Forensics Evaluation of Privacy of Portable Web Browsers

Abstract

Browsers claim private mode browsing saves no data on the host machine. Most popular web browsers also offer portable versions of their browsers which can be launched from a removable device. When the removable device is removed, it is claimed that traces of browsing activities will be deleted and consequently private portable browsers offer better privacy. This makes the task of computer forensics investigators who try to reconstruct the past browsing history, in case of any computer incidence, more challenging. However, whether or not all data is deleted beyond forensic recovery is a moot point. This research examines privacy of popular private portable browsers, including Firefox, Chrome, Safari, and Opera through both static and volatile memory forensics. In static memory, we examine the content of registry, recent, cache, cookies and temp files. In volatile memory forensics, we analyze the content of live memory. Results of this experiment show that traces of web browsing activities can be found, even after removing the portable browser device.