As incognito/private browsing increases in popularity, law enforcement and forensic investigators are seeing its use more and more often when conducting investigations that include electronic devices with internet capability. Although private browsing is most popular among adolescent males for accessing explicit content, criminals are using it in an attempt to conceal their activity. This project will aid law enforcement and forensic investigators in finding these browsing files, which could contain evidence pertinent to a criminal investigation.
The LCDI will be utilizing VMware to conduct data generation, focusing on four main browsers: Google Chrome, Mozilla Firefox, Safari, and Internet Explorer. Each of the four browsers will have its own virtual machine. Research will be done on the browsers that offer private/incognito sessions, along with what types of programs are best at viewing the imaged drives. Research will also be done to compare the chosen browsers' private/incognito session policies. The data generation process will include surfing the web, downloading files of various types, saving HTML pages, collecting tracking cookies, and using autofill features. This will be done using both a normal browsing session and an incognito/private browsing session, and we will compare the two. Once this is done, the team will image the virtual machines using forensic imaging software; once imaged, we will locate and examine the browsing session files.
We will be sharing our progress and findings in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org.