Beware what you travel with

For those of you who didn’t catch it on the wire, Internet Explorer 8 Beta 2 was released this week. As a forensic examiner I have a natural interest in any product released to the general public that is expected to see wide usage. Internet Explorer is one of those products. What caught my attention was new functionality called “InPrivate Browsing”.

Here’s what Microsoft has to say about this functionality: “InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data”. Ouch, when implemented right a feature like that could wreak havoc on us forensic dudes, so one could be inclined to think ;) But did Microsoft implement it correctly?

Initial tests we conducted show it didn’t, which is strange. Didn’t it state that this function prevents data from being written? Well, it doesn’t, which is good for us forensic folk, but bad for you if you trust this feature to provide you with your desired level of privacy.

I browsed several sites using the InPrivate function, used several search engines and to top it off logged into my online (SSL protected) banking website and transferred my monthly rent. Traces of this activity were easily recovered from the disk using both a simple hex editor, Pasco and FTK.

It’s true that some records are not written to the index.dat history file, namely the host records. This results in the user seeing an empty history overview in the browser. However, all other records related to a visit to a specific website are written to the index.dat file. Keep in mind that most websites are built up of tens of separate web page elements, filling up the index.dat file quickly.

What’s worse, contrary to what Microsoft states, the temporary Internet files cache is used: files are written to disk, and after closing the browser the cache is cleared/deleted. Not erased. Oopsss. Unless I use some sort of erase/wipe tool, the information on my browsing session is all there.

Of course it would still be fairly easy to recover the cached files using carving techniques, but one could argue that this is not something a regular user would or could do. I disagree. Just a simple Google query for “data recovery tool” yields almost 1.5 million results. We’re not talking quantum physics here.
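To show what “carving” means here, the following is an added example (not code from the post or from Pasco/FTK): it scans raw bytes, such as extracted free space, for index.dat “URL ” records and pulls out the URL and last-accessed time without consulting the file’s hash table, so records whose file was deleted but not wiped still turn up. It assumes the IE5-style record layout that tools like Pasco parse (block count at 0x04, last-accessed FILETIME at 0x10, URL offset at 0x34); the sample “free space” and its records are constructed inline.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

BLOCK, SIG = 128, b"URL "                      # records are allocated in 128-byte blocks
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):                        # Windows FILETIME: 100 ns ticks since 1601
    return FT_EPOCH + timedelta(microseconds=ft // 10)

def carve_url_records(blob):
    """Return [(offset, last_accessed, url)] for every plausible record in blob."""
    hits = []
    for m in re.finditer(re.escape(SIG), blob):
        start = m.start()
        if start + 0x38 > len(blob):           # not enough bytes left for a header
            break
        nblocks, = struct.unpack_from("<I", blob, start + 4)      # assumed offset 0x04
        accessed, = struct.unpack_from("<Q", blob, start + 0x10)  # assumed offset 0x10
        url_off, = struct.unpack_from("<I", blob, start + 0x34)   # assumed offset 0x34
        reclen = nblocks * BLOCK
        # sanity checks drop false positives such as 'URL ' inside cached HTML text
        if not 1 <= nblocks <= 64 or not 0x38 <= url_off < reclen:
            continue
        rec = blob[start:start + reclen]
        end = rec.find(b"\x00", url_off)
        url = rec[url_off:end if end >= 0 else reclen].decode("latin-1")
        if "://" in url:
            hits.append((start, filetime_to_dt(accessed), url))
    return hits

def build_record(url, accessed):               # constructed sample record, test data only
    body = url.encode() + b"\x00"
    nblocks = -(-(0x38 + len(body)) // BLOCK)  # round up to whole 128-byte blocks
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = SIG
    struct.pack_into("<I", rec, 4, nblocks)
    struct.pack_into("<Q", rec, 0x10, ((accessed - FT_EPOCH) // timedelta(microseconds=1)) * 10)
    struct.pack_into("<I", rec, 0x34, 0x38)
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)

# Constructed 'free space': filler, two records, and a decoy signature that fails the checks.
WHEN = datetime(2008, 8, 29, 10, 15, tzinfo=timezone.utc)
SAMPLE = (b"\x00" * 300 + build_record("Visited: user@https://bank.example/login", WHEN)
          + b"<p>URL shortener</p>" + b"\xff" * 77
          + build_record("https://search.example/?q=rent+transfer", WHEN))
```

Run `carve_url_records` over a pagefile or an unallocated-space dump to list the surviving records with their timestamps; the decoy in the sample shows why the block-count and offset checks matter.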

Microsoft plays down the story, stating that the privacy of regular users is protected, at least against other regular users. Maybe so, but I would not rely on this feature too much until we know more.

On a side note: I did find information about the wire transfer (my monthly rent), which surprised me. And in case you are wondering, the traces were not part of the pagefile but located in free space.

I’m not done with IE8, expect an update when I’ve had some more time to chew on this.