
Google Chrome

(@uktonyk)
Active Member
Joined: 17 years ago
Posts: 15
Topic starter  

Apologies if this is a basic question, but what forensic ramifications does the Incognito function of the new Google Chrome browser present? Is there a way to recover the data or history from browsing in this manner?


   
(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

[just posted the same contents to digital-detective]
My colleague Thijs Bosschert and I have been doing some quick research on this new browser, and especially on the Incognito feature.

First findings seem to indicate that Google has done a decent job when they implemented this feature. When you are browsing using the Incognito mode, there is no data written to the disk (so no history or cached files that have to be wiped - they were never on the disk). We are currently trying to find out whether there are any artifacts left in memory. So, as a first impression, this feature could make things a bit harder than the privacy feature in IE8.

One interesting finding is that in the regular browsing mode, Chrome creates a search index of the contents of a lot of the pages you visit. This allows you to do keyword searching in your own web history. In some of our tests, we found that content of HTTPS pages had been indexed as well, allowing us to retrieve our bank account details using a keyword search. However, we are not yet entirely sure whether this is always done, so that requires some more research. Note that this is in the regular browsing mode, not in the Incognito mode!

Furthermore, the browser will be a real pain if you are investigating proxy logs, as the auto-suggest feature below the location bar is generating an HTTP request to Google after every character you type in the location bar… Imagine browsing through tons of proxy logs containing lines like

/complete/search?client=chrome&output=chrome&hl=nl&q=d
/complete/search?client=chrome&output=chrome&hl=nl&q=di
/complete/search?client=chrome&output=chrome&hl=nl&q=dig
/complete/search?client=chrome&output=chrome&hl=nl&q=digi

all within seconds of each other, until finally

/complete/search?client=chrome&output=chrome&hl=nl&q=digital-detective.co.uk

For the web history, cookies, favicons and the storage of the 'favorites' thumbnails on the startup page they use a similar setup as Firefox 3 with a SQLite database, which makes it quite easy to query the history. However, as we have written earlier at the release of FF3, one could argue that it will be very easy to add fake history entries as this only requires some basic SQL knowledge. Something to be aware of!

We are still doing some more tests and will try to publish the results on our blog website.


   
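The per-keystroke suggest requests described in the post above can be collapsed into one record per typing burst before a proxy log is reviewed. The Python below is an added example, not part of the original thread or of the posters' tooling; the "epoch client path" log layout, the 5-second gap and the function names are assumptions, and the sample lines are constructed around the requests quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

MAX_GAP = 5.0  # assumed: max seconds between keystrokes within one typing burst
# Constructed sample lines in an assumed "epoch client path" layout; adapt the
# split in parse_line() to the real proxy log format.
SAMPLE_LOG = """\
1220529600.10 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=d
1220529600.45 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=di
1220529600.80 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=dig
1220529601.20 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=digi
1220529604.90 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=digital-detective.co.uk
1220529605.00 10.0.0.9 /index.html
1220529700.00 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=f
1220529700.30 10.0.0.5 /complete/search?client=chrome&output=chrome&hl=nl&q=fo
""".splitlines()

def parse_line(line):
    """Return (time, client, typed_text) for a Chrome suggest request, else None."""
    parts = line.split(None, 2)
    if len(parts) != 3:
        return None
    url = urlsplit(parts[2])
    params = parse_qs(url.query, keep_blank_values=True)
    if url.path != "/complete/search" or params.get("client") != ["chrome"]:
        return None
    return float(parts[0]), parts[1], params.get("q", [""])[0]

def collapse_typing(lines, max_gap=MAX_GAP):
    """Merge per-keystroke suggest requests into one record per typing burst."""
    bursts, open_burst = [], {}  # open_burst: client -> burst that can still grow
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, q = parsed
        cur = open_burst.get(client)
        # Same burst if the text extends, or shortens (backspace), the previous text
        same = cur and ts - cur["end"] <= max_gap and (
            q.startswith(cur["typed"]) or cur["typed"].startswith(q))
        if same:
            cur.update(end=ts, typed=q, requests=cur["requests"] + 1)
        else:
            cur = {"client": client, "start": ts, "end": ts, "typed": q, "requests": 1}
            bursts.append(cur)
            open_burst[client] = cur
    return bursts

if __name__ == "__main__":
    print(*collapse_typing(SAMPLE_LOG), sep="\n")
```

Each returned record keeps the first and last timestamp of the burst and the number of requests it replaced, so the original log lines can still be located for the report.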
(@uktonyk)
Active Member
Joined: 17 years ago
Posts: 15
Topic starter  

Just did some browsing with Incognito and then took a memory capture using Winen and the webpage is referenced in the results.


   
(@mmachor)
Trusted Member
Joined: 17 years ago
Posts: 70
 

Incognito - Can't recover; however, either later tonight or tomorrow I will have completed a forensic analysis program for Chrome. This will bring back a wealth of information from non-incognito browsing. If you have seen FireFox Forensics, this will be the same, just specific to Google Chrome. If you have any questions on the databases used, I would be happy to help.


   