How does Chrome’s ‘incognito’ mode affect digital forensics?


This post is a follow-up to a post I recently did about Internet Explorer’s ‘In-Private’ mode. I received a lot of messages asking about the private browsing modes in Chrome and Firefox and how it may affect digital forensics. This post discusses the Chrome ‘incognito’ mode and the effects it may or may not have on digital forensics.

Chrome’s ‘incognito’ mode is very similar to Internet Explorer’s ‘In-Private’ mode. To access this ‘private’ browsing feature, a user simply chooses the “New incognito window’ from the Chrome menu on the toolbar. Alternatively, a user can use Ctrl+Shift+N to start a new incognito session in a new window. Additional browsing tabs that are opened in that new incognito window will also be in incognito mode.

Here is a description of ‘incognito’ from Chrome’s internal help document:

Incognito Description

To illustrate how incognito may or may not affect artifacts, I started with a clean installation of Chrome with no browsing history and immediately opened an incognito window.

Incognito Window

I then browsed to several websites, including Google, Gmail, Facebook, Flickr & Yahoo. I logged in to check mail, check some Facebook statuses, sent a few messages and conducted a few web searches.

After some moderate browsing, I ran Internet Evidence Finder and only selected Chrome browser artifacts, webmail, as well as the social networking artifacts. I was greeted with these results:

IEF Results

Almost all of the results found were in the pagefile.sys file. This is quite different from the “In-Private” results in Internet Explorer, but there is a reason for this.

Internet Explorer stores many artifacts as files on the file system, such as the cached webpages, images, etc. whereas Chrome uses a SQLite database to track many of those records. Chrome’s incognito is not making records for the webpages visited or caching the images/pages like Internet Explorer does in “In-Private” mode, but then IE deletes them at the end of the private browsing session, leaving artifacts in unallocated. The result with using Chrome’s incognito is far fewer artifacts ever hitting the disk and ultimately going into unallocated space.

However, what Chrome’s incognito mode cannot control, just like Internet Explorer’s “InPrivate” mode, is what ends up in RAM and the pagefile.sys file (virtual RAM). This is another wakeup call to revisit your workflow and processes to make sure the collection of RAM is a high priority and at the top of your “order of volatility” list.

For fun, I collected the system’s RAM to see what I could find in RAM related to my incognito browsing sessions compared to what I was finding in the pagefile.sys file itself.

RAM related to Incognito

In the example above, I used a virtual machine with a small amount of RAM (1024M) and over time it is apparent more artifacts ended up in the pagefile.sys than remained in RAM at any one time. Certainly the total amount of RAM installed as well as the amount of time since the artifact was created in RAM and/or the pagefile.sys file will affect how long it sticks around and can later be found during a forensic examination.

So while Chrome’s incognito mode tends to leave fewer artifacts in unallocated compared to Internet Explorer’s “In-Private” mode, it still can leave lots of important artifacts in memory and in the pagefile.sys file.

 

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com