Volume 5 Issue 6 June 2020 ISSN (Online) 2456-0774
INTERNATIONAL JOURNAL OF ADVANCE SCIENTIFIC RESEARCH AND ENGINEERING TRENDS
WWW.IJASRET.COM

FORENSIC STUDY AND ANALYSIS OF DIFFERENT ARTIFACTS OF WEB BROWSERS IN PRIVATE BROWSING MODE

Rinchon Sanghkroo1, Dr. Deepak Raj Rao G.2 and Kumarshankar Raychaudhuri3

1 M.Sc. (Forensic Science) Final Semester Student, Cyber Forensic Division, LNJN National Institute of Criminology and Forensic Science (MHA), Delhi, India
2 Assistant Professor, Cyber Forensic Division, LNJN National Institute of Criminology and Forensic Science (MHA), Delhi, India
3 Junior Research Fellow, Cyber Forensic Division, LNJN National Institute of Criminology and Forensic Science (MHA), Delhi, India
[email protected], [email protected]

Abstract: - Web browsers today have become one of the most commonly used applications in digital devices, storing and maintaining a huge amount of information on user activities. The privacy mode has been introduced to combat the privacy issues related to browsers. This feature keeps the browsing activities of a user private by not storing, or by removing, the traces of artifacts related to the browsing session on the system. In this study, we test the effectiveness of this claim and examine ways in which a forensic investigation may be done in such cases. The private modes of different browsers have been tested in Windows and Mac OS by performing pre-defined browsing activities in each of the browsers in both the operating systems. Moreover, the default locations of normal web browser artifacts are also examined to find whether artifacts of private browsing activities are stored in such locations or not.

Keywords: - Private Browsing, Windows, MAC, Safari, Microsoft Edge, Brave

I INTRODUCTION

In a matter of a few years, the internet has grown to be one of the most powerful platforms, becoming not only the universal source of information, but also an essential means to carry out day-to-day tasks. Access to this ocean of information is gained with the help of web browsers. Web browsers allow the users to browse the internet and navigate through websites and web pages, by communicating with the web servers over the internet [1]. At present, their utilization encompasses far more than just browsing and downloading information; they are also used to perform numerous other functions such as social media, e-banking, online blogs, e-business or e-commerce, etc. [2]. As a result, web browsers store and maintain logs of an enormous amount of information on user activities on the system. As a consequence, users sharing the same device can learn of each other’s activities, raising concerns over privacy while browsing the internet.

This issue with the privacy of browsing sessions brought about the development of a new feature known as the ‘private browsing’ mode. It has been defined as a “web browser mode in which information about visited websites is not saved” [3]. It aims at keeping the user activities carried out during a browsing session “private”, by not leaving traces or storing any artifacts related to it on the end device. In this mode, the search history and the sites visited, form data, cookies and cache files would either not be recorded or will be deleted from memory once the browser is closed [4]. However, this feature is limited to the end device and does not prevent internet service providers or employers from viewing the online activities of the users. While the majority of users may prefer private browsing mode for a number of good reasons, it can also be exploited by criminals committing internet related crimes, who are also seeking ways to hide any traces of their activities.
Thus, while private browsing modes tend to be a great way of addressing privacy concerns, they have also made investigation a painstaking task for law enforcement agencies and forensic investigators.

The objective of our study is to examine and verify the assured level of privacy stated by the different browser vendors as well as to find the extent to which a forensic investigation can uncover artifacts of evidentiary importance. For these purposes, a set of experiments is done on the private browsing mode of five selected web browsers, on two operating systems, namely, MacOS and Windows OS. The pre-defined browsing activities are specific to image viewing and downloading, video streaming, search terms, logging into an e-mail account and viewing flight tickets from a travel website. With RAM being a big repository for such activities, an attempt is made to recover these artifacts from the physical memory. Moreover, the default locations where artifacts of the normal browsing sessions are stored are also analyzed for the presence of any traces of the activities carried out in the private mode of web browsers.

II REVIEW OF LITERATURE AND BACKGROUND STUDY

Private browsing mode was introduced by Safari, the default browser for Apple devices, for the first time in 2005. One of the first studies on private mode of browsers [5] proposed the two main goals of private browsing as privacy against the web attacker and privacy against the local attacker. They examined the private browsing modes of four popular modern browsers and found that while Mozilla Firefox and Google Chrome both take steps during a private browsing session to remain private against websites, Apple Safari, on the other hand, focused mainly on attacks against local machines.

Previous research has been performed on four of the most widely used web browsers, namely, Google Chrome, Mozilla Firefox, Internet Explorer and Apple Safari, on different versions of the Windows operating system. It has been reported that although the private browsing mode left evidence of browsing activities behind in all the four major browsers, the type and the amount of data recovered varied among the browsers [5,6,7]. Most studies have concluded that Firefox [7,8] and Chrome [8,9] support private browsing better than the other browsers. Meanwhile, some studies have also pointed out that Internet Explorer provided the most residual artifacts [6,9]. However, it has been asserted that private browsing mode offered a level of privacy which can be considered to be ‘sufficient for the average user’ [8].
A more comprehensive study [4] on the privacy claims of Internet Explorer, Firefox, Chrome and Safari was conducted on different operating systems, namely, Windows, Mac OS X and Linux, by monitoring the file system changes and examining the memory dump of the system. The results showed that only Chrome and Firefox did not write any changes to the file system. Safari, however, wrote data to a single database file called WebpageIcons.db, and Internet Explorer wrote data to the file system but then deleted it when the browser was closed.

Over the years, researchers have explored why the private browsing mode of browsers is unable to deliver real privacy and found various factors contributing to the cause. A few studies have found that the lack of understanding on the part of the consumers regarding the limitations of such a feature [10,11], which may also be caused by the in-browser explanations of private browsing mode [12], played a big role; others held the complications introduced by browser plug-ins and extensions accountable for it [5,13,14]. A more recent study [15] also focused on enhanced privacy web browsers (Epic, Comodo Dragon and Dooble) and compared them with the private browsing modes of common browsers (Chrome, Edge and Firefox). They concluded that the enhanced privacy browsers performed about the same as the common browsers in anonymous browsing mode.

Nevertheless, prior research has been carried out on older versions of the web browsers. Therefore, it was found to be necessary to conduct new experiments to verify their findings on the latest versions of the browsers. Moreover, most of the studies have been carried out on Windows systems with very little to no room for other operating systems.
This study will, therefore, further look into whether the recovered artifacts, if any, are consistent with another operating system, namely, MacOS.

III EXPERIMENTAL DESIGN

This section describes the experimental set-up required to conduct the study, including the browsers, forensic tools and the methodology followed by the research.

A. Browsers Used

The study was carried out on the following versions of the five browsers:
i. Incognito - Google Chrome Version 80.0.3987.87
ii. Private Browsing - Apple Safari Version 13.0.4
iii. InPrivate Browsing - Microsoft Edge Version 80.0.361.109
iv. Private Browsing - Mozilla Firefox Version 72.0.2
v. Private browsing - Brave Browser Version

Apple no longer develops Safari for the Windows operating system, with the latest Safari version for Windows being 5.1.7 from 2011, which has become obsolete. Hence, for this study, Safari has been considered for the Mac operating system only.

B. Tools Used

The following tools have been used for carrying out the experiments for the purpose of research:

Oracle Virtual Box 6.0.16 - For the purpose of virtualization, VirtualBox [16] was used to replicate (i) Windows 10 and (ii) MacOS Sierra environments. Prior to the testing, no browser was used in the virtual machine. A snapshot of the virtual machine was then taken in this state, which acted as the base machine. From this base state, one of the browsers was installed through its installer and the pre-defined activities were carried out in the private browsing mode. For the next browser, the machine was restored back to the base machine.

AccessData FTK Imager Lite - FTK Imager Lite contains the minimum files necessary to run FTK Imager without installing it on the system.
It is used for acquiring the live image of memory on a Windows system [17].

OSXPmem - Mac OS X Physical Memory acquisition tool is an open source tool to acquire physical memory on Mac systems [18].

WinHex 19.9 - WinHex is a universal hexadecimal editor which can be used to inspect and edit all kinds of files, recover deleted files, etc. [19]. It was used to analyze the physical memory images of both the operating systems.

DB Browser for Sqlite - DB Browser for SQLite (DB4S) is a database tool which can be used to create, view and edit database files compatible with SQLite [20]. It was used to view the database files in which the browsers store their artefacts, mainly for MacOS systems.

Nirsoft Web Browser Tools Package - This package is a collection of various tools that extract history, cache, cookies, downloads, etc., from the default locations of the different browsers, including Chrome, Firefox, Edge, etc. [21]. It was used to extract the browsing artifacts of various browsers on the Windows operating system.

C. Preparation of Dataset

For the purpose of this study, each of the browsers was populated with a set of pre-defined browsing activities carried out in the private browsing modes in both the operating systems (refer Table 1), to mimic the activities of a criminal or a crime suspect:

Table 1: Pre-defined Browser activities

Websites: Browsing Activities

Thoughtcatalog.com:
  1. Enter “best ways to get away with murder” in the search bar.
  2. Open the article titled “16 Steps to Kill Someone and Not Get Caught”.
  3. The URL is 16-steps-tokill-someone-and-not-get-caught/

Parasite (Image Download):
  1. Enter “Parasite” in the search bar.
  2. Select the ‘Images’ tab and open the image from Imdb.com
  3. Download the image to the Download folder.

Goibibo.com:
  1. Enter the URL in the browser.
  2. View flight tickets for Delhi to Dubai on 30th April, 2020, without booking.

Gmail.com:
  1. Enter the URL in the browser
  2. Enter email address of the r’s email password: ‘[email protected]’
  4. View some emails from the inbox and sign out

YouTube.com:
  1. Enter the URL in the browser.
  2. Search keyword “how to spy on a mobile phone” in YouTube search.
  3. Play and watch the video titled “How to Spy on a Cell Phone with IMEI Number”.

D. Methodology

1. The browser was first launched in its respective private browsing mode and populated with the pre-defined browsing activities given in Table 1.
2. The physical memory was then captured without closing the browser window using memory tools for further analysis. For Windows OS, FTK Imager Lite was used whereas for MacOS, OSXPmem was used.
3. The browser window was then closed and a second dump of the memory was taken.
4. After capturing the memory in both the scenarios, the default locations where each browser stores its browsing artifacts in cases of normal web browsing [4] were analyzed.
5. The previously captured memory was then analyzed in WinHex for the presence of any private browsing artifacts. Various keywords related to the predefined activities, such as the URLs and the search terms, were used in the string search to find related artifacts in the physical memory.

IV RESULTS AND ANALYSIS

This section describes the findings from the experiments conducted on each web browser on both the operating systems.

A. Analysis of Default Locations of browsing artifacts

After identical browsing activities were carried out on all the browsers and the physical memory was imaged before and after closing the browser, the common locations where artifacts of a normal browsing session are stored by default were analyzed to determine whether they record artifacts of a private browsing session as well. However, no traces of any of the browsing activities were found on either operating system. The only exception was Microsoft Edge on Windows, where the file path of the downloaded image was found along with the time stamp when analyzed in BrowsingHistoryViewer.

B. Analysis of Physical Memory for evidence from browser Microsoft Edge

Windows OS: On analysis of the memory dump taken before closing the browser, various browser related entries were found in both the cases.
The URLs of websites visited, email Id, search query and downloaded image file were found to exist in memory. The author, date and time of publishing and even the comment section could be retrieved in case of “” and as for the travelling website “”, details of the flight search including the origin, destination and date of departure were also found. However, when the browser was closed, the available artifacts were found to be fewer and became limited to the visited URLs and search query, while there was no information on email communication, details of the flight search or the video watched on YouTube, as shown in Fig. 1.

Figure 1: Screenshot of the Gmail Id “[email protected]” found on analysis of Microsoft Edge with WinHex

MacOS: Analyzing the memory dumps taken after the browser window was closed yielded results similar to those obtained while it was open. The keyword search hits that were returned in the two cases included the URLs of the websites visited, downloaded image, email ID and details of the flight search and the video watched on YouTube.

C. Analysis of Physical Memory for evidence from browser Google Chrome

Windows OS: On analyzing the memory dump taken after the browsing session, without closing the browser window, a string search on WinHex returned several hits such as the URLs of websites, downloaded image, and email communication details including the Gmail id as well as some content of the inbox email which was opened during the browsing session. As with the previous browser, details of the flight search including the origin, destination and date of departure were found. In addition to this, the number of travelers, travel class and currency were also found. With the YouTube video, the title and description of the video were found to exist in memory. On closing the browser window, no information of the website “” or the email communication was found. However, there were still traces of the downloaded image file, URLs of the travel website and the video watched on YouTube.

MacOS: On analysing the memory dumps taken after performing the various predefined browsing activities, a number of entries for each of the websites visited during the browsing session were found. Similar to the ones found on Windows, they were the URLs of the websites visited during the session, search queries, downloaded image, email Id and details of the flight search.
The details of the YouTube video were limited to the URL and the video title, and no description of the video was found. However, it was also found that these entries persisted and were found even after closing the private window. A snapshot of the analysis is shown in Fig. 2.

Figure 2: Screenshot of the flight details from Mac OS Google Chrome on analysis with WinHex

D. Analysis of Physical Memory for evidence from browser Mozilla Firefox

Windows OS: Browsing related entries such as the URLs visited, email ID, image download, details of flight search and video watched on YouTube were found in both the cases. However, the number of entries greatly decreased when the browser was closed.

MacOS: On analyzing the memory dumps that were taken before as well as after closing the private window, browsing related entries similar to those found in Windows OS were found. One exception is the password of the email id, which was found when the browser was open. Another detail of interest was the term “Private Browsing”, which was found next to the search queries and the page title ( as well as the video title, indicating the use of private browsing instead of regular browsing.

Figure 3: Screenshot of the article viewed on Firefox on MacOS along with private browsing indicator found on analysis with WinHex
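The keyword string search of methodology step 5, the open-versus-closed comparison reported for each browser, and the check for a “Private Browsing” marker next to a hit can be scripted as follows. This is an added example, not code from the paper or from WinHex; the function names, the two small sample buffers and the 64-byte proximity window are assumptions made for illustration.

```python
import re

ENCODINGS = ("utf-8", "utf-16-le")  # strings in RAM appear in both forms


def patterns(term):
    """Compile one case-insensitive byte regex per encoding of the term."""
    return {enc: re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            for enc in ENCODINGS}


def find_hits(image, term):
    """Return sorted (offset, encoding, length) for each occurrence of term.

    `image` is any bytes-like object; for a multi-gigabyte dump pass an
    mmap.mmap of the file instead of reading it into memory.
    """
    hits = []
    for enc, rx in patterns(term).items():
        hits += [(m.start(), enc, m.end() - m.start())
                 for m in rx.finditer(image)]
    return sorted(hits)


def hit_table(dumps, terms):
    """Count hits per term per dump: one row per keyword, one column per dump."""
    return {t: {name: len(find_hits(img, t)) for name, img in dumps.items()}
            for t in terms}


def lost_on_close(table, before="open", after="closed"):
    """Terms present while the browser was open but absent after closing."""
    return [t for t, row in table.items()
            if row[before] > 0 and row[after] == 0]


def hits_near_marker(image, term, marker="Private Browsing", window=64):
    """Offsets of term hits with `marker` within `window` bytes on either side."""
    marker_rx = list(patterns(marker).values())
    near = []
    for off, _enc, length in find_hits(image, term):
        region = image[max(0, off - window): off + length + window]
        if any(rx.search(region) for rx in marker_rx):
            near.append(off)
    return near


# Constructed sample data, not taken from the paper's dumps: two tiny
# stand-ins for the images captured before and after closing the window.
FILL = bytes(range(256)) * 4
OPEN_DUMP = (FILL + b"Parasite - Search (Private Browsing)"
             + FILL + "Parasite".encode("utf-16-le")
             + FILL + b"https://www.goibibo.com/flights/"
             + FILL + b"PARASITE poster.jpg" + FILL)
CLOSED_DUMP = FILL + b"https://www.goibibo.com/flights/" + FILL
DUMPS = {"open": OPEN_DUMP, "closed": CLOSED_DUMP}
TERMS = ["Parasite", "goibibo.com"]

if __name__ == "__main__":
    table = hit_table(DUMPS, TERMS)
    for term, row in table.items():
        print(f"{term:<14} open={row['open']} closed={row['closed']}")
    print("gone after close:", lost_on_close(table))
    print("hits next to private-mode marker:",
          hits_near_marker(OPEN_DUMP, "Parasite"))
```

Searching both encodings matters because a term held only as UTF-16 would be missed by a plain ASCII search and undercount the entries for that dump.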

E. Analysis of Physical Memory for evidence from Brave Browser

Windows OS: Similar to the other browsers, various browsing related entries were found in both the memory dumps captured before and after closing the Private window. The URLs visited, email Id, image download, details of flight search and video watched on YouTube were found to exist in memory, and became fewer after closing the Private browser window. Brave was the only browser among the four that gave a positive hit for the password of the email id, that is, “[email protected]” in Windows 10. However, it was no longer found on analyzing the memory dump taken after the browser was closed. A snapshot of the analysis is shown in Fig. 4.

Figure 4: Screenshot of the email password on Brave in Windows 10 found on analysis with WinHex

MacOS: On analysing the captured memory with the help of string search on WinHex, the following browser related entries were found: URLs of the visited websites, search queries, downloaded image, and email Id with some content of the inbox mail that was opened, details of flight search and YouTube video.

F. Analysis of Physical Memory for evidence from Apple Safari browser

MacOS: The analysis of the memory dump taken after closing the private window gave the same results as that of the memory dump that was taken while the browser was kept open. Not only were the URLs of the websites and the email Id found, but also the password of the email Id, that is, “[email protected]”, was found to exist in memory even after the browser was closed. Other entries such as the downloaded image, details of the flight search including the origin, destination and the date of departure, as well as the details of the YouTube video including the video title and description, also surfaced when analyzed with WinHex, as shown in Fig. 5.

Figure 5: Screenshot of the details of the YouTube video watched on Safari in MacOS Sierra found on analysis with WinHex

Between the two operating systems opted for this study, Windows 10 was clearly found to store a lesser number of artifacts than MacOS Sierra. Although each browser in both the operating systems exhibited a notable amount of entries for each of the predefined browsing activities, there was a clear-cut difference in the number of entries stored by each of the browsers in the two different operating systems. Moreover, on analyzing the memory dumps taken after closing the browser windows, there were significantly fewer entries in Windows 10 (listed in Table 2). However, the closure of the browser windows seemed to have little effect in case of MacOS, which resulted in a somewhat similar amount of entries (given in Table 3) on analyzing dumps taken before and after terminating the browsing sessions.

While all the browsers in both the operating [email protected]”, Brave was the only browser that displayed the password for the email Id in Windows 10. Nevertheless, it did not store the password in memory after the browser was closed. In case of MacOS, two browsers, namely Safari and Firefox, returned hits for the password of the email address “[email protected]”. In case of Safari, the password was found to exist in memory even after the closure of the private browsing window. As for Firefox, it was found in memory only when the private browsing window was open. Moreover, memory dumps of Firefox taken before and after closing the browser in MacOS had browser related entries that clearly indicated the use of private browsing mode.

V CONCLUSIONS

All the browsers deployed for the study claimed that the usual browser related information such as search history, cookies, temporary cache files, etc., would either not be recorded or be deleted from memory once the browser was closed.
This study was undertaken to test the effectiveness of this claim and to examine the ways in which a forensic investigation may proceed in such cases.

Although no traces of the predefined activities carried out in the private mode were found in the default locations in all the browsers of both the operating systems, except for Microsoft Edge, the artifacts of private browsing were plentiful in the physical memory. The results of this study have shown that it is very much possible to find remnants of the browsing activities in memory in cases where a live system is encountered, even after closing the browser window. It has also shown that if such an opportunity arises, then the traces of browsing artifacts can be recovered through RAM forensics using various available open source tools. Nevertheless, although the amount of artifacts varied among the browsers as well as the operating systems, since all of them did leave behind a significant amount of evidence of private browsing, it would not be practical to pinpoint a single browser as the most private, based on the number and type of entries alone.

In conclusion, it is clear that the private modes of the browsers have not been very effective in maintaining the privacy of the browsing sessions. Therefore, from the user’s point of view, it is reasonable to state that the private modes of browsers in reality are not really that private. However, these traces of private browsing artifacts present in RAM could prove to be potential evidence in cases where live systems are encountered. Therefore, although the artifacts found in memory undermined the privacy claim of the browser vendors, they have also proven their significance as forensically valuable information for investigators in cases of questionable web activities.

Table 2: Number of entries of each predefined browsing activity found on Windows 10 on analyzing the dumps taken before and after closing the browsing session on
) Brave (closed)
323110316624461176
Search term “best way to get away with murder” 00060000
Page title “16 steps to kill someone and not get caught” 73090000
Search term “Parasite" 165101118183731
Downloaded image [email protected] password “[email protected]” 00010000
Search term “How to spy on a mobile phone” 04461580004
Video title “How to spy on a cell phone with ibo.com

Table 3: Number of entries of each predefined browsing activity found on MacOS Sierra on analyzing the dumps taken before closing (O) and after closing (C) the browser window on WinHex
Keywords: Safari Edge Chrome Firefox Brave Safari Edge Chrome
atalog.com 5978238727544058289267253494
Search term “best way to get away with murder” 210015100010
Page title “16 steps to kill someone and not get
Email password “[email protected]” 3001040000
Search term “How to spy on a mobile phone” 10504956844800276
Video title “How to spy on a cell phone with IMEI number” 4712560355600000
Search term “Parasite"
Downloaded image file
www.goibibo.com

REFERENCES

[1] P. Gralla and M. Troller, “How the Internet Works”, (8th Edition). London, United Kingdom: Que Pub, 2006.
[2] H. Said, N. Al Mutawa, I. Al Awadhi and M. Guimaraes, “Forensic analysis of private browsing artifacts”, In 2011 International Conference on Innovations in Information Technology, IEEE pp. 197-202, 2011.
[3] M. Vermaat, S. Sebok, M. Frydenberg, S. Freund and J. Campbell, “Discovering Computers, Essentials”, Nelson Education, 2015.
[4] E. Noorulla. Web browser private mode forensics analysis, 2011.
[5] G. Aggarwal, E. Bursztein, C. Jackson and D. Boneh, “An Analysis of Private Browsing Modes in Modern Browsers.” In USENIX security symposium, pp. 79-94, 2010.

[6] D. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave Incriminating Evidence?” In Proceedings of the International Workshop on Cyber Crime, San Francisco, CA 2013
[7] A. Ghafarian and S. Seno, “Analysis of privacy of private browsing mode through memory forensics.” International Journal of Computer Applications, 132(16), 2015.
[8] Montasari R and Peltola P, “Computer forensic analysis of private browsing modes.” In International Conference on Global Security, Safety, and Sustainability, pp. 96-109, Springer, Cham, 2015.
[9] Soghoian C, “Why private browsing modes do not deliver real privacy.” Center for Applied Cyber security Research, Bloomington. 2011.
[10] Gao X, Yang Y, Fu H, Lindqvist J and Wang Y, “Private browsing: An inquiry on usability and privacy protection.” In Proceedings of the 13th Workshop on Privacy in the Electronic Society pp. 97-106, 2014.
[11] Wu Y, Gupta P, Wei M, Acar Y, Fahl S and Ur B, “Your secrets are safe: How browsers' explanations impact misconceptions about private browsing mode.” In Proceedings of the 2018 World Wide Web Conference, pp. 217-226, 2018.
[12] Lerner BS, Elberty L, Poole N and Krishnamurthi S. “Verifying web browser extensions’ compliance with private-browsing mode.” In European Symposium on Research in Computer Security, Springer, Berlin, Heidelberg, pp. 57-74, 2013.
[13] B. Zhao and P. Liu, “Private browsing mode not really that private: Dealing with privacy breach caused by browser extensions.” In 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, IEEE, (pp. 184-195), 2015.
[14] R. Gabet, K. Seigfried-Spellar and M. Rogers, “A comparative forensic analysis of privacy enhanced web browsers and private browsing modes of common web browsers.” International Journal of Electronic Security and Digital Forensics, 10 (4), pp. 356-371, 2018.
[15] VirtualBox - Download VirtualBox, Oracle. loads [Accessed on 21st February 2020].
[16] AccessData - Product Downloads. Available from: [Accessed on 24th February 2020].
[17] Pmem - OSXPMem - Mac OS X Physical Memory acquisition tool. Available from: [Accessed on 23rd February 2020].
[18] X-ways - WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor. Available from: [Accessed on 25th February 2020].
[19] DB Browser for SQLite, 2020, Downloads, Available from: [Accessed on 25th February 2020].
[20] Nirsoft - Web Browser Tools Package. Available from: browser tools.html [Accessed on 25th February 2020].
