
Investigation on Private Browsing Modes



I am currently doing an investigation on the private browsing modes in common mainstream web browsers.

I have used a test bed website to generate evidence in public mode and private mode. I am using individual virtual machines (W7) to generate the evidence. So far I have looked at Internet Explorer.

The key areas I have looked into using Encase7 are:
Temporary Internet Files/Sessions
Internet Explorer History Files
Internet Explorer Recovery Files (Active and Last Active)
Content from Temp Folder
Cookies Folder
Recent Destinations Folder

I have found more related evidence from the public mode OS than the Private mode OS.

I want to add more depth to my investigation; I want to be specific about what evidence is created and how it is created. Before I move on to the next browser, can anyone provide me with some guidance on how to improve my investigation to add depth, and whether there is anywhere else I need to look to identify evidence?

Posted : 17/01/2012 4:46 pm

I find in investigations like this that Process Monitor is your friend and that a close look at the file and registry access proves to be very fruitful.

Another technique is to image the machine when it is in the 'clean' state and image it again once you have performed your inquiries. The two images can be compared at the byte level to see which artifacts are new and which have been removed or altered.


Posted : 17/01/2012 5:43 pm
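
The clean-versus-after image comparison described in the reply above, as an added example that is not part of the original thread: it walks two raw (dd-style) images block by block and returns the byte ranges that differ, which can then be mapped back to files or unallocated space in the forensic tool. The 4096-byte block size, the file names and the sample data are assumptions constructed for the demonstration.

```python
import os
import tempfile

BLOCK = 4096  # assumed comparison granularity; adjust to the volume's cluster size


def changed_ranges(clean_path, after_path, block=BLOCK):
    """Return [(start, end)] byte ranges where two raw images differ.

    Adjacent differing blocks are merged into one range. If one image is
    longer than the other, the extra tail is reported as changed.
    """
    ranges = []
    offset = 0
    with open(clean_path, "rb") as clean, open(after_path, "rb") as after:
        while True:
            a, b = clean.read(block), after.read(block)
            if not a and not b:
                break
            step = max(len(a), len(b))
            if a != b:
                if ranges and ranges[-1][1] == offset:
                    ranges[-1] = (ranges[-1][0], offset + step)  # extend run
                else:
                    ranges.append((offset, offset + step))
            offset += step
    return ranges


def build_demo_images(directory):
    """Constructed sample data: a zeroed 64 KiB 'clean' image and a copy
    with three small writes standing in for browser artifacts."""
    clean = bytearray(64 * 1024)
    after = bytearray(clean)
    for off, data in ((8192, b"http://testbed.local"),
                      (12288, b"cookie"),
                      (40960, b"index")):
        after[off:off + len(data)] = data
    paths = []
    for name, content in (("clean.dd", clean), ("after.dd", after)):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return tuple(paths)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean_img, after_img = build_demo_images(tmp)
        for start, end in changed_ranges(clean_img, after_img):
            print(f"changed: 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
```

Running the same comparison once after a public-mode session and once after a private-mode session, each against the same clean baseline, shows which regions only the public session touched.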