The missing privacy of private browsing

This is a draft of a conference paper, dealing with the traces left behind ‘private browsing’ sessions in popular browsers. Authors: Daniel Beravi, Mallory Coeur and Alexander Kent

Department of Computer and Systems Sciences

Cyber Forensics, Advanced Course


Abstract

All popular modern web browsers include a private browsing feature, offering to hide the traces of the user’s web browsing session. This feature is interesting from an e-discovery point of view as it can be considered a simple anti-forensic method. In this paper we explore the traces left on the local machine after a private browsing session has been performed. We explore the traces left by current versions of four of the most popular web browsers on a Windows 7 64bit system. In our tests three of the four browsers leave some evidence of the private browsing activity.

Keywords

private, browsing, e-discovery, traces


Table of Contents

Introduction
Background
Research Problems
Project Method
  Configuring the base testing environment
  Identifying Browsing Artifacts
  Compare browser states with FTK
  Examine the files in the virtualized images
Results and Analysis
  Chrome Incognito
  Internet Explorer InPrivate
  Firefox Private Browsing
  Opera Private Browsing
  Downloaded Files
  Flash Plug-ins
  Java
  Other Findings
Conclusions
Future Research
References


Introduction

Private browsing modes are a feature in all popular web browsers. With so much everyday computing activity taking place within the web browser, the artifacts the browser produces on local storage can be of very high importance in an e-discovery situation. We propose to explore the artifacts left by popular web browsers, to identify whether a private browsing session has taken place and to recover the activities performed within that session. We intend to explore what traces of the ‘private’ browsing experience are left on the local machine, and whether it is possible to identify that private browsing has been performed on a system recently.

The issue of online privacy has recently caught the attention of the media and the general public. Stories in the popular media highlight the tracking behavior of Facebook and Google (USA Today, 2011) (The Economist, 2012). It is also an area of lively discussion in media and technology circles, with technical and policy proposals for a ‘do not track’ web header (Do Not Track, 2011). It is also being legally defined by the European Commission: European law requiring websites to obtain informed consent from users before storing web cookies will soon come into effect (Information Commissioner’s Office, 2012).

Background

Private browsing features are marketed for benign purposes (buying gifts, preparing surprises), but a criminal might see private browsing as a convenient way to cover their tracks. In such a situation we can consider private browsing a simple anti-forensic method. These features typically claim not to record the user’s browsing history, cookies from visited sites, search history and other evidence of the browsing activity (Ulmer, 2010). A study (Aggarwal et al., 2010) found a significant disparity between the vendors’ marketing of private browsing and how users actually use it; usage data show a heavy bias toward adult content. Private browsing may be considered ‘mild’ as an anti-forensic method, but its ubiquitous availability and high UI visibility in web browsers make it more likely to be used than other, more involved methods.

Private browsing was originally introduced in Safari in 2005; since then all of the popular desktop browsers (w3counter, 2012) have introduced a similar feature. The private browsing features affect the recording behavior of the web browser: history of pages visited, search history, information filled into forms, cookies and other mechanisms that allow a site to store data on a user’s machine. It is important to note that this does not usually affect the network behavior of the browser; traces of browsing activity will still exist within the network (DNS cache, proxy servers, web and application servers, switches and routing equipment). Despite wide implementation of a private browsing feature, there is no consensus between browser vendors as to what the goals of private browsing should be (Aggarwal et al., 2010). This inconsistency largely affects the remote aspects of privacy and, by extension, the ability of visited websites to track users. We have observed, for instance, that Internet Explorer will still send cookies stored locally to sites requesting them whilst the browser is in private mode, whereas Chrome will not send cookies stored during non-private browsing to sites visited during private browsing.


Browser plug-ins and extensions are also important to consider, as their position in the browser makes them a potential break in the privacy of private browsing. Extensions typically have access to every URL visited by the user. Additionally, extensions may contain native code, which limits analysis of their behavior (Aggarwal et al., 2010). Some plug-ins, such as Adobe Flash Player, offer their own systems for storing cookie-like data on the user’s machine. In versions prior to 10.1 the Flash Player plug-in did not change behavior when the host browser was in private mode; Flash local storage and caching were still available and used. Since version 10.1 Adobe Flash Player has recognized private browsing modes in host browsers (Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari) (Adobe Systems, 2010). Upon identifying that the host browser is running in a private browsing mode, the Flash plug-in will itself stop locally storing cookie databases and caching site data (Xu, 2010).

Similar research has been performed before (Said et al., 2011; Mahendrakar et al., 2010; Aggarwal et al., 2010). We believe our research is of value as the browser and operating system landscape changes rapidly: two of these papers investigate behavior under Windows XP, and each browser we test has had at least one major version release since the previous research.

Research Problems

We propose two complementary research questions:

1. Can we develop a method to identify if Private Browsing has taken place on a system under investigation?
2. How much information about the Private Browsing session can we recover?

Evidence of the existence of private browsing is interesting in the context of e-discovery, first because it informs the investigator that there is more information to be found, but also because, as with finding ‘Evidence Eliminator’ software on a computer under investigation, evidence of private browsing implies the user is trying to hide something. We limit our study to a specific scenario: the evidence that can be gathered from a computer recovered in a powered-down state. We examine the contents of the hard disk to find evidence of the private browsing session.

Project Method

For this paper we considered just the local machine. We tested Firefox, Internet Explorer, Opera and Chrome under the Windows 7 operating system running within a virtualized environment.


We performed our research in the following steps:

1. Configure a base testing environment
2. Load the disk images into FTK
3. Analyze the images in FTK and report the results

Configuring the base testing environment

We created a virtual machine in the VirtualBox virtualization environment. The virtual machine was assigned 3GB of RAM and two processor cores. We created a blank 25GB disk image for our virtual machine, formatted as NTFS, on which we installed Windows 7 Professional 64bit. Once the Windows installation was complete we installed the browsers and plug-ins. Software versions installed:

- Windows 7 64bit SP1
- IE 9.0.8112.16421
- Firefox 12.0
- Google Chrome 19.0.1084.46
- Opera 11.64
- Flash plugin 11.2.202.235
- Adobe Reader plugin 10.1.3

Once all software was installed and patched to current versions (as of 19/5/2012), the virtual machine was shut down. The state of the machine at this point is our ‘base state’ for later comparison; this image is not booted up or manipulated in any way afterwards. The base .vdi disk image was then duplicated once for each browser under test, retaining the original ‘base’ image untouched for comparison.

Identifying Browsing Artifacts

Open each browser-specific VM in turn and perform a predefined script of browsing steps in Private Browsing / Incognito / InPrivate mode. For each step the key browsing artifact expected is identified in square brackets [].

1. Log in to email:
   a. https://mail.google.com, account: [email protected] (password: cyfoproject) [SSL Certificate and Cookie]
2. Open some email messages:
   a. Message 1: read the message and open the attached PDF in the browser [PDF Plug-in]
   b. Message 2: read the message and download the attached .zip file (trash the .zip file after it is 100% downloaded) [File Download]
   c. Reply to message 2 with “that’s great i have been looking for these papers !” [Form Input]
3. Log out of Gmail
4. http://maps.bing.com
   - Search “Sykyvtvar” [Form Input]
   - Zoom in and browse around [Map Tiles Cached]
5. http://html5demos.com/database [HTML5 Local Database]
6. http://html5demos.com/storage [HTML5 Local Storage]
7. http://www.kongregate.com/games/Ironhidegames/kingdom-rush [Flash Plug-in]
8. http://java.sun.com/applets/jdk/1.4/demo/applets/NervousText/example1.html [Java]
9. Make some searches in the browser search bar (not on the web page) [Browser Search History]:
   a. “how to keep secrets”
   b. “private browsing”

After the browsing script was completed, the browser application was closed and the virtual machine shut down. The resulting VM states are the browser comparison states.

Compare browser states with FTK

VirtualBox VM disk images (.VDI) were converted to raw disk image format (.DD) using the vboxmanage.exe utility. It is important to note that this utility is officially ‘unsupported’, so its validity as a forensic tool needs verifying. These disk images were then added as evidence in FTK 3.4.1 for analysis.

Examine the files in the virtualized images

We predominantly used keyword searching to find evidence of the private browsing. This was augmented and validated by comparing file attributes between the browser VM disks and the base image.
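The script below is an added example, not the paper’s own tooling (the authors used FTK). It automates the two halves of the method just described: a differential comparison of a browser image against the untouched base image, followed by a keyword search restricted to the files that the browsing session created or changed, with each term searched both as UTF-8 and as UTF-16LE. The directory trees, file names and contents it builds are constructed for the demonstration; in a real case `base_root` and `image_root` would be the two images mounted read-only.

```python
"""Differential keyword triage of a browser image against the untouched base image.

Added example, not code from the paper. The sample trees, file names and contents
built by build_sample_trees() are constructed for the demonstration only.
"""
import hashlib
import tempfile
from pathlib import Path

# Terms the scripted session is known to have produced (taken from the test scenario).
KEYWORDS = ["Incognito-database", "Sykyvtvar", "how to keep secrets", "private browsing"]


def file_digest(path):
    """SHA-256 of a file, read in 1 MiB chunks so large cache files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_files(base_root, image_root):
    """Return (new, modified): relative POSIX paths of files in image_root that are
    absent from base_root, or present in both but differing by content hash."""
    base_root, image_root = Path(base_root), Path(image_root)
    base_files = {p.relative_to(base_root).as_posix(): p
                  for p in base_root.rglob("*") if p.is_file()}
    new, modified = [], []
    for p in image_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(image_root).as_posix()
        if rel not in base_files:
            new.append(rel)
        elif file_digest(p) != file_digest(base_files[rel]):
            modified.append(rel)
    return sorted(new), sorted(modified)


def keyword_hits(data, keywords):
    """Find every occurrence of each keyword in raw bytes, as UTF-8 and as UTF-16LE.
    NTFS metadata ($LogFile, $MFT) and IE's index.dat store many strings as UTF-16LE,
    so an ASCII-only search silently misses them. Returns (keyword, encoding, offset)."""
    hits = []
    for kw in keywords:
        for enc in ("utf-8", "utf-16-le"):
            needle = kw.encode(enc)
            start = data.find(needle)
            while start != -1:
                hits.append((kw, enc, start))
                start = data.find(needle, start + 1)
    return hits


def triage(base_root, image_root, keywords=KEYWORDS):
    """Keyword-search only the files that the browsing session created or changed."""
    new, modified = changed_files(base_root, image_root)
    report = {}
    for rel in new + modified:
        hits = keyword_hits((Path(image_root) / rel).read_bytes(), keywords)
        if hits:
            report[rel] = hits
    return {"new": new, "modified": modified, "hits": report}


def build_sample_trees(root):
    """Constructed stand-ins for the mounted base and Chrome images (invented content)."""
    base, img = Path(root) / "base", Path(root) / "chrome"
    for tree in (base, img):
        (tree / "Windows").mkdir(parents=True)
        # Identical in both images: must not show up as new or modified.
        (tree / "Windows" / "win.ini").write_bytes(b"; for 16-bit app support\r\n")
    # NTFS journal: present in both, but the browser image's copy carries a
    # UTF-16LE file-name reference that an ASCII search would not find.
    (base / "$LogFile").write_bytes(b"\x00" * 64)
    (img / "$LogFile").write_bytes(
        b"\x00" * 16 + "Incognito-database".encode("utf-16-le") + b"\x00" * 16)
    # A cache file that exists only in the browser image.
    cache = img / "Users" / "cyfo" / "AppData" / "Local" / "Opera" / "cache" / "dcache4.url"
    cache.parent.mkdir(parents=True)
    cache.write_bytes(b"http://maps.bing.com/?q=Sykyvtvar\r\n")
    return base, img


def run_demo():
    """Build the sample trees in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as scratch:
        base, img = build_sample_trees(scratch)
        return triage(base, img)


if __name__ == "__main__":
    result = run_demo()
    print("new files:", result["new"])
    print("modified files:", result["modified"])
    for rel, hits in result["hits"].items():
        for kw, enc, off in hits:
            print(f"{rel}: '{kw}' as {enc} at offset {off}")
```

The point of the dual encoding is the one that matters for the ‘$LogFile’ and ‘index.dat’ findings below: a hit for ‘Incognito-database’ only appears when the needle is encoded as UTF-16LE, so a keyword list run in a single encoding (or a search that skips files also present in the base image) would report nothing. The same applies when using FTK: include Unicode in the live search rather than ANSI only.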

Results and Analysis

Chrome Incognito

In the NTFS ‘$LogFile’ (the file system’s transaction journal) at the root level of the Chrome.dd disk image we found references to ‘Incognito-database’. These appear to flag that Incognito mode has been used.

Internet Explorer InPrivate

Deleted temporary internet files relating to the InPrivate browsing session were found.

These files were found in the common ‘Temporary Internet Files’ folder:

- Cached .htm files
- Search terms
- SWF files
- index.dat

When the recovered files are ordered by creation time, the first temporary internet file is the ‘InPrivate is turned on’ alert page displayed when the InPrivate window opens. This identifies the moment the user began their private browsing session.

The index.dat file describing the contents of this cache folder contains only the marker ‘[IE Empty Cache]’, but its file-modified timestamp matches the moment the InPrivate browsing window was closed (and thus the session ended).

Firefox Private Browsing

No traces found.

Opera Private Browsing

The search terms entered while private browsing were found in the ‘dcache4.url’ file in an Opera cache folder. No other traces of the private browsing session were found.

Downloaded Files

Traces of the deleted downloaded files were found on each browser VM image. For example, ‘$RBWQQ80.rar’ was found in the $Recycle.Bin on Chrome.dd. This is not a surprise: as the files have been explicitly downloaded by the user, they must be written to the user’s local storage. That they are then deleted just renders them in the same state as any other deleted file: easily recoverable until those blocks on the disk are overwritten.
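Where a download has gone through the Recycle Bin, as with the ‘$RBWQQ80.rar’ data file above, Windows Vista and 7 write a companion ‘$I’ record with the same identifier (here ‘$IBWQQ80.rar’) in the same $Recycle.Bin sub-folder, holding the file’s original path, size and deletion time. The parser below is an added example, not part of the paper (which relied on FTK); the sample record, the original path ‘C:\Users\cyfo\Downloads\papers.rar’, its size and its deletion time are all constructed for the demonstration.

```python
"""Parse Windows Recycle Bin $I metadata records (Vista and later).

Added example, not code from the paper. When a file is sent to the Recycle Bin,
Explorer renames the data to $R<id>.<ext> and writes a companion $I<id>.<ext>
record holding the original path, size and deletion time. The sample record built
below (path, size, timestamp) is constructed for demonstration only.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_bin_info(data):
    """Parse the bytes of a $I record.

    Version 1 (Vista/7/8): u64 version, u64 original size, u64 FILETIME deletion
    time, then a fixed 520-byte (260 WCHAR) NUL-padded UTF-16LE original path.
    Version 2 (Windows 10): same 24-byte header, then u32 path length in characters
    followed by the UTF-16LE path (including its terminating NUL).
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def recycle_bin_pair(name):
    """Given a recovered $R or $I file name, return the name of its companion record."""
    if name.startswith("$R"):
        return "$I" + name[2:]
    if name.startswith("$I"):
        return "$R" + name[2:]
    raise ValueError("not a Recycle Bin file name")


def build_sample_i_file(path, size, deleted_at, version=1):
    """Build a $I record for demonstration; every field is invented sample data."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed sample standing in for the $I companion of the paper's '$RBWQQ80.rar'.
SAMPLE_DELETED_AT = datetime(2012, 5, 19, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\cyfo\Downloads\papers.rar"   # hypothetical original location
SAMPLE_I_FILE = build_sample_i_file(SAMPLE_PATH, 24_766_321, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print(recycle_bin_pair("$RBWQQ80.rar"), "->", parse_recycle_bin_info(SAMPLE_I_FILE))
```

The deletion time in the ‘$I’ record is what ties a carved download to the browsing session: it should fall between the session-start and session-end markers found for Internet Explorer above, and the original path shows which profile folder the browser wrote to even when the browser’s own download history has been suppressed.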

Flash Plug-ins

Adobe states that Flash Player 10.1 and later recognizes the host browser’s private browsing mode (Adobe Systems, 2010). Our Internet Explorer results are therefore either a problem with Flash (the plug-in not complying with InPrivate in this configuration) or a problem with Internet Explorer’s own caching that is unrelated to Flash; we were not able to distinguish between the two. Each image contains 5 .swf files, except the Internet Explorer disk, which contains 24 of them. The file KingdomRush_v1.071s_sl_Kongregate_nopremium[1].swf (23.62MB) appears to be an exact copy of the Flash game that was played during the testing scenario. Even though it has been deleted it can be retrieved and restored.

Java

Cached .jar files were found in each browser VM image, in a Java cache folder. It appears the Java plug-in is not affected by private browsing modes in host browsers.


Other Findings

The virtual machine images which we worked with were 25GB each. Relative to current hard drive capacities this is a trivial size: at the time of writing the most popular hard drive sold at a large online retailer has a capacity of 2TB (Amazon, 2012), some 80x that of our VM image. Even with this apparently modest size, the time taken to perform the necessary duplication, imaging, extraction and indexing was significant. Average processing times:

- Virtual machine duplication: ~40 minutes
- Virtual machine conversion (.vdi -> raw): ~40 minutes
- Adding a disk as evidence in FTK: ~4 hours
- Live search on several disks in FTK: ~10 hours

The problem of data volume versus data throughput and data processing speed is large and will affect many e-discovery and cyber forensic efforts.

Conclusions

We found evidence of the user’s web browsing activity that was supposedly hidden by private browsing in Internet Explorer, Opera and Chrome. The volume and nature of this evidence varies by browser, with Internet Explorer revealing the most information, Opera just a subset and Chrome merely evidence that Incognito browsing had been performed. Firefox was the only browser to leave no trace of private browsing on the local hard drive.

We can answer our two research questions browser by browser: can we identify if private browsing has taken place on a system under investigation, and how much information about the private browsing session can we recover?

For Google Chrome we were able to find evidence flagging that Incognito browsing had taken place, but we were unable to find any evidence of the content of this private browsing. For Internet Explorer we were able to find distinct markers of both the beginning and the end of the InPrivate browsing session, and a great deal of information about the content of the session. The apparent success of finding an ‘end of private browsing session’ marker with Internet Explorer is of limited value, as we believe any further browsing performed in Internet Explorer (InPrivate or not) would eradicate this evidence. Firefox eluded us entirely; we found no evidence of private browsing at all. Opera kept almost all of the browsing session hidden, but we found cached search queries made whilst private browsing.

Future Research

In similar research, traces of a private browsing session in Firefox were found in the system’s pagefile.sys (Said et al., 2011). That we found no such traces, and that pagefile.sys is the Windows virtual memory store, suggests that data was written there during their testing because the test system ran short of RAM. Further research into the effects of different system configurations (amount of RAM, flash-based storage) on private browsing artifacts is necessary.

Current private browsing features focus predominantly on local privacy. A more holistic ‘private browsing’ which prevents online tracking and perhaps offers some anonymity would be a desirable feature for a web browser. Combining privacy- and anonymity-increasing methods (private browsing, Tor, modified cookie behavior, ‘do not track’ headers) would appear to be a valuable avenue of exploration.

References

Adobe Systems, 2010. Flash Player Developer Center: Private browsing in Flash Player 10.1. [online] Available at: <http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10_1.html> [Accessed 26th May 2012].

Aggarwal G., Bursztein E., Jackson C., Boneh D., 2010. An Analysis of Private Browsing Modes in Modern Browsers. USENIX Security Symposium 2010, Stanford University and Carnegie Mellon University. Available at: <http://static.usenix.org/event/sec10/tech/full_papers/Aggarwal.pdf> [Accessed 26th May 2012].

Amazon Services LLC, 2012. Hard drives: computers and accessories. [online] Available at: <http://www.amazon.co.uk/s/ref=amb_link_157554467_10?rh=n%3A340831031%2Ck%3Ahard+drives&keywords=hard+drives&ie=UTF8> [Accessed 26th May 2012].

Do Not Track, 2011. Do Not Track - Universal Web Tracking Opt Out. [online] Available at: <http://donottrack.us> [Accessed 26th May 2012].

The Economist, 2012. Online Advertising - Don't keep on trackin'. [online] Available at: <http://www.economist.com/blogs/babbage/2012/05/online-advertising?fsrc=gn_ep> [Accessed 26th May 2012].

Fox S., 2010. 'Porn mode' browsing not really that private. [online] Available at: <http://www.msnbc.msn.com/id/38834872/ns/technology_and_science-security/t/porn-mode-browsing-not-really-private> [Accessed 26th May 2012].

Information Commissioner’s Office, 2012. Updated guidance on the EU cookie law. [online] Available at: <http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx> [Accessed 26th May 2012].

Mahendrakar A., Irving J., Patel S., 2010. Forensic Analysis of Private Browsing Mode in Popular Browsers. Carnegie Mellon University. Available at: <http://mocktest.net/paper.pdf> [Accessed 26th May 2012].

Mozilla Foundation, 2011. Private Browsing - Browse the web without saving information about the sites you visit. [online] Available at: <http://support.mozilla.org/en-US/kb/Private-Browsing> [Accessed 22nd May 2012].

Said H., Mutawa N.A., Awadhi I.A., Guimaraes M., 2011. Forensic Analysis of Private Browsing Artifacts. Zayed University. Available at: <http://www.mendeley.com/research/forensic-analysis-private-browsing-artifacts> [Accessed 26th May 2012].

Ulmer H., 2010. Understanding Private Browsing. Mozilla.org Community Blog [blog] 23 August. Available at: <http://blog.mozilla.org/metrics/2010/08/23/understanding-private-browsing> [Accessed 26th May 2012].

USA Today, 2011. Facebook tracking is under scrutiny. [online] Available at: <http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-tracking-data/51225112/1> [Accessed 26th May 2012].

w3counter, 2012. W3Counter - Global Web Stats. [online] Available at: <http://www.w3counter.com/globalstats.php?year=2012&month=4> [Accessed 26th May 2012].

Xu J., 2010. Private browsing in Flash Player 10.1. [online] Available at: <http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10_1.html> [Accessed 26th May 2012].

Zeigler A., 2008. IE8 and Privacy. Blogs.msdn.com IE Blog [blog] 26 August. Available at: <http://blogs.msdn.com/b/ie/archive/2008/08/25/ie8-and-privacy.aspx> [Accessed 26th May 2012].