
Private Browsing: A Window of Forensic Opportunity

Date post: 30-Nov-2014
Upload: aung-thu-rha-hein
Description:
This is a seminar presentation, and the paper was selected because of its close relation to my research.
Transcript
Page 1: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A Window of Forensic Opportunity [1]

Howard Chivers Presented by Aung Thu Rha Hein (g5536871)

[1] H. Chivers, Dept. of Computer Science, University of York, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.

Page 2: Private Browsing: A Window of Forensic Opportunity

Outline

■ Introduction
■ Background
  ○ Digital Forensic
  ○ Browser Architecture
  ○ Private Browsing
■ Private Browsing: A window of Forensic Opportunity
■ Conclusion
■ References

Page 3: Private Browsing: A Window of Forensic Opportunity

Introduction
Motivation

■ The browser is the most used application
■ Digital artifacts from browsers are valuable
■ Private browsing becomes a barrier in forensic analysis

Page 4: Private Browsing: A Window of Forensic Opportunity

Introduction
Problem Statements

■ Is it possible to discover digital artifacts from private browsing sessions?
■ Different browsers have different architecture…
■ Is it possible to develop a common forensic methodology for all browsers?

Page 5: Private Browsing: A Window of Forensic Opportunity

Introduction
Research Objectives

■ To analyze the possibility of browser forensics
■ To measure the privacy level & capability of private browsing
■ To propose a methodology for analyzing public & private browsing artifacts

Page 6: Private Browsing: A Window of Forensic Opportunity

Background
Digital Forensic

■ Basic methodology
■ 3 methodologies & the detailed process varies
  ○ Basic Forensic Methodology
  ○ Cyber Tool Online Search For Evidence (CTOSE)
  ○ Data Recovery UK (DRUK)

Page 7: Private Browsing: A Window of Forensic Opportunity

Background
Browser Architecture

Page 8: Private Browsing: A Window of Forensic Opportunity

Background
Browser Architecture/2

Page 9: Private Browsing: A Window of Forensic Opportunity

Background
Private Browsing

■ no traces of browsing activity after the session ends
■ architecture and capability vary from browser to browser
■ Goal & Threat model:
  ○ Local attackers
  ○ Web attackers

Page 10: Private Browsing: A Window of Forensic Opportunity

Background
Private Browsing/2

Table columns: Browser (Private Mode); Private Browsing Indicator; Browsing History; Usernames/Email accounts; Images Videos

IE 8.0: X
Google Chrome 23.0.1271.95: X X
Mozilla Firefox 17.0.1: X X
Apple Safari 5.1.7: X X

[1] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.

Page 11: Private Browsing: A Window of Forensic Opportunity

Background
Related Works

[1] Keith J. Jones, “Forensic Analysis of Internet Explorer Activity Files,” 2003.

[2] Gaurav Aggarwal and Collin Jackson, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Security Symposium, 2010.

[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.

Page 12: Private Browsing: A Window of Forensic Opportunity

Background
Related Works/2

[4] H. Said, N. Al Mutawa, I. Al Awadhi, and M. Guimaraes, “Forensic analysis of private browsing artifacts,” in 2011 International Conference on Innovations in Information Technology (IIT), 2011, pp. 197–202.

[5] D. J. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions,” 2013, pp. 135–142.

[6] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation, 2013.

Page 13: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity

Page 14: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity

Objectives

■ Forensic capability of IE 10’s InPrivate browsing
■ Architecture changes in IE 10
  ○ replaces binary historical formats with a new database technology, the Extensible Storage Engine (ESE)
■ To study the internal behaviour of InPrivate browsing

Page 15: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/2

Extensible Storage Engine (ESE)

■ allows applications to retrieve data via Indexed & Sequential Access

[Figure: The Propagation of Transaction Data into Disk Files]

Page 16: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/3
HTTP/HTML Data Storage

■ each data type is stored in separate database tables
■ also separated by integrity level (private or public)

Data Type: Description
Cookies: maintain stages of HTTP exchanges
Web Storage: allows storing name:value data
Indexed Database Storage: stores large arbitrary objects with indexes (internet.edb)

Page 17: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/4

Method

■ 3 InPrivate experiments: a scoping exercise, a controlled comparison with ample system memory & a mixed load scenario

[Figure: method workflow diagram; labels: VMWARE, Windows 8 pro, IE 10.0.9.., FTK Imager, E01.img, ESECarve, python script, Result, Analyzed Result]

Page 18: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/5
Browser Data Structures

■ \Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache
■ contains the containers table
■ index to container_nn
■ Metro apps have several containers

Page 19: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/6
Identifying InPrivate Browsing records

■ records are stored in the same database
■ identify private browsing records by marker (type field)
■ browsing records are deleted after the session is over
■ records still remain in the log file (xxx.log)
■ log files are removed when the browser opens again

Page 20: Private Browsing: A Window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity/7
Recovery Success

[Figure: Disk Map of Recovered InPrivate browsing records]

Page 21: Private Browsing: A Window of Forensic Opportunity

Conclusion

■ research works on browser forensic
■ possibility of forensic analysis on private browsing
■ InPrivate browsing and internal behaviour

Thank You & Questions?

Page 22: Private Browsing: A Window of Forensic Opportunity

Reference
Research papers

[1] H. Chivers, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.

[2] G. Aggarwal and E. Bursztein, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Secur. …, 2010.

[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.

[4] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.

Page 23: Private Browsing: A Window of Forensic Opportunity

Reference
Web Resources

1. http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/#The_browsers_we_will_talk_about

2. https://archrometects.files.wordpress.com/2009/10/assignment-01-conceptual-architecture-of-google-chrome-archrometects.pdf

3. http://www.chromium.org/developers/design-documents

4. https://docs.google.com/document/d/1aBYEBd4b70YThMbuYskLIIyxltwlNxJTae89F1ULGcc/edit?usp=sharing

