Private Browsing Forensic Analysis Project Help
Hi, I am a final-year BSc Forensic Computing student. I am currently in the middle of doing my final-year project on the forensic analysis of private browsing modes in Firefox, Chrome and IE.
So far my idea is to take memory images and acquire the page file during and after private browsing sessions. I can then analyse the memory to see if artifacts are recoverable. Then take hard drive images and see if artifacts are available on there. Any ideas on other testing I could do?
Thanks in advance!
So far my idea is to take memory images and acquire the page file during and after private browsing sessions. I can then analyse the memory to see if artifacts are recoverable.
Why the page file? How do you ensure your artifacts (however you identify them) end up there? (I don't need an answer, but you probably need to be able to explain in your report.)
Any ideas on other testing I could do?
Use some kind of process monitoring tool (on Windows Process Monitor from Sysinternals may be suitable) to identify file system and registry activity during different usage scenarios.
Thanks for the replies. After doing a bit of research, I did get the idea of using the process monitoring tool to monitor how the browser reacts in private browsing mode. After having a quick look, it looks like IE creates some temp files but deletes them when the browsing session closes. I also noticed a lot of registry interactions when in private browsing mode, any idea on how to start to analyse these?
Also, will it be forensically OK to load up a copy of the hard drive image (VM image) taken and analyse it in a virtual machine, e.g. by looking at the DNS cache or looking at temp files, etc.?
I know this will change the MAC times of the files/folders, will this be acceptable?
Also, no, I don't know iDan but may have to get in touch with him to discuss ideas.
Jad would be another person to speak to. He's the creator of IEF by Magnet Forensics.
Also, a question I wanted to research but haven't found time for is to try to determine the last time someone used private browsing. I know IE, for example, will store the websites accessed but no times. Maybe the last write time of the file that info is stored in will indicate the last time private browsing mode was activated.
Yes, I have been looking into ways someone will be able to tell where private browsing is used. I have used a process monitor to look at which files have been modified whilst in private browsing modes. I will now examine the files to see if there is any way to determine private browsing use. Anyone have any advice on how this can be done?
Also, does anyone know where the file location for the DNS cache is in Windows?
I know that will hold results for websites accessed in private mode, but can't seem to locate the file!
Thanks for the help.
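An added example, not part of any post in this thread: a Python sketch for triaging the Process Monitor capture discussed above. It reads a CSV export, keeps one browser process, and separates files created and later deleted from files left on disk, plus registry writes. The sample rows, paths and key names are constructed, and the Detail strings it matches are assumptions about the export's wording.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# Paths and registry keys are placeholders, not real browser artifacts.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","iexplore.exe","4120","CreateFile","C:\Users\test\AppData\Local\Temp\a1.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:02.0000105","iexplore.exe","4120","WriteFile","C:\Users\test\AppData\Local\Temp\a1.tmp","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.0000200","iexplore.exe","4120","CreateFile","C:\Users\test\AppData\Local\Temp\b2.dat","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:04.0000300","iexplore.exe","4120","RegSetValue","HKCU\Software\Example\Browser\LastSession","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:05.0000400","explorer.exe","2044","RegSetValue","HKCU\Software\Example\Shell\Other","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:05:09.0000500","iexplore.exe","4120","SetDispositionInformationFile","C:\Users\test\AppData\Local\Temp\a1.tmp","SUCCESS","Delete: True"
'''

REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def summarize(csv_text, processes):
    """Group successful events from the named processes by forensic relevance."""
    wanted = {p.lower() for p in processes}
    created, deleted, reg = set(), set(), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in wanted or row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "CreateFile":
            if "OpenResult: Created" in detail:      # a new file, not an open
                created.add(path)
            if "Delete On Close" in detail:          # removed when handle closes
                deleted.add(path)
        elif op.startswith("SetDispositionInformation") and "Delete: True" in detail:
            deleted.add(path)                        # explicit delete request
        elif op in REG_WRITE_OPS:
            reg[op].add(path)
    return {
        "created_then_deleted": sorted(created & deleted),  # carve from image
        "created_and_left": sorted(created - deleted),      # examine on disk
        "registry_writes": {op: sorted(p) for op, p in reg.items()},
    }


if __name__ == "__main__":
    for group, items in summarize(SAMPLE, {"iexplore.exe"}).items():
        print(group, items)
```

For a real capture, read the exported file with `open(path, encoding="utf-8-sig", newline="")` and pass its contents to `summarize`, running it once per usage scenario so the outputs can be compared.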