1. Private Browsing:A window of
Presented by Aung Thu Rha Hein (g5536871)
 H. Chivers,Dept. of Computer Science, University of York
“Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.
○ Digital Forensic
○ Browser Architecture
○ Private Browsing
■ Private Browsing: A window of Forensic Opportunity
■ Browser is the most used application
■ Digital artifacts from browsers are valuable
■ Private browsing becomes barrier in forensic analysis
■ Is it possible to discover digital artifacts from private
■ Different browsers have different architecture…
■ Is it possible to develop a common forensic
methodology for all browsers?
■ To analyze the possibility of browser forensic
■ To measure the privacy level & capability of private
■ Propose a methodology for analyzing public & private
■ Basic methodology
■ 3 methodologies & the detailed process varies
○ Basic Forensic Methodology
○ Cyber Tool Online Search For Evidence (CTOSE)
○ Data Recovery UK (DRUK)
■ no traces of browsing activity after session ends
■ architecture and capability varies from browser
■ Goal & Threat model:
○ Local attackers
○ Web attackers
IE 8.0 X
Apple Safari 5.1.7 X X
 D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of
residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.
Keith J. Jones, “Forensic Analysis of Internet Explorer Activity Files.”,2003
Gaurav Aggarwal and Collin Jackson, “An Analysis of Private Browsing Modes
in Modern Browsers,” USENIX Security Symposium, 2010.
Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing
Mode in Popular Browsers,” 2010.
H. Said, N. Al Mutawa, I. Al Awadhi, and M. Guimaraes, “Forensic analysis of private
browsing artifacts,” in 2011 International Conference on Innovations in Information
Technology (IIT), 2011, pp. 197–202.
 D. J. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave
Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and
Portable Web Browsing Sessions,” 2013, pp. 135–142.
 H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation,
13. Private Browsing: A
window of Forensic
14. Private Browsing: A window of Forensic
■ Forensic capability of IE 10’s Inprivate browsing
■ architecture changes in IE 10
○ replace binary historical formats with with new database
technology, Extensible Storage Engine(ESE)
■ To study the internal behaviour of InPrivate browsing
15. Private Browsing: A window of Forensic
Extensible Storage Engine (ESE)
■ allow applications to retrieve data via Indexed & Sequential Access
The Propagation of
Transaction Data into Disk Files
16. Private Browsing: A window of Forensic
HTTP/HTML Data Storage
■ each datatypes store in separate database tables
■ also separated by integrity level(private or public)
Data Type Description
Cookies maintain stages of HTTP exchanges
Web Storage allows to store name:value data
Indexed Database Storage store large arbitrary objects with
17. Private Browsing: A window of Forensic
■ 3 Inprivate experiments: scoping exercise, A controlled comparison
with ample system memory & a mixed load scenario
18. Private Browsing: A window of Forensic
Browser Data Structures
■ contains containers table
■ index to container_nn
■ Metro App have several containers
19. Private Browsing: A window of Forensic
Identifying InPrivate Browsing records
■ records are stored in same database
■ identify private browsing records by marker (type field)
■ browsing records are deleted after session overs
■ records still remain in log file (xxx.log)
■ log files removed when browsers opens again
20. Private Browsing: A window of Forensic
Disk Map of Recovered Inprivate browsing records
■ research works on browser forensic
■ possibility of forensic analysis on private browsing
■ InPrivate browsing and internal behaviour
Thank You &
 H. Chivers, “Private Brows. A Wind. forensic Oppor. Digit. Investig., 2013.
Digital Investig., 2013.
 G. Aggarwal and E. Bursztein, “An Analysis of Private Browsing Modes in
Modern Browsers.,” USENIX Secur. …, 2010.
 Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing
Mode in Popular Browsers,” 2010.
 D. Ohana and N. Shashidhar, “Do private and portable web browsers leave
incriminating evidence?: a forensic analysis of residual artifacts from
private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–
142, May 2013.