
Incognito traces

(@chroberts39)
Eminent Member
Joined: 16 years ago
Posts: 25
Topic starter  

Can you tell if a user has used the 'Incognito' mode in Google Chrome?

I know there are not many traces to be found but to determine if the user has used it would demonstrate a certain level of knowledge/expertise.

Cheers


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

I don't have the answer but this is what I would suggest you do…

1) Create a vanilla Windows virtual machine (I use VirtualBox but I'm losing faith since Sun bought Innotek and then Oracle bought Sun).
2) Install Google Chrome and the Sysinternals tools on that machine.
3) Create a snapshot.
4) Run Chrome and browse around a bit in ordinary mode to create the standard files that Chrome uses.
5) Create another snapshot.
6) Start Chrome in normal mode.
7) Start Procmon and set the filter to track just about anything that moves on your (virtual) system.
8) Start an 'Incognito' session in Chrome and browse to just one page.
9) Stop Procmon and do an analysis of what happened to your system.
10) Make some hypotheses about what artefacts and actions Chrome does when in incognito mode.
11) Test your hypotheses by making predictions - 'if someone does x in Incognito mode on a (Windows) system then y will happen'.
12) Test your predictions by running Procmon and observing what actually happens vs what you predicted.
13) If you were right, publish your results (preferably free for all to see). If not, go back to 10) and make another hypothesis that fits your observations.

Welcome to the scientific method (students of computer forensics take note).

If I had half a day to spare I would do it for you… Actually, thinking about it, for a small fee… ?

In truth, if you wanted to be truly scientific you should be monitoring the memory and disk access at a lower level than the operating system could do. If you want to filter all the insignificant bulls**t that is thus produced, be my guest.

Paul
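
One way to do the analysis in steps 9 to 12 of the procedure above, as an added example that is not part of the original posts: diff two Procmon "Save as CSV" exports and list what the browser process modified only in the Incognito capture. Comparing against a second capture taken in normal mode is an assumption of this example, and the sample rows and paths are constructed, not observed Chrome behaviour.

```python
import csv
import io

# Procmon operations that modify files or the registry. CreateFile is left
# out because Procmon also logs plain opens under that name.
WRITE_OPS = {"WriteFile", "SetDispositionInformationFile",
             "SetRenameInformationFile", "RegSetValue", "RegCreateKey",
             "RegDeleteValue", "RegDeleteKey"}

def load_events(csv_text):
    """Parse a Procmon CSV export (default columns) into a list of dicts."""
    # Procmon writes a UTF-8 BOM; strip it so the first header name matches.
    return list(csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))))

def write_targets(events, process="chrome.exe"):
    """Paths the process successfully modified, lower-cased for comparison."""
    return {e["Path"].lower() for e in events
            if e["Process Name"].lower() == process
            and e["Operation"] in WRITE_OPS
            and e["Result"] == "SUCCESS"}

def new_artifacts(baseline_csv, test_csv, process="chrome.exe"):
    """Paths modified in the test capture but not in the baseline capture."""
    base = write_targets(load_events(baseline_csv), process)
    test = write_targets(load_events(test_csv), process)
    return sorted(test - base)

# Constructed sample captures (hypothetical paths, not real Chrome behaviour).
HEADER = ('\ufeff"Time of Day","Process Name","PID","Operation",'
          '"Path","Result","Detail"\n')
BASELINE = HEADER + r'''"10:00:01","chrome.exe","4120","WriteFile","C:\Lab\Profile\store_a.db","SUCCESS","Offset: 0, Length: 4096"
"10:00:02","chrome.exe","4120","RegSetValue","HKCU\Software\Lab\Counter","SUCCESS","Type: REG_DWORD"
'''
INCOGNITO = HEADER + r'''"10:05:01","chrome.exe","4120","WriteFile","C:\Lab\Profile\store_a.db","SUCCESS","Offset: 0, Length: 4096"
"10:05:02","chrome.exe","4120","WriteFile","C:\Lab\Profile\Store_B.tmp","SUCCESS","Offset: 0, Length: 512"
"10:05:03","chrome.exe","4120","ReadFile","C:\Lab\Profile\store_c.db","SUCCESS","Offset: 0, Length: 512"
"10:05:04","chrome.exe","4120","WriteFile","C:\Lab\denied.log","ACCESS DENIED",""
"10:05:05","explorer.exe","900","WriteFile","C:\Lab\other.dat","SUCCESS","Offset: 0, Length: 16"
'''

if __name__ == "__main__":
    for path in new_artifacts(BASELINE, INCOGNITO):
        print(path)
```

Each path this reports is a candidate for a hypothesis in step 10, to be confirmed by repeating the capture from the snapshot.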


   