Private Browsing: A Window of Forensic Opportunity
DESCRIPTION
This is a seminar presentation and the paper is selected because of its close relation to my research.
TRANSCRIPT

Private Browsing: A Window of Forensic Opportunity [1]
Howard Chivers
Presented by Aung Thu Rha Hein (g5536871)
[1] H. Chivers, Dept. of Computer Science, University of York, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.

Outline
■ Introduction
■ Background
  ○ Digital Forensic
  ○ Browser Architecture
  ○ Private Browsing
■ Private Browsing: A window of Forensic Opportunity
■ Conclusion
■ References

Introduction
Motivation
■ The browser is the most used application
■ Digital artifacts from browsers are valuable
■ Private browsing becomes a barrier in forensic analysis

Introduction
Problem Statements
■ Is it possible to discover digital artifacts from private browsing sessions?
■ Different browsers have different architecture…
■ Is it possible to develop a common forensic methodology for all browsers?

Introduction
Research Objectives
■ To analyze the possibility of browser forensics
■ To measure the privacy level & capability of private browsing
■ To propose a methodology for analyzing public & private browsing artifacts

Background
Digital Forensic
■ Basic methodology
■ 3 methodologies & the detailed process varies
  ○ Basic Forensic Methodology
  ○ Cyber Tool Online Search For Evidence (CTOSE)
  ○ Data Recovery UK (DRUK)

Background
Browser Architecture

Background
Browser Architecture/2

Background
Private Browsing
■ no traces of browsing activity after the session ends
■ architecture and capability vary from browser to browser
■ Goal & Threat model:
  ○ Local attackers
  ○ Web attackers

Background
Private Browsing/2
Browser (Private Mode) | Private Browsing Indicator | Browsing History | Usernames/Email accounts | Images Videos
IE 8.0 | X
Google Chrome 23.0.1271.95 | X X
Mozilla Firefox 17.0.1 | X X
Apple Safari 5.1.7 | X X
[1] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.

Background
Related Works
[1] Keith J. Jones, “Forensic Analysis of Internet Explorer Activity Files,” 2003.
[2] Gaurav Aggarwal and Collin Jackson, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Security Symposium, 2010.
[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.

Background
Related Works/2
[4] H. Said, N. Al Mutawa, I. Al Awadhi, and M. Guimaraes, “Forensic analysis of private browsing artifacts,” in 2011 International Conference on Innovations in Information Technology (IIT), 2011, pp. 197–202.
[5] D. J. Ohana and N. Shashidhar, “Do Private and Portable Web Browsers Leave Incriminating Evidence? A Forensic Analysis of Residual Artifacts from Private and Portable Web Browsing Sessions,” 2013, pp. 135–142.
[6] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation, 2013.

Private Browsing: A window of Forensic Opportunity

Private Browsing: A window of Forensic Opportunity
Objectives
■ Forensic capability of IE 10’s InPrivate browsing
■ Architecture changes in IE 10
  ○ replaces binary historical formats with a new database technology, the Extensible Storage Engine (ESE)
■ To study the internal behaviour of InPrivate browsing

Private Browsing: A window of Forensic Opportunity/2
Extensible Storage Engine (ESE)
■ allows applications to retrieve data via Indexed & Sequential Access
Figure: The Propagation of Transaction Data into Disk Files

Private Browsing: A window of Forensic Opportunity/3
HTTP/HTML Data Storage
■ each data type is stored in a separate database table
■ also separated by integrity level (private or public)
Data Type | Description
Cookies | maintain stages of HTTP exchanges
Web Storage | allows storing name:value data
Indexed Database Storage | stores large arbitrary objects with indexes (internet.edb)

Private Browsing: A window of Forensic Opportunity/4
Method
[Diagram labels: VMWARE, Windows 8 pro, IE 10.0.9.., FTK Imager, E01.img, ESECarve, Result, python script, Analyzed Result]
■ 3 InPrivate experiments: a scoping exercise, a controlled comparison with ample system memory & a mixed load scenario

Private Browsing: A window of Forensic Opportunity/5
Browser Data Structures
■ \Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache
■ contains a containers table
■ index to container_nn
■ Metro apps have several containers

Private Browsing: A window of Forensic Opportunity/6
Identifying InPrivate Browsing records
■ records are stored in the same database
■ private browsing records are identified by a marker (type field)
■ browsing records are deleted after the session is over
■ records still remain in the log file (xxx.log)
■ log files are removed when the browser opens again

Private Browsing: A window of Forensic Opportunity/7
Recovery Success
Figure: Disk Map of Recovered InPrivate browsing records

Conclusion
■ research works on browser forensics
■ possibility of forensic analysis on private browsing
■ InPrivate browsing and internal behaviour
Thank You & Questions?

Reference
Research papers
[1] H. Chivers, “Private browsing: A window of forensic opportunity,” Digit. Investig., 2013.
[2] G. Aggarwal and E. Bursztein, “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Secur. …, 2010.
[3] Aditya Mahendrakar and James Irving, “Forensic Analysis of Private Browsing Mode in Popular Browsers,” 2010.
[4] D. Ohana and N. Shashidhar, “Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions,” EURASIP J. Inf. Secur., pp. 135–142, May 2013.

Reference
Web Resources
1. http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/#The_browsers_we_will_talk_about
2. https://archrometects.files.wordpress.com/2009/10/assignment-01-conceptual-architecture-of-google-chrome-archrometects.pdf
3. http://www.chromium.org/developers/design-documents
4. https://docs.google.com/document/d/1aBYEBd4b70YThMbuYskLIIyxltwlNxJTae89F1ULGcc/edit?usp=sharing