
2016

Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings

May 25th, 1:00 PM

Forensics Analysis of Privacy of Portable Web Browsers


Ahmad Ghafarian
Department of Computer Science and Information Systems, Mike Cottrell College of Business,
ahmad.ghafarian@ung.edu

Follow this and additional works at: https://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security
Studies Commons, Forensic Science and Technology Commons, Information Security Commons,
National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and
the Social Control, Law, Crime, and Deviance Commons

Scholarly Commons Citation


Ghafarian, Ahmad, "Forensics Analysis of Privacy of Portable Web Browsers" (2016). Annual ADFSL
Conference on Digital Forensics, Security and Law. 9.
https://commons.erau.edu/adfsl/2016/wednesday/9

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact commons@erau.edu.

(c) ADFSL
Forensics Analysis of Privacy of Portable Web … CDFSL Proceedings 2016

FORENSICS ANALYSIS OF PRIVACY OF PORTABLE WEB BROWSERS
Ahmad Ghafarian
Department of Computer Science and Information Systems
Mike Cottrell College of Business
University of North Georgia, Dahlonega, GA 30597, USA
Ahmad.ghafarian@ung.edu

ABSTRACT
Web browser vendors offer a portable web browser option, which is considered one of the features that provides user privacy. A portable web browser is a browser that can be launched from a USB flash drive without the need for its installation on the host machine. Most popular web browsers have portable versions as well. Portable web browsing poses a great challenge to computer forensic investigators who try to reconstruct past browsing history in case of a computer incident. This research examines various sources in the host machine, such as physical memory, temporary, recent and event files, the Windows Registry, and Cache.dll files, for evidential information regarding a portable browsing session. The portable browsers under this study include Firefox, Chrome, Safari, and Opera. Results of this experiment show that portable web browsers do not provide user privacy as they are expected to do.

Keywords: computer forensics tools, RAM forensics, volatile memory, forensics artifacts, Registry

INTRODUCTION

When surfing the web, browsers save information about the surfing activities in various locations. In an attempt to maintain privacy of web browsing, most major web browsers have a portable version of their browsers. A portable browser is a browser that can be saved on a removable storage media such as a USB flash drive. The browser can then be launched from the flash drive without the need for its installation on the host machine (Choi, et al, 2012). From a computer-forensics point of view, browsing artifacts can be saved on the portable browser flash drive, the server and the host machine. The local machine saves browsing data in both static media such as the hard drive as well as random access memory (RAM), also known as volatile memory (Aggarwal and Jackson, 2010). The data that is contained within the two types of sources varies significantly. Static media is primarily used for long term storage and contains data such as executables, images, documents, and browser history. On the other hand, physical memory is a temporary working space for data that are being used by the system. The major difference between the data sources in relation to a computer-forensic investigation is that the latter is a less tangible source of evidence (Simmons & Slay, 2009).

Forensics artifacts left after a portable browsing session can be retrieved from sources such as caches, history, cookies, and download file lists (Davis, 2009). On the other hand, retrieving portable browsing forensics artifacts left behind in main memory has recently attracted some attention (Oh et al, 2011) (Shashidhar, 2013). The authors have used limited memory forensics to retrieve forensics data left after a portable browsing session. They argue that memory forensics is very promising in establishing a link between the suspect and the retrieved data.

When we are dealing with portable browsing artifacts, memory forensics would be challenging because once we remove the portable browser flash media from the suspect machine, the portable browser-related data content in the main memory will gradually be deleted.

The focus of this research is the examination of various sources such as main memory, temporary files, recent files, event files, the Windows Registry, and the Cache.dll file in the suspect machine, looking for residual artifacts left behind after private portable web browsing activities. The research experimentally analyzes both static media sources such as the hard drive as well as volatile memory for their evidential potential related to portable web browser activities. The portable browsers under this study include Firefox, Google Chrome, Opera and Safari. To evaluate the effectiveness of browser closure after a browsing session, the experiment is carried out in two cases: 1) the portable browser flash drive is left attached to the suspect machine after a browsing session and 2) the portable browser flash drive is removed from the suspect machine after a browsing session. The results will be tabulated for comparison purposes.

The remainder of this paper is organized as follows: Section 2 gives the literature review, section 3 provides the research methodology, results appear in section 4, section 5 covers the conclusion and future research is presented in section 6.

LITERATURE REVIEW

In this section, we review the previous work on portable browsing forensics. We study portable browsing artifacts retrievable from static media and from main memory.

Static Media Forensics

Static media forensics related to the artifacts left due to a portable browsing session has been studied by various researchers. For example, Marrington et al (2013) examined the privacy of the Google Chrome portable web browser using conventional forensics by taking an image of the hard drive after a portable browsing session and analyzing the image. The details of the analysis are not clear in their paper. They reported that portable Google Chrome does leave traces of browsing activities on the hard drive. In other research, the privacy of portable Google Chrome has been studied by Adautin and Meeran (2015). The researchers examined the content of the IconCache.db database as well as the Windows Registry and reported that they found evidence of portable browsing activities. They claim that they examined the content of volatile memory; however, other than making some general recommendations, the authors provided no details of their RAM forensics process. It is worthwhile to notice that in both cases of hard drive forensics and volatile memory forensics, they left the portable flash drive connected to the suspect machine during their experiment.

Dharan and Meeran (2014) have reported that portable web browsing activities can be obtained by searching the Windows Registry and Prefetch files. The researchers performed both live and offline forensics and reported evidence of portable web browsing activities in both cases. However, their experiment description is very fuzzy and they did not disclose the portable browser with which they experimented.


Memory Forensics

Memory forensics involves two steps: memory capture and analysis of the captured memory. RAM capture is the process of making an image of the physical memory and saving it as a file on an external storage media. Memory analysis involves parsing the data structure tree of the captured memory file, looking for processes that were running when the memory was taken as well as other data such as passwords, downloaded files, SSL certificates, URLs, etc. To facilitate memory forensics, several open-source and proprietary RAM forensics tools have been developed. Some examples include Volatility (2015), Redline (2015), and WinHex (2015).

One of the most comprehensive portable browsing forensics studies is the work of Ohana and Shashidhar (2013). Along with other forensics investigation methods, the researchers performed RAM forensics with three portable web browsers, namely Mozilla Firefox portable, Google Chrome portable, and Opera portable. They conclude that the best way to recover residual data is to obtain the evidence from RAM, but that is not always possible for investigators. Also, they did not disclose whether, during the RAM capture, the portable flash drive was connected to the suspect machine or not. Based on our own results, we believe the researchers captured RAM while the portable flash drive was still attached to the suspect machine.

Oh, et al. (2012) demonstrated that web browsing activities can be obtained from the web browser’s log file. They suggest that current tools are not adequate for this task. Consequently, they developed a tool called WEF. This tool provides an integrated analysis function for various web browsers in various time zones. In addition, online user activity, search words, and URL parameters, which are significant information for digital forensics, can be confirmed. In special cases, if the search word information is encoded in unfamiliar characters, this tool provides a decoding function.

Other researchers have explored memory forensics in relation to private browsing mode; however, in both cases of private browsing and private portable browsing, the process of RAM forensics and the objective remain the same, which is maintaining the privacy of the user. For this reason, we briefly review some of the important memory forensics research findings here.

Mahendrakar, et al. (2010) examined various popular web browsers in private mode to determine traces of browsing activities that remain in physical memory. They created a website which contained individual pages that required the browser to interact with various types of data including SSL certificates, form passwords, form text entries, HTML files, JPEG files, and cookies. Since they used their own memory parser tool, which is not publicly available, and their experiment was performed in a controlled research setting, their result cannot be replicated.

Said, et al. (2011) examined the content of the volatile memory after a private browsing session and found artifacts left in memory about user activities. Private-mode browsing has also been studied by Satvat, et al. (2014). In their experiment, after navigating a few websites in private mode and closing the session, they discovered traces of private navigation in RAM. The researchers did not disclose the details of RAM forensics tools and methodologies and thus their findings cannot be proved by replication.

In a study of physical memory forensics, Hejazi, et al. (2009) proposed a new technique for extracting sensitive information from physical memory. Their technique is based on analyzing the call stack and the security-sensitive Application Program Interfaces (API). They implemented this technique as part of a memory analysis plug-in, which takes a memory image file and analyzes the file.

A theoretical discussion of RAM forensics tools, techniques and guidelines can be found in (Simmons, 2009) and (Amari, 2009). The authors discuss the way physical memory works in Windows and Linux operating systems as well as the types of forensically valuable data that can be extracted from physical memory.

RESEARCH METHODOLOGY

In this section, we provide the tools, techniques and the forensics investigation methodologies.

Technology and Setup

In preparation for the forensics experiment, the following tools were used.

Hardware:
• One Desktop PC (4GB RAM) for forensics workstation activities
• Four other Desktop PCs (4GB RAM) for suspect activities
• Four USB Flash Drives (8GB) for portable browsers
• Four USB External Drives (8GB) for captured RAMs
• SATA to USB adaptor
• USB write blocker

Software:
• Microsoft Windows 7, Pro 32 bits, SP1
• DaemonFS - file integrity monitoring software
• Paragon DiskWipe v 12
• Nirsoft Internet Tools - history, cache, and cookie viewers
• Firefox Portable 33.0, Google Chrome portable 42.0.2311.90, Opera portable 12.7, and Safari portable 5.1.7
• FTK Imager Lite - portable version
• SQLite Maestro software
• WinHex
• Mandiant Redline
• DumpIt memory capture software

Experiment

We started by uninstalling the OS from all four PCs and installing Windows 7 fresh. Then we installed DaemonFS (2015), which is a tool that monitors files on the hard disk in real time. We installed several tools from NirSoft (2015) on the PCs for viewing history, cache, and cookies. Next, we used Paragon Disk Wiper (2015) to wipe all USB flash and external drives. The flash drives were installed with a free utility program called PortableApps (2015). This utility allows you to run different programs from a flash drive, similar to an OS Start menu. Subsequently, we installed the portable web browsers on the USB flash drives and connected the flash drives to the suspect PCs. We also attached the write-blocker to the suspect machines. We should note that the only browser on each machine was the portable browser, and there were no installed browsers. At this point we were ready to do the web-browsing activities. Each portable browser was individually launched in private mode followed by the same series of web activities, i.e. logging in to email and bank accounts, sending/receiving email, searching for images and videos, uploading and downloading files and streaming videos.


Using DaemonFS (2015) and NirLauncher, a Nirsoft tool (2015), we examined temp, recent, Cache.dll, and cookies with the aim of finding footprints of portable browsing activities. Our experiment showed that in all four browsers, after the USB flash drive was removed from the suspect machine, most of the browsing activity information was created, modified, and then deleted from the host machine (see Table 1). This observation is consistent with the results reported by Ohana and Shashidhar (2013). Table 1 entries show that portable Firefox and portable Opera provide slightly more privacy than portable Chrome and portable Safari. This is because with portable Chrome we were able to see some account login information. Similarly, use of Safari leaves traces of email communication activities. We repeated the RAM forensics process to verify the validity of the results, and the same results were obtained the second time as well.

Table 1
Retrieved portable browsing artifacts

| Portable Browser | Suspect machine activity |
|---|---|
| Google Chrome | temp, recent, and Cache.dll created and then deleted; some account login info and downloaded files created but not deleted |
| Firefox | temp, recent, and Cache.dll created and then deleted |
| Safari | temp, recent, and Cache.dll created and then deleted; for email login we noticed that some Appdata/Ntuser.dat modified on host machine but not deleted |
| Opera | temp, recent, and Cache.dll created and then deleted |

Next, we used a Registry editor to examine the Windows Registry. Table 2 shows portable browsing information retrieved by examining the Registry.

Table 2
Portable browsing artifacts retrievable from Registry

| Portable Browser | Registry report of host machine activity |
|---|---|
| Google Chrome | Flash drive vendor ID, product ID, version, serial number, drive letter, URLs visited were retrievable. Some registry keys were created but deleted after the browser was removed |
| Firefox | Flash drive vendor ID, product ID, version, serial number, drive letter, URLs visited were retrievable. The time/date the browser launched was also visible |
| Safari | Flash drive vendor ID, product ID, version, serial number, drive letter, URLs visited were retrievable. |
| Opera | Flash drive vendor ID, product ID, version, serial number, drive letter, URLs visited were retrievable. The time/date the browser launched was also visible |

Table 2 entries show information such as flash drive vendor ID, product ID, serial number, the URL history and the date/time the browsers were launched. This is important evidential information for computer forensics investigators. This data establishes a link between the suspect and browsing activities; however, we were not able to see the details of browsing activities such as browsing history, cookies, search items, etc. This indicates that although examination of the Registry data is very useful, it is not sufficient.

We also analyzed the SQLite database which stores user-defined records in large tables. Examination of this database shows no details of web-surfing activities. Table 3 shows the activities on the host machine reported by the SQLite database. As can be seen from the entries, there are no privacy differences between the portable web browsers with which we experimented.

Table 3
SQLite report of portable browsing session

| Portable Browser | Suspect machine activity |
|---|---|
| Google Chrome | cookies.sqlite-wal, places.sqlite-shm, and webappsstore.sqlite-shm were deleted; profile/*.db were modified |
| Firefox | cookies.sqlite-wal, places.sqlite-shm, and webappsstore.sqlite-shm were deleted; profile/*.db were modified |
| Safari | cookies.sqlite-wal, places.sqlite-shm, and webappsstore.sqlite-shm were deleted; profile/*.db were modified |
| Opera | cookies.sqlite-wal, places.sqlite-shm, and webappsstore.sqlite-shm were deleted; profile/*.db were modified |

For RAM forensics we followed the framework suggested by Ghafarian (2015). We chose an open source memory forensics tool called Redline (2015) for the following reasons:
• Graphical user interface
• Selection option which allows the user to choose only browsing-related processes and disable all the other processes and files
• Allows importing memory analysis results to a file such as MS Word for offline processing
• Easy to use and has a comprehensive user manual.

In Redline, the RAM capture tool is called ‘Collector’ and the RAM analysis tool is called ‘Memoryze.’ We created the Collector software and saved it on a USB external drive. We also created the Memoryze and saved it on the forensics workstation machine. The details of creating these tools can be found in the Redline user manual.

The experiment consisted of two parts. In the first part, after a portable browsing session, we left the portable browser flash drive attached to the suspect machine, captured, and analyzed the RAM. In the second part, we removed the portable browser flash drive, captured the RAM, and analyzed it. RAM capture in the latter part is very time sensitive and it depends on the time gap between removal of the portable browser flash drive and RAM capture. Since Redline Collector cannot collect information about terminated processes and closed files, we also used the WinHex (2015) hexadecimal editor.

RAM Forensics Process

To make data extraction less cumbersome, we cleared all cookies, cache, history, bookmarks, etc. that may have been left on the suspect machines from our earlier experiment. We installed Memoryze software on the forensics workstation. To simplify analysis, we disabled physical address extension mode on Redline. We ran Redline, created the RAM capture Collector, and saved it on a wiped USB external drive. Then we followed the steps below:

1. Attached the portable browser flash drive to the suspect machine and configured the browser as the default browser with extensions and plug-ins disabled. Then we performed a browsing session, attached the Collector external drive to the suspect machine, captured RAM, saved the file onto the external drive and removed the external drive for RAM analysis.
2. Step 1 was repeated for all the other suspect machines with a different portable browser.
3. We repeated steps 1 and 2 above, but this time we removed the portable browser flash drive and immediately captured the RAM and saved it to the external drive.
4. Configured Memoryze to retrieve only browsing-related information and processes. This action reduced the amount and time of data analysis. We imported the memory parsed data to an MS Word file for offline analysis. We should note that Redline only provides information about running processes and programs that were running before memory was captured. We also used WinHex to retrieve residual data on these processes and files.
5. Step 4 was repeated for the other three captured RAM files.

Overall, we had four RAM capture files for the cases when the portable browser flash drives were still attached to the suspect machine during the RAM capture process, and four captured RAM files for the case when the portable storage flash drives were removed after each browsing session. The total number of memory files that we captured was eight. Considering each RAM capture took on average one hour, we spent eight hours capturing the memory of the suspect machines. The process of memory capture and analysis was performed according to the forensics investigation rules and regulations. The results are discussed in the next section.

RESULTS

Retrievable computer forensics artifacts after a portable browsing session via memory forensics for all four browsers are summarized in Table 4. The blue columns represent artifacts retrieved when the portable browser flash drives were still attached to the machines when RAMs were captured. The pink columns represent retrieved data when the portable browser flash drives were removed from the suspect machines and RAMs were immediately captured.

The blue entries in Table 4 show that with the exception of the email password everything else was retrievable. That means that if the portable USB flash drive is attached to the machine during RAM capture, the portable browser provides no privacy at all. In this case, the information that was retrieved from memory is enough to conclude browsing activities and establish a link between the web browsing activities and the suspect. For example, browsing history, search history, and file downloads were retrieved from memory for all of the portable browsers we studied. This is important evidential information for computer-forensics investigators.

However, when we removed the portable browser from the PC and then captured RAM, the forensics artifacts retrieved from main memory varied slightly among the browsers. This variation is discussed below.

For Mozilla Firefox, analysis of the memory dump file showed considerable browser-related entries in memory indicating web browser activity. We were able to detect email communication details, browsing and URL history, search history, and downloaded files (documents, images, and videos). On the other hand, some information such as cookies, email password, timelines, and process ID could not be retrieved. We also used WinHex to analyze the captured RAM, but did not find any of the aforementioned data. This indicates that when the portable browser flash drives were removed, some of the browsing information was removed from the memory.

Similar results were observed for Opera. Analysis of the RAM showed that portable browser flash drive removal had an effect on the amount of data retrievable from memory. Similar to Firefox, cookies, timelines, email passwords, and process ID were deleted before we captured RAM. This is because once the portable browser flash drive is removed, the data structure tree that handles cookies, for example, is not accessible. On the other hand, we were able to identify HTML data containing various types of information including the SSL certificate for accessing a secure website, URL, file downloaded and more.

Analysis of physical memory for portable Google Chrome revealed forensically valuable artifacts such as certificates, HTML text files, URL history, and files downloaded. We should note that only Google Chrome saved the process ID in memory. Nevertheless, similar to Firefox, we were not able to see cookies, email passwords, and timeline. Analysis of the retrieved artifacts indicates that Google Chrome portable left the most residual artifacts on the host machine.

For Safari, the amount of retrieved data from the portable browsing session is identical to Firefox and Opera. That means cookies, timeline, and email password were not retrievable from main memory. However, like Firefox, we were able to see forensically valuable information such as history, file downloads, SSL certificates, etc.

In an attempt to validate the retrieved data from main memory, we used another open source software tool from Microsoft called DumpIt to capture the physical memory after a browsing session. Then we used WinHex to analyze the captured images. The results for both Redline and DumpIt were identical.

Table 4
Results of Installed Browser, and Portable Browsers

| Data Item | Firefox Removed | Opera Removed | Chrome Removed | Safari Removed | Firefox Attached | Opera Attached | Chrome Attached | Safari Attached |
|---|---|---|---|---|---|---|---|---|
| Browser process | − | − | √ | − | √ | √ | √ | √ |
| URL History | √ | √ | √ | √ | √ | √ | √ | √ |
| Cookies | − | − | − | − | √ | √ | √ | √ |
| File downloads | √ | √ | √ | √ | √ | √ | √ | √ |
| Timelines | − | − | √ | − | √ | √ | √ | √ |
| Browser history | √ | √ | √ | √ | √ | √ | √ | √ |
| Email password | − | − | − | − | − | − | − | − |
| Email ID | √ | √ | √ | √ | √ | √ | √ | √ |
| SSL Certificate | √ | √ | √ | √ | √ | √ | √ | √ |
| Search history | √ | √ | √ | √ | √ | √ | √ | √ |

(The "Attached" columns are the blue columns and the "Removed" columns the pink columns referred to in the text.)

Analysis of the Results

Interpretation of the data captured from memory indicates that portable browsing mode does leave browsing evidence, even after the browser flash drives were removed from the machine, in all four web browsers under this experiment. The type and the amount of data varied slightly among the browsers. For example, Table 4 above shows that the timeline and process ID are retrievable with portable Google Chrome. Also, Figure 1 shows the date, time, and the site that was visited. Among all the browsers in our study, Google Chrome portable left the most residual artifacts on the host machine.
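Step 4 of the RAM forensics process used WinHex to hunt for residual strings that Redline no longer attributes to a running process. The carver below is an added example, not the paper's tooling: it pulls printable ASCII and UTF-16LE runs out of a raw memory image and matches URL and HTTP cookie patterns in them, reporting absolute byte offsets; the sample image bytes are constructed.

```python
"""Carve browser-related strings (URLs, HTTP cookie headers) from a raw memory
image, in both 8-bit ASCII and UTF-16LE form, reporting the byte offset of
each hit. Added example; the sample image below is constructed."""
import mmap
import re
from typing import Dict, Iterator, List, Pattern, Tuple

MIN_RUN = 8  # shortest printable run treated as a string, as in `strings`
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
# UTF-16LE text made of ASCII characters: every byte is followed by 0x00.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)

PATTERNS: Dict[str, Pattern[str]] = {
    "url": re.compile(r"https?://[^\s\"'<>]{4,}"),
    "cookie": re.compile(r"(?:Set-)?Cookie: [^\r\n]+"),
}

Hit = Tuple[int, str, str, str]  # (offset, kind, encoding, text)


def iter_strings(buf) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in buf."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def carve_artifacts(buf, patterns: Dict[str, Pattern[str]] = PATTERNS) -> List[Hit]:
    """Match each pattern inside every extracted string. Offsets are absolute
    image offsets (UTF-16LE matches are scaled by two bytes per character)."""
    hits: List[Hit] = []
    for base, enc, text in iter_strings(buf):
        width = 2 if enc == "utf-16le" else 1
        for kind, rx in patterns.items():
            for m in rx.finditer(text):
                hits.append((base + width * m.start(), kind, enc, m.group()))
    hits.sort()
    return hits


def carve_file(path: str, patterns: Dict[str, Pattern[str]] = PATTERNS) -> List[Hit]:
    """Memory-map the image so multi-gigabyte captures are scanned without
    loading them into RAM; the regexes work directly on the mapped buffer."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return carve_artifacts(mm, patterns)


# Constructed stand-in for a memory image: filler, an HTTP request with a
# cookie header (ASCII), a URL kept as UTF-16LE text, and a second ASCII URL.
SAMPLE_IMAGE = (
    b"\xff\x00\x01" * 200
    + b"GET /search?q=portable+browser HTTP/1.1\r\nHost: www.example.com\r\n"
    + b"Cookie: sessionid=abc123; lang=en\r\n"
    + b"\x00" * 64
    + "https://mail.example.com/inbox?folder=sent".encode("utf-16-le")
    + b"\x00" * 64
    + b"http://bank.example.net/login\x00"
    + b"\x13\x37" * 100
)

if __name__ == "__main__":
    for off, kind, enc, text in carve_artifacts(SAMPLE_IMAGE):
        print(f"0x{off:08x} {kind:<7} {enc:<8} {text}")
```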


Examination of temp, recent, and Cache.dll showed browser activity, but all the data were deleted immediately (see Table 1). The Windows Registry showed flash drive information such as vendor ID, product ID, serial number, etc. This information establishes a link between the suspect and the browsing activities. Examination of the SQLite database also showed some information about cookies, but not sufficient to establish a conclusion. The SQLite database revealed other data such as profile/*.db.
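The flash-drive identifiers the Registry yielded (vendor ID, product ID, serial number, drive letter, as in Table 2) are carried by the device-instance names under the USBSTOR key and by MountedDevices values. The parser below is an added example, not the paper's procedure: it extracts those fields from exported key names, resolves the drive letter, and flags Windows-generated instance IDs that cannot be tied to one physical stick. The key paths, the value layout and the sample entries are assumptions from the standard Windows layout; the paper does not name them.

```python
"""Extract USB flash-drive identifiers of the kind Table 2 lists (vendor ID,
product ID, revision, serial number, drive letter) from exported Windows
Registry data. Added example. Assumed layout (standard Windows, not stated in
the paper):
  - subkeys of HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR are named
      Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\\<serial>&0
  - HKLM\\SYSTEM\\MountedDevices values named \\DosDevices\\<letter>: hold
    UTF-16LE data embedding that same device path for USB volumes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

USBSTOR_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<serial>[^\\]+?)(?:&\d+)?$"
)
MOUNTED_RE = re.compile(r"USBSTOR#Disk&Ven_[^#]*#(?P<serial>[^#]+?)(?:&\d+)?#")


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_device_unique: bool      # False when Windows synthesised the ID
    drive_letter: Optional[str] = None


def parse_usbstor_subkey(subkey: str) -> Optional[UsbDevice]:
    """Return the device described by one USBSTOR subkey name, or None."""
    m = USBSTOR_RE.match(subkey.strip())
    if not m:
        return None
    serial = m.group("serial")
    # A '&' in the second position marks an instance ID that Windows made up
    # because the device reported no serial number; such an ID depends on the
    # port and host it was seen on, so it cannot be tied to one physical stick.
    unique = not (len(serial) > 1 and serial[1] == "&")
    return UsbDevice(m.group("vendor"), m.group("product"), m.group("rev"),
                     serial, unique)


def resolve_drive_letters(devices: List[UsbDevice],
                          mounted: Dict[str, bytes]) -> None:
    """Attach drive letters from MountedDevices values to matching devices."""
    by_serial = {d.serial: d for d in devices}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # \??\Volume{...} entries carry no drive letter
        # Fixed-disk entries are short binary blobs; decoding them yields no match.
        text = data.decode("utf-16-le", errors="ignore")
        m = MOUNTED_RE.search(text)
        if m and m.group("serial") in by_serial:
            by_serial[m.group("serial")].drive_letter = name.rsplit("\\", 1)[1]


def usb_devices_from_registry(subkeys: List[str],
                              mounted: Dict[str, bytes]) -> List[UsbDevice]:
    devices = [d for d in map(parse_usbstor_subkey, subkeys) if d is not None]
    resolve_drive_letters(devices, mounted)
    return devices


# Constructed sample data standing in for an exported SYSTEM hive.
DISK_IFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK
SAMPLE_USBSTOR = [
    r"Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E02B1234567890AB&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",
]
SAMPLE_MOUNTED = {
    # fixed disk: MBR signature + partition offset, not a USB device path
    "\\DosDevices\\C:": bytes.fromhex("785634120010000000000000"),
    "\\DosDevices\\E:": ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0"
                         "&Rev_PMAP#0019E02B1234567890AB&0#" + DISK_IFACE_GUID
                         ).encode("utf-16-le"),
    "\\??\\Volume{0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b}": (
        "\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
        "#7&1a2b3c4d&0#" + DISK_IFACE_GUID).encode("utf-16-le"),
}

if __name__ == "__main__":
    for d in usb_devices_from_registry(SAMPLE_USBSTOR, SAMPLE_MOUNTED):
        print(d)
```

On a live system the same names are read from the SYSTEM hive with an offline registry parser or the Windows API; the functions above only need the subkey names and the raw value data.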
Figure 1. Process Time To Live shows 42

Additionally, we employed the ipconfig /displaydns command. Issuing this command will generate the site address and the IP addresses of the sites visited, even after the browser media is removed, but this keeps changing. For example, Figures 1 and 2 show the site visited with its IP address; however, closure of the browser causes the time-to-live to be reduced from 42 to 7 seconds, and thus the forensics investigator should be quick in recording the data. This observation indicates that the speed of capturing RAM after the portable browser flash drive removal from the PC is important.

Figure 2. Process Time To Live shows 7

Figure 3. Memory analysis reveals the date and time when the user accessed the site
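Figures 1 and 2 record ipconfig /displaydns output and its falling time-to-live. The parser below is an added example, not from the paper: it turns that output into records, ranks them by remaining TTL so an investigator sees which entries to record first, and compares two snapshots to list entries evicted between captures. The layout it parses is the standard one Windows prints (assumed, not shown on the page) and both snapshots are constructed.

```python
"""Parse `ipconfig /displaydns` output into cache entries, rank them by the
time-to-live left and diff two snapshots taken some seconds apart. Added
example; the layout is the standard Windows one, the snapshots are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Time To Live  . . . . : 42"  ->  key "Time To Live", value "42"
FIELD_RE = re.compile(r"^\s*(?P<key>[^.:]+?)\s*(?:\.\s*)+:\s*(?P<value>.*?)\s*$")
SEPARATOR_RE = re.compile(r"^\s*-{10,}\s*$")
NEGATIVE_RE = re.compile(r"^\s*No records of type (?P<type>\S+)\s*$")


@dataclass
class DnsCacheEntry:
    name: str
    record_type: Optional[int] = None
    ttl: Optional[int] = None            # seconds left before the entry expires
    data: Optional[str] = None           # A/AAAA address or CNAME target
    negative_type: Optional[str] = None  # set for "No records of type X" entries


def parse_displaydns(text: str) -> List[DnsCacheEntry]:
    """An entry is a name line, a dashed separator, then field lines up to a
    blank line; unknown fields are skipped so small layout changes are tolerated."""
    entries: List[DnsCacheEntry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if i == 0 or not SEPARATOR_RE.match(lines[i]):
            i += 1
            continue
        entry = DnsCacheEntry(name=lines[i - 1].strip())
        i += 1
        while i < len(lines) and lines[i].strip():
            neg, fld = NEGATIVE_RE.match(lines[i]), FIELD_RE.match(lines[i])
            if neg:
                entry.negative_type = neg.group("type")
            elif fld:
                key, value = fld.group("key").strip(), fld.group("value")
                if key == "Record Name":
                    entry.name = value
                elif key == "Record Type":
                    entry.record_type = int(value)
                elif key == "Time To Live":
                    entry.ttl = int(value)
                elif key.endswith("Record"):  # "A (Host) Record", "CNAME Record", ...
                    entry.data = value
            i += 1
        entries.append(entry)
    return entries


def expiring_first(entries: List[DnsCacheEntry],
                   within_seconds: Optional[int] = None) -> List[DnsCacheEntry]:
    """Positive entries ordered by TTL; optionally only those about to expire."""
    live = sorted((e for e in entries if e.ttl is not None), key=lambda e: e.ttl)
    return live if within_seconds is None else [e for e in live if e.ttl <= within_seconds]


def evicted_between(before: List[DnsCacheEntry], after: List[DnsCacheEntry]) -> List[str]:
    """Names with a positive record in the first snapshot but none in the second."""
    held = {e.name for e in after if e.ttl is not None}
    return sorted({e.name for e in before if e.ttl is not None} - held)


# Constructed snapshots; the second was taken after the browser was closed.
SNAPSHOT_BEFORE = """\
    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 42
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    mail.example.com
    ----------------------------------------
    Record Name . . . . . : mail.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 7
    Section . . . . . . . : Answer
    CNAME Record  . . . . : mailhost.example.com
"""

SNAPSHOT_AFTER = """\
    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 7
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    cdn.example.org
    ----------------------------------------
    No records of type AAAA
"""
```

Feed the functions the captured text of `ipconfig /displaydns` (for example `subprocess.run(["ipconfig", "/displaydns"], capture_output=True, text=True).stdout` on the suspect machine) instead of the constructed snapshots.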


CONCLUSIONS

We used both static media forensics and RAM forensics to experimentally examine the privacy feature of portable Firefox, Opera, Chrome, and Safari browsers when they are used in private mode. We found that through a combination of RAM forensics, Registry, SQLite database, temp, recent, Cache.dll file and folders, we can retrieve forensically valuable information about the suspect’s activity, such as sites visited, Internet searches, secure site login credentials, and traces of email communication, even after the portable browser flash drive was removed from the machine. Artifacts such as flash drive vendor ID, product ID, version, serial number, drive letter, and URLs visited are enough to constitute a link between the data and the suspect. Our experiment shows that the vendor’s claim of privacy can be nullified through a combination of various computer-forensics investigations. Among the portable browsers under our experiment, Google Chrome portable left the most residual artifacts on the host machine.

Due to the dynamic nature of physical memory, the time gap between removing the portable browser flash media from the machine and capturing RAM is very important. The greater the time gap, the greater the chance of losing data in RAM.

Also, when the browsers are closed, we can retrieve the last information saved on the clipboard and analyze it for possible evidential information.

Finally, we believe the Registry is a good source for retrieving portable browsing artifacts when it is used along with memory forensics.

FUTURE WORK

This research can be extended in several ways: first, determine better tools and methodologies for analyzing the volatile memory for data about terminated processes and closed files and programs. Second, repeat the same experiment with a different tool such as Volatility. Third, extract information over an extended period of time instead of one specified browsing session.

ACKNOWLEDGMENTS

This research was supported by the 2015 UNG Presidential semester award. The author would like to thank all the individuals who were involved in the establishment and the implementation process of this award.


REFERENCES

Adautin, E.D. and Meeran, N. (2015). Forensic Reconstruction and Analysis of Residual Artifacts from Portable Web Browse. International Journal of Computer Applications (0975 – 8887), 128(18), 19-24.

Aggarwal, G., Bursztien, E., Jackson C., & Boneh, D. (2010). An analysis of private browsing modes in modern browsers. Proceedings of the 19th Usenix Security Symposium.

Amari, K. (2009). Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. SANS Institute InfoSec Reading Room.

Choi, J. H., K.G. Lee, J. Park, C. Lee, and S. Lee (2012). Analysis framework to detect artifacts of portable web browser. Center for Information Security Technologies.

DaemonFS. Retrieved on May 27 from http://sourceforge.net/projects/daemonfs/

Davis, N. (2009). Live memory forensics for Windows Operating Systems. Eastern Michigan University, IA 328. Retrieved January 2015 from https://www.emich.edu/ia/pdf/research/Live%20Memory%20Acquisition%20for%20Windows%20Operating%20Systems,%20Naja%20Davis.pdf

Dharan, D.G. and Meeran, N.A.R. (2014). Forensic Evidence Collection by Reconstruction of Artifacts in Portable Web Browser. International Journal of Computer Applications (0975 – 8887), 91(4), 32-35.

Ghafarian, A. and Hosseini, S.A. (2015). Analysis of Private Browsing Mode through Memory Forensics. International Journal of Computer Applications (0975 – 8887), 132(16), 27-34.

Hejazi, S.M., Talhi, C. & Debbabi, M. (2009). Extraction of Forensically Sensitive Information from Windows Physical Memory. Digital Investigation, 6, 121-131. Elsevier publishing Co.

Koepi, D. (2010). Firefox Forensics. Retrieved November 2014 from http://davidkoepi.wordpress.com/2010/11/27/firefoxforensics

Mahendrakar, A., Irving, J., and Patel, S. (2010). Forensic Analysis of Private Browsing Mode in Popular Browsers. Retrieved August 2014 from http://mocktest.net/paper.pdf

Mandiant Redline User Manual (2014). Retrieved February 2015 from https://dl.mandiant.com/EE/library/Redline1.7_UserGuide.pdf

Marrington, A., I. Baggili, T. Al Ismail, A. Al Kaf (2013). Portable Web Browser Forensics: A forensic examination of the privacy benefits of portable web browsers. IEEE Journal.

NirSofer. (2013). NirSoft Freeware Utilities. Retrieved February 2015 from http://nirsoft.net

Oh, O., Lee, S., and Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Journal of digital investigation 8, 62-70.

Ohana, D.J. and Shashidhar, N. (2013). Do private and portable web browsers leave incriminating Evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP J. on Inf. S. 201(6), 1-13.

Paragon Disk Wiper. Retrieved January 2015 from http://www.paragon-software.com/home/dw-professional/download.html

PortableApps. (2013). Retrieved March 2015 from http://portableapps.com/

Ruff, N. (2008). Windows Memory Forensics. Journal in Computer Virology, 4, 83-100.

Said, H., Mutawa, A.H., Awadhi, A.I., Guimaraes, M. (2011). Forensic analysis of private browsing artifacts. International Conference on Innovations in Information Technology (IIT).

Satvat, K., Forshaw, M., Hao, F. and Toreini E. (2014). On the Privacy of Private Browsing – A Forensic approach. Journal of Information Security and Application, 19, 88-100.

Simons, M. and Slay, J. (2009). Enhancement of Forensics Computing Investigations through Memory Forensics Techniques. International Conference on Availability, Reliability and Security.

Volatility Foundation. http://www.volatilityfoundation.org/

WinHex. Retrieved January 2015 from http://www.x-ways.net/winhex/
