Forensic implications of a person using Firefox’s “Private Browsing”


This blog post is the final installment in a three-part series that discusses the privacy modes of the three major web browsers and their implications for digital forensics. You can see the original post for Internet Explorer here, or Google Chrome here.

In this post, I will briefly discuss Firefox’s “Private Browsing” feature. One of the key statements in the Private Browsing description in the Mozilla product page is “Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited”. Some additional information from the Mozilla Firefox documentation:

What does Private Browsing not save?

  • Visited pages: No pages will be added to the list of sites in the History menu, the Library window’s history list, or the Awesome Bar address list.
  • Form and Search Bar entries: Nothing you enter into text boxes on web pages or the Search bar will be saved for Form autocomplete.
  • Passwords: No new passwords will be saved.
  • Download List entries: No files you download will be listed in the Downloads Window after you turn off Private Browsing.
  • Cookies: Cookies store information about websites you visit such as site preferences, login status, and data used by plugins like Adobe Flash. Cookies can also be used by third parties to track you across websites. For more info about tracking, see How do I turn on the Do-not-track feature?
  • Cached Web Content and Offline Web Content and User Data: No temporary Internet files (cached files) or files that websites save for offline use will be saved.

Private browsing is activated through the ‘File -> New Private Window’ menu option (CTRL+Shift+P). Once activated, the user is presented with the following window/information:

Private Browsing

First, here is a baseline of all artifacts found before Firefox was even installed.

Artifacts Baseline

After Firefox was installed and immediately put into Private Browsing mode, I did a few hours of Internet browsing and then re-ran IEF (Internet Evidence Finder) with the following results (after the Firefox browser was closed, but before a reboot):

Post Private Browsing - No Reboot

A quick filter was applied to show ONLY the hits in the pagefile, and it revealed that almost 100% of the hits above were located in the pagefile.sys file (virtual memory).

Pagefile.sys hits

A dump of memory was then done and analyzed using the same process:

Memory Dump Analysis

After a reboot and some additional general use (no browsers), I ran IEF again and still found thousands of artifacts in the pagefile.

After Reboot Results

If you have read the previous two parts of this series (Internet Explorer’s InPrivate and Chrome’s Incognito), then these results should not come as a great surprise.

While all three of these browsers try to reduce the amount of information left behind after usage, and for the most part stop or minimize the amount of data THEY store, they cannot completely stop or control what ends up in memory and the pagefile.
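To make the pagefile and memory-dump findings above concrete, here is a minimal URL carver for a raw image such as a copy of pagefile.sys. It is an added example, not code from the original post and not how IEF works internally; the function names, the regular expressions and the sample bytes are assumptions made for illustration.

```python
import io
import re
from collections import Counter

# Bytes allowed inside a carved URL: printable ASCII except space, quotes and angle brackets.
_CH = rb'[^\x00-\x20"<>\x7f-\xff]'
PATTERNS = (
    ("ascii", re.compile(rb"https?://" + _CH + rb"{4,512}")),
    # Windows processes often hold strings as UTF-16LE: every character is followed by NUL.
    ("utf-16-le", re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _CH + rb"\x00){4,512}")),
)

def carve_urls(stream, chunk=1 << 20, overlap=2048):
    """Yield (file_offset, encoding, url) for URL-like strings in a raw binary stream.

    The stream is read in chunks because a pagefile or memory image can be many GiB.
    `overlap` must be at least as long as the longest possible match so that a URL
    straddling a chunk boundary is reported once, in full.
    """
    buf, base = b"", 0                      # base = file offset of buf[0]
    while True:
        data = stream.read(chunk)
        final = not data
        buf += data
        # Hits starting in the last `overlap` bytes may be truncated: defer them.
        limit = len(buf) if final else max(len(buf) - overlap, 0)
        for enc, rx in PATTERNS:
            for m in rx.finditer(buf):
                if m.start() >= limit:
                    break
                yield base + m.start(), enc, m.group().decode(enc)
        if final:
            return
        base, buf = base + limit, buf[limit:]

def hits_per_host(stream, **kw):
    """Group carved URLs by host, as a triage summary would."""
    hosts = Counter()
    for _off, _enc, url in carve_urls(stream, **kw):
        hosts[re.split(r"[/?#:]", url.split("//", 1)[1], maxsplit=1)[0].lower()] += 1
    return hosts

# Constructed sample standing in for a pagefile fragment (not data from the post).
SAMPLE = (b"\x00\x13\xff" * 40 + b"https://mail.example.test/inbox?id=7\x00"
          + b"\xde\xad" * 25 + "http://forum.example.test/thread/42".encode("utf-16-le")
          + b"\x00\x00" + b"\x90" * 30 + b"https://mail.example.test/compose\r\n")

if __name__ == "__main__":
    for hit in sorted(carve_urls(io.BytesIO(SAMPLE))):
        print("0x%08x  %-9s  %s" % hit)
    print(hits_per_host(io.BytesIO(SAMPLE)).most_common())
```

Run it against a working copy of the image opened in binary mode, never the original evidence file; the reported offsets let you return to each hit in a hex viewer to examine the surrounding bytes.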

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com