
Private Browsing: A Window of Forensic Opportunity

This is a seminar presentation, and the paper is selected because of its close relation to my research.


  1. Private Browsing: A Window of Forensic Opportunity [1]
     Howard Chivers
     Presented by Aung Thu Rha Hein (g5536871)
     [1] H. Chivers, Dept. of Computer Science, University of York, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.
  2. Outline
     ■ Introduction
     ■ Background
       ○ Digital Forensics
       ○ Browser Architecture
       ○ Private Browsing
     ■ Private Browsing: A Window of Forensic Opportunity
     ■ Conclusion
     ■ References
  3. Introduction: Motivation
     ■ The browser is the most used application
     ■ Digital artifacts from browsers are valuable
     ■ Private browsing becomes a barrier to forensic analysis
  4. Introduction: Problem Statements
     ■ Is it possible to discover digital artifacts from private browsing sessions?
     ■ Different browsers have different architecture…
     ■ Is it possible to develop a common forensic methodology for all browsers?
  5. Introduction: Research Objectives
     ■ To analyze the possibility of browser forensics
     ■ To measure the privacy level & capability of private browsing
     ■ To propose a methodology for analyzing public & private browsing artifacts
  6. Background: Digital Forensics
     ■ Basic methodology
     ■ 3 methodologies; the detailed process varies
       ○ Basic Forensic Methodology
       ○ Cyber Tool Online Search For Evidence (CTOSE)
       ○ Data Recovery UK (DRUK)
  7. Background: Browser Architecture
  8. Background: Browser Architecture/2
  9. Background: Private Browsing
     ■ no traces of browsing activity after the session ends
     ■ architecture and capability vary between browsers
     ■ Goal & threat model:
       ○ Local attackers
       ○ Web attackers
  10. Background: Private Browsing/2
     Browser (Private Mode) | Private Browsing Indicator | Browsing History | Usernames/Email accounts | Images | Videos
     IE 8.0 X
     Google Chrome 23.0.1271.95 X X
     Mozilla Firefox 17.0.1 X X
     Apple Safari 5.1.7 X X
     [1] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.
  11. Background: Related Works
     [1] Keith J. Jones, “Forensic Analysis of Internet Explorer Activity Files,” 2003.
     [2] Gaurav Aggarwal and Collin Jackson, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Security Symposium, 2010.
     [3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.
  12. Background: Related Works/2
     [4] H. Said, N. Al Mutawa, I. Al Awadhi, and M. Guimaraes, “Forensic analysis of private browsing artifacts,” in 2011 International Conference on Innovations in Information Technology (IIT), 2011, pp. 197–202.
     [5] D. J. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions,” 2013, pp. 135–142.
     [6] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation, 2013.
  13. Private Browsing: A Window of Forensic Opportunity
  14. Private Browsing: A Window of Forensic Opportunity: Objectives
     ■ Forensic capability of IE 10’s InPrivate browsing
     ■ Architecture changes in IE 10
       ○ replaces the historical binary formats with a new database technology, the Extensible Storage Engine (ESE)
     ■ To study the internal behaviour of InPrivate browsing
  15. Private Browsing: A Window of Forensic Opportunity/2: Extensible Storage Engine (ESE)
     ■ allows applications to retrieve data via indexed & sequential access
     Figure: The Propagation of Transaction Data into Disk Files
  16. Private Browsing: A Window of Forensic Opportunity/3: HTTP/HTML Data Storage
     ■ each data type is stored in a separate database table
     ■ also separated by integrity level (private or public)
     Data Type | Description
     Cookies | maintain stages of HTTP exchanges
     Web Storage | allows storing name:value data
     Indexed Database Storage | stores large arbitrary objects with indexes (internet.edb)
  17. Private Browsing: A Window of Forensic Opportunity/4: Method
     Diagram labels: VMware, Windows 8 Pro, IE 10.0.9.., FTK Imager, E01.img, ESECarve, Result, python script, Analyzed Result
     ■ 3 InPrivate experiments: a scoping exercise, a controlled comparison with ample system memory & a mixed load scenario
  18. Private Browsing: A Window of Forensic Opportunity/5: Browser Data Structures
     ■ \Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache
     ■ contains a containers table
     ■ index to container_nn
     ■ Metro apps have several containers
  19. Private Browsing: A Window of Forensic Opportunity/6: Identifying InPrivate Browsing Records
     ■ records are stored in the same database
     ■ private browsing records are identified by a marker (type field)
     ■ browsing records are deleted after the session is over
     ■ records still remain in the log file (xxx.log)
     ■ log files are removed when the browser opens again
  20. Private Browsing: A Window of Forensic Opportunity/7: Recovery Success
     Figure: Disk Map of Recovered InPrivate Browsing Records
  21. Conclusion
     ■ research works on browser forensics
     ■ possibility of forensic analysis on private browsing
     ■ InPrivate browsing and internal behaviour
     Thank You & Questions?
  22. Reference: Research Papers
     [1] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investig., 2013.
     [2] G. Aggarwal and E. Bursztein, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Secur. …, 2010.
     [3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.
     [4] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.
  23. Reference: Web Resources
     1. http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/#The_browsers_we_will_talk_about
     2. https://archrometects.files.wordpress.com/2009/10/assignment-01-conceptual-architecture-of-google-chrome-archrometects.pdf
     3. http://www.chromium.org/developers/design-documents
     4. https://docs.google.com/document/d/1aBYEBd4b70YThMbuYskLIIyxltwlNxJTae89F1ULGcc/edit?usp=sharing
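
The record lifecycle summarised on slide 19 (records carry a private marker, are deleted when the session ends, yet persist in the transaction log until the browser is reopened), as an added Python example that is not part of the presentation or the paper. It is a simplified model: the record framing, the `TXLG` magic and the marker values are assumptions made for illustration, not the ESE on-disk format.

```python
import struct

# Hypothetical framing for this model only (NOT the ESE on-disk format):
# magic | op (1=insert, 2=delete) | type marker | payload length | payload
MAGIC = b"TXLG"
OP_INSERT, OP_DELETE = 1, 2
TYPE_PUBLIC, TYPE_PRIVATE = 0, 1  # assumed marker values

class ToyStore:
    """A database table plus a write-ahead log, both holding typed URL records."""
    def __init__(self):
        self.table = {}         # url -> type marker (the live database)
        self.log = bytearray()  # transaction log as it would sit on disk

    def _journal(self, op, rtype, url):
        data = url.encode()
        self.log += MAGIC + struct.pack("<BBH", op, rtype, len(data)) + data

    def visit(self, url, private):
        rtype = TYPE_PRIVATE if private else TYPE_PUBLIC
        self._journal(OP_INSERT, rtype, url)  # journaled before the table write
        self.table[url] = rtype

    def end_private_session(self):
        """Delete private rows; the delete is journaled, the earlier insert stays."""
        for url in [u for u, t in self.table.items() if t == TYPE_PRIVATE]:
            self._journal(OP_DELETE, TYPE_PRIVATE, url)
            del self.table[url]

    def reopen_browser(self):
        """Model of the log files being removed when the browser starts again."""
        self.log = bytearray()

def carve_private(raw):
    """Scan raw bytes for journaled inserts that carry the private marker."""
    found, pos = [], raw.find(MAGIC)
    while pos != -1:
        hdr = raw[pos + 4:pos + 8]
        if len(hdr) == 4:
            op, rtype, n = struct.unpack("<BBH", hdr)
            body = raw[pos + 8:pos + 8 + n]
            # Skip deletes, public records and entries truncated by the image edge.
            if op == OP_INSERT and rtype == TYPE_PRIVATE and len(body) == n:
                found.append(body.decode(errors="replace"))
        pos = raw.find(MAGIC, pos + 4)
    return found
```

Carving the log bytes after `end_private_session()` still returns the private URLs even though the table no longer holds them; after `reopen_browser()` the same scan returns nothing, which is the window the slides describe.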