Chrome has it. IE8 and Firefox 3.1 have it. So what does it mean to forensics investigators? I’m talking about private browsing--the ability to visit sites, conduct research, or participate in illegal/unethical activities without leaving tell-tale signs behind.
Recent interest in this capability, sparked by privacy enhancements touted by Mozilla, Google, and Microsoft, prompted me to take a closer look at what this might mean to my forensics investigations. As usual, the impact on reconstructing questionable behavior depends on the browser used and the skills of both the problem employee and the investigator.
The need for private browsing
Some common reasons given for private browsing include:
- Researching a medical condition
- Shopping from a home PC for a surprise gift or vacation
- Planning a surprise birthday party
However, most family members aren’t going to know how to get around methods already provided by browsers—deleting cookies, cache content, and other session information written to disk. So these are rather weak arguments for stronger browsing privacy.
A more appropriate reason might be deleting anything written to disk which might be used to track Internet use or other behavior. This is already an available configuration, at some level, in all major browsers.
The problem with these reasons for eliminating all evidence of systems use is they are often a smoke screen for nefarious or illegal activities, including:
- Cheating on a spouse
- Theft of sensitive information
- Visiting child porn sites
- Participation in questionable organizations
I’m all for personal privacy, but let’s be honest about why many pine for these capabilities. They want to be able to live secret lives via the Web. And this is nobody’s business if the actions are not illegal or harmful to others, and they take place on home PCs. However, when these actions move to company-owned systems, they become potential forensics problems.
Private Browsing Capabilities in IE and Firefox
Microsoft and Mozilla seem to be taking different approaches to private browsing. Firefox 3.0 had the capability to delete session information when closing the browser. This isn’t perfect, allowing disk recovery tools access to information, but it works for most reasons people give for privacy. It looks like Microsoft is simply trying to play catch-up with IE8.
Tests run against Microsoft’s InPrivateBrowsing feature, however, were successful in retrieving browsing history and other information about user activities. (See IE8's 'privacy' mode leaks your private data, PC Advisor, 29 August 2008.) Unless tightened up in the final release, InPrivateBrowsing will protect against ordinary user searches but not from someone committed to retrieving user activity.
According to the Mozilla Wiki, Firefox 3.1 will take a different approach based on the premise that “The purpose of private browsing is to put Firefox into a temporary state where no information about the user’s browsing session is stored locally” (Private Browsing, Mozilla Wiki). According to Firefox 3.1 functional specifications, the following browser functions will be prohibited from writing to disk when in private mode:
- Cache service
- Cookies service
- Permissions manager
- SSL certificate exception manager
- History service
- Form/Search bar auto-complete history manager
- Download manager
- Login manager
- Content specific preferences manager
- Session restore service
- Error console service
Instead of writing this information to disk, it will be stored in memory and deleted when private browsing ends.
What this means for forensics
The time of easy access to evidence of unwanted activity on company systems is drawing to a close. Browser privacy capabilities and user awareness of what needs to be done to hide their actions are improving. Even if the browsers don’t effectively remove all evidence of questionable activity, there are plenty of utilities that do. The resourceful criminal or reprobate already knows about them and is probably skilled in their use.
When conducting research for this article, I was unable to find a spot solution for by-passing browser privacy on an end-point device as part of an approved investigation. However, private browsing only affects the end-user device. Unencrypted traffic passing over a company’s network is still a good source of digital evidence. This capability, coupled with device or web filter configurations preventing unauthorized SSL connections, provides still provides reasonable privacy with visibility into questionable activities on company infrastructure.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.