2,321 research outputs found

    Privacy Preserving Internet Browsers: Forensic Analysis of Browzar

    With the advance of technology, Criminal Justice agencies are being confronted with an increased need to investigate crimes perpetrated partially or entirely over the Internet. These types of crime are known as cybercrimes. In order to conceal illegal online activity, criminals often use private browsing features or browsers designed to provide total browsing privacy. The use of private browsing is a common challenge faced in, for example, child exploitation investigations, which usually originate on the Internet. Although private browsing features are not designed specifically for criminal activity, they have become a valuable tool for criminals looking to conceal their online activity. As such, Technological Crime units often focus their forensic analysis on thoroughly examining the web history on a computer. Private browsing features and browsers often require a more in-depth, post mortem analysis. This often requires the use of multiple tools, as well as different forensic approaches to uncover incriminating evidence. This evidence may be required in a court of law, where analysts are often challenged both on their findings and on the tools and approaches used to recover evidence. However, there is very little research evaluating private browsing in terms of privacy preservation, or on the forensic acquisition and analysis of privacy preserving internet browsers. Therefore in this chapter, we firstly review the private mode of popular internet browsers. Next, we describe the forensic acquisition and analysis of Browzar, a privacy preserving internet browser and compare it with other popular internet browser

    Web browser artefacts in private and portable modes: a forensic investigation

    Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts as portable and private browsing are now common and available in popular web browsers. Browsers claim that whilst operating in private mode, no data is stored on the system. This paper investigates whether the claims of web browsers discretion are true by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when used in a private browsing session, as a portable browser, and when the former is running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory by means of dump files, hibernate and page files are the key areas where evidence from all browsers will still be recoverable despite their mode or location they run from

    A comparative forensic analysis of privacy enhanced web browsers

    Growing concerns regarding Internet privacy have led to the development of enhanced privacy web browsers. The intent of these web browsers is to provide better privacy for users who share a computer by not storing information about what websites are being visited as well as protecting user data from websites that employ tracking tools such as Google for advertisement purposes. As with most tools, users have found an alternative purpose for enhanced privacy browsers, some illegal in nature. This research conducted a digital forensic examination of three enhanced privacy web browsers and three commonly used web browsers in private browsing mode to identify if these browsers produced residual browser artifacts and if so, if those artifacts provided content about the browsing session. The examination process, designed to simulate common practice of law enforcement digital forensic investigations, found that when comparing browser type by browser and tool combination, out of a possible 60 artifacts, the common web browsers produced 26 artifacts while the enhanced privacy browsers produced 25 for a difference of 2%. The tool set used also had an impact in this study, with FTK finding a total of 28 artifacts while Autopsy found 23, for a difference of 8%. The conclusion of this research found that although there was a difference in the number of artifacts produced by the two groups of browsers, the difference was not significant to support the claim that one group of browsers produced fewer browsers than the other. As this study has implications for privacy minded citizens as well as law enforcement and digital forensic practitioners concerned with browser forensics, this study identified a need for future research with respect to internet browser privacy, including expanding this research to include more browsers and tools

    Forensic Analysis of Tor Browser on Windows 10 and Android 10 Operating Systems

    Smartphones and the Internet have become prevalent in our society with various applications in businesses, education, healthcare, gaming, and research. One of the major issues with the Internet today is its lack of security since an eavesdropper can potentially intercept the communication. This has contributed towards an increased number of cyber-crime incidents, resulting in an increase in users’ consciousness about the security and privacy of their communication. One example is the shift towards using private browsers such as Tor. Tor is a well-recognized and widely used privacy browser based on The Onion Router network that provisions anonymity over the insecure Internet. This functionality of Tor has been a major hurdle in cybercrime investigations due to the complex nature of its anonymity. This paper investigates artifacts from the Tor privacy browser on the latest Windows 10 and Android 10 devices to determine potential areas where evidence can be found. We examine the registry, storage, and memory of Windows 10 devices and the memory, storage, logs, and Zram of Android 10 devices for three possible scenarios i.e. before, during, and after use of the Tor browser. Our results do not support the claims made by the Tor Project regarding user privacy and anonymity. We find that it is possible to retrieve significant details about a user’s browsing activities while the Tor browser is in use as well as after it is closed (on both operating systems). This paper also provides an investigative methodology for the acquisition and analysis of Tor browser artifacts from different areas of the targeted operating systems. Therefore, it can serve as a base to expand research in the forensic analysis of other privacy browsers and improve the efficiency of cybercrime investigations

    Digital forensic analysis methodology for private browsing: Firefox and Chrome on Linux as a case study

    The web browser has become one of the basic tools of everyday life. A tool that is increasingly used to manage personal information. This has led to the introduction of new privacy options by the browsers, including private mode. In this paper, a methodology to explore the effectiveness of the private mode included in most browsers is proposed. A browsing session was designed and conducted in Mozilla Firefox and Google Chrome running on four different Linux environments. After analyzing the information written to disk and the information available in memory, it can be observed that Firefox and Chrome did not store any browsing-related information on the hard disk. However, memory analysis reveals that a large amount of information could be retrieved in some of the environments tested. For example, for the case where the browsers were executed in a VMware virtual machine, it was possible to retrieve most of the actions performed, from the keywords entered in a search field to the username and password entered to log in to a website, even after restarting the computer. In contrast, when Firefox was run on a slightly hardened non-virtualized Linux, it was not possible to retrieve any browsing-related artifacts after the browser was closed

    Forensics Analysis of Privacy of Portable Web Browsers

    Web browser vendors offer a portable web browser option which is considered as one of the features that provides user privacy. Portable web browser is a browser that can be launched from a USB flash drive without the need for its installation on the host machine. Most popular web browsers have portable versions of their browsers as well. Portable web browsing poses a great challenge to computer forensic investigators who try to reconstruct the past browsing history, in case of any computer incidence. This research examines various sources in the host machine such as physical memory, temporary, recent, event files, Windows Registry, and Cache.dll files for the evidential information regarding portable browsing session. The portable browsers under this study include Firefox, Chrome, Safari, and Opera. Results of this experiment show that portable web browsers do not provide user-privacy as they are expected to do. Keywords: computer forensics tools, RAM forensics, volatile memory, forensics artifacts, Registr

    Exploring the protection of private browsing in desktop browsers

    Desktop browsers have introduced private browsing mode, a security control which aims to protect users’ data that are generated during a private browsing session, by not storing them in the file system. As the Internet becomes ubiquitous, the existence of this security control is beneficial to users, since privacy violations are increasing, while users tend to be more concerned about their privacy when browsing the web in a post-Snowden era. In this context, this work examines the protection that is offered by the private browsing mode of the most popular desktop browsers in Windows (i.e., Chrome, Firefox, IE and Opera). Our experiments uncover occasions in which even if users browse the web with a private session, privacy violations exist contrary to what is documented by the browser. To raise the bar of privacy protection that is offered by web browsers, we propose the use of a virtual filesystem as the storage medium of browsers’ cache data. We demonstrate with a case study how this countermeasure protects users from the privacy violations, which are previously identified in this work