can mean only a targeted (and subsequently limited) approach to finding any potential evidential data is taken [19,20]. In comparison, in-lab processes may provide for the use of more comprehensive examination processes where time and resource constraints may be less (or indeed not relevant). Therefore in the presented experimentation, consideration has been given to the processes which have been implemented as part of digital forensic analysis of PB data in order to replicate both triage and comprehensive procedures.

3.2. Configuration

Table 1 documents the five test search terms and subsequently visited URLs utilised as part of our experimentation process. Prior to testing, our test platform was confirmed as having no instances of these strings present, following preliminary keyword searching to prevent contamination and false positives.

All testing took place using a stock Windows 10 virtual machine (VM) which was installed based on a standard Windows 10 ISO file acquired from the academic software licence portal (https://onthehub.com/). A Windows 10 VM was subsequently prepared in which to perform testing. Once prepared, this VM was forensically imaged and an elimination hash database was produced. The VM was subsequently exported as an appliance (OVA file) in order to deploy elsewhere. The decision to carry out our testing via this method was to ensure a consistent, stock environment across all the browsers being tested.

The stock VM appliance was deployed to each individual laboratory machine and each was assigned a respective web browser to investigate.
Table 2
A breakdown of the results for the 30 chosen browser platforms (Table submitted as separate file).
Columns: Browser | Version | Release date | Active Development? | Download link | Private Function | Is it Private?
… 22 browsers with an operational PB mode for testing. Of these 22 browsers, following testing, five browsers were found to have ‘leaked’ PB session data.

From the five browsers seen to have leaked PB data; Avant, Comodo Dragon, Edge, Epic and Internet Explorer, a breakdown of keyword hit locations for URL information is offered in Table 3 and the number of hits offered in Table 4. It was found that a triage-style keyword search (i.e. a simultaneous search of the evidence with no processing) was successful in recovering positive keyword hits in all cases where the performance of a volume snapshot followed by a keyword search was also successful. Whilst the more comprehensive examination and keyword search often resulted in larger numbers of keyword hits (see Table 4), there were effectively no occasions where evidence was missed by just performing a simultaneous search with no prior processing of the evidence.

4.1. Picture review

In addition to keyword string matching for Internet history records, each case has been carved for the presence of any cached imagery deriving from any of the test browsed websites using Griffeye’s DI Analyze Pro with LACE plug-in. All images were manually reviewed and those relevant highlighted with originating system locations noted in Table 5. It should be noted that whilst five browser tests indicated PB website string data was recoverable, only three browsers (Avant, Epic and Internet Explorer) cached images to the local machine during testing.

5. Analysis and concluding thoughts

We note that the 30 targeted browsers performed as documented within the confines documented in our methodology. As a caveat to the results offered, we feel that they must not be overstated and we cannot go as far as to say that those browsers which performed privately during our tests are confirmed and completely private in all circumstances. The reason for such statements lies with the following points:

1 Our chosen virtual machine platform ‘Virtual Box’ reports limited support for platform hibernation. As a result, it is possible that the browsers may leak PB content to the Hiberfil.sys on non-virtual platforms.
2 The length of time a browsing session takes place for may also be a factor, where both the Hiberfil.sys (as noted above) and system paging via the Pagefile.sys may be forensically valuable. Varying the length of browsing sessions and examining the impact of prolonged PB sessions on potential data leakage is an under-researched area and requires further work within the digital forensic field.
3 The impact of different hardware configurations should also be taken into account where for example, different amounts of system RAM may result in different memory caching processes and subsequent volumes of leakage.
Table 3
A breakdown of the keyword hit locations for URL information for the Avant, Comodo Dragon, Edge, Epic and Internet Explorer browsers (Table submitted as separate file).

Basic: Simultaneous Search

Avant:
  $MFT
  $Logfile
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Cache
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Code Cache\js
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Session Storage
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Local Storage\leveldb
  Freespace

Comodo Dragon:
  \Users\<USERNAME>\AppData\Local\Temp\7ZipSfx.001\ccav_installer.msi

Edge:
  \Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{58D38B7A-81AB-4A8E-ACED-5A32599E789B}.dat

Epic:
  Freespace
  \Users\<USERNAME>\AppData\Local\Epic Privacy Browser\User Data\Default
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Cache
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Media Cache
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Session Storage
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Local Storage\leveldb
  \Windows\System32\sru\SRUDB.dat

Internet Explorer:
  $MFT
  $Logfile
  $Extend\$UsnJournal
  \Users\<USERNAME>\AppData\Local\Microsoft\Windows\INetCache\Low\IE\
  \Users\<USERNAME>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
  \Users\<USERNAME>\AppData\Local\Microsoft\Windows\WebCache
  \Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp
  \Windows\System32\LogFiles\WMI
  \Windows\Temp
  Freespace
4 Virtualisation as a comparable platform raises some questions as whilst it is frequently adopted as a testing platform to combat the difficulty of testing on physical equipment, there remains a gap in research regarding the accuracy of its implementation.

Notwithstanding that there may be external factors such as those described in Muir et al. [9] which result in leakage of PB data to the disc which have not been investigated here, the research conducted here highlights that this leakage does not appear to occur in a virtual environment which does not support virtual memory. The precise cause of the leakage documented in Muir et al. has not been clearly established, however it is immediately apparent that there are 2 common-sense, obvious causes:

A flaw in the browser design and development leading to data being leaked outwards from within, i.e. the browser is to blame
Table 5
A breakdown of the cached image locations for the Avant, Epic and Internet Explorer browsers (Table submitted as separate file).

Browser Name: Location

Avant:
  Freespace
  \Users\<USERNAME>\AppData\Roaming\AvantProfiles\.temp\sessions\132208\webkit\Default\Cache

Epic:
  Freespace
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Cache
  \Users\<USERNAME>\AppData\Local\EpicPrivacyBrowser\UserData\Default\Media Cache

Internet Explorer:
  …\INetCache\Low\IE\
  Freespace

Table 4
A breakdown of the number of keyword hits for test URL information for the Avant, Comodo Dragon, Edge, Epic and Internet Explorer browsers (Table submitted as separate file).
Columns: simultaneous search | volume snapshot + simultaneous search | refine volume snapshot + simultaneous search (per-browser hit counts not recoverable in this copy).
The operating system taking more control over the browser than it should, leading to data being extracted from without, i.e. the operating system is to blame

Either way, the results of this research have assessed and clearly … browser.
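As an added illustration (not the authors' tooling) of the two search modes compared in Section 4, the Python below runs a simultaneous raw keyword search for a test URL in both 8-bit and UTF-16LE form over a constructed 4 KiB image, then attributes each hit to an allocated file run or to free space the way a volume snapshot would, producing locations of the kind listed in Table 3. The URL, the offsets and the cache path are constructed stand-ins, not the paper's Table 1 terms.

```python
"""Simultaneous (no-processing) keyword search over a raw image, then mapping
hits to files via an allocation map. Added illustration of Section 4's two
search modes, not the authors' tooling; the image and map are constructed."""
import re
from dataclasses import dataclass

TEST_URL = "example-test-site.test/page"  # constructed stand-in for a Table 1 URL


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str   # "ascii" or "utf-16le"
    location: str   # allocated file path, or "Freespace"


def keyword_patterns(keyword: str) -> dict:
    """Windows artefacts ($MFT, hives, Edge recovery files) hold strings in
    UTF-16LE as well as 8-bit form, so a raw search must try both."""
    return {"ascii": keyword.encode("ascii"),
            "utf-16le": keyword.encode("utf-16-le")}


def simultaneous_search(image: bytes, keyword: str) -> list:
    """Triage-style pass: scan every byte, no filesystem parsing, case-insensitive."""
    hits = []
    for enc, needle in keyword_patterns(keyword).items():
        for m in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def map_to_locations(hits: list, allocation: list) -> list:
    """'Volume snapshot' step: attribute each offset to an allocated run
    (start, end, path); anything outside every run is unallocated space."""
    out = []
    for off, enc in hits:
        loc = next((p for s, e, p in allocation if s <= off < e), "Freespace")
        out.append(Hit(off, enc, loc))
    return out


def build_sample_image() -> tuple:
    """Constructed 4 KiB image: an $MFT-style record holding the URL in
    UTF-16LE, a cache file holding it upper-cased in ASCII, and a stale copy
    in unallocated space. Returns (image bytes, allocation map)."""
    img = bytearray(4096)
    mft = b"FILE0" + TEST_URL.encode("utf-16-le")
    cache = b"HTTP/1.1 200 OK\r\nLocation: https://" + TEST_URL.upper().encode()
    slack = b"old log line https://" + TEST_URL.encode()
    img[0x000:0x000 + len(mft)] = mft
    img[0x400:0x400 + len(cache)] = cache
    img[0xC00:0xC00 + len(slack)] = slack
    allocation = [(0x000, 0x400, "$MFT"),
                  (0x400, 0x800, r"\Users\<USERNAME>\AppData\Local\Browser\Cache\f_0001")]
    return bytes(img), allocation


def run_demo() -> list:
    image, allocation = build_sample_image()
    return map_to_locations(simultaneous_search(image, TEST_URL), allocation)


if __name__ == "__main__":
    for h in run_demo():
        print(f"0x{h.offset:04x} {h.encoding:9s} {h.location}")
```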
Acknowledgement
References

[1] Statista, Online Privacy Measures of Global Internet Users As of 2nd Quarter 2016.
[3] IntaForensics, intaforensics.com/2016/09/30/ios-10-private-browsing-how-private-is-it/ (Accessed: 26 January 2018), (2016).
[4] Magnet Forensics, …forensic-implications-of-a-person-using-firefoxs-private-browsing/ (Accessed: 26 …).
[5] G. Horsman, D. Errickson, When finding nothing may be evidence of something: anti-…
[7] H. Chivers, Private browsing: a window of forensic opportunity, Digit. Investig. 11 (1) (2014) 20–29.
[8] R.M. Gabet, K.C. Seigfried-Spellar, M.K. Rogers, A comparative forensic analysis of privacy enhanced web browsers and private browsing modes of common web …
[9] M. Muir, P. Leimich, W.J. Buchanan, A Forensic Audit of the Tor Browser Bundle, Digital Investigation, 2019.
[10] A.K. Jadoon, W. Iqbal, M.F. Amjad, H. Afzal, Y.A. Bangash, Forensic Analysis of Tor Browser: A Case Study for Privacy and Anonymity on the Web, Forensic Science International, 2019.
[11] F. Wang, J. Mickens, N. Zeldovich, Veil: private browsing semantics without browser-…, (NDSS) (2018).
[12] A. Reed, M. Scanlon, N.A. Le-Khac, Private web browser forensics: a case study on Epic Privacy Browser, Journal of Information Warfare 17 (1) (2018).
[13] R. Dave, N.R. Mistry, M.S. Dahiya, Volatile memory based forensic artifacts and analysis, Int. J. Res. Appl. Sci. Eng. Technol. 2 (1) (2014) 120–124.
[14] M.J.C. Huang, Y.L. Wan, C.P. Chiang, S.J. Wang, Tor browser forensics in exploring invisible evidence, 2018 IEEE International Conference on Systems, Man, and Cybernetics (SMC), IEEE, 2018, pp. 3909–3914.
[15] D.J. Ohana, N. Shashidhar, Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions, EURASIP J. Inf. Secur. 2013 (1) (2013) 6.
[16] A. Ghafarian, S.A.H. Seno, Analysis of privacy of private browsing mode through memory forensics, Int. J. Comput. Appl. 132 (16) (2015).
[17] A. Case, G.G. Richard III, Memory forensics: the path forward, Digit. Investig. 20 (2017) 23–33.
[18] Statista, Market Share Held by the Leading Computer (desktop/tablet/console) Operating Systems Worldwide From January 2012 to February 2019, (2019). (Accessed: 26 May 2019) https://www.statista.com/statistics/268237/global-market-share-held-by-operating-systems-since-2009/.
[19] S.L. Garfinkel, Digital media triage with bulk data analysis and bulk extractor, Comput. Secur. 32 (2013) 56–72.
[20] G. Horsman, C. Laing, P. Vickers, A case-based reasoning method for locating evidence during digital forensic device triage, Decis. Support Syst. 61 (2014) 69–78.