M6A6

This week's assignment: you will be reading different journal articles, one on Firefox, one on Chrome, one on Private Web Forensics, and one on Private and Portable Modes. Select two of the four attached articles and write a 2-3 page summary on what you have learned, including the techniques used, how each is different, and the end results. You should have a title page, and your 2-3 page summary should include your opinions on all the information, as this is not a research paper.

Evaluation of Firefox Browser Forensics Tools


Sweta Mahaju
University of Alabama
P.O. Box 870290
Tuscaloosa, Alabama 35487
smahaju@crimson.ua.edu

Travis Atkison∗
University of Alabama
P.O. Box 870290
Tuscaloosa, Alabama 35487
atkison@cs.ua.edu

ABSTRACT

Web browsers store web surfing data and history to facilitate the user's ease of operation, such as instant website recommendations or quicker access to previously visited sites. Since cyber-criminals or suspects, in general, may use the browser to search for any number of crime methods or visit different websites to collect information, this is a good source of electronic evidence used in lawsuits and other crime related investigations. For this reason, web browser forensics is an important field of Digital Forensics. It is crucial to know about the different web browsing analysis tools that are available and have a clear understanding of which tool would be more productive and suitable for which cases and situations. Therefore, this paper presents a survey of web browser forensics analysis tools for Firefox, and evaluates the performance of the tools and of the system while each tool is being run. These tools are tested against different criteria such as time constraints, memory consumption, and availability. The evaluation result varies with respect to the different sets of criteria. Each of the tools in this survey had its own strengths and weaknesses. However, if one is to be chosen that could be suitable enough for all the jobs, then FoxAnalysis would be the choice.

KEYWORDS

Digital Forensics, Web Browsers, Survey

ACM Reference format:
Sweta Mahaju and Travis Atkison. 2017. Evaluation of Firefox Browser Forensics Tools. In Proceedings of ACM SE ’17, Kennesaw, GA, USA, April 13-15, 2017, 8 pages.
DOI: http://dx.doi.org/10.1145/3077286.3077310

1 INTRODUCTION

The Internet is used by almost everyone today; around 3.5 billion people, as of the most recent report according to Statista [16]. Among those billions of Internet users are a number of suspects who will use the Internet for any help or information to assist with their criminal activities. These could be activities they either intend to commit or have already committed in the past; whether it be web searching, visiting different websites or deleting the browsing history of the web browser, accessing emails or online storage, or downloading files and so on. Therefore, considering web browsers for evidence searching could be a crucial part of a digital forensic investigation, as critical electronic evidence is usually found in a suspect’s web browsing history in the form of the above mentioned logs.

∗Corresponding author.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

ACM SE ’17, April 13-15, 2017, Kennesaw, GA, USA
© 2017 ACM. ISBN 978-1-4503-5024-2/17/04. . . $15.00
DOI: http://dx.doi.org/10.1145/3077286.3077310

There are several web browsers that a user can use to access the Internet. Among them, Mozilla Firefox, Google Chrome, Internet Explorer, Safari and Opera are known as the web browsing giants of today’s age. Each of them has its own significance. However, this paper will focus on the Firefox web browser as it is OS independent, i.e., it is compatible with several operating systems like Mac, Windows, Linux, etc. [17]. Moreover, it is highly customizable with a simple layout and is easy to use, which could be one of the reasons making it many users’ first choice [17]. Web browsers save traces and logs, such as cache, history, cookies, login credentials, and a download list. Firefox stores these browsing logs in SQLite databases from which data can be extracted during an investigation. The Firefox browser and its log data files and formats are described in detail in the upcoming section.

Web browsing evidence recognition is one of the most significant parts of a digital forensic investigation [13]. However, a forensic investigation is not limited to collecting logs and evidence. After gathering evidence, the next step is the analysis phase, in which the forensic investigators begin by reconstructing the web browsing events and activities. As the process is quite complicated, it calls for different forensic analysis tools. There are several browser specific and browser independent analysis tools available. However, not every tool exhibits all the features that a particular investigation scenario may require. Hence, evaluating the analysis tools with respect to the set of features they provide would be beneficial, especially for forensic investigation. Therefore, this paper includes a section which evaluates different web browser forensic tools for the Firefox browser on the basis of the different features they provide which may be helpful during forensic investigations.

Additionally, performance of a tool is one of the key factors to be considered. Speed, ease of use, availability, memory utilization and CPU consumption, etc., are some of the performance metrics against which the tools can be tested, so that a forensic investigation can get a performance-wise better tool among all the available tools exhibiting the common feature sets. Following the same logic, this paper also focuses on benchmarking the tools, as well as the system on which the tools are to be run, on the basis of the mentioned performance metrics, comparing the results among themselves to find the best tool of the chosen set.

This paper contains five sections. Section II discusses the different early works related to the work proposed in this paper. Section III describes the Firefox web browser and the log files it stores. Section IV presents the different web browser forensics tools. Section V provides an evaluation of web browser forensics tools, with subsections that categorize the evaluation into feature set evaluation and performance evaluation of the tools. Section VI discusses the accuracy of the idea the paper presents along with the comparison of the tools on the basis of the evaluation result. Finally, Section VII summarizes the concept of evaluation of web browser analysis tools and concludes with its importance in the field of digital forensics investigation.

2 RELATED WORKS

In [7], Lowman focuses on the topic of web history visualization and compares a visual web browser forensic tool, ‘Webscavator,’ with a non-visual one, ‘NetAnalysis’. The paper evaluates the visual browser forensic tool and explains the importance of data visualization in the field of digital forensics by comparing its feature set with that of a non-visual browser forensic tool. Haggerty and Taylor [4] focus on web log analysis, proposing a methodology for data visualization of search strings in web browser log files, so as to summarize a suspect’s interests, intentions and actions over a period of time.

In [12], Pereira points out the change in the structure of the web history log when the Firefox web browser moved from version 2 to version 3, explaining the new structure. Furthermore, the author proposes methodologies to recover deleted history records from the SQLite databases, explaining that traces of deleted records can be found in the unallocated space.

In [1], Akbal et al. present a methodology for forensic analysis of the digital resources related to a suspect’s web browser data. The data could be from any of the different web browsers and from any of the different operating systems. In the same work, the authors include a section that introduces some web forensics tools and briefly describes their features.

In [11], Oh et al. propose a new methodology for web browser log file analysis and evidence gathering. The paper explains in detail a few of the important functionalities that a web browser forensics tool should have; introduces a new tool, WEFA (Web Browser Forensic Analyzer), which provides advanced evidence collection and integrated analysis; and finally performs a functional comparison of that tool with existing tools.

Most of the above mentioned research works are focused on web log file structures and analysis. Some of them include comparisons of different web browser forensics tools. However, those papers show the limitations of the tools or introduce a new tool and compare and contrast the features of the existing tools with respect to the extra features the new tool provides. Furthermore, almost all of the related research mentioned above is out of date, as the discussions focus either on older tool versions or are superficial in their analysis of appropriate tools for Firefox log files. With the demand of upgrading technologies, the research needs to be updated to include the newer versions of the tools that may provide more features.

Hence, this paper focuses on the web browser forensics tools and the different features they provide for browser forensic data analysis; evaluates the tools based on those features as well as different performance metrics; and compares the results, with the aim of helping forensic investigators find the best suited tool for a given forensic case.

3 FIREFOX WEB BROWSER AND LOG FILES

Firefox is one of the predominant web browsers today. It supports web standards such as HTML, XHTML, CSS, DOM, XML and plugins such as Java, Flash, Acrobat Reader, as well as millions of non-standard web pages that can be found on the Internet today [3].

Firefox uses SQLite databases to record browser information and log files. It stores each kind of information in a separate SQLite file. There are a total of 12 SQLite files, corresponding to different functions like cookies, web searches, websites visited, etc. These SQLite files contain various tables to store user profile data. The data is stored in a protective way, so that it is still saved in the tables even after deletion by the user. From a forensic point of view, these SQLite files are considered helpful for extracting digital evidence. Table 1 describes the different SQLite log files used by Firefox to store web browsing information, and their importance [2].
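The files in Table 1 are ordinary SQLite databases, so the basic evidence the feature evaluation later looks for (website visits, visit count, first and last accessed time, parent page) can be pulled from places.sqlite with a few queries. The following is an added example, not code from the paper or from any of the tools it surveys; it builds a constructed in-memory database using the moz_places and moz_historyvisits column names of the real Firefox schema (only the columns it reads), and the sample visits are made up.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of the real Firefox places.sqlite schema: only the moz_places and
# moz_historyvisits columns this analysis reads (the real tables have more).
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT NOT NULL,
    title TEXT,
    visit_count INTEGER DEFAULT 0,
    last_visit_date INTEGER
);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY,
    from_visit INTEGER DEFAULT 0,   -- id of the referring visit, 0 if none
    place_id INTEGER NOT NULL,      -- refers to moz_places.id
    visit_date INTEGER NOT NULL,    -- PRTime: microseconds since the Unix epoch
    visit_type INTEGER
);
"""


def prtime_to_iso(prtime):
    """Convert a Firefox PRTime value (microseconds since epoch) to an ISO 8601 UTC string."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def build_sample_db():
    """Constructed sample profile data (not from a real browser) in an in-memory database.

    Against a real profile you would instead open a forensic copy of places.sqlite,
    e.g. sqlite3.connect('file:places.sqlite?mode=ro', uri=True).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_places (id, url, title, visit_count, last_visit_date) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            (1, "https://example.org/", "Example", 0, None),
            (2, "https://example.org/search?q=sqlite", "Search results", 0, None),
            (3, "https://downloads.example.net/tool.zip", None, 0, None),
        ],
    )
    base = 1_490_000_000_000_000  # 2017-03-20T08:53:20Z expressed as PRTime
    conn.executemany(
        "INSERT INTO moz_historyvisits (id, from_visit, place_id, visit_date, visit_type) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            (1, 0, 1, base, 1),                  # direct visit to the home page
            (2, 1, 2, base + 60_000_000, 1),     # search page reached from visit 1
            (3, 2, 3, base + 120_000_000, 1),    # download reached from the search page
            (4, 0, 1, base + 3_600_000_000, 1),  # home page again, one hour later
        ],
    )
    return conn


def visit_summary(conn):
    """Websites visited with visit count, first and last accessed time (Table 2 features 1, 3, 4, 5).

    Counts come from moz_historyvisits rather than moz_places.visit_count, so a stale
    or zeroed counter in moz_places cannot skew the result.
    """
    rows = conn.execute(
        """
        SELECT p.url, COUNT(v.id), MIN(v.visit_date), MAX(v.visit_date)
        FROM moz_places AS p
        JOIN moz_historyvisits AS v ON v.place_id = p.id
        GROUP BY p.id
        ORDER BY MIN(v.visit_date)
        """
    ).fetchall()
    return [
        {
            "url": url,
            "visit_count": count,
            "first_accessed": prtime_to_iso(first),
            "last_accessed": prtime_to_iso(last),
        }
        for url, count, first, last in rows
    ]


def parent_pages(conn):
    """(visited url, referring url or None) per visit, in time order (the 'Parent Page' feature).

    from_visit is a self-reference into moz_historyvisits, so the referrer is found
    by joining the table to itself and then back to moz_places.
    """
    rows = conn.execute(
        """
        SELECT child_p.url, parent_p.url
        FROM moz_historyvisits AS child
        JOIN moz_places AS child_p ON child_p.id = child.place_id
        LEFT JOIN moz_historyvisits AS parent ON parent.id = child.from_visit
        LEFT JOIN moz_places AS parent_p ON parent_p.id = parent.place_id
        ORDER BY child.visit_date
        """
    ).fetchall()
    return [(child, parent) for child, parent in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for entry in visit_summary(db):
        print(entry)
    for visited, referrer in parent_pages(db):
        print(f"{visited}  <-  {referrer or '(direct)'}")
```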

Table 1: Firefox Log Files

1. content-prefs.sqlite: This file is used to set user-specific preferences for browser and content settings that persist throughout the user's browsing session along with the browsing history. content-prefs.sqlite contains 3 tables, namely groups, prefs, and settings, which give information about preferred sites during a forensic investigation [2].

2. extensions.sqlite: This file contains seven different tables which are used to store information about the different extensions installed in the Firefox browser. Among these tables, ‘addon’ could be considered an important one from a forensics point of view, as it stores information like “descriptor”, “installDate”, and “sourceURL” [2].

3. places.sqlite: This file is probably one of the most significant files in Firefox forensics. It maintains the records of all the Firefox bookmarks and lists of all the files downloaded and websites visited; all of the related information is considerably important for a forensic investigation pursuing the suspect [6].

4. addons.sqlite: This file contains the table that stores all the information related to browser add-ons, such as name of add-on, version number, description, developer notes, support URL, creator and creator’s URL, homepage URL and total number of downloads. Therefore, a forensic investigator can use this file to retrieve the details of all the installed add-ons while analyzing the browsing activities of the suspect [2].

5. cookies.sqlite: Firefox uses a table named “moz_cookies” to store all the information related to browser cookies. Not all cookies are relevant to forensic analysis, as cookies are generated for two purposes: one to create a user profile and the other for advertisement purposes. Hence, columns like baseDomain, host, lastAccessed, and creationTime are the important ones from a forensic point of view and can be used to extract the relevant information [2].

6. formhistory.sqlite: This file contains a table named “moz_formhistory” which stores all the data used for filling web forms. Additionally, the data related to web searches using the search bar, as well as the search keywords used, are also stored in the table. The important columns are “value”, “fieldname”, “firstUsed” and “lastUsed”. The search keywords are stored in “fieldname”, data related to searches and other form data are stored in the “value” column, and the other two columns give the times associated with the records [2].

7. search.sqlite: The search.sqlite file stores the list of all the available search engines, such as Google, Bing, Yahoo, Wikipedia, etc., that can be used by the Firefox browser [2].

8. signons.sqlite: When the user logs in to any website, their user credentials (username and password) are stored in this file in encrypted form under the columns “encryptedUsername” and “encryptedPassword”. Along with these, there is also timestamp information such as created time, last used time and password last changed time. The site visit count is also stored under the “timeUsed” column. Hence, this file is one of the important files for investigators to retrieve information which could be decisive and pivotal during evidence searching [2].

9. permissions.sqlite: This file consists of a table named “moz_hosts” whose column “host” stores the names of the sites for which permissions such as allow pop-ups, allow Adobe Flash, etc., are set [2].

10. downloads.sqlite: This file consists of the table named “moz_downloads” which saves all the information about past downloads, such as files downloaded, destination, source, time, etc., which can be crucial to a forensic investigation [2].

11. webappstore.sqlite: The information about the software methodology and protocols used in a web browser is stored in this file. Along with these, the table in the file also contains information about the web storage types. Moreover, even after the user deletes the browser history, cookies, or other browsing information, the data still remains in the table [2].

12. chromeappsstore.sqlite: This file stores the information related to a search engine in the table named “webappstore2” [2].

4 WEB BROWSER FORENSICS TOOLS

The forensic analysis phase is an important phase of a digital forensic investigation, as the forensic investigator reaches a result based on the analysis done on the collected evidence. For a web browser investigation, the process begins with event reconstruction of the web browsing history. There are several tools available now that can considerably streamline the procedure [5].

Web browser forensics tools, among the different computer forensic tools, are those specifically related to the Internet browsing activities of the suspect’s system. Many web browsing analysis tools are browser specific; however, there are some that are compatible with more than one browser. As this paper is concerned with the Firefox web browser, some of the top web browsing history analysis tools which accept the Firefox log file format as input are listed and described briefly below:

4.1 NetAnalysis V2

NetAnalysis v2 is a web browser forensic application which allows the user to retrieve the logged web browsing history and perform forensic analysis on it. Digital Detective Group Ltd introduced this application along with HstEx v4, an advanced data recovery solution designed to recover deleted browser history and other browsing data. The NetAnalysis tool provides web browser forensics, filtering and searching, cache export and page rebuilding, and reporting, all of which are meant to be useful for digital forensic analysis and investigation [8].

4.2 FoxAnalysis V1.6.0

FoxAnalysis is a web browser forensics tool developed by Foxton Software Limited that helps with retrieving recorded bookmarks, cookies, downloads, form histories, web histories, logins, saved sessions, and website visits from the Firefox browser. All of these are equally important data for forensic investigations. Some of the features it provides are a web history timeline and analysis, filtering, creating and opening case files, exporting and reporting, etc. [10].

4.3 PasswordFox

PasswordFox gives investigators the ability to retrieve the login credentials saved by the Firefox browser. The program was developed by Nir Sofer, who released it as a portable program: it does not need to be installed and can be carried on portable devices. By default, PasswordFox retrieves the records of the current user profile; however, any other Firefox profile location can be specified. The application allows you to extract the website, user name, password, user name field, password field, sign-on file, HTTP realm, password strength and Firefox version. Another feature of the application is that the list of records can be exported to a TXT, HTML, XML or KeePass CSV file [15].

4.4 Browser History Examiner

Browser History Examiner is also one of the products of Foxton Software Limited. It is a browser forensic tool used for capturing, extracting and analyzing the web browsing history data of the Firefox web browser. It collects logs of bookmarks, cached data, cookies, downloads, favicons, form history, web searches, website visits, login credentials, etc., which are almost all the types of data relevant to a web browser forensics investigation [9].

4.5 MZ History Viewer

MZ History Viewer is a simple web browser forensic tool to view the browsing history of the Firefox browser. It provides the user with several simple features, including displaying the browsing history in a grid view with columns for First Visit time, Last Visit time, Visit Count, URL, Visit Length, etc., searching the history, a properties window, navigating to the displayed history URLs, and reporting. This is the common information necessary for a forensics investigation [14].

5 EVALUATION OF WEB BROWSER FORENSICS TOOLS

The importance of forensics tools calls for assurance that the tools are well tested with respect to their features and performance. This paper provides an evaluation of the tools listed above based on the features they provide and on performance metrics, which show to what extent running the tools affects the machine on which they are run.

5.1 Evaluation based on Feature Sets

There may be various scenarios and cases that forensic investigators need to work on which call for the use of web browser forensics tools. Knowing which tools are suitable for which case and what relevant features a tool provides might play a crucial role in minimizing the workload of the investigator. Therefore, this paper lists a set of the most important features a tool should have as the evaluation matrix and summarizes their availability in the five tools mentioned in Section IV in a tabular format, see Table 2.

Table 2: Feature Set Evaluation

| S. No. | Features | NetAnalysis | PasswordFox | MZ History Viewer | Browser History Examiner | FoxAnalysis |
|---|---|---|---|---|---|---|
| 1 | Websites Visits | Y | Y | Y | Y | Y |
| 2 | Form History | Y | Y | Y | Y | Y |
| 3 | Visit Count | Y | N | Y | Y | Y |
| 4 | First Accessed Time | Y | Y | Y | Y | Y |
| 5 | Last Accessed Time | Y | Y | Y | Y | Y |
| 6 | Firefox Version | Y | Y | N | N | N |
| 7 | Parent Page | N (Not in Evaluation Version) | N | Y | Y | N |
| 8 | Bookmarks | Y | N | N | Y | Y |
| 9 | Cookies | Y | N | N | Y | Y |
| 10 | Downloads | Y | N | Y | Y | Y |
| 11 | Logins | Y | Y | N | Y | Y |
| 12 | Session | N | N | N | Y | Y |
| 13 | Favicon | Y | N | N | Y | Y |
| 14 | Filtering | Y | N | Y | Y | Y |
| 15 | Search by Keyword | Y | Y | Y | Y | Y |
| 16 | Sorting | Y | Y | Y | Y | Y |
| 17 | Select Column to Display | Y | Y | Y | N | N |
| 18 | Time Zone Selection | Y | N | N | Y | Y |
| 19 | Preview | Y | N | N | Y | N (Not in Trial Version) |
| 20 | Classification of browsing activities | N | N | N | Y | Y |
| 21 | Deleted Information Recovery | Y | Y | N | N | N |
| 22 | Timeline Generation | N | N | N | Y | Y |
| 23 | Web page reconstruction | N | N | N | N | N (Not in Trial Version) |
| 24 | Open selected link in web browser | Y | N | Y | N | N |
| 25 | Password Recovery | N | Y | N | N | N |
| 26 | Exporting | Y | N | N | Y | Y |
| 27 | Reporting | Y | Y | Y | Y | N (Not in Trial Version) |

With reference to Table 2, the participating tools can be compared with respect to the features they provide, which will help investigators select the best suited tool for their case. It can be seen that all five browser tools provide the most necessary and basic features that are crucial for browser forensics; however, some of the tools exhibit more features than others.

For web browser history analysis, the basic information considered relevant and important would be ‘Websites Visits’, ‘Form History’, ‘Visit Count’, ‘First Accessed Time’, ‘Last Accessed Time’, ‘Bookmarks’, ‘Cookies’, ‘Downloads’, ‘Logins’, ‘Keywords Used’ and ‘Reporting’. Advanced features would comprise ‘Content Preview’, ‘Time-line Generation’ and ‘Web Page Reconstruction’, while ‘Password Recovery’ would be a specific feature. Other features such as ‘Sorting’, ‘Filtering’, ‘Column to Display’, ‘link to the history url’ and ‘Exporting’ could be categorized as ease-of-use features.

According to the feature evaluation result from the table above, we see that:

1. Almost all the tools exhibit the basic features to provide user browsing history information.

2. Advanced functionalities are lacking in almost all of the tools; however, the paid versions of FoxAnalysis, Browser History Examiner and NetAnalysis provide some of these or other features.

3. As PasswordFox is a specific password recovery tool, it lacks most of the features mentioned above. However, it is a worthy tool to use when the case calls for recovering the saved password of a login page. Furthermore, along with the password recovery feature, it provides the user with basic forensic information about the login page, making the case easier to an extent.

4. MZ History Viewer, a small tool with a simple interface, provides the fewest features, from which basic information about the web browsing history can be extracted.

5. NetAnalysis, Browser History Examiner and FoxAnalysis exhibit almost all the features listed in the table. However, because only trial versions of the tools were available for the evaluation, many of the functionalities they provide could not be tested in this project.

5.2 Evaluation Based on Performance Metrics

In addition to knowledge of the different features that the tools provide, it is essential that a forensic investigator know how well the tools, and the system on which the tools are run as a whole, work when tested against some performance constraints. Performance evaluation will decide whether the system will be satisfactorily stable and function without any measurable impact due to the processing of the tools.

The configuration of the system on which the performance evaluation was done is described below:

Windows Edition: Windows 8.1
System:
Processor: Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz 2.30 GHz
Installed Memory (RAM): 12.0 GB (11.8 GB Usable)
System Type: 64-bit Operating System, x64-based processor

To benchmark the system, the built-in ‘Task Manager’ application was used to record the memory utilization and CPU consumption of each of the five candidate tools against a dataset of 108 MB. The other criteria were set considering human to machine interaction.

The performance metrics below are used to evaluate the tools from the point of view of system processing as well as user friendliness.

5.2.1 Memory Utilization. According to the evaluation done, the following results can be drawn for the five web browser forensic tools:

Figure 1: Performance Evaluation: Memory Utilization

We can see in Figure 1 that NetAnalysis uses the most memory of all the tested tools, i.e., 63.7 MB. Next is Browser History Examiner with 44.79 MB. FoxAnalysis uses 29 MB, whereas the remaining two tools consume around 6 MB of system memory. Analyzing the data, it seems that the tools with more features consume more memory than simple tools such as MZ History Viewer and PasswordFox. However, a forensic investigation requires further criteria to be considered, including the feature set, rather than memory consumption alone. Hence, a balanced decision needs to be made to choose the better tool.

5.2.2 CPU Consumption. CPU consumption is another metric that needs to be considered when benchmarking the tools, as it could be one of the reasons that makes system processing slow. Slow processing is not a good thing considering the need for urgency during an investigation. Figure 2 provides the results of evaluating the tools against the CPU consumption constraint:

Figure 2: Performance Evaluation: CPU Consumption

Figure 2 shows that Browser History Examiner consumes the greatest percentage of CPU among the five tools, i.e., a maximum of 47.7%. Analyzing the overall result, NetAnalysis and FoxAnalysis could be considered the better tools, considering their low CPU consumption together with more features.

5.2.3 Speed of processing. Some cases in a forensic investigation need urgent analysis of the information. Hence, the speed of the tools matters for those cases. The five browser forensics tools were tested against the time constraint and evaluated based on the speed of their processing. The following bar chart (Figure 3) shows the results based on processing speed:

Figure 3: Performance Evaluation: Speed of Processing

From the evaluation result, it has been found that PasswordFox and MZ History Viewer do their job faster than the other three tools. This is understandable because PasswordFox is only concerned with the password recovery process and retrieves basic browsing information for those login pages. MZ History Viewer likewise retrieves only basic web browsing activities of the users. NetAnalysis shows the longest processing time of all. Browser History Examiner takes around the same time as NetAnalysis, and FoxAnalysis is around the average of all the processing times. Among the tools with a good feature set, Browser History Examiner and FoxAnalysis could be taken as the considerably better tools if tested on the basis of the time constraint.

5.2.4 Availability. This metric considers whether the tools are freely available to the user or must be paid for. The rating values are Freeware or Paid. PasswordFox and MZ History Viewer, both produced by NirSofer, are completely freeware. On the other hand, FoxAnalysis and Browser History Examiner, both produced by Foxton Software Ltd., are paid products. However, trial packages can be found on the Internet. These trial versions limit how long they can be used. They also allow the user access to only a limited number of the available features and limit the number of records that can be fetched from the web history to 25. In order to access all available product features, FoxAnalysis and Browser History Examiner must be paid for. NetAnalysis is another paid software product, belonging to Digital Detective Group Ltd. An evaluation package can be downloaded on request.

5.2.5 Ease of use. Finally, ‘Ease of Use’ of the tools for the users is one of the important criteria that needs to be taken into consideration while evaluating the tools. Many functionalities, such as classification of the feature set, a user-friendly layout, a preview function, etc., determine ease of use. In tools like FoxAnalysis and Browser History Viewer, the different categories of user browsing activities, like website visits, bookmarks, cookies, form histories, etc., are classified into tabs or a left sub-menu bar, which makes it easier for users to view the desired category of browsing information. On the other hand, NetAnalysis does not provide this type of ease in the user interface: all the browsing information is displayed in a single grid. However, users are provided with filter functionality in each of the grid columns. MZ History Viewer and PasswordFox are very easy to use because of their limited features. Both of them show a grid of browsing history information and a property window with more details for each entry.

With respect to user friendliness of the interface, Browser History Examiner was the easier tool to use, as everything is visible in the same layout. The left navigation bar contains all the categories of user browser activities, while the right side of the screen shows the filter functionalities. The resulting information is displayed in the center. FoxAnalysis could also be considered user friendly, as it also provides different categories of user activities. Plus, it shows a time-line of those activities in the website visits screen. The filter menu is easily found in the menu bar. The tools are rated on a scale of 0 to 10 for this performance matrix. For ease of use, NetAnalysis gets 6 out of 10; PasswordFox and MZ History Viewer both get 9 out of 10 because of their easy interface; and Browser History Examiner and FoxAnalysis are both rated 7 out of 10, considering the user-friendly interface together with a better set of features.

Table 3 sums up the evaluation results:

Table 3: Performance Evaluation

S. No.  Performance Matrices             NetAnalysis  PasswordFox  MZ History Viewer  Browser History Examiner  FoxAnalysis
1       Memory Utilization (MB)          63.7         6.15         6.24               44.79                     29
2       CPU Consumption (Max. Percent)   5            1.1          9.8                47.7                      2.6
3       Speed of Processing (Secs)       5.47         1.29         2.53               4.45                      3.92
4       Availability                     Paid         Freeware     Freeware           Paid                      Paid
5       Ease of Use (Out of 10)          6            9            9                  7                         7

Considering both evaluations and analyzing the results, it can be summarized that NetAnalysis and FoxAnalysis could be considered the contenders, as both of them provide users with more features, helping in a better and easier investigation, and both of them perform considerably better on the performance criteria. PasswordFox could be considered when the call is specifically for a password recovery job; however, though it performs well in the performance evaluation, it provides fewer features for investigation purposes. Similarly, MZ History Viewer should be used only for cases where basic information retrieval is enough, as it will perform faster and more easily than the other tools. Finally, Browser History Examiner is the last pick in this evaluation: even though it provides better features for investigation, it shows the largest CPU consumption (even for a dataset of merely 108 MB). Hence, it is ranked in the lowest place in this evaluation.

6 ACCURACY AND COMPARISON OF THE BROWSER FORENSIC TOOLS

6.1 Accuracy

The evaluation was performed on a personal dataset of 108 MB, and the accuracy of data retrieval could be checked by comparing the browsing history shown in the browser’s History Library with that reported by the tools. The following attributes were checked:

6.1.1 Website Visits. From the Firefox browser history window, the browsing history related to website visits could be used to compare and verify the records retrieved by the tools. All of the tools show the browsing history. However, as Browser History Examiner and FoxAnalysis were trial version packages, they displayed only 25 of the total records. NetAnalysis and MZ History Viewer retrieve all the history records, whereas PasswordFox does not retrieve website visit records unless they are related to logins.

Table 4: Forensic Tools Comparison Chart

Portability and Simplicity
  NetAnalysis: Not portable and complex
  PasswordFox: Portable and simple
  MZ History Viewer: Portable and simple
  Browser History Examiner: Not portable and complex
  FoxAnalysis: Not portable and complex
  Guidelines and Suggestion: Nir Sofer designed PasswordFox and MZ History Viewer with simplicity of the interface and portability of the products in mind. They would be the best tools to use if these attributes are considered important.

Speed
  NetAnalysis: Slow
  PasswordFox: Fast
  MZ History Viewer: Fast
  Browser History Examiner: Fast
  FoxAnalysis: Considerably fast
  Guidelines and Suggestion: When forensic investigators have to deal with a large dataset, getting the result in a short period of time can be troublesome, so speed of the tool is obviously desirable. Hence, FoxAnalysis would be the best tool, as it processes the data in comparatively less time than the other tools that are similar in the other attributes.

Classification of User Activities
  NetAnalysis: Not classified
  PasswordFox: Not classified
  MZ History Viewer: Not classified
  Browser History Examiner: Classified
  FoxAnalysis: Classified
  Guidelines and Suggestion: FoxAnalysis would be the best tool to use, as it gives the user easy access to the desired category of user activities in the browsing history. This helps investigators obtain a smaller, relevant list of browsing information, making the investigation relatively faster and easier.

Memory and CPU Consumption
  NetAnalysis: High
  PasswordFox: Low
  MZ History Viewer: Low
  Browser History Examiner: Very high
  FoxAnalysis: Considerably low
  Guidelines and Suggestion: Browser History Examiner is not preferable, considering its highest average memory and CPU usage. PasswordFox and MZ History Viewer, with low CPU and memory consumption, are preferred for basic history retrieval jobs. NetAnalysis is a good tool with a varied feature set and low CPU consumption. However, FoxAnalysis would be best preferred, considering its comparatively lower average CPU and memory consumption and a similar set of features.

6.1.2 Bookmarks. We can view the user-created bookmarks in the browser’s bookmark toolbar. In more detail, they can be viewed in the browser history library window, where the screen provides a tab for the bookmark section. The bookmark-related information retrieved by the tools could be verified from here. As a result, it was found that FoxAnalysis and Browser History Examiner fetch all the bookmark data correctly, whereas PasswordFox and MZ History Viewer do not have a feature to retrieve the bookmarks of a user profile. NetAnalysis, on the other hand, has a Bookmark column in its grid view. However, the evaluation version does not retrieve the bookmark information.

    Figure 4: PasswordFox: Properties Window

6.1.3 Password Recovery. The personal Firefox user profile contains login information, one of which is a test Gmail account. The evaluation result shows that PasswordFox retrieves the saved password in decrypted form along with the other relevant information such as ‘Created Time’, ‘Last Time Used’, ‘Password Change Time’, etc., as shown in Figure 4.

NetAnalysis gives the login information for the login page. However, the password is displayed in encrypted form in the evaluation version. FoxAnalysis and Browser History Examiner give all other information related to the login page, but the password recovery feature does not exist in them. MZ History Viewer does not have the feature either.

6.1.4 Downloads. The Firefox browser history window gives the list of downloads, which could be used to verify the download-history data retrieved by the tools. We see that NetAnalysis accurately retrieves the information related to the user’s download history. Browser History Examiner does not retrieve this information in the trial version, while the FoxAnalysis trial version shows 25 records of the download history. MZ History Viewer shows the download information in the grid with the Visit type value ‘Downloads’. On the other hand, PasswordFox does not have a feature to retrieve download history.

6.2 Comparison Chart

Based on both the feature evaluation and the performance evaluation, the tools could be compared on the basis of the attributes described in Table 4.

    7 CONCLUSION

    Web browser forensics is an important part of digital forensics.
    It is extremely important as the Internet has become an
    avenue for criminals to commit or cover up their crimes,
    and web browsers are the gateway for humans to interact
    with the Internet. Crucial evidence can be collected while
    investigating the suspect’s web browsers. Mozilla Firefox is
    one of the most popular web browsers currently available,
    and can be considered as an important source of information.

To analyze web browsing history related information, different forensics tools are available. Some tools offer analysis of web browsing activities as an extra feature, whereas others are developed specifically for that job. As different tools provide different, or the same, sets of features presented in different ways, it is essential for an investigator to know which tool is most suited for a particular case. Moreover, knowing the impact of the tools on the system they are run on is equally important. Hence, this paper presented an evaluation of five web browser forensic tools based on the features they provide. It also examined how well they work on the system on which they are running. Various performance matrices were used when evaluating the 5 tools.

The evaluation result varies with respect to the different sets of criteria. However, if one tool is to be chosen which could be suitable enough for all the jobs, then FoxAnalysis would be the choice. Though the evaluation was done on the trial version, the complete package gives the user the ability to retrieve all the basic and important information, generate a time-line of the user’s browsing activities, and reconstruct web pages, plus a simple and user-friendly interface, as well as being considerably better performance-wise.



DOI: http://dx.doi.org/10.26483/ijarcs.v8i7.4433
Volume 8, No. 7, July – August 2017
International Journal of Advanced Research in Computer Science
RESEARCH PAPER
Available Online at www.ijarcs.info
ISSN No. 0976-5697
© 2015-19, IJARCS All Rights Reserved 896

WEB BROWSER FORENSICS: GOOGLE CHROME

Dr. Digvijaysinh Rathod
Institute of Forensic Science
Gujarat Forensic Sciences University
Gandhinagar, Gujarat (India)

Abstract: Internet users use the web browser to perform various activities on the internet, such as browsing, email, internet banking, social media applications, downloading files and videos, etc. As the web browser is the only way to access the internet, cybercriminals use or target the web browser to commit internet-related crime. It is very important for the digital forensic examiner to collect and analyze artifacts related to the suspect’s web browser usage. Various browsers are available in the market, such as Google Chrome, Internet Explorer, Mozilla Firefox, Safari and Opera, among which Google Chrome is very popular in the internet user community. Our literature survey shows that most research has used the prefetch file and live memory analysis as sources of information to extract artifacts. In this paper, we analyzed the default artifact locations, history, cookies, login data, Topsites, shortcuts, user profile, prefetch file and RAM dump to collect artifacts related to internet activities on Windows-installed Google Chrome. The outcome of this research will serve as a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.

    Keywords: Browser forensics, Google Chrome, Digital forensics, RAM analysis

I. INTRODUCTION

The internet browser is the only way to access the internet, and internet users use it for purposes such as accessing email, internet banking and social networking sites. Malicious users (suspects) try to steal sensitive and confidential information from internet users for personal financial gain. This confidential information can be the user’s banking credentials, email addresses, address book or social security number, or the attacker may even break into someone’s system out of personal or professional rivalry. It is very important for the digital forensic examiner to know the various ways to perform forensics of the web browser [1], and the artifacts forensically collected from the suspect’s browser can be useful in the examination of cybercrime cases. The aim and objective of this paper is to identify sources of information, along with sound forensic techniques, to collect evidence which shows internet usage. To maintain the privacy and security of the end user, various browser vendors introduced private browsing or Incognito Mode [2]. In this mode, information such as webpage history, form data and passwords, cookies, temporary internet files, anti-phishing cache, address bar and search auto-complete data, automatic crash restore (ACR) data, and the document object model (DOM) is discarded when the browser is closed [3]. The study [4] shows that the desktop browser market shares of Google Chrome, Microsoft Internet Explorer, Firefox, Microsoft Edge, Safari, Opera and others are 59.7%, 16. %, 12.32%, 5.65%, 3.66%, 1.21% and 0.81% respectively. Google Chrome is therefore the leading internet browser, and the focus of this paper is to use various digital forensic techniques and information sources to collect artifacts related to internet usage.

The rest of the paper is organized as follows: the related research is reviewed in section II; Google Chrome, its sources of artifacts and the digital forensic techniques are discussed in section III; and the paper is concluded with comments in section IV.

II. LITERATURE SURVEY

Donny J Ohan, Narasimha and Shashidhar [3] conducted research on artifact extraction from Google Chrome, Mozilla Firefox, Apple Safari and Internet Explorer in private and portable browsing modes. Their major focus was to see whether artifacts related to private browsing, browsing history, usernames / email accounts, images and videos could be discovered or not. Andrew Marrington, Ibrahim Baggili and Talal Al Ismail [5] discussed the forensics of Google Chrome in normal and private mode and extracted evidence related to internet activity from the hard disk. The paper written by Junghoon Oh, Seungbong Lee and Sangjin Lee [1] considered the browser’s log files as the source of information from which to extract potential artifacts. Huwida Said, Noora Al Mutawa and Ibtesam Al Awadhi [2] extracted evidence using RAM analysis.

Our literature survey shows that most researchers used browser logs, local files or RAM analysis as the source of information to extract artifacts related to internet usage. In this paper, we use a broader range of information sources, such as the default artifact locations, history, cookies, login data, Topsites, shortcuts, user profile, prefetch file and RAM analysis, which gives an opportunity to extract more, and more varied, artifacts related to cybercrime. In the next section, we give an overview of Google Chrome and discuss the different sources of information, along with digital forensic techniques to extract evidence related to internet usage.

III. GOOGLE CHROME FORENSICS TECHNIQUES

Google Chrome stores data in SQLite format, which can be examined using an SQLite database viewer [6]. The database file that contains the Google Chrome browsing history is stored in the default folder as History. Its tables are downloads, presentation, urls, keyword_search_terms, segment_usage, visits, meta and segment, which are very important from a forensic point of view. The default artifact locations of Google Chrome are shown in Table 1.

Dr. Digvijaysinh Rathod, International Journal of Advanced Research in Computer Science, 8 (7), July-August 2017, 896-899

Table 1: Default artifact locations of Google Chrome

Microsoft Windows Vista/7/8
  History, Downloads and Cookies: C:\user\{username}\AppData\Local\Google\Chrome\User Data\Default\
  Cache: C:\user\{username}\AppData\Local\Google\Chrome\User Data\Default\

Apple Macintosh OS X
  History, Downloads and Cookies: /Users/{users}/Library/Application Support/Google/Chrome/Default/
  Cache: /Users/{user}/Library/Caches/Google/Chrome/Default/Cache/

GNU / Linux
  History, Downloads and Cookies: /home/{user}/.config/google-chrome/Default/
  Cache: /home/{user}/.cache/google-chrome/Default/Cache/

Analysis of History

The History file contains all browsing information of the user, such as visited links (URLs), downloads, search terms and download chains. This file can be viewed using an SQLite database viewer. We can see the database structure of the History file (Figure 1). There are 9 tables in this file and 13 indices, views and triggers. The viewer also offers options to browse data, edit pragmas and execute SQL; executing SQL can help the examiner parse evidence using SQL statements.

    Figure -1 Database schema and plot (graph) view

We discuss the analysis of the important tables of History in the next section.

Downloads

This table (Figure 2) shows what the user downloaded. It gives information such as id, current path, target path, start time (WebKit time format), received bytes, total bytes, state, danger type, interrupt reason, end time, opened, referrer, last modified, mime type and original mime type of the downloaded file. The SQLite browser shows time as a WebKit timestamp, so it is necessary to convert this time into a readable time format.

Figure 2 Database schema and plot (graph) view of Downloads

downloads_url_chains

This table (Figure 3) gives the list of URLs from which files (audio, video, documents, etc.) were downloaded by the user. As shown in the figure, the user downloaded the WinRAR 64-bit tool from www.filehippo.com and autopsy-4.0.0-64bit from sourceforge.net.

Figure 3 downloads_url_chains

keyword_search_terms

Keyword search terms play an important role in understanding the user’s psychology. This table stores the keywords the user entered, along with keyword_id, url_id, lower_term and term. Figure 4 shows user-entered keywords such as zorinos 10, xss pop up, xss payload, xenu tool, etc.


    Figure 4 keyword_search_terms

URLs

This is the most important table; it shows the list of URLs visited by the user along with id, url, title, visit count, typed count, last visit time, hidden and favicon id. Figure 5 shows the URLs visited by the user.

    Figure 5 keyword_search_terms
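The following Python script is an added example, not code from the paper: it builds a small constructed SQLite database with the History tables discussed above (urls, keyword_search_terms, downloads and downloads_url_chains), then reads them back, joining search terms to the URL they were submitted through and downloads to their redirect chain, and converts the WebKit timestamps (microseconds since 1601-01-01 UTC) into readable UTC times. The 0 that Chrome writes for the end_time of an unfinished download is reported as unknown rather than as the year 1601; all rows, paths and hostnames are constructed for illustration.

```python
"""Added example: read Chrome-style History tables and convert WebKit times.
The database built below is CONSTRUCTED to mirror the columns the text lists."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us):
    """Convert a WebKit timestamp to an aware UTC datetime.
    Chrome writes 0 when a time is not set (e.g. end_time of a download
    still in progress); report that as None instead of 1601-01-01."""
    if not webkit_us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(webkit_us))


def datetime_to_webkit(dt):
    """Inverse conversion; used only to build the sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Return an in-memory SQLite db shaped like Chrome's History file
    (only the tables and columns discussed in the text are modelled)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER,
            url_id INTEGER, lower_term TEXT, term TEXT);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT,
            target_path TEXT, start_time INTEGER, received_bytes INTEGER,
            total_bytes INTEGER, state INTEGER, danger_type INTEGER,
            interrupt_reason INTEGER, end_time INTEGER, opened INTEGER,
            referrer TEXT, mime_type TEXT, original_mime_type TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER,
            url TEXT);
    """)
    t_search = datetime_to_webkit(
        datetime(2017, 3, 1, 9, 15, 0, tzinfo=timezone.utc))
    t_download = datetime_to_webkit(
        datetime(2017, 3, 1, 9, 20, 30, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://search.example/search?q=autopsy+forensics",
         "autopsy forensics - Search", 1, 1, t_search, 0),
        (2, "https://files.example/tool.zip", "tool.zip", 1, 0, t_download, 0),
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "autopsy forensics", "Autopsy forensics"))
    # A download still in progress: state 0, end_time 0, bytes incomplete.
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\user\Downloads\tool.zip.crdownload",
                  r"C:\Users\user\Downloads\tool.zip", t_download,
                  512000, 1048576, 0, 0, 0, 0, 0,
                  "https://search.example/", "application/zip",
                  "application/zip"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://files.example/get?id=42"),  # first hop (redirect)
        (1, 1, "https://files.example/tool.zip"),   # final download URL
    ])
    conn.commit()
    return conn


def search_terms(conn):
    """Search terms joined to the URL they were submitted through,
    with the URL's last_visit_time rendered as ISO 8601 UTC."""
    rows = conn.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms AS k JOIN urls AS u ON u.id = k.url_id""")
    return [(r["term"], r["url"],
             webkit_to_datetime(r["last_visit_time"]).isoformat())
            for r in rows]


def downloads_with_chains(conn):
    """Each download with its redirect chain, completion flag and timings
    (state 1 is 'complete' in Chrome's downloads table)."""
    result = []
    for d in conn.execute("SELECT * FROM downloads ORDER BY id"):
        chain = [c["url"] for c in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? "
            "ORDER BY chain_index", (d["id"],))]
        start, end = (webkit_to_datetime(d["start_time"]),
                      webkit_to_datetime(d["end_time"]))
        result.append({"target_path": d["target_path"], "chain": chain,
                       "source_url": chain[-1] if chain else None,
                       "complete": d["state"] == 1
                       and d["received_bytes"] == d["total_bytes"],
                       "start": start.isoformat() if start else None,
                       "end": end.isoformat() if end else None})
    return result
```

Pointing `sqlite3.connect` at a copy of a real History file instead of `build_sample_history()` gives the same readable output, provided the copy is taken while Chrome is closed so the database is not locked.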

Recovered Deleted History

Cybercriminals normally delete the browser history. We intentionally deleted the history of Google Chrome and tried to recover the deleted history manually. For manual recovery we used the Windows Previous Versions feature: we navigated to C:\Users\admin\AppData\Local, found the Google folder, selected Properties, clicked on the Previous Versions tab (Figure 6) and clicked the Restore option. This tab lists many previous versions of the browser folder with date and time. For the case described, the recovered history is shown in Figure 6.

Figure 6 Previous version

Analysis of Cookies

Cookies are files created when the user visits a website. Cookies store site preferences and a profile number. Two types of cookies are generated: one when the user visits a website, and another generated for advertising purposes. Cookies help websites keep track of the user’s preferred settings, so that when the user revisits a website the cookie reloads the user’s previous settings for that site. As shown in Figure 7, we can get information such as creation_utc, host_key, name, value, path, expires_utc, etc. Here host_key gives details of the visited link.

Figure 7 Cookies

Login Data

This database file gives information about the user’s login details: origin_url and action_url hold the list of visited websites, username_element and username_value hold the user name entered by the user, and password_element (Figure 8), etc. The Login Data file has three tables, namely logins, meta and stats. The meta table contains three values: version, last_compatible_version and mmap_status. In our case, no details were available in the stats table.

Figure 8 Login Data

Topsites

The Topsites database contains the sites most visited in Google Chrome by the user. This information is stored in the thumbnails table.

Shortcuts

This database file contains two tables, one being meta and the other the Omnibox history. The Omnibox is an advanced feature of Google Chrome with auto-complete capabilities. This table contains information such as id, text, urls, contents, contents_class, description, description_class, last access time, number of hits, fill_into_edit, type and keyword.

User Profile

When a user logs in to Chrome, a separate profile for that user is created at C:\Users\admin\AppData\Local\Google\Chrome\User Data (Figure 8).


    Figure 8 User Profile

Analysis of Prefetch File

The prefetch file plays an important role in forensics because it holds information such as how many times an executable has run, its last execution time, volume information, directory storage, loaded resources, etc. Prefetch files help applications reduce their startup time. The last execution date and time of the Google Chrome browser, its run count, and the volume entry of the Google Chrome file along with the volume creation date and time and serial number are shown in Figure 9.

    Figure 9 Last execution time and volume information

Live Memory Forensics

Private browsing artifacts were collected using a RAM dump of the system. We visited Gmail, Facebook, Twitter and Firefox in private mode and tried to extract evidence related to them using RAM dump analysis. We took a RAM dump of the system using Belkasoft and analyzed it using HxD, applying a filter to find visited web sites. As shown in Figure 10, we can see the web site links visited by the user in Incognito mode.

IV. CONCLUSION

As the web browser is the only way to access the internet, cybercriminals use or target the web browser to commit internet-related crime. Considering this fact, web browser forensics is most important for digital forensic examiners. As Google Chrome is the leading web browser, in this paper we discussed various sources of information, such as the default artifact locations, history, cookies, login data, Topsites, shortcuts, user profile, prefetch file and RAM dump, to collect artifacts related to internet activities on Windows-installed Google Chrome. Our research clearly shows that, after applying the various digital forensic techniques mentioned in this paper to extract evidence, a digital forensic examiner can obtain information regarding the last accessed date and time of Google Chrome, search items and visited URLs, and can recover deleted data. The outcome of this research will serve as a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.

    REFERENCES
    [1.] Junghoon Oh, Seungbong Lee and Sangjin Lee, Advanced evidence collection and analysis
    of web browser activity, Elsevier – Digital Investigation, Volume 8, Supplement, August
    2011, Pages S62-S70.

    [2.] Huwida Said, Noora Al Mutawa and Ibtesam Al Awadhi, Forensic analysis of private
    browsing artifacts, 2011 International Conference on Innovations in Information
    Technology, 25-27 April 2011.

    [3.] Donny J. Ohana and Narasimha Shashidhar, Do private and portable web browsers leave
    incriminating evidence?: a forensic analysis of residual artifacts from private and
    portable web browsing sessions, EURASIP Journal on Information Security, December 2013,
    2013:6.

    [4.] Desktop Browser Market Share,
    https://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0, July 2017.

    [5.] Andrew Marrington, Ibrahim Baggili and Talal Al Ismail, Portable web browser forensics:
    A forensic examination of the privacy benefits of portable web browsers, 2012 International
    Conference on Computer Systems and Industrial Informatics, 18-20 Dec. 2012.

    [6.] Huwida Said, Noora Al Mutawa and Ibtesam Al Awadhi, Forensic analysis of private
    browsing artifacts, 2011 International Conference on Innovations in Information
    Technology, 25-27 April 2011.

    [7.] Murilo, T. P. (2009). Forensic analysis of the Firefox 3 internet history and recovery
    of deleted SQLite records. Digital Investigation, 5, 93-103.


    Int. J. of Electronic Security and Digital Forensics, Vol. 8, No. 2, 2016


    Web Browser Artefacts in Private and Portable Modes: A Forensic Investigation

    Abstract – Web browsers are essential tools for accessing the Internet. Extra complexities
    are added to forensic investigations when recovering browsing artefacts, as portable and
    private browsing are now common and available in popular web browsers. Browsers claim that
    whilst operating in private mode, no data is stored on the system. This paper investigates
    whether the claims of web browsers’ discretion are true by analysing the remnants of
    browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when
    used in a private browsing session, as a portable browser, and when the former is running
    in private mode. Some of our key findings show how forensic analysis of the file system
    recovers evidence from IE while running in private mode, whereas other browsers seem to
    maintain better user privacy. We analyse volatile memory and demonstrate how physical
    memory, by means of dump files, hibernate and page files, is the key area where evidence
    from all browsers will still be recoverable despite the mode or location they run from.

    Keywords – Web browser forensics; Portable applications; Private Browsing; Incognito mode;
    Physical Memory; Windows; IE; Chrome; Firefox; Opera; OSForensics

    I. INTRODUCTION

    Web browser applications are an essential tool for accessing websites via the Internet.
    The web browser enables users to search for information, read emails, communicate via
    instant messaging or social networks, use Internet banking and shop via e-commerce
    websites (Dharan and Meeran, 2014). Forensic artefacts left by a browser after a session
    include, but are not limited to, cache, history, cookies, and file download lists. When
    conducting a digital investigation on a system, an investigator can gather evidence from
    such artefacts. This evidence can divulge the websites that a user visited, the time and
    frequency of access, and also search engine keywords that were used (Oh et al., 2011).

    The Apple Safari web browser introduced a feature known as ‘Private browsing’ in 2005
    which prevented the web browser from leaving traces of browsing history, temporary files,
    form data, usernames, passwords and cookies on a system (Satvat et al., 2014). To date, all
    other popular web browsers now include this feature. In Mozilla Firefox the feature is
    known as ‘Private Browsing’ (Mozilla Foundation, 2014). In Chrome it is known as
    ‘Incognito mode’ (Google, 2014). In IE it is known as ‘InPrivate Browsing’ (Microsoft,
    2014). When launching these browsers in private mode they all claim to maintain user
    privacy by not keeping any traces of web surfing sessions such as visited websites, search
    history, download history, web form history, cookies, or any temporary Internet files.

    Portable application versions of popular desktop software are now becoming increasingly
    popular, allowing users access to their favourite applications on systems that they do not
    have administrative rights to. These portable applications are becoming even more common
    due to their fast execution times and ability to run without being installed (Marrington et
    al., 2012). Portable applications also add an additional layer of security due to their data
    being stored on and accessed from the external device that they are run from. Web browsers
    are an example of a popular portable application. Not only does a portable web browser
    allow users to carry around their favourite browser and website bookmarks with them on a
    tiny USB stick, but it also adds the ability to surf the Internet anonymously from any
    device with enabled USB ports. There is therefore a requirement to analyse the impact of
    these new browser features on digital investigations to secure evidence. In contrast to the
    objective of maintaining user privacy, the perspective of digital forensics and incident
    response is that digital evidence is needed to identify a threat or malicious perpetrator,
    or to ascertain whether a user has actually been falsely framed to take the responsibility
    of breaking cyber laws and legislation. Jahankhani (2007) reviews cyber legislation and its
    impact on society.

    Data from W3Counter.com (2014) show the popularity of different browsers over time.
    Statistics show a steep decline in the number of Internet users operating Microsoft
    Internet Explorer (IE) from 67.6% in May 2007 to 21.2% in July 2014. Google Chrome,
    however, has rapidly grown in popularity from its introduction in September 2008. It now
    dominates the web browser market share at 38.5%. As Chrome, IE, Firefox and Opera are
    shown to be the most popular Windows-based browsers at present, this paper will
    concentrate on analysing forensic methods used for recovering evidence which may have
    been viewed using these browsers in both private and portable modes. The latest versions
    of these browsers will be used so as to provide an update to previous studies and discover
    whether web browsers’ claims of not storing data about private browsing sessions are now
    true.

    When web browsers are used, they store artefacts relevant to the user activity, such as
    images, in temporary locations on the hard disk, while the physical memory also caches
    processed data to speed up the functionality of the software. New file versions
    automatically replace existing local ones, while users can configure the software to delete
    these temporary files once active sessions are terminated. Likewise, cookies are a special
    type of temporary file placed and utilised by external websites to store information about
    the user or his computer for future use, e.g. to recall login details or user preferences (Oh
    et al., 2011). To store and organise browsing data, self-contained, serverless and
    zero-configuration relational database management systems such as SQLite are utilised
    (Pereira, 2009). Unlike client-server models, this approach requires no standalone process;
    instead the library is integrated as part of the browser. A similar concept is applied in
    the .dat files used by IE, as they work as a repository of redundant information (e.g. URLs,
    search queries etc.). IE used the index.dat database file until v10, then used the
    Extensible Storage Engine (ESE) WebCacheV01.dat afterwards (Chivers, 2014). These files
    cannot be deleted easily because they are always open when Windows is running, which makes
    them of significant value for digital investigations. File format can vary between
    browsers, so while data is saved as binary in index.dat, ASCII was used in the old
    history.dat within Firefox. Generally speaking, a URL is cached when visited; if there is
    no local copy of the page, new files are downloaded and cached on the hard drive. Each file
    is then assigned a unique name (e.g. alphabetical value) inside the .dat file that maps to
    the actual filename stored on the hard disk. However, the internal structure of such
    databases is not necessarily known (when not published by the developers, as in IE), but
    certain facts are recovered through forensic investigations.

    The remaining parts of this paper are organised as follows: Section II reviews existing
    literature. Section III details the test-bed and methodology used during the experiments
    and the browsing modes that will be investigated. Section IV identifies the locations where
    browsers in normal, private, portable and portable private modes store files when in use.
    Section V analyses the locations noted in Section III to discover the artefacts that can be
    recovered after browser sessions in the various modes. Section VI discusses the findings,
    with the conclusions stated in Section VII.

    II. RELATED STUDIES

    Pereira (2009) examined how SQLite databases are used in Firefox and found that records
    can be recovered after they have been deleted by the user because SQLite utilises
    unallocated disk space to support transactions. Said et al. (2011) analysed artefacts from
    different browsers running in private mode and demonstrated how Google Chrome is
    relatively more secure, although evidence is still recoverable from memory. Eleutério and
    Eleutério (2011) took a different approach and conducted an experiment to argue that the
    implementation of web applications has a considerable effect on the investigator’s ability
    to recover artefacts.

    Several studies have examined the true extent of privacy that ‘Private browsing’ and
    portable browsers actually provide. Chivers (2013) examined the use of IE10’s InPrivate
    browsing feature to discover what evidence could be recovered. He found that IE10
    maintains a database of history records and cache in the WebCacheV01.dat file. InPrivate
    browsing records were stored in the same tables as normal browsing records and then
    removed when the browser was closed. He also found evidence in log files that were not
    removed until IE10 was re-opened. InPrivate browsing records were identified in
    pagefile.sys and the system volume information directory. He claimed that over 80% of
    evidence on browsing history was recoverable from non-database areas.

    Satvat et al. (2014) examined the remains left by Firefox 19.0, Safari 5.1.7, Chrome
    25.0.1364.97 and IE 10.0.9200.16521. They observed that when Firefox was cleanly closed,
    evidence from private browsing sessions could not be found in its database; however, if the
    browser was not cleanly terminated, evidence could be recovered until the browser was
    re-opened. The authors highlighted that evidence was leaked due to extensions being used
    in private mode and developed their own extensions to prove that vulnerabilities exist. The
    authors compared bookmarks added in private mode versus those added in normal mode and
    noted that it was possible to identify the usage of private mode through these records.
    Other useful information was contained in DNS cache artefacts left in RAM and cookie
    timings.

    Marrington et al. (2012) conducted research to determine whether Chrome portable left
    similar forensic artefacts to the installed version. They compared the footprints left by
    the installed version, the portable version and the portable version in incognito mode on a
    Windows XP SP3 system. During these three scenarios the authors watched YouTube videos,
    searched for images via Google image search and browsed for items on eBay. After
    examining forensic images of all scenarios, the authors identified traces of browsing
    history in all images. In the case of the portable sessions, however, the results were
    mostly found in unallocated space or the page file. They identified many results in the
    user’s local settings/temp directory during the normal Chrome portable browsing session,
    indicating that the browser was storing files on the hard disk rather than the USB stick.
    Evidence from the Incognito portable browsing session was only found in pagefile.sys. From
    these results, they concluded that there was no significant difference between using the
    installed or portable version of Chrome in normal browsing mode, as both versions left
    evidence that could be easily recovered from the hard disk via conventional digital forensic
    methods.

    Ohana and Shashidhar (2013) investigated the artefacts left by private and portable
    browsers. They studied IE, Chrome, Firefox and Safari by searching on Google and Yahoo,
    viewing YouTube videos, sending email with attachments via Gmail, Hotmail, Yahoo! Mail and
    SHSU mail, logging in to online banking, attempting to purchase ammunition and searching
    for suspected stolen items on Craigslist. From these experiments they discovered that
    portable and private browsing do leave artefacts on systems; however, the number of
    artefacts left depends on the browser used. IE left the most artefacts, although not in the
    typical locations. With other browsers, RAM appeared to be the best place to obtain
    evidence. Chrome Portable proved to leave the most artefacts on the host machine.

    There have also been a few attempts to extract and analyse specific artefacts related to
    web browsers. For instance, Matsumoto and Sakurai (2014) scoped their work on the
    acquisition of WebStorage data from memory dumps. WebStorage is a method used to store
    data locally in a web browser; it comes as part of HTML5 as a new alternative to cookies.

    III. METHODOLOGY AND TEST-BED SETUP

    A. Instruments

    To investigate the artefacts that portable and private browsers left on a system, VMWare
    virtual machines running Windows 7 SP1 with 1GB of RAM were built. To perform browsing
    sessions, the latest supported major official releases of web browsers were installed:
    IE11.0.9600.17207, Firefox 36.0, Chrome 41.0.2272 and Opera 28. Opera Portable version
    12.17 was, however, the latest portable version of the web browser available at the time
    of the experiment.

    To determine the storage locations of the artefacts and those changed during browsing,
    OSForensics (PassMark, 2014) was installed. OSForensics allows for file snapshots to be
    captured and then compared to analyse and show which files were created, modified and
    deleted. FTK Imager (AccessData, 2014) was used on the host system to mount the virtual
    disks and take forensic images of file systems and physical memory (volatile memory).
    Additionally, tools such as Hex Workshop from BreakPoint Software (2014), Bulk_Extractor
    (Garfinkel, 2013) and Volatility from Volatility Foundation (2014) were essential to analyse
    and recover data from memory dumps.

    B. Experiments

    The VM was cloned so as to use a clean system each time, and then the following tests were
    run for the experiments. During each trial, we attempted to imitate the behaviour of end
    users: the web browser was used to navigate to http://www.youtube.com and watch a video,
    navigate to http://news.bbc.co.uk and open two news articles, navigate to
    http://images.google.com and search for “meerkat”, then click to view two images. These
    actions were performed on Internet Explorer InPrivate, Firefox Private, Opera Private,
    Chrome Incognito, Firefox Portable, Opera Portable, Chrome Portable, Firefox Portable
    Private, Opera Portable Private, and Chrome Portable Incognito. Forensic images of the file
    system and memory were taken, and a copy of pagefile.sys was exported, prior to and after
    each browsing session. Further reflections on each experiment are shared with analysis
    provided in Sections IV and V.

    IV. LOCATING BROWSER ARTEFACTS

    A. Locating artefacts after normal browsing

    To determine a baseline for tests and discover areas to investigate for files during private
    and portable browsing, the tests were first run in normal browsing mode. Locations of
    browser artefacts were noted, along with any files covered in our analysis. Tables 1 to 4
    show the locations of these relevant artefacts.

    Table 1. Default locations of IE artefacts in Windows 7

    Artefact        Location within C:\Users\{user}\AppData\Local\Microsoft
    History         …\Windows\History\
    Cache           …\Windows\WebCache\
                    …\Windows\Temp…Files\Content.IE5\
                    …\Windows\Temp…Files\Low\Content.IE5\
    Recovery        …\Internet Explorer\Recovery
    Downloads       …\Windows\Temp… Files\Content.IE5\

    Artefact        Location within C:\Users\{user}\AppData\
    Digital Cert.   …LocalLow\Microsoft\CryptnetUrlCache\Content\
                    …LocalLow\Microsoft\CryptnetUrlCache\MetaData\
    Cookies         …\Roaming\Microsoft\Windows\Cookies\
                    …\LocalLow\Microsoft\Internet Explorer\DOMStore\
    Bookmarks       C:\Users\{user}\Favorites

    Table 2. Default locations of Firefox artefacts in Windows 7

    Artefact              Location within C:\Users\{user}\AppData\Local\Mozilla\Firefox\Profiles
    Cache                 …\.default\Cache
                          …\.default\jumpListCache

    Artefact              Location within C:\Users\{user}\AppData\Roaming\Mozilla\Firefox\Profiles
    Cookies               …\ngn1mdm2.default\cookies.sqlite
    History & Bookmarks   …\.default\places.sqlite
    Digital Cert.         …\.default\cert8.db
    Session Store         …\.default
    Downloads             …\.default\downloads.sqlite

    Table 3. Default locations of Chrome artefacts in Windows 7

    Type of File      Location within C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default
    History           …\History
                      …\History-journal
    Cookies           …\Cookies
                      …\Cookies-journal
    Cache             …\Cache\; …\Favicons; …\Favicons-journal
    Login Passwords   …\Web Data; …\Web Data-journal
    Bookmarks         …\Bookmarks

    Table 4. Default locations of Opera artefacts in Windows 7

    Artefact              Location within C:\Users\{user}\AppData
    Main data directory   …\Roaming\Opera\Opera\
    Cache                 …\Local\Opera\Opera\cache\

    B. Locating artefacts during and after private browsing

    Each browser was tested during private browsing. The locations noted in section A were
    monitored to capture potential artefact locations.

    IE 11

    During private browsing, IE created .dat files in the Recovery directory, as during normal
    browsing mode, in order to give users the ability to recover sessions after crashes. It also
    heavily utilised the Low\Content.IE5\ directory to cache files during InPrivate browsing.

    Existing .log files in the WebCache folder were removed and new logs created in the same
    directory for the current session. In private mode, the browser still utilised the
    CryptnetUrlCache\Content\ directory to store certificates. When the browser was then
    closed, IE performed a clean-up task. It removed the files in the Recovery directory and
    deleted files it had cached at Low\Content.IE5\. Some of the WebCache log files were
    deleted, but not all, which left V0100010.log through to V0100017.log available for
    further analysis along with WebCacheV01.dat and V01.log. These files are not removed
    until IE is re-opened.

    Figure 1 shows the files stored on the hard drive during IE InPrivate mode. These files can
    be matched to the websites being visited.

    Figure 1. Comparing snapshots taken when IE was open and closed shows that files cached
    were deleted when IE restarted. However, investigation also shows that files are stored on
    the hard drive during IE InPrivate mode. These files can be matched to the websites being
    visited.

    Firefox

    During private browsing, there was very little hard drive activity from Firefox. Files were
    not cached; however, Firefox did store .sqlite-wal files (Write Ahead Logging files for the
    SQLite databases) on the hard drive. Once Firefox was closed, a clean-up operation was
    observed. The .sqlite-wal and .sqlite-shm files were deleted from the drive and .sqlite
    files were modified. _CACHE_001_, _CACHE_002_, _CACHE_003_, and _CACHE_MAP_ were then
    modified. These files contain information to manage the Firefox cache and hold metadata
    (Ritchie, 2014).
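Pereira (2009), cited in the related work above, and the .sqlite-wal observation here describe the same mechanism: a SQLite delete does not reach the main .sqlite file until the write-ahead log is checkpointed (the clean-up seen when Firefox closes), and even then the row's bytes are left in place unless secure_delete is on. The Python below is an added example written for this page, not the paper's or Mozilla's code; it reproduces both effects on a constructed, simplified stand-in for places.sqlite with made-up URLs, using only the standard library.

```python
"""Show what the .sqlite-wal files mean for evidence: a row deleted under WAL
journaling is still intact in the main database file until a checkpoint, and
with secure_delete off its bytes survive the checkpoint as page slack."""
import os
import sqlite3
import tempfile

# Constructed rows standing in for Firefox's moz_places table (places.sqlite).
SAMPLE_ROWS = [
    ("http://news.bbc.co.uk/", "BBC News"),
    ("http://images.google.com/search?q=meerkat", "meerkat - Google Search"),
]
NEEDLE = b"meerkat"


def _file_contains(path: str, needle: bytes) -> bool:
    """Raw byte search, i.e. what a hex editor or string carver sees."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def deleted_row_survival(secure_delete: bool) -> dict:
    """Insert the sample rows, delete the meerkat row under WAL journaling, and
    record whether its text is still in places.sqlite before and after the
    checkpoint.  secure_delete controls whether SQLite zeroes freed cell space."""
    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "places.sqlite")
        con = sqlite3.connect(db_path, isolation_level=None)      # autocommit
        con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
        con.executemany("INSERT INTO moz_places(url, title) VALUES (?, ?)", SAMPLE_ROWS)
        # Still in rollback-journal mode here, so both rows sit in the main file.
        in_main_after_insert = _file_contains(db_path, NEEDLE)
        # EXCLUSIVE locking keeps the wal-index in heap memory (no -shm file is
        # needed), which lets WAL mode work on filesystems without shared mmap.
        con.execute("PRAGMA locking_mode=EXCLUSIVE")
        journal = con.execute("PRAGMA journal_mode=WAL").fetchone()[0]
        con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        con.execute("DELETE FROM moz_places WHERE url LIKE '%meerkat%'")
        wal_present = os.path.exists(db_path + "-wal")
        # The modified page went to places.sqlite-wal; the main file is untouched.
        before = _file_contains(db_path, NEEDLE)
        # The checkpoint (what the browser's clean-up does) copies the WAL frame
        # over the page in the main file and truncates the log.
        con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
        after = _file_contains(db_path, NEEDLE)
        con.close()
        return {"journal_mode": journal, "wal_present": wal_present,
                "in_main_after_insert": in_main_after_insert,
                "in_main_before_checkpoint": before,
                "in_main_after_checkpoint": after}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={'ON' if flag else 'OFF'}:", deleted_row_survival(flag))
```

The practical consequence for an examiner is that a .sqlite file imaged together with its -wal companion holds two versions of every modified page, and that a copy of the database without the log can be older than the browser's own view of it.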

    Chrome

    While using Chrome Incognito browsing there was a considerable amount of hard drive
    activity; however, very little of this was for cached files. The majority of this activity
    was in the extensions directory related to default Chrome extensions:
    …\AppData\Local\Google\Chrome\User_Data\Default\Extensions
    There were many other files created and modified under the User Data folder, including
    Chrome database files.

    Opera

    There was very little hard drive activity whilst Opera was used in private mode. In the
    directory located in …\Roaming\Opera Software\Opera Stable\ the database file Visited
    Links was modified, as were Preferences and History. data_0 and data_1, located in
    …\Local\Opera Software\Opera Stable\Cache\, were also modified.

    C. Locating artefacts during and after browsing in portable browsers

    Firefox

    Firefox portable did not store files on the hard drive whilst in use. Instead, all sqlite
    databases and other files were stored on the USB stick at \FirefoxPortable\Data\profile\.
    By default, the cache in Firefox portable is set to 0MB, therefore no cache files are
    created. If it were enabled, Firefox Portable would store the files at
    \FirefoxPortable\Data\profile\ and not on the hard drive.

    Chrome

    Google Chrome portable stored cache files on the hard drive rather than the USB stick. At
    C:\Users\{user}\AppData\Local\Temp\ a folder named GoogleChromePortable was created, with
    the cache folder inside populated with files whilst Chrome portable was in use. These files
    were still in place when Chrome Portable was closed, but were removed when the USB stick
    was ejected. Other common Chrome browser files (e.g. database files) were not found on the
    hard drive, but on the USB stick instead.

    Opera

    Opera portable didn’t use the hard disk to store files. The USB stick that it was running
    from showed considerable file activity. Cache folders and databases were held on the USB
    stick at \OperaPortable\Data\Profile.

    D. Locating artefacts during and after private browsing in portable browsers

    Firefox

    The portable version of Firefox stored very few artefacts on the hard disk during private
    browsing. Instead, it used the USB stick to store sqlite databases and other files. There
    are considerably fewer files created in portable private browsing in comparison with
    portable normal browsing.

    Chrome

    In portable Incognito mode, Chrome did not store files on the hard disk, unlike when used in
    normal mode. There were also very few files stored on the USB stick.

    Opera

    In portable private mode, Opera did not utilise the hard disk to store files. Instead the
    USB stick was heavily utilised to store files related to the browsing session. Once the web
    browser is closed, however, a clean-up job appears to run which deleted and modified files
    that were written while the browser was in use.

    V. RECOVERING EVIDENCE OF BROWSING HISTORY FROM ARTEFACTS

    The artefacts gathered in Section IV were analysed and examined for activity of the known
    browser history in each session. There were several notable artefacts discovered in the
    forensic images of user profiles that we discuss and analyse further.

    A. Notable Artefacts

    IE Web cache directory

    Until version 10, IE used the index.dat database file as a repository for history, cookies
    and temporary files (Satvat et al., 2014). From version 10 an ESE (Extensible Storage
    Engine) database, WebCacheV01.dat, is used to maintain history, cache and cookies (Chivers,
    2013). This directory also contains the files V01.log (transaction log file), V01.chk
    (checkpoint file), and V01xxxx.log.

    Whilst the operating system is in use it is not possible to copy WebCacheV01.dat. In the
    …\AppData\Local\Microsoft\Windows\ folder the WebCacheLock.dat file resides, indicating
    that the database is locked. After a forensic image is taken, the contents of WebCache can
    be analysed further.

    The esentutl.exe tool, built into Windows, provides utilities for ESE databases, such as
    WebCacheV01.dat. According to Chivers (2013), when copied from a system, this file will
    most often be marked as dirty, i.e. requiring that the logs be flushed to the database.
    esentutl.exe provides a command to check the state of a WebCacheV01.dat file:

    > esentutl /mh WebCacheV01.dat

    Running this on the file extracted after the IE11 private browsing session shows a dirty
    shutdown state. To flush the log files extracted with the database, esentutl.exe provides a
    recovery command to flush the log files in the current directory to the database:

    > esentutl /r V01 /d

    When the database state is checked again, it shows as being clean. This places the file in a
    state ready for analysis.

    $I30 Files

    On NTFS file systems, folder and directory information is stored separately from file inode
    data. The $I30 files store this information (Philipp et al., 2010). Even if the original
    files have been moved or deleted, the $I30 file may still contain entries which reveal file
    names and access times. INDXParse.py (Ballenthin, 2014) is a Python script created to
    extract data from $I30 files to a csv file.

    B. Internet Explorer 11 in InPrivate browsing mode

    Artefacts for analysis after IE11 was tested in InPrivate browsing mode were: a memory
    dump, pagefile.sys, a forensic image of the user profile, the webcache folder and $I30 files
    in the webcache and Content.IE5/Low folders.

    IE11 Webcache

    After WebCacheV01.dat was placed in a clean state using esentutl.exe it was opened in a hex
    editor and searched for evidence of the private web browsing session. Evidence of the top
    level domains visited during InPrivate browsing could be located in the database; however,
    search terms were not. Evidence of bbc.co.uk, google.com and youtube.com was all found.

    $I30 files

    On examining the \Content.IE5\ folder from the image taken of the user profile, a $I30 file
    of more than zero bytes was found in two of the cache folders: JHNO3QUG and XKCEAG9T.
    Evidence in these files showed timestamps of web browsing and some filenames of the files
    created during the browsing session. The extract of the $I30 file from the JHNO3QUG cache
    folder revealed the files that were returned during the Google image search. The word
    meerkat was detected twice in filenames, as shown in Figure 2.

    Figure 2. $I30 files in the IE cache folders reveal filenames to help identify search history
    after the cache was cleared.

    Page file and Memory Dump

    Both pagefile.sys and a live memory dump were taken from the system after IE was closed.
    Pagefile.sys showed no evidence; however, this would have partially been due to the system
    having a large amount of RAM available and not swapping to the page file.

    The less common searches of meerkat and bbc.co.uk were found many times throughout
    memory, showing that it is possible to find private search history in live memory. With
    URL matches for bbc.co.uk there was also HTML for the pages that had been viewed, making
    it possible to further analyse the actual pages that had been accessed.

    User profile Deleted files

    The ‘Deleted Files’ function of OSForensics was used to automatically detect and display
    the deleted files discovered in the forensic image of the user profile. Several images of
    meerkats were discovered.

    C. Mozilla Firefox in private browsing mode

    Artefacts for analysis after Firefox was tested in private mode were \CACHE\_CACHE_001_,
    _CACHE_002_, _CACHE_003_, _CACHE_MAP_, pagefile.sys and the live memory dump.

    Firefox stored very little on disk whilst in private mode. The only remnants were the
    _cache_map_ files. These were parsed using the Firefox Cache Forensics parser (Ritchie,
    2014). The only website that this showed data for was http://clients1.google.com/ocsp.

    Pagefile.sys and the memory dump were scanned for the search terms. meerkat was detected
    in four places; however, bbc.co.uk was not. Youtube and google.com were detected many
    times.

D. Google Chrome in incognito browsing mode

Analysis after using Chrome Incognito mode revealed no artefacts on the system hard drive. Therefore only the live memory dump and pagefile.sys were available for analysis. Live memory provided many matches when searched, as shown in Figure 3.

Figure 3. After Chrome was used in Incognito mode, many artefacts could be detected in the memory dump.

E. Opera in private browsing mode

Although there was some hard disk activity when Opera was used in private browsing mode, the files examined contained no evidence of the browsing session. Live memory contained evidence of the browsing.

Artefacts extracted from these different browsers running in private mode are compared in Table 5.


Table 5. Useful artefacts located from different browsers running in private mode (number of hits per search term in each artefact class).

Browser   Search term         Cache   Other artefacts   Pagefile   Live memory   Profile/deleted files   Artefacts showing results
IE11      meerkat               0           2               0           23              11              Memory dump, WebCacheV01.dat + logs,
          youtube              30           0              10         100+               0              $I30 in cache folders, deleted files
          bbc.co.uk             3           0               0           92               0              in cache folders
          google.com/search     0           0               0            0               0
          google.com           11           0             66+         100+               0
Firefox   meerkat               0           0               0            4               0              Memory dump
          youtube               0           0              10           67               0
          bbc.co.uk             0           0               0            0               0
          google.com/search     0           0               0            6               0
          google.com            0           0            100+         100+               0
Chrome    meerkat               0           0               0            3               0              Memory dump
          youtube               0           0              10         100+               0
          bbc.co.uk             0           0               0           87               0
          google.com/search     0           0               0           22               0
          google.com            0           0            100+         100+               0
Opera     meerkat               0           0               0            3               0              Memory dump
          youtube               0           0               2           17               0
          bbc.co.uk             0           0               0           57               0
          google.com/search     0           0               0            1               0
          google.com            0           0            100+         100+               0

F. Mozilla Firefox portable in normal browsing mode

Although there is very little evidence available on the hard drive after browsing in normal mode on portable Firefox, many files were created on the USB stick that it was run from: cert8.db, places.sqlite, content-prefs.sqlite, healthreport.sqlite, permissions.sqlite, webappsstore.sqlite, cookies.sqlite, the jumpListCache folder and the thumbnails folder. These were available for analysis along with pagefile.sys and the live memory dump.

The cookies.sqlite file reveals some useful information about sites that were visited in a portable browsing session. Youtube.com, google.com and bbc.co.uk all had cookies stored for them. Nationalgeographic.com and scorecardresearch.com were not visited, but were recorded in the moz_cookies table, presumably because one of the other sites linked to them (third-party content loaded by a visited page sets cookies for its own host). permissions.sqlite showed an entry for the SSL settings for ssl.bbc.co.uk. Analysis of places.sqlite showed several entries of sites visited across the different tables, with the moz_places table holding the most data, including the URL and title of the page that had been visited. Image artefacts were found in the jumpListCache as well as the thumbnails folder, and these could be matched to browsing history.

G. Chrome portable in normal browsing mode

Chrome utilised the /Local/Temp/GoogleChromePortable folder for storing cache; however, the files were removed once the USB stick was removed. The USB stick held many artefacts related to the portable browsing session under the GoogleChromePortable/Data/Profile folder. The History database file held the URLs of sites that were visited in the segments and urls tables. As with the moz_places table in Firefox's places.sqlite database, the full URL and titles could be located. Artefacts were also found in the omni_box_shortcuts table of the Shortcuts database and the cookies table of the Cookies database.
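Both the moz_places analysis in the Firefox section and the urls/visits join described here for Chrome turn on one detail the text does not show: the two browsers store timestamps in different epochs, and a visit parsed with the wrong one lands centuries out. The following Python is an added example, not the paper's tooling. It creates two in-memory SQLite databases with a subset of the real places.sqlite, cookies.sqlite and Chrome History schemas, fills them with constructed rows, and queries them the way an examiner would query the files from the USB stick; open_evidence() shows how to open the real files read-only. The URLs, titles and visit times are invented.

```python
"""Query the browser history databases recovered from a portable profile (Firefox
places.sqlite and cookies.sqlite, Chrome History) and convert their native timestamps
to UTC. Added example, not the paper's tooling: the databases are created in memory with a
subset of the real schemas and constructed rows; open_evidence() targets real files."""
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)

def firefox_time(prtime):      # places.sqlite: PRTime, microseconds since 1970-01-01 UTC
    return EPOCH_1970 + timedelta(microseconds=prtime)

def chrome_time(webkit_us):    # Chrome History: WebKit time, microseconds since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=webkit_us)

def open_evidence(path):
    """Read-only and immutable: no journal or WAL side files are created on the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def firefox_history(conn):
    """One row per visit: URL, title, UTC time, visit_type (1 = link, 2 = typed)."""
    sql = """SELECT p.url, p.title, v.visit_date, v.visit_type
             FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
             ORDER BY v.visit_date"""
    return [(url, title, firefox_time(t), vt) for url, title, t, vt in conn.execute(sql)]

def chrome_history(conn):
    """One row per visit; transition & 255 is the core type (0 = link, 1 = typed)."""
    sql = """SELECT u.url, u.title, v.visit_time, v.transition & 255
             FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"""
    return [(url, title, chrome_time(t), tr) for url, title, t, tr in conn.execute(sql)]

def cookie_hosts(conn):
    """Hosts that set cookies; third parties appear here without ever being 'visited'."""
    return sorted({host.lstrip(".") for (host,) in conn.execute("SELECT host FROM moz_cookies")})

# Constructed databases standing in for the files found on the USB stick.
def constructed_firefox_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_cookies(id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT);""")
    t0 = 1424442600 * 1_000_000                         # 2015-02-20 14:30:00 UTC as PRTime
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=meerkat", "meerkat - Google Search", 1, t0),
        (2, "http://www.bbc.co.uk/news", "BBC News - Home", 1, t0 + 90_000_000)])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)",
                     [(1, 0, 1, t0, 2), (2, 1, 2, t0 + 90_000_000, 1)])
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?)",
                     [(1, ".bbc.co.uk", "ckns_policy", "111"), (2, ".scorecardresearch.com", "UID", "x")])
    return conn

def constructed_chrome_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER, transition INTEGER);""")
    t0 = (datetime(2015, 2, 20, 14, 30, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)
    conn.execute("INSERT INTO urls VALUES (?,?,?,?,?)",
                 (1, "https://www.youtube.com/results?search_query=meerkat", "meerkat - YouTube", 1, t0))
    conn.execute("INSERT INTO visits VALUES (?,?,?,?,?)", (1, 1, t0, 0, 0x10000001))   # TYPED | CHAIN_START
    return conn

if __name__ == "__main__":
    for row in firefox_history(constructed_firefox_db()) + chrome_history(constructed_chrome_db()):
        print(row[2].isoformat(), row[3], row[0], "|", row[1])
    print("cookie hosts:", cookie_hosts(constructed_firefox_db()))
```

Work from a copy of the profile, never the mounted USB stick itself: a browser that is still running holds locks and a WAL file, and a normal sqlite3 connection would write a journal beside the evidence file.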

H. Opera portable in normal browsing mode

After normal browsing using Opera portable, no relevant files were discovered on the hard disk; however, several files placed on the USB stick during normal browsing contained evidence of browsing history. The vps (Visited Pages Search) files are contained in the OperaPortable\Data\profile\vps\0000 directory. The OperaPortable\Data\Sessions directory contained autosave and temporary data of preferences for the sessions. These files include sections labelled 'history url' and 'history title' which store URLs visited in the sessions. Data was also located in the opssl6.dat certificate store, the typed_history.xml file, the cookies4.dat file and the global_history.dat file. A considerable amount of evidence of websites visited during the browsing session was obtained from these files.

Table 6 compares artefacts found from the different portable browsers running in normal mode.

Table 6. Useful artefacts located from different portable browsers running in normal mode. The asterisk (*) indicates that artefacts were found on the USB stick, not the hard drive.

Browser   Search term         Cache   Other artefacts   Pagefile   Live memory   Profile/deleted files   Artefacts showing results
Firefox   meerkat               0           0               0           46              11*             Memory dump, cookies.sqlite*,
          youtube               0           0               5           23               8*             permissions.sqlite*, places.sqlite*,
          bbc.co.uk             0           0               0          250              19*             Thumbnails folder*, jumpListCache folder*
          google.com/search     0           0               0            9              11*
          google.com            0           0            100+           80              28*
Chrome    meerkat               0           0               0           55               7*             Memory dump, history*, shortcuts*, cookies*
          youtube               0           0               4         100+               9*
          bbc.co.uk             0           0               0          161              13*
          google.com/search     0           0               0            0               7*
          google.com            0           0            100+         100+              15*
Opera     meerkat               0           0               0         200+              39*             Memory dump, md.dat*, autosave.win*,
          youtube               0           0               3         100+              36*             opr91C3/tmp*, opr773D.tmp*,
          bbc.co.uk             0           0               0         200+              17*             global_history.dat*, cookies4.dat*,
          google.com/search     0           0               0           54               7              opssl6.dat*, typed_history.xml*
          google.com            0           0            100+         200+              23*

I. Firefox portable in private browsing mode

After the Firefox portable private browsing session, no browsing artefacts remained on the USB stick or the hard disk. The only entry found was in the moz_cookies table of the cookies database; however, as this entry is for google.com it was most likely created by default rather than by the user's browsing. The live memory dump did reveal evidence of search history.

J. Chrome portable in incognito browsing mode

Chrome portable incognito browsing did not leave artefacts on the USB stick or hard disk. The only match for the browsing history was the URL http://www.google.com/favicon.ico in the favicons table of the Favicons database. This is possibly because this is a default homepage rather than a link to browsing history. Again, the live memory dump provided matches for all browser history.

K. Opera portable in private browsing mode

Only one artefact was recovered from the USB stick that Opera portable was run from in private mode, opssl6.dat. This certificate store listed ssl.bbc.co.uk. Additional evidence of the browsing session was only found in the live memory dump.

Table 7 compares artefacts found from the different portable browsers running in private mode.

Table 7. Useful artefacts located from different portable browsers running in private mode. The asterisk (*) indicates that artefacts were found on the USB stick, not the hard drive.

Browser   Search term         Cache   Other artefacts   Pagefile   Live memory   Profile/deleted files   Artefacts showing results
Firefox   meerkat               0           0               0            0               0              Memory dump, cookies.sqlite*
          youtube               0           0               5           41               0
          bbc.co.uk             0           0               0          118               0
          google.com/search     0           0               0            0               0
          google.com            0           0            100+         100+               1*
Chrome    meerkat               0           0               0           54               0              Memory dump, favicons*
          youtube               0           0               5         100+               0
          bbc.co.uk             0           0               0           39               0
          google.com/search     0           0               0           32               0
          google.com            0           0            100+         100+               2*
Opera     meerkat               0           0               0            2               0              Memory dump, opssl6.dat*
          youtube               0           0               2         100+               0
          bbc.co.uk             0           0               0           14               1
          google.com/search     0           0               0            1               0
          google.com            0           0            100+         100+               0

VI. DISCUSSION

The results show that evidence was still recoverable from portable and private browsing sessions, although the amount of evidence varied depending on the browser used. Even during InPrivate browsing, IE left a considerable number of artefacts on the hard drive in the same locations used during normal browsing. Using forensic techniques it was possible to recover cache files that the browser had deleted. The WebCacheV01.dat file was recoverable from the hard drive as long as IE had not been re-opened. Therefore it is possible for artefacts from the previous web browsing session to be recovered from this file during a forensic investigation; however, older evidence may not be obtainable. Evidence of cached file names was also recoverable from $I30 files in cache folders during forensic recovery.

Chrome portable stored cache files on the hard disk during normal browsing rather than on the USB stick that it was run from. Although in these experiments it was not possible to recover these files after they had been deleted, they may be recoverable in other circumstances. Unlike Chrome portable, Firefox portable and Opera portable did not store any files on the hard disk, so no artefacts could be recovered from it. In private browsing modes, Firefox, Chrome and Opera Portable all stored no artefacts on the hard drive.

Windows terminology labels the different parts of memory as available, free or cached. It is the cached space that is most relevant here, because this is where data for the most recently accessed files reside. To boost performance, an application's cached data remains even after it is closed, which explains the wealth of evidence recovered from the live memory dumps in each of our experiments. Further, evidence of the user's searches was not recoverable from pagefile.sys in any of the scenarios (the pagefile hits in Tables 5 to 7 are all for youtube and google.com, which the next paragraph shows to be noise). It can be argued that the reason is the relatively large RAM size installed in the host machine compared to the short web browsing session: only when physical memory is exhausted does Windows compensate by extending RAM onto the hard drive to create what is known as virtual memory, or a paging file, and move inactive (but still needed) data to pagefile.sys. Another reason why the value of the pagefile was very limited is that Windows moves data from RAM to the page file in fixed-size pages that are not stored contiguously, so the content is only readable if the pages are mapped back in the right order to reconstruct the former state (Al-Khateeb, 2014).

Nevertheless, memory dumps showed some false (or irrelevant) evidence too. Youtube.com and google.com were found to appear over 100 times in most memory dumps. They were often found listed with other popular search engines or websites, indicating that these results were populated from elsewhere, such as default browser search URLs.
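The memory-dump searches in the results sections and the point just made about default URLs inflating the counts come down to the same procedure. The following Python is an added example, not the paper's tooling (the authors used Volatility, OSForensics and hex searches). It scans a constructed byte string standing in for a memory image, counts each search term in both ASCII and UTF-16LE (Windows and the browsers keep many strings in UTF-16, which a plain ASCII search misses), extracts URLs in either encoding, and reduces them to the q= query strings a user actually typed, so that bare google.com and youtube.com mentions can be set aside. Everything in IMAGE, including the HTTP request, the address-bar string and the page HTML, is constructed.

```python
"""Scan a raw memory image for browsing artefacts: count search terms in ASCII and
UTF-16LE, extract URLs, and reduce them to the queries a user typed so that default or
prefetch URLs (google.com, youtube.com) do not inflate the picture. Added example, not the
paper's tooling; IMAGE is a constructed byte string standing in for a live memory dump."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TERMS = ["meerkat", "bbc.co.uk", "youtube", "google.com/search", "google.com"]
ASCII_CHAR = rb'[^\x00-\x20"\'<>\x7f-\xff]'          # printable, non-delimiting URL byte
URL_ASCII = re.compile(rb"https?://" + ASCII_CHAR + rb"{4,200}")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + ASCII_CHAR + rb"\x00){4,200}")

def count_terms(image, terms=TERMS):
    """Case-insensitive hit counts per term in each string encoding Windows browsers use."""
    out = {}
    for term in terms:
        out[term] = {enc: len(re.findall(re.escape(term.encode(codec)), image, re.IGNORECASE))
                     for enc, codec in (("ascii", "ascii"), ("utf16", "utf-16le"))}
    return out

def extract_urls(image):
    """Every URL-looking string in either encoding, with its number of occurrences."""
    urls = Counter()
    for m in URL_ASCII.finditer(image):
        urls[m.group().decode("ascii")] += 1
    for m in URL_UTF16.finditer(image):
        urls[m.group().decode("utf-16le")] += 1
    return urls

def search_queries(urls):
    """Collapse URL hits to (host, query) pairs taken from q= parameters: what was searched for."""
    queries = Counter()
    for url, n in urls.items():
        parts = urlsplit(url)
        for q in parse_qs(parts.query).get("q", []):
            queries[(parts.netloc, q)] += n
    return queries

def context(image, term, width=40):
    """Bytes around each ASCII hit, e.g. to see the HTML that a URL match sat inside."""
    pat = re.compile(re.escape(term.encode()), re.IGNORECASE)
    return [image[max(0, m.start() - width):m.end() + width] for m in pat.finditer(image)]

# Constructed "memory image": an HTTP request, a UTF-16 address-bar string, page HTML,
# and the default URLs a browser holds before any browsing, separated by filler bytes.
IMAGE = b"".join([
    b"\x00" * 64,
    b"GET /search?q=meerkat HTTP/1.1\r\nHost: www.google.com\r\n",
    "https://www.google.com/search?q=meerkat+baby&ie=utf-8".encode("utf-16le"),
    b"\x00" * 32,
    "https://www.bbc.co.uk/news".encode("utf-16le"),
    b"<html><head><title>BBC - Home</title></head><body>Latest from bbc.co.uk</body></html>",
    b"https://www.youtube.com/\x00https://www.youtube.com/\x00https://www.google.com/\x00",
    b"\xde\xad\xbe\xef" * 64,
])

if __name__ == "__main__":
    for term, hits in count_terms(IMAGE).items():
        print(f"{term:20s} ascii={hits['ascii']} utf16={hits['utf16']}")
    print(dict(extract_urls(IMAGE)))
    print(dict(search_queries(extract_urls(IMAGE))))
```

As in the paper's tables, the google.com count includes every google.com/search hit, and a term can be counted twice when it appears in both encodings; against a multi-gigabyte dump, read the file in overlapping chunks or mmap it rather than loading it whole.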

VII. CONCLUSIONS

From the results, the live memory dump held the most evidence of artefacts created during private and portable browsing sessions. Unfortunately, capturing a live memory dump is not always possible when evidence is being recovered from a scene. It is also possible that doing so could alter original data and affect the forensic value of artefacts. The tests performed in these scenarios involved far shorter browsing sessions than would be found on a system under daily use. Therefore some of the evidence found in live memory is possibly recoverable from pagefile.sys or hiberfil.sys even if systems have been shut down. When a virtual environment is used, users can take snapshots of the running state of the system or suspend the active session and save everything, including physical memory, to a file, usually in one of the following formats: .vmem or .vmss. These files are increasingly becoming a very rich resource for extracting artefacts during digital investigations.

If suspects have been using IE InPrivate browsing mode in the hope of hiding browser activities, the results from these tests have shown that the artefacts IE leaves on hard drives can lead to the sites and search terms which have been used. $I30 was a particularly useful file which had not been mentioned in previous studies on portable and private browser forensics, and should be considered as an artefact which may contain evidence for browsers that were identified to store files on the hard drive during usage (Chrome Portable and IE InPrivate browsing). Firefox Portable, Chrome Portable Incognito, Opera Portable Private and Firefox Portable Private browsing modes stored no artefacts on the system hard disk. With Firefox Portable, Chrome Portable and Opera Portable normal browsing, many artefacts could be recovered from the USB stick. This demonstrates how important it is for forensic investigators to recover all devices from a scene, particularly as the USB stick may contain the SQLite databases holding detailed evidence of browsing history.

These tests have also shown that by default some web browsers leave URLs in their databases and in live memory when run before any browsing activity has occurred. In these tests, results for google.com and youtube.com were particularly prominent. Forensic investigators will therefore need to be extra vigilant when analysing browser artefacts to ensure that evidence was not placed by the browser itself.

The results outlined in this work show that evidence of web browsing sessions is recoverable from all systems regardless of whether portable or private browsing modes are in use in the most recent versions of Chrome, Firefox, Opera and IE. In all scenarios, artefacts were recoverable. Web browser claims that browsing history will not be recoverable in private modes may prevent an average computer user from finding evidence, but using forensic techniques plenty of evidence was recoverable which may prove crucial to a forensic investigation. It is also crucial for Internet users to learn that browser privacy modes do not make them anonymous when their network is monitored by an Internet Service Provider or a network administrator at the workplace. Similarly, spyware and key loggers can also violate their privacy if any such malicious software is installed on their client machines.

    REFERENCES

Access Data (2014) FTK Imager (Version 3.2.0) [Computer Program]. Available from http://www.accessdata.com/support/product-downloads (Accessed: 1st Mar 2015).

Al-Khateeb, H. M. (2014) 'Recovering User Passwords From Memory', Digital Forensics Magazine, 2014(20), pp. 8-12.

Ballenthin, W. (2014) INDXParse.py (Version 1.1.8) [Computer Program]. Available from https://github.com/williballenthin/INDXParse (Accessed: 1st Mar 2015).

BreakPoint Software (2014) Hex Workshop (Version 6.7.3) [Computer Program]. Available from http://www.hexworkshop.com/ (Accessed: 1st Mar 2015).

Chivers, H. (2014) 'Private browsing: A window of forensic opportunity', Digital Investigation, 11(1), pp. 20-29 [Online].

Dharan, G. D. and Meeran, A. R. (2014) 'Forensic Evidence Collection by Reconstruction of Artefacts in Portable Web Browser', International Journal of Computer Applications, 91(4) [Online]. Available at: http://research.ijcaonline.org/volume91/number4/pxc3894862 (Accessed: 1st Mar 2015).

Eleutério, P. M. and Eleutério, J. D. A. S. (2011) 'Webmail evidence recovery: a comparison among the most used Web browsers and webmail services', ICoFCS 2011, pp. 182-189.

Garfinkel, S. L. (2013) 'Digital media triage with bulk data analysis and bulk_extractor', Computers & Security, 32, pp. 56-72.

Google (2014) 'Browse in private (incognito mode)'. Available at: https://support.google.com/chrome/answer/95464?hl=en-GB (Accessed: 1st Mar 2015).

Jahankhani, H. (2007) 'Evaluation of cyber legislations: trading in the global cyber village', International Journal of Electronic Security and Digital Forensics, 1(1), pp. 1-11.

Marrington, A., Baggili, I., Ismail, T. and Kaf, A. (2012) 'Portable web browser forensics: A forensic examination of the privacy benefits of portable web browsers', 2012 International Conference on Computer Systems & Industrial Informatics, p. 1, EBSCOhost [Online].

Matsumoto, S. and Sakurai, K. (2014) 'Acquisition of Evidence of Web Storage in HTML5 Web Browsers from Memory Image', in Information Security (ASIA JCIS), 2014 Ninth Asia Joint Conference on, pp. 148-155. IEEE.

Microsoft Windows (2014) 'InPrivate Browsing'. Available at: http://windows.microsoft.com/en-GB/internet-explorer/products/ie-9/features/in-private (Accessed: 1st Mar 2015).

Mozilla Foundation (2014) 'Private Browsing – Browse the web without saving information about the sites you visit'. Available at: https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-saving-info (Accessed: 1st Mar 2015).

Said, H., Al Mutawa, N., Al Awadhi, I. and Guimaraes, M. (2011) 'Forensic analysis of private browsing artifacts', in Innovations in Information Technology (IIT), 2011 International Conference on, pp. 197-202. IEEE.

Oh, J., Lee, S. and Lee, S. (2011) 'Advanced evidence collection and analysis of web browser activity', Digital Investigation, 8, pp. S62-S70, EBSCOhost [Online].

Ohana, D. and Shashidhar, N. (2013) 'Do private and portable web browsers leave incriminating evidence?: A forensic analysis of residual artefacts from private and portable web browsing sessions', EURASIP Journal on Information Security, 1(1), EBSCOhost [Online].

Passmark (2014) OSForensics (Version 3.0) [Computer Program]. Available from http://www.osforensics.com/osforensics.html (Accessed: 1st Mar 2015).

Philipp, A., Cowen, D. and Davis, C. (2010) Hacking Exposed: Computer Forensics. New York; London: McGraw-Hill.

Pereira, M. T. (2009) 'Forensic analysis of the Firefox 3 Internet history and recovery of deleted SQLite records', Digital Investigation, 5(3), pp. 93-103.

Ritchie, J. (2014) Firefox Cache Find (Version 0.3) [Computer Program]. Available at: https://code.google.com/p/firefox-cache-forensics/downloads/detail?name=ff_cache_find_0.3.pl (Accessed: 1st Mar 2015).

Satvat, K., Forshaw, M., Hao, F. and Toreini, E. (2014) 'On the Privacy of Private Browsing – A Forensic Approach', Journal of Information Security and Applications, 19, pp. 88-100. Available at: http://homepages.cs.ncl.ac.uk/m.j.forshaw1/privatebrowsing/artefacts/DPM13 (Accessed: 1st Mar 2015).

Volatility Foundation (2014) Volatility (Version 2.4) [Computer Program]. Available from http://www.volatilityfoundation.org/#!24/c12wa (Accessed: 1st Mar 2015).

W3Counter (2014) 'July 2014 Web Browser Market Share'. Available at: http://www.w3counter.com/globalstats.php?year=2014&month=7 (Accessed: 1st Mar 2015).


    Private Web Browser Forensics: A Case Study of the Epic Privacy Browser

    Preprint · March 2018


    All content following this page was uploaded by Mark Scanlon on 04 January 2018.


    Private Web Browser Forensics: A Case Study of the Epic Privacy Browser

    A Reed1, M Scanlon2, N-A Le-Khac2

    1Ottawa Police
    Ottawa, Canada

    E-mail: reeda136@gmail.com

    2Forensics and Security Research Group

    School of Computer Science
    University College Dublin

    Dublin, Ireland

    E-mail: mark.scanlon@ucd.ie; an.lekhac@ucd.ie

Abstract: Organised crime, as well as individual criminals, is benefiting from the protection that
private browsers provide to those who would carry out illegal activity, such as money laundering,
drug trafficking, the online exchange of child-abuse material, etc. The protection afforded to users
of the Epic Privacy Browser illustrates these benefits. This browser is currently in use in
approximately 180 countries worldwide. This paper outlines the location and type of evidence
available through live and post-mortem state analyses of the Epic Privacy Browser. This study
identifies the manner in which the browser functions during use, where evidence can be recovered
after use, as well as the tools and effective presentation of the recovered material.

    Keywords: Web Browser Forensics, Epic Privacy Browser, Live Data Forensics, Post-Mortem
    Web Browser Forensics, Browzar

    Introduction
Internet security has been a major and increasing concern for many years, in part because it can be
compromised not only through the threat of malware, fraud, system intrusion, or damage, but also
through the tracking of Internet activity. In order to combat these threats, encryption of data as a
default setting is now commonplace. Firewalls (that is, software that controls access to and from a
network) and anti-virus programs are essential tools in the fight against computer crime. Criminals
are using numerous methods to access data in the highly lucrative cybercrime business. Organised
crime, as well as individual users, is benefiting from the protection of several anti-forensic
techniques, including Virtual Private Networks (Conlan 2016), cloud services (Farina et al.
2015), and private browsers (Gabet 2016) such as Tor, Ice Dragon, and Epic Privacy Browser,
to carry out illegal activity such as money laundering, drug dealing and the trade of child-abuse
material (Reed, Scanlon & Le-Khac, 2017). Weak security has been identified and exploited in
several high-profile breaches in recent years. Most notably, in 2011, the Sony PlayStation network
faced a major security breach (Gazzini & Holt 2011). Over 77 million PlayStation accounts were
hacked, which resulted in 12 million unencrypted credit card accounts' being compromised and
the site's being closed for a month. In 2005, the United States' Internal Revenue Service (IRS)
faced a data breach that resulted in a reported $50 million in fraudulent claims. In 2015, Ashley
Madison (Fox-Brewster 2015), a site for extramarital affairs, had 37 million account holders'
details released. Breaches such as these underscore the need for better online security and Internet
privacy.

Following the Snowden breach (Toxen 2014), there was public outrage at the lack of privacy,
leading to a rise in the number of browsers offering private browsing. News articles offering advice
regarding Internet privacy assisted in educating the public, and a new era of private browsing arose.
Although these measures were designed to protect legitimate browsing privacy, they also provided
a means to conceal illegal activity. As Rubenking notes, one such tool released for private
browsing was the Epic Privacy Browser. This was first released in August 2013 by an India-based
company called Hidden Reflex. The Epic Privacy Browser is based on the open-source web
browser, Chromium (2014). The Chromium project has resulted in several privacy-enhancing
browsers' being built upon its source code, including the Epic Privacy Browser, Comodo (Choi et
al. 2012), Dooble (Gabet 2016), Inox, and Project Maelstrom (Farina, Kechadi & Scanlon 2015).
The Epic Privacy Browser was made available for Windows and OSX operating platforms. As per
the browser's homepage, https://www.epicbrowser.com/, it has over one million users and is
currently used in approximately 180 countries worldwide (Epic Privacy Browser Homepage,
2017). The Epic Privacy Browser is promoted as a browser specifically engineered to protect users'
privacy. It solely operates in private-browser mode and, upon close of the browsing session, deletes
all browsing data. Each tab functions as a separate process to increase security. In addition, it
claims to remove address bar and URL (Uniform Resource Locator) tracking, to remove
installation and error tracking, and to offer a 'one-click' option to surf via the company's own
encrypted proxy. The intention of these measures is to hide the user's IP address and encrypt all
browsing traffic. To prevent searches being indexed per IP address by the search engine providers,
automatic proxy routing occurs when the search engines are used.

Information commonly stored on a device by Internet browsers includes cache, temporary
Internet files, cookie information, search history, passwords, and registry changes. This paper aims
to establish what, if any, data relating to the use of the Epic Privacy Browser is produced during
the installation and user interaction with the browser. To that end, the authors ran forensic tools
such as Process Monitor and Regshot (Regshot 2016), captured the live RAM data after use while
the system was still running, and examined data acquired post-mortem once the system was shut
down. Because of the privacy concerns surrounding Windows 10, it was used as the main platform
for analysis. The authors also compared artefacts found on Windows 10 with those available from
Windows 7, both set up using default settings and the latest updates. This paper also examines the
Epic Privacy Browser's claim that all traces of user activity will be cleared upon close of the
application and establishes whether the introduction of Windows 10 has an adverse effect on this
claim.

    Investigators can use the methods described in this paper to examine a range of Internet-focused
    Windows applications including, but not limited to instant messaging (Van Dongen 2007; Voorst,
    Kechadi & Le-Khac 2016), VoIP applications (Sgaras, Kechadi & Le-Khac 2015; Sha, Manesh &
    El-atty 2016), and peer-to-peer (P2P) network-client applications (Scanlon, Farina & Kechadi
    2015; Bissias et al. 2016). Experimental results outlined in this paper can also assist researchers

    who are finding new methods of preserving privacy or aid in the triage process for front-line
    forensic personnel (Hitchcock, Le-Khac & Scanlon 2016). The contributions of this paper consist
    of the following items:

    • The identification and analysis of Epic Privacy Browser artefact evidence left on Windows
    10 and compared with Windows 7 operating systems.

    • The outlining of the amount of data recovered from live analysis compared with post-
    mortem analysis.

    • The examination of Epic Privacy Browser artefact evidence unique to Windows 10.
    • The identification of forensic tools available to provide effective analysis.

    Background
    Private browsing
    Although private browsing has legitimate uses, such as activity on multiple user devices and
    political restrictions, many individuals are using the shield of anonymity to carry out illegal activity
    on the Internet. Private browsing is designed, in some web browsers, to disable browsing history
    and the web cache. This allows users to browse the Web without storing data on their systems that
    could be retrieved by investigators. Privacy mode also disables the persistent storage of cookies and
    browsing history databases. This protection applies only to the local device: the websites visited
    (and any intermediary on the network path) can still record the client’s IP (Internet Protocol)
    address and so identify which sites were visited from it.

    Aggarwal et al. (2010) examined private browsing features introduced by four popular browsers:
    Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. The authors noted that
    private browsing modes have two goals: 1) to ensure sites visited while browsing in private leave
    no trace on the user’s computer, and 2) to hide a user’s identity from web sites visited by, for
    example, making it difficult for web sites to link the user’s activities in private mode to the user’s
    activities in public mode. The research also identified inconsistencies among the level of privacy
    afforded to the user when using private mode with the popular browsers and revealed that, although
    all major browsers support private browsing, the type of privacy provided by each differs greatly.
    Firefox and Chrome attempt to protect against both web and local attacks while Safari only
    prevents local issues. In 2013 Marrington et al. examined the privacy benefits of the Chrome
    portable web browser (including private browsing mode) and discovered that browsing traces
    remained on the host machine after the session ended and the portable storage device had been
    disconnected.

    Plug-ins and extensions being introduced to the browser can change the configuration, render the
    privacy settings unable to perform as intended, and leave the browser vulnerable to attack. Well
    known browsers such as Google Chrome, Internet Explorer, Safari, and Mozilla Firefox rely on
    similar methods to ensure the speed and popularity of their product. The web cache is a popular way of
    storing data that can be easily and quickly accessed, thereby removing the need to re-fetch data
    that has already been used. History databases, thumbnails (small stored images), temporary files,
    and cookies (user- and site-specific data) all help to speed up the user experience and, in their path,
    leave a plethora of artefact evidence for examiners to feast on. Many studies have been carried out
    in this area; and free tools, such as ChromeHistoryView, ChromeCacheView, IECacheView, as
    well as forensic software such as Internet Evidence Finder, are available to automate the
    examination process. All the above browsers have the option to operate in private mode.

    Research by Khanikekar (2010) indicates that the use of Internet Explorer in ‘Protected Mode’
    runs a ‘Low Privilege’ process, preventing the application writing to areas of the system that
    require higher privilege. Hedberg (2013) states that Firefox browser history and search engine
    keywords are stored in the physical memory of the computer and can still be accessed after the
    browsing session by way of pagefile.sys or live memory dump. Of particular interest is Google
    Chrome’s ‘incognito’ mode, as the Epic Privacy Browser is built on top of Chromium. Similar to
    Firefox, the history, cookies or download lists are not stored on the drive, but held in the physical
    memory. This still leaves the possibility of pagefile.sys artefact evidence remaining.

    The Epic Privacy Browser
    The Epic Browser prides itself on protecting the user’s privacy by blocking tracking scripts,
    creating a new process every time a new tab is opened, and removing installation information
    amongst other reported features. Forensic analysts have relied on the recovery of Internet artefacts
    to prove the type of Internet activity as well as to establish the identity of the user behind the
    keyboard. Epic Browser was released in August 2013, by a company called Hidden Reflex based
    in Bangalore, India and Washington, D.C. The browser was released in response to increased
    concerns of Internet activity monitoring by both government and private company interests. It was
    the first browser built on Chromium that was engineered specifically to protect the privacy of the
    user. Epic lists, among its many features, the ability to remove all Google tracking as well as to
    block other companies’ tracking attempts. It also offers the option of an encrypted proxy for added
    security. Rubenking (2014), a journalist with PC Magazine, published a review of the Epic Privacy
    Browser highlighting some of its main features. Although it is powered by the world’s leading
    search engines, Epic is able to prevent data from being leaked to them. The author noted that the browser routes
    queries through Epic’s proxy server automatically, blocking third party cookies and trackers. He
    also noted that some websites “simply didn’t work with Epic”.

    Epic Privacy Browser Forensics
    This paper will compare the Epic Privacy Browser performance on both the Windows 7 and
    Windows 10 operating systems. Windows operating systems hold the majority share of the market,
    with Windows 7 being the most popular at 46.66% of market share, followed by Windows 10 at
    13.65%. It is reasonable to conclude, given these statistics, that a forensic examiner is more likely
    to deal with one of these operating systems than any others, which is why they were chosen for
    examination in this study. In addition, this research will establish whether the introduction of new
    data collection methods presented in Windows 10 have provided an opportunity for forensic
    investigators to utilise any potential breaches in Epic’s privacy settings; whether tools currently
    used for the analysis of similar browsers built on the same source code, such as Google Chrome,
    can also be used to recover data from Epic; and whether live analysis, by the capture on Random
    Access Memory data, differs when using Windows 10 compared to Windows 7.

    For the analysis of the Epic Privacy Browser on both the Windows 7 and Window 10 operating
    systems, a 320GB hard drive was used in an HP desktop computer containing 4GB of RAM. The
    hard drive was wiped, using Wipemaster hardware, according to Department of Defence standards.
    Windows 7 Pro was then installed on the hard drive, and all default settings were selected. The
    computer tower was then connected to the Internet via an Ethernet cable, and all available software
    and security updates were carried out. Standard firewall and defender settings were applied.

    Once the Windows software was updated, the Epic Privacy Browser was installed. Installation of
    the browser was monitored using the following software to analyse activity on the system:

    • Process Monitor – an advanced monitoring tool that shows real-time file system, registry,
    and process thread activity;

    • Regshot – an open-source utility that allows snapshots to be taken pre- and post-software
    installation in order to record registry changes on the system;

    • TCPView – a tool that shows detailed listings of all TCP (Transmission Control Protocol)
    and UDP (User Datagram Protocol) endpoints as well as network connection status;

    • Registry Viewer – software that allows analysis of the Windows registry;

    • FTK Imager – forensics software that is used to capture RAM dumps and protected file
    data on a live system;

    • Wireshark – network protocol analyser that identifies all network traffic;

    • ChromeHistoryView – freeware that allows an examiner to view History database records;

    • ChromeCacheView – freeware that allows the examiner to view cache entries.

    Following installation of Epic, a series of functions were carried out and recorded for the
    examination. These included Internet searches; viewing of photos, videos and galleries; as well as
    document and image downloads. Social networking sites such as Facebook, Twitter, Instagram
    and YouTube were visited. Any login details were entered; and, when offered, the passwords were
    stored. Google’s Gmail was also visited, and account sign in and log out completed. The computer
    was constantly connected to the Internet for a period of three days with the Epic Privacy Browser
    displayed. On closure of the browser, but while the computer was still running, the Random Access
    Memory data was then acquired using FTK Imager (version 3.1.1.8). Protected files, such as the
    SAM, SYSTEM, SECURITY and SOFTWARE registry hives and user files such as NTUSER.DAT, were also
    acquired using FTK Imager at different stages of the process. Upon completion, the system was powered
    down using the Start>Power>Shutdown option. The same 320GB hard drive was then wiped
    (again to Department of Defence standards) and placed back into the HP tower, and the process
    was repeated but this time using Windows 10 Pro operating system with the same browser and
    forensics software installed. The same queries that had been performed with Windows 7 were
    repeated. Random Access Memory data was captured before the Epic Privacy Browser was
    installed and on completion of the search queries, while the browser was still displayed. On
    completion, the browser was closed and the system shut down using the Start – Power – Shutdown
    method.

    Live-memory acquisition
    As memory capture and analysis become better understood, improved forensic tools have been
    developed to assist investigators in extracting and interpreting this data. Traditionally, memory
    analysis has often been avoided due to the complicated nature of acquisition and interpretation,
    but with the advent of software such as FTK Imager, OS Triage, and Belkasoft RAM Capturer,
    these processes have become more straightforward. Software features such as improved GUIs,
    ‘push button’ applications, and built-in detection functions have made memory retrieval and
    analysis far less intimidating for the forensic examiner. A great deal of information can be gained
    from live memory analysis, making live data capture more important than ever before. Network
    connections and malware communication (malware infection is often raised as a defence) can be
    established or eliminated through RAM analysis. User names and passwords, as well as decrypted
    programs, may be found there, and private browsers, such as Epic, often use RAM in preference to other
    forms of storage. For these reasons, the authors chose live-memory capture as the adopted
    approach for this study.

    In these experiments, a 128GB Thumb drive was used as storage for the RAM and protected file
    dumps. FTK Imager forensics software was installed on the examination computer on initial set
    up and was the software used to extract both the RAM and protected file data. The resulting data
    dump was then transferred to a forensics workstation and labelled as either Windows 10 or
    Windows 7, pre or post examination, and protected file dumps.

    Post-mortem data acquisition
    Computer examiners often receive a device post mortem, meaning that the device has been
    powered down or the power plug has been pulled, thereby clearing all of the RAM data. The
    benefits of powering down a device include isolation from a network, prevention of a wipe
    command deleting the data, and the ability to carry out the search and seizure of equipment without
    the need for an on-scene computer examiner. In addition, sometimes a device is submitted for
    examination months after its seizure, and, even then, analysis of the data may not immediately
    follow. So keeping the device powered on is not always practical or feasible. Given these
    occurrences, post-mortem data examination was also conducted.

    Figure 1: List of keyword search terms

    In this study, once each hard drive was removed from the HP Tower, it was acquired individually
    using FTK Imager forensics software via Tableau Write Blocking hardware. This method is used
    in order to ensure an exact forensic image is obtained, verified on completion by way of a Cyclic
    Redundancy Check (an error-detecting code that detects changes to raw data) and an MD5 hash.
    Tableau Write Blocking hardware is connected directly between the

    hard drive being acquired and the forensics computer running the acquisition software. Its function
    is to allow read-only commands to be sent to the hard drive, thereby preserving the original data.
    As the original hard drive is the best evidence in a case required for court, an exact forensic copy
    is produced as a ‘working copy’ for investigators to analyse to minimise the risk of damage or data
    loss to the original hard drive.

    Both Windows 7 and Windows 10 E01 files were loaded into EnCase forensics software (version
    6.19.7) for analysis. A ‘lost folder’ recovery was then carried out followed by the inclusion
    of the live-memory data. The authors then carried out a search on a number of keyword search
    terms, as seen in Figure 1.

    Windows 7: Epic Privacy Browser Forensic Analysis
    Post-mortem analysis
    Initial analysis was carried out on the Epic Privacy Browser installed on Windows 7 professional.
    The installation was monitored using Regshot freeware. A capture was taken before and after
    install. The software then compares the before and after snapshots and provides a report of the
    changes recorded in the registry. Of interest to an examiner are the application path and
    the version number: C:\Users\User\AppData\Local\Epic Privacy
    Browser\Application\39.0.2171.71. This contains the default folders shown in Figure 2. On
    executing the browser, several other folders and files are created.

    Figure 2: Epic default folder contents on install

    The folder structure has a very similar look to that of Google Chrome, shown in Figure 3.

    Figure 3: Epic default folder on execution

    Process Monitor software was used to analyse the browser application launch, Figure 4, below.
    This figure shows the browser making use of a cache folder and additional files that were not
    initially present on the browser install.

    Figure 4: Procmon capture of Epic Privacy Browser launch

    The additional files and folders are populated with data while the browser is running and deleted
    when the browser is closed. The history.db file and cache folder appear to function in the same
    way as Google Chrome, allowing data to be viewed using standard Chrome freeware tools.
    Through the device’s live memory capture, traces of the browser running are recoverable after the
    browser’s closure. Although a large number of files are removed from view when the browser is
    closed, a great deal of artefact evidence was either written to pagefile.sys, recovered from files
    shown as deleted using standard forensic tools, or recovered from unallocated space. EnCase, as well as
    Internet Evidence Finder, was also able to recover created dates from Epic files shown as deleted,
    as can be seen in Figure 5.

    Figure 5: Encase screenshot of recovered Epic artefacts including created dates
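Because Epic's history.db follows the Chromium layout, any script that reads a Chrome History file reads Epic's. The following Python is an added example, not code from the paper, from Epic or from Chromium: it does what ChromeHistoryView does at a minimum, joining the visits table to urls, converting the WebKit timestamps (microseconds since 1601-01-01 UTC, not the Unix epoch, a frequent source of off-by-369-years mistakes) and pulling the typed query out of search-result URLs. The rows are constructed here; on a recovered file, replace the in-memory builder with sqlite3.connect on a working copy of the History file, never the original.

```python
"""Added example: read a Chromium-layout History database (Chrome and, per the
paper, Epic) and render its visits with readable UTC timestamps.
Not code from the paper or from Chromium; the rows below are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC (the
# Windows FILETIME epoch), not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    # Integer division of timedeltas is exact; float division would lose
    # microseconds at this magnitude.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def search_term(url):
    """Recover the query typed into a search engine from its result URL.
    Epic's own engine, like Google and Bing, carries it in the q= parameter."""
    return parse_qs(urlparse(url).query).get("q", [None])[0]


def build_sample_history():
    """Constructed stand-in for a recovered History file (assumption: two
    visits with arbitrary times). Only the columns this script reads from
    Chromium's real `urls` and `visits` tables are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);
    """)
    t1 = datetime_to_webkit(datetime(2017, 3, 14, 10, 15, 30, tzinfo=timezone.utc))
    t2 = datetime_to_webkit(datetime(2017, 3, 14, 10, 16, 5, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, "https://epicsearch.in/search?pno=1&q=kijiji", "kijiji", 1, 1, t1, 0),
        (2, "https://www.kijiji.ca/", "Kijiji", 1, 0, t2, 0),
    ])
    # from_visit = 1 records that the second page was reached from the first.
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, t1, 0, 0),
        (2, 2, t2, 1, 0),
    ])
    conn.commit()
    return conn


def extract_visits(conn):
    """Timeline of visits, oldest first, as an examiner would tabulate them."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.from_visit
        FROM visits AS v JOIN urls AS u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [{
        "time_utc": webkit_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S"),
        "url": url,
        "title": title,
        "from_visit": from_visit,
        "search_term": search_term(url),
    } for t, url, title, from_visit in rows]


if __name__ == "__main__":
    for row in extract_visits(build_sample_history()):
        print(row)
```

On a live system Chromium holds an exclusive lock on History while the browser runs, which is one more reason the paper's approach of extracting the whole default folder (or a RAM image) is preferable to opening the file in place.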

    Further analysis was carried out using Internet Evidence Finder, version 6.6.3.0740. The software
    allows for the Windows 7 image file to be loaded and specific category searches selected, as can
    be seen in Figure 6.

    Figure 6: IEF software data selection GUI

    IEF identified a large number of hits relating to queries carried out during the experiment. It
    appeared that data was regularly captured and transferred to the pagefile.sys. Figures 7 and 8,
    below, illustrate a small sample of those found.

    Figure 7: Google Search within Epic – ‘shark attacks’ date and time stamped

    Figure 8: Gmail account details, captured in pagefile.sys

    The Windows 7 drive image (E01) returned 343,000 hits from keyword searches (see Figure 9). The
    same keyword search terms were run on the Windows 10 drive image, resulting in only 52,000
    hits.

    Figure 9: Windows 7 drive image keyword hits

    Live analysis
    On the completion of the Internet queries, but before the Epic Privacy Browser was closed, the
    live-memory capture was carried out using FTK Imager software. The system files were also
    captured at this time. The extracted data was then analysed in both Encase and Internet Evidence
    Finder. The benefit of live-data capture was immediately evident although, in this case, post-
    mortem analysis had also borne significant fruit. It appeared that Epic Browser activity on Windows
    7 was being both captured in RAM and written to pagefile.sys. Internet Evidence Finder was an
    excellent tool for parsing out and presenting the evidence found. Of note were the areas that would
    be beneficial to a forensics examiner (see Figure 10).

    Figure 10: IEF Windows 7 total hits on RAM dump

    Indeed, Figure 11, below, shows the ‘kijiji dogs’ selection made during the browser query process.
    This information was retrieved from both the RAM and post-mortem data dumps with the date and
    time of the search clearly visible.

    Figure 11: Kijiji search for dogs

    Figure 12, shows a list of the URLs visited during the query stage. The URL
    “https://epicsearch.in/search?pno=1&q=kijiji” indicates not only the use of Epic, but also that a
    “kijiji” search was carried out by the user.

    Figure 12: URLs visited
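The URL and keyword recovery illustrated above can be reproduced at a small scale with a carving script. The following Python is an added example, not code from the paper or from EnCase or IEF. Windows keeps much user-facing text in memory as UTF-16LE, so an ASCII-only search misses a large share of the evidence; the script scans both encodings, recovers the typed query from each search URL, and counts keyword hits the way an EnCase keyword search does. The dump it scans is a constructed byte string containing the epicsearch.in URL from Figure 12 and a UTF-16LE Google search for ‘shark attacks’ (the query of Figure 7).

```python
"""Added example: carve URLs and search queries from a raw RAM or pagefile.sys
image and count keyword hits across both ASCII and UTF-16LE encodings.
Not code from the paper or from EnCase/IEF; the dump is constructed below."""
import re
from urllib.parse import parse_qs, urlparse

# Characters RFC 3986 allows in a URL; a match ends at the first byte outside it.
URL_CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
ASCII_URL = re.compile(rb"https?://" + URL_CHARS + rb"{8,}")
# The same shape with every code unit followed by a NUL byte, i.e. UTF-16LE.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:"
                       + URL_CHARS + rb"\x00){8,}")


def carve_urls(dump):
    """(offset, encoding, url) for every URL-shaped string, lowest offset first."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_URL.finditer(dump)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_URL.finditer(dump)]
    return sorted(hits)


def search_queries(urls):
    """(host, query) for each carved URL carrying a q= search parameter;
    parse_qs also undoes the '+' and %xx encoding of the typed text."""
    out = []
    for _offset, _encoding, url in urls:
        parts = urlparse(url)
        q = parse_qs(parts.query).get("q")
        if q:
            out.append((parts.hostname, q[0]))
    return out


def keyword_hits(dump, keywords):
    """Hit count per keyword across both encodings, the figure EnCase reports."""
    return {k: dump.count(k.encode("ascii")) + dump.count(k.encode("utf-16-le"))
            for k in keywords}


def constructed_dump():
    """Constructed stand-in for a slice of RAM or pagefile.sys (not real data):
    an ASCII URL, a UTF-16LE URL and a loose UTF-16LE string between filler."""
    ascii_url = b"https://epicsearch.in/search?pno=1&q=kijiji"
    utf16_url = "https://www.google.com/search?q=shark+attacks".encode("utf-16-le")
    return (b"\x00" * 32 + b"MZ\x90\x00junk " + ascii_url + b"\x00" * 16
            + utf16_url + b"\x00\x00" + "kijiji dogs".encode("utf-16-le") + b"\x00" * 8)


if __name__ == "__main__":
    dump = constructed_dump()
    for offset, encoding, url in carve_urls(dump):
        print("0x%08x %-8s %s" % (offset, encoding, url))
    print(search_queries(carve_urls(dump)))
    print(keyword_hits(dump, ["kijiji", "shark", "gmail"]))
```

On a real 4 GB image, read the file in overlapping chunks rather than loading it whole, and treat a raw hit count the way the paper does: as a triage signal pointing at regions worth parsing with a full tool, not as a count of distinct user actions.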

    IEF returned over 40 hits of interest from the Windows 7 RAM dump, cementing the requirement
    for investigators to capture live memory when possible, as shown in Figure 13.

    Figure 13: IEF total Windows 7 RAM dump hits

    Fifty-two thousand hits were recorded from the combined keyword searches entered in Encase,
    against the live memory dumps of Epic queries on both Windows 7 and Windows 10 operating
    systems. Of the 52,000 hits, only 12,000 were recorded from the Windows 7 operating system,
    even though the same experimental process was carried out on each operating system.

    Windows 10: Epic Privacy Browser Forensic Analysis
    Post-mortem analysis
    As with Windows 7, the Epic Privacy Browser installation on Windows 10 Professional was
    monitored using Regshot and Process Monitor tools. A snapshot was also taken immediately
    before, and after, the installation process to identify changes to both the file system and Windows
    registry. There were a number of registry entries of interest that had not been present in the
    Windows 7 install (see Figures 14 and 15).

    Figure 14: Epic WOW6432 node version #

    Figure 15: Classes root entry

    Further entries were discovered specific to the user’s Security Identifier (SID) that would assist
    the examiner in identifying the user account associated with the application. The SID is a device
    and account identifier. It is variable in length and encapsulates the hierarchical notion of issuer
    and identifier: a revision byte and a sub-authority count, a 6-byte identifier authority field, then
    1 to 14 32-bit sub-authority values, ending in a single 32-bit Relative Identifier (RID). This makes
    it unique not only to the user but also to the device. The machine SID is generated during the
    installation of the operating system and is unique to each computer; all local user accounts are
    built from the computer’s SID with a distinct RID appended for each account (the first user account
    created after installation receives RID 1000). Although the machine SID is randomly generated, a
    collision between two independently installed machines is, in practice, vanishingly unlikely (disk
    images cloned without being re-generalised are the known exception), which makes it extremely
    useful to a forensic examiner, as can be seen in Figure 16.

    (a) Epic Install SID information

    (b) SID 1000 command entry

    (c) Epic Software entry in 1000 SID

    Figure 16: SID information
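The SID structure described above can be decoded mechanically. The following Python is an added example, not code from the paper or from Registry Viewer: it parses the binary SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) into the familiar string form, splits off the RID, and scans a byte blob for every account SID belonging to a given machine, which is how an examiner ties a registry value or a memory hit back to the account that installed Epic. The machine SID used in the sample is made up; the Local System SID S-1-5-18 is the real well-known value.

```python
"""Added example: decode binary Windows SIDs (as stored in registry values and
seen in memory) into S-1-5-21-... form, split off the RID, and locate every
account SID of one machine inside a hive or memory dump.
Not code from the paper; the machine SID below is constructed."""
import struct


def parse_sid(raw):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 32-bit
    little-endian sub-authorities, the last of which is the RID."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 1 <= count <= 15:
        raise ValueError("sub-authority count %d out of range" % count)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match count %d" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of parse_sid; also gives a byte pattern to search a dump for."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """Machine (or domain) part and the RID. Local accounts share the machine
    SID; RIDs below 1000 are reserved for built-in accounts, and the first user
    account created after install gets RID 1000."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def find_sids(blob, machine_sid):
    """(offset, sid) for each binary account SID of the given machine found in
    a registry hive or memory dump, whatever the RID."""
    machine = sid_to_bytes(machine_sid)
    # An account SID has one more sub-authority (the RID) than the machine SID,
    # so the count byte in the search prefix is one higher.
    prefix = bytes([machine[0], machine[1] + 1]) + machine[2:]
    hits = []
    pos = blob.find(prefix)
    while pos != -1:
        candidate = blob[pos:pos + len(prefix) + 4]
        try:
            hits.append((pos, parse_sid(candidate)))
        except ValueError:
            pass  # truncated at end of blob
        pos = blob.find(prefix, pos + 1)
    return hits


if __name__ == "__main__":
    # Constructed machine SID (made up) with two local accounts.
    machine = "S-1-5-21-1234567890-987654321-1122334455"
    blob = b"\x00" * 7 + sid_to_bytes(machine + "-1000") + b"\xff" * 3 + sid_to_bytes(machine + "-1001")
    for offset, sid in find_sids(blob, machine):
        print("0x%04x %s rid=%d" % (offset, sid, split_sid(sid)[1]))
```

The same prefix search applied to the SAM hive's `Users\Names` keys and to NTUSER.DAT entries is what lets Registry Viewer attribute the `Epic Software` entry of Figure 16(c) to the RID 1000 account.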

    The installation of the Epic Privacy Browser on Windows 10 appears to differ slightly from that
    of Windows 7 with the addition of a ‘Bookmarks.bak’ file. This appears to be a backup of the
    bookmarks file and remains, even when the browser is closed. All other files appear to behave in
    the same way as in Windows 7 in that the additional cache folder and files are generated on the
    launch of the browser and then are deleted immediately on its conclusion. A running system with
    browser displayed offers the best opportunity to capture the default folder and, therefore, the
    complete history and cache but all is not lost if the system is powered off. Although many of the
    files display in Encase as deleted, the data, and often the metadata, appears to be present (see
    Figure 17).

    Figure 17: Night rod special cache shown as deleted data

    Stored in Windows\ServiceProfiles\NetworkService\ is a file named NTUSER.DAT.LOG2
    (Figure 18).

    Figure 18: NTUSER.DAT.LOG2 file information

    The file logged search queries carried out during the experiment, including the site contacted to
    carry out the search (https://epicsearch.in). The Windows 10 drive image (E01) returned 52,000
    hits from keyword searches, whereas the same search terms resulted in 343,000 hits on the Windows 7
    image. It appears that live capture of Epic artefact evidence is far more important on Windows 10
    than on Windows 7.

    Live analysis
    Windows 10 relied heavily on live memory during the use of the Epic Privacy Browser: the
    analysis showed that the newer operating system accounted for approximately 80% of the
    live-captured keyword hits across the two tests, again reinforcing the importance of live-data
    capture. EnCase and IEF were used to analyse and present the data. IEF results of note are
    illustrated in Figure 19.

    Figure 19: Search results captured in live memory

    Data within the Gmail account, that was displayed but not directly accessed, was also captured in
    memory and parsed by IEF. Information of this nature is invaluable to any forensic investigator as
    it is often difficult to place a user behind the keyboard (see Figure 20, below).

    Figure 20: IEF Gmail hits from RAM dump

    The live-memory capture shows not only the browser install location, but also the user account in
    which it was installed (see Figure 21).

    Figure 21: Location and user information of Epic Windows 10 RAM dump

    Fifty-two thousand hits were recorded from the combined Keyword searches entered in Encase,
    against the live-memory dumps of Epic queries on both Windows 7 and Windows 10 operating
    systems. Of the 52,000 hits, approximately 38,000 were recorded from the Windows 10 operating
    system.

    Discussion
    What artefact evidence is produced when the Epic Privacy Browser is installed on the Windows
    10 operating system platform? On installation, the application creates a number of documents in
    the C:\Users\User\AppData\Local\Epic Privacy Browser folder. A default folder is also created
    that houses data on installation and temporary files and folders used only when the browser is
    launched. Even though the temporary files are deleted on closure, a great deal of information can
    be retrieved from both live and post-mortem examination. Registry entries, specific to the user
    account (SID), are populated and recovered using software such as Registry Viewer. On Windows
    7, Epic chooses the same location for application installation and, by default, installs the same files
    and folders as with Windows 10 (with the exception of the bookmarks.bak included in Windows
    10). Artefact evidence is written to areas such as the pagefile.sys, and little effort is made to delete
    and overwrite private browsing data.

    Another important question is whether all Internet artefact evidence is cleared when the Epic
    Privacy Browser is closed. Although temporary files and folders within the default folder of the
    Epic Browser are cleared when the application is closed, the data appears readily available to the
    forensic examiner, using the standard tools. These remnant traces are similar to those discovered
    for Browzar (http://www.browzar.com/), another privacy-focused web browser. Upon closing the
    browsing session, Browzar removed all traces of web browser activity. However, using a
    combination of forensic tools and techniques, evidence (including pictures, keyword searches, and
    URLs) was easily recovered in both the memory and in the pagefile (Warren, El-Sheikh & Le-
    Khac 2017).

    Looking at the live-data forensics approach, live-memory capture proves fruitful for the acquisition
    of Epic artefact evidence. Finding a computer running with the application displayed or minimised
    on screen would afford the examiner the opportunity to extract the browser ‘default’ folder in its
    entirety, thereby capturing all the temporary files and data within. Live-memory dump would also
    glean a wealth of information, as demonstrated in this study. Acquisition and analysis of the
    imaged drive has shown to be of benefit from both the Windows 7 and Windows 10 operating
    systems. Important artefact evidence was found in deleted data files, pagefile.sys, hiberfil.sys,
    Ntuser.dat log files, and unallocated space. It appears that the browser does very little either to
    overwrite the information or to prevent it being written to the drive. So in terms of the

    differences between artefact evidence recovered using the Epic Privacy Browser on Windows 10
    and Windows 7 operating systems, it appears that Windows 7 is far less RAM dependent than
    its successor, and so far more evidence was found on the drive (343,000 keyword hits against
    52,000 on Windows 10). The Windows 10 RAM dump produced approximately 80% of the live-memory
    keyword hits. In the case of Browzar forensic analysis,
    live analysis also proved to contain valuable artefacts: keyword searching, websites visited, and
    pictures were recovered. In some cases, pictures could not be fully recoverable, but they showed
    the activities (and their focus) being performed during the browsing session (Warren, El-Sheikh
    & Le-Khac 2017).

    In addition, both ChromeHistoryView and ChromeCacheView were successful in presenting data
    acquired from the Epic browser default folder. This was expected since both Google Chrome and
    Epic Privacy Browser hail from the Chromium source code.

    Conclusion and Future Work
    In this paper, the authors presented the forensic acquisition and analysis of the Epic Privacy
    Browser on Windows 7 and Windows 10. The Epic Privacy Browser prides itself on protecting
    the user’s privacy when online and purports to clear all traces of browsing history on closure. The
    files and folders created on a temporary basis do get deleted at the end of a browsing session, but
    the information is still readily available to any forensic examiner using the standard tools.
    Windows 10 live-memory data produced the bulk of Epic artefact evidence in this operating
    system, although data was also written to the drive in the areas listed above. The results of this
    research are useful to, and may be referenced by, forensic experts involved in investigations
    concerning web activity and for those seeking advanced techniques and methods for recovering,
    parsing and analysing web-browser-specific data.

    References

    1. Aggarwal, G., Bursztein, E., Jackson, C., & Boneh, D. (2010). An analysis of private browsing
    modes in modern browsers. In Proceedings of the 19th USENIX Conference on Security. USENIX
    Association.

    2. Bissias, G., Levine, B., Liberatore, M., Lynn, B., Moore, J., Wallach, H., & Wolak, J. (2016).
    Characterization of contact offenders and child exploitation material trafficking on five
    peer-to-peer networks. Child Abuse & Neglect, 52, 185-199.

    3. Choi, J. H., Lee, K. G., Park, J., Lee, C., & Lee, S. (2012). Analysis framework to detect
    artifacts of portable web browser. Information Technology Convergence, Secure and Trust
    Computing, and Data Management, 207-214.

    4. Conlan, K., Baggili, I., & Breitinger, F. (2016). Anti-forensics: Furthering digital forensic
    science through a new extended, granular taxonomy. Digital Investigation, 18, S66-S75.

    5. Connolly, M., Niebuhr, J., & Bernnat, R. (2011). Limiting the Impact of Data Breach: The
    Case of the Sony PlayStation Network. Booz & Company, viewed 1 December 2017.

    6. Epic Privacy Browser Homepage (2017), viewed 1 December 2017.

    7. Farina, J., Kechadi, M., & Scanlon, M. (2015). Project Maelstrom: Forensic Analysis of the
    BitTorrent-Powered Browser. Journal of Digital Forensics, Security and Law, 10(4), 10.

    8. Farina, J., Scanlon, M., Le-Khac, N. A., & Kechadi, M. T. (2015). Overview of the forensic
    investigation of cloud services. In 2015 10th International Conference on Availability,
    Reliability and Security (ARES) (pp. 556-565). IEEE.

    9. Fox-Brewster, T. (2015). Ashley Madison Breach Could Expose Privates of 37 Million
    Cheaters. Forbes, 20 July 2015, viewed 12 September 2017.

    10. Gabet, R. M. (2016). A Comparative Forensic Analysis of Privacy Enhanced Web Browsers.
    MS Thesis, Purdue University, West Lafayette, IN, USA.

    11. Hedberg, A. (2013). The privacy of private browsing. Technical Report, Tufts University,
    MA, USA.

    12. Hitchcock, B., Le-Khac, N-A., & Scanlon, M. (2016). Tiered forensic methodology model for
    Digital Field Triage by non-digital evidence specialists. Digital Investigation, 16, S75-S85.

    13. Khanikekar, S. K. (2010). Web Forensics. Graduate Thesis, Texas A&M University, College
    Station, TX, USA.

    14. Marrington, A., Baggili, I., Al Ismail, T., & Al Kaf, A. (2012). Portable web browser
    forensics: A forensic examination of the privacy benefits of portable web browsers. In 2012
    International Conference on Computer Systems and Industrial Informatics (ICCSII) (pp. 1-6). IEEE.

    15. Reed, A., Scanlon, M., & Le-Khac, N-A. (2017). Forensic Analysis of Epic Privacy Browser on
    Windows Operating Systems. In Proceedings of the 16th European Conference on Cyber Warfare
    and Security (ECCWS 2017), Dublin, Ireland.

    16. Regshot (2016), 4 November, viewed 13 September 2017.

    17. Rubenking, N. (2014). Epic Privacy Browser. PC Magazine, 6 January 2014, viewed 12
    September 2017.

    18. Scanlon, M., Farina, J., & Kechadi, M. T. (2015). Network investigation methodology for
    BitTorrent Sync: A Peer-to-Peer based file synchronisation service. Computers & Security, 54,
    27-43.

    19. Sgaras, C., Kechadi, M. T., & Le-Khac, N. A. (2015). Forensics acquisition and analysis of
    instant messaging and VoIP applications. In Computational Forensics (pp. 188-199). Springer,
    Cham.

    20. Sha, M. M., Manesh, T., & El-Atty, S. M. A. (2016). VoIP Forensic Analyzer. International
    Journal of Advanced Computer Science and Applications (IJACSA), 7, 106-116.

    21. Toxen, B. (2014). The NSA and Snowden: Securing the all-seeing eye. Communications of the
    ACM, 57(5), 44-51.

    22. Van Dongen, W. S. (2007). Forensic artefacts left by Windows Live Messenger 8.0. Digital
    Investigation: The International Journal of Digital Forensics & Incident Response, 4(2), 73-87.
    DOI: 10.1016/j.diin.2007.06.019.

    23. Voorst, V. R., Kechadi, M-T., & Le-Khac, N-A. (2016). Forensic acquisition of IMVU: A case
    study. Journal of Digital Forensics, Security and Law, 10(4), 69-77.

    24. Warren, C., El-Sheikh, E., & Le-Khac, N-A. (2017). Privacy preserving Internet browsers:
    Forensic analysis of Browzar. In K. Daimi (Ed.), Computer and Network Security Essentials
    (pp. 369-388). Springer, Cham. DOI: 10.1007/978-3-319-58424-9_21.

    https://www.researchgate.net/publication/321796965
