How private is Internet Explorer’s “InPrivate” browsing mode?
InPrivate Browsing is a feature of Internet Explorer that was introduced a handful of years ago. Nicknamed ‘porn mode’, it is designed to allow the user to browse the Internet without the browser storing Internet history and webpage cache information, as it typically does. This feature was really designed for public computers (apartment complexes, Internet cafés, etc.) where, without “InPrivate”, a person’s browser history could traditionally be viewed by anyone else who has access to that user account profile. But just how private is it?
According to Microsoft: “InPrivate Browsing in Internet Explorer helps prevent one’s browsing history, temporary Internet files, form data, cookies, and usernames and passwords from being retained by the browser, leaving no easily accessible evidence of browsing or search history. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can use to track browsing activity. InPrivate Subscriptions allow you to augment the capability of InPrivate Blocking by subscribing to lists of websites to block or allow.”
InPrivate mode is activated in Internet Explorer by selecting Tools -> InPrivate Browsing (Ctrl+Shift+P).
Depending on the version of IE, the word “InPrivate” will appear either in the title bar or address bar, as shown below. Any additional tabs opened will also be in “InPrivate” mode.
InPrivate Browsing mode might not be what you were imagining. Forensic examiners would expect a feature that advertises itself as preventing the storage of browsing artifacts to also hinder us during a forensic examination. The reality of InPrivate mode is that IE still creates data on the disk related to the user’s browsing activity. Cached files are still placed in the standard “Temporary Internet Files” subdirectories, URLs are still recorded in the index.dat file(s), and there are many other locations you’ll find data from InPrivate browsing. Cookies are now treated as “session cookies” and deleted upon the closing of the browser.
Here is the first example of evidence showing that InPrivate browsing is being used. Can you guess what version of IE I am using by the path of the evidence?
This exercise was performed on IE 10. Note the new location of the evidence stored. From a forensic perspective, the most important change between versions is that the previously used index.dat files are now replaced with an ESE (also known as JET Blue) database, named WebCacheV01.dat. Below is a depiction of file types and names of the new IE 10 logs:
The ESE database captures and stores not only web artifacts, but also local file paths from browsing through Windows Explorer, as shown in the picture below. (Note: some information is hidden to remain anonymous.)
When IE is closed, the files that were created and cached on the filesystem during your InPrivate Browsing session are then deleted, BUT NOT WIPED, as you’ll see below. (Note the difference: a deleted file’s data stays on disk until something overwrites it, while a wiped file’s data has been overwritten.) In addition, many of the artifacts that were spawned by the user’s InPrivate session were at some point in memory and therefore make their way to the pagefile. The good news there is that InPrivate browsing has no effect on the pagefile.
In order to demonstrate the outcomes of InPrivate browsing, I ran a session on Windows 7 with no prior web history. With my InPrivate session open, I surfed to LinkedIn, YouTube and Gmail.
Here is an example of the files created on the file system during an InPrivate session:
As mentioned before, upon closing your InPrivate browsing session, the files that were cached on the system are deleted, BUT NOT WIPED. Open FTK Imager and mount the physical drive. Navigate to the locations where IE stores its browsing contents. (NOTE: this is not the only location of IE artifacts.) The picture below shows that this evidence is still obtainable even after a reboot:
If you can capture RAM before the system is shut down, you have an even better chance of finding some great artifacts from InPrivate browsing sessions. Below is evidence from a RAM capture of the sites that I browsed to (LinkedIn and YouTube, and even the video I searched for on YouTube).
As you can see from the above evidence, IE InPrivate browsing mode does conceal some browsing activity, and is arguably better than regular browsing mode. Now, does it pose a severe threat to forensic examiners? Not much at all.
A few important things to remember from this:
- There are many different places that IE stores its evidence. Check them all!
- Not all evidence is deleted from the file system.
- Deleted evidence is still obtainable.
- Collection of RAM is very important and holds most of the evidence.
- File system evidence can be overwritten, so act quickly if possible.
- RAM usage will affect what is stored in the pagefile, so collect RAM FIRST!
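The RAM and pagefile points above can be checked with a simple string carve. The following is an added example, not code from the original post: it scans a raw memory capture or a copy of pagefile.sys for URLs in both ASCII and UTF-16LE. The function names, length limits and embedded sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Host of 4-253 chars, then an optional path of up to 200 printable ASCII chars.
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9.-]{4,253}(?:/[\x21-\x7e]{0,200})?")
# Same shape with a NUL after each character: UTF-16LE, which Windows uses for wide strings.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[A-Za-z0-9.-]\x00){4,253}"
    rb"(?:/\x00(?:[\x21-\x7e]\x00){0,200})?")
# Constructed sample standing in for a memory page: one ASCII URL, one UTF-16LE URL.
SAMPLE = (b"\xaa" * 40 + b"https://www.linkedin.com/feed/\x00" + b"\x90" * 25
          + "https://www.youtube.com/results?search_query=example".encode("utf-16-le")
          + b"\x00\x00" + b"\xcc" * 30)

def scan_buffer(buf):
    """Return sorted (offset, encoding, url) tuples for every URL found in buf."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_URL.finditer(buf)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in WIDE_URL.finditer(buf)]
    return sorted(hits)

def scan_image(path, chunk_size=1 << 20, overlap=1024):
    """Scan a raw RAM capture or pagefile copy in chunks, reporting file offsets."""
    # overlap exceeds the longest possible match (about 924 bytes), so a URL that
    # straddles a read boundary is reported once, in full, by the next window.
    hits, base = [], 0                      # base = file offset of buf[0]
    with open(path, "rb") as fh:
        buf = fh.read(chunk_size)
        while buf:
            nxt = fh.read(chunk_size)
            limit = max(len(buf) - overlap, 0) if nxt else len(buf)
            hits += [(base + o, e, u) for o, e, u in scan_buffer(buf) if o < limit]
            if not nxt:
                break
            base += limit
            buf = buf[limit:] + nxt         # keep the unreported tail
    return hits

def host_counts(hits):
    """Tally hits per hostname, merging both encodings."""
    return Counter(urlsplit(url).hostname for _, _, url in hits)

if __name__ == "__main__":
    found = scan_image(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE)
    for offset, enc, url in found:
        print(f"{offset:#012x}  {enc:8}  {url}")
```

Run it against a working copy of the image, never the original evidence; the reported offsets let you return to each hit in a hex viewer for surrounding context.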