This blog post is the final in a three part series that discusses the privacy modes of the three major web browsers and what implications it has on digital forensics. You can see the original post for Internet Explorer here, or Google Chrome here.
In this post, I will briefly discuss Firefox’s “Private Browsing” feature. One of the key statements in the Private Browsing description in the Mozilla product page is “Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited”. Some additional information from the Mozilla Firefox documentation:
What does Private Browsing not save?
Private browsing is activated through the ‘File -> New Private Window’ menu option (CTRL+Shift+P). Once activated, the user is presented with the following window/information:
First, here is a baseline of all artifacts found before Firefox was even installed.
After Firefox was installed and immediately put into Private Browsing mode, I did a few hours of Internet browsing and then re-ran IEF with the following results (after the Firefox browser was closed, but before a reboot):
A quick filter was applied to show ONLY the hits in the pagefile and it reveals almost 100% of the hits above were located in the pagefile.sys file (virtual memory).
A dump of memory was then done and analyzed using the same process:
After a reboot and some additional general use (no browsers), I ran IEF again and still found thousands of artifacts in the pagefile.
While all three of these browsers try and reduce the amount of information left behind after usage and for the most part stop or minimize the amount of data THEY store, they cannot completely stop or control what ends up in memory and the pagefile.
As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com