Saturday, January 17, 2009

Internet Explorer 8 in ‘anti forensic mode’

Microsoft has introduced some new features in Internet Explorer 8, which is currently in beta. 'InPrivate' browsing mode, which the media have dubbed "porn mode", is one such feature that I found worth looking at.

Similar functionality is available in Firefox via plug-ins and is built into Safari as 'Private Browsing', but given Internet Explorer's significant market share, this new feature may seriously hamper the identification of a suspect's web browsing activities.

Here is some information found on IEBlog.

While InPrivate Browsing is active, the following takes place:
  • New cookies are not stored
  • All new cookies become "session" cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New history entries will not be recorded
  • New temporary Internet files will be deleted after the Private Browsing window is closed
  • Form data is not stored
  • Passwords are not stored
  • Addresses typed into the address bar are not stored
  • Queries entered into the search box are not stored
  • Visited links will not be stored

Switching to InPrivate mode is as easy as pressing Ctrl+Shift+P, which opens a new InPrivate window. Every tab in that window, and any window opened from it, is also in InPrivate mode.

Corporations may find 'InPrivate' useful as an additional measure to limit their liability in harassment and similar litigation. Others, however, may decide to turn the feature off, which is easily done through Group Policy (the 'Turn off InPrivate Browsing' policy under the Internet Explorer administrative templates). Here is one way of doing this via GPEdit.msc:


A quick search for artefacts left by 'InPrivate' browsing confirmed that there was no browsing history saved.

Whilst in 'InPrivate' mode I went to google.com web site and changed search preferences to "Do not filter my search results". Later I was able to recover this: http://images.google.com.au/setprefs?sig=0_Ai3r3BRa_NyzSVLmEfe1fo_5H6M%3D&hl=en&lang=all&safe=off&num=10&q=&prev=http%3A%2F%2Fimages.google.com.au%2Fimghp%3Fhl%3Den%26tab%3Dwi&submit2=Save+Preferences+

I then searched for "military tanks" pictures and clicked on several links. After viewing some images, I closed IE 8 and went searching for any traces of the above-mentioned activities. For this I used X-Ways Forensics and NetAnalysis. I was unable to locate my typed search term "military tanks", and no browsing history was found.

Searching inside
c:\Users\%USER%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RandomFolderName
produced good results and I was able to recover most of the deleted images.

Digging further confirmed that upon exiting 'InPrivate' mode, IE 8 deleted files from Temporary Internet Files and from the %Windows%\Temp directory. IE 8 beta 2 was tested on Windows XP and Windows 7 Beta test machines. In general, 'InPrivate' mode works as stated by Microsoft, with only a few traces left behind, which means extra work for forensic examiners.
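The examination described above (pulling images out of the cache folder, then looking for the typed search term and the setprefs URL) comes down to two techniques: signature carving and encoding-aware keyword search. The following is an added example, not code from this post or from X-Ways or NetAnalysis, and the function names are my own. The buffer it scans is constructed inline to stand in for a cache file or a slice of disk image; it does not read a real Content.IE5 folder.

```python
"""Signature carving and keyword search over a cache-file / slack-space buffer.

Added example, not code from the original post, from Microsoft, or from the
X-Ways / NetAnalysis tools it mentions. SAMPLE is constructed test data,
not a real Temporary Internet Files entry.
"""
import re

# File signatures (magic bytes) and trailers. Only JPEG and PNG are shown;
# GIF's trailer is a lone ';', far too common a byte to carve on naively.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),                    # SOI ... EOI
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),   # header ... IEND chunk + CRC
}

# Printable, non-space run after an http(s) scheme, as it sits in a request line.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def carve_images(buf: bytes):
    """Return [(kind, start, end)] for every header/trailer pair found in buf.

    Caveat: a JPEG with an embedded EXIF thumbnail carries an inner EOI, so a
    plain header/trailer carve can cut such a file short; a structure-aware
    parser is needed for those. A header with no trailer (truncated file) is
    skipped rather than guessed at.
    """
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = buf.find(header)
        while start != -1:
            end = buf.find(trailer, start + len(header))
            if end == -1:
                break
            end += len(trailer)
            found.append((kind, start, end))
            start = buf.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def keyword_hits(buf: bytes, term: str):
    """Case-insensitive search for term encoded as ASCII and as UTF-16LE.

    Windows keeps many strings (index.dat paths, registry values, typed URLs)
    as UTF-16LE; an ASCII-only search silently misses those copies.
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
        hits.extend((enc, m.start()) for m in pattern.finditer(buf))
    return hits


def find_urls(buf: bytes):
    """Return decoded http(s) URLs found as ASCII runs (e.g. a Google setprefs URL)."""
    return [m.group().decode("latin-1") for m in URL_RE.finditer(buf)]


# Constructed sample buffer: a request line carrying a setprefs URL, a stub
# JPEG, the search term stored as UTF-16LE, a stub PNG and an ASCII page title.
SAMPLE = (
    b"\x00" * 16
    + b"GET http://images.google.com.au/setprefs?hl=en&safe=off&num=10 HTTP/1.1\r\n"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    + b"\x00" * 8
    + "military tanks".encode("utf-16-le")
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 17
    + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
    + b"Military Tanks wallpaper"
)

if __name__ == "__main__":
    for kind, start, end in carve_images(SAMPLE):
        print(f"{kind}: offset {start}-{end} ({end - start} bytes)")
    for enc, offset in keyword_hits(SAMPLE, "military tanks"):
        print(f"keyword ({enc}) at offset {offset}")
    for url in find_urls(SAMPLE):
        print("url:", url)
```

Run against a real cache folder, you would read each file (or the raw volume) into `buf` and write each carved `buf[start:end]` slice out under its own name. The point of `keyword_hits` is the second encoding: a term that appears to be absent in an ASCII string search may still be sitting in a UTF-16LE structure, so both should always be tried before concluding that a trace was not left.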
