InPrivate Browsing; Fancy or Flawed?

For those of you that didn’t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was new functionality called “InPrivate Browsing”.

Here’s what Microsoft has to say about this functionality: “InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data”. Ouch, when implemented right a feature like that could wreak havoc on us forensic dudes, so one could be inclined to think ;) But did Microsoft implement it correctly?

Initial tests we conducted show it didn’t, which is strange. Didn’t it state that this function prevents data from being written? Well, it doesn’t, which is good for us forensic folk, but bad for you if you trust this feature to provide you with your desired level of privacy.

I browsed several sites using the InPrivate function, used several search engines and to top it off logged into my online (SSL protected) banking website and transferred my monthly rent. Traces of this activity were easily recovered from the disk using both a simple Hex editor, Pasco and FTK.

It’s true some records are not written to the index.dat history file, namely the host records. This results in the user seeing an empty history overview in the browser. However, all other records related to a visit to a specific website are written to the index.dat file. Keep in mind that most websites are built up of tens of separate webpage elements, filling up the index.dat file quickly.

What’s worse, contrary to what Microsoft states, the temporary Internet files cache is used: files are written to disk, but after closing the browser the cache is cleared/deleted. Not erased. Oopsss. Unless I use some sort of erase/wipe tool, information on my browsing session is all there.

Of course it would still be fairly easy to recover the cached files using carving techniques, but one could argue that this is not something a regular user would or could do. I disagree. Just a simple Google query for a data recovery tool yields almost 1.5 million results. We’re not talking quantum physics here.

Microsoft plays down the story, stating that the privacy of regular users is protected, at least against other regular users. Maybe so, but I would not rely on this feature too much until we know more.

On a side note: I did find information about the wire transfer (my monthly rent), which surprised me. And in case you are wondering, the traces were not part of the pagefile but located in freespace.
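To illustrate how little effort it takes to find index.dat-style records in free space, here is an added example (not the author's code and not part of Pasco or FTK). It assumes the commonly documented record layout, a 4-byte "URL " signature followed by a little-endian count of 128-byte blocks; the function names, the sample buffer and the .example hosts are constructed for the illustration.

```python
import re
import struct

BLOCK = 0x80                      # assumed index.dat block size (128 bytes)
SIG = b"URL "                     # assumed signature of a URL activity record
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # printable ASCII up to the NUL

def carve_url_records(buf, max_blocks=64):
    """Return [(offset, url), ...] for plausible URL records found in buf."""
    hits = []
    pos = buf.find(SIG)
    while pos != -1:
        if pos + 8 <= len(buf):
            (blocks,) = struct.unpack_from("<I", buf, pos + 4)
            # Reject chance matches: a real record spans a small number of blocks.
            if 1 <= blocks <= max_blocks:
                m = URL_RE.search(buf, pos + 8, pos + blocks * BLOCK)
                if m:
                    hits.append((pos, m.group().decode("ascii")))
        pos = buf.find(SIG, pos + 4)
    return hits

def make_record(url, blocks=2):
    """Build a constructed record: signature, block count, padding, URL, NUL."""
    body = SIG + struct.pack("<I", blocks) + b"\x00" * 0x60 + url + b"\x00"
    return body.ljust(blocks * BLOCK, b"\x00")

# Constructed sample standing in for exported free space (not real evidence).
SAMPLE = (
    b"\xde\xad" * 100
    + make_record(b"https://bank.example/transfer?step=confirm")
    + b"URL \xff\xff\xff\xffhttp://ignored.example/"   # bad block count: skipped
    + make_record(b"http://search.example/?q=data+recovery+tool")
    + b"\x00" * 64
)

if __name__ == "__main__":
    for offset, url in carve_url_records(SAMPLE):
        print(f"0x{offset:08x}  {url}")
```

The block-count check is what keeps a stray "URL " string in unrelated data from being reported as a record.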

I’m not done with IE8, expect an update when I’ve had some more time to chew on this.

Comments

4 Responses to “InPrivate Browsing; Fancy or Flawed?”

  1. James on September 18th, 2008 19:53

    Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I don’t know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

  2. Freya Harris on April 28th, 2010 19:16

    Internet Explorer 8 is very good because it is as stable as Opera. I hate the previous versions of IE like IE6 because it hangs frequently.

  3. Katherine Campbell on May 6th, 2010 16:57

    Internet Explorer 8 has been my most used browser this year, it is definitely stable and fast loading too.

  4. Lee on June 29th, 2010 15:08

    ‘Private browsing mode’, or ‘porn mode’ as I’ve seen it referred to, now seems to be a feature of most of the major browsers. Firefox call it ‘Private Browsing’ and Google prefer ‘Incognito’, but both sell the feature as a way of shopping for birthday gifts or planning surprises. For that level of privacy it’s going to be adequate and if the birthday boy/girl wants to ruin the surprise by running data recovery tools, then I suppose that’s the modern day equivalent of rummaging around at the back of the wardrobe looking for presents :-)

    Obviously a more serious problem is the false sense of security offered by private browsing modes. As the blog article shows, the data is not erased, it is merely deleted. The same effect could be achieved in normal browsing mode by just running the browser’s ‘clear data’ facility at the end of the session.
