Cassandra Flowers, a Specialised Systems Support and Development Manager at the Babraham Research Campus, in Cambridge, and colleagues Ali Mansour and Haider Al-Khateeb of the Department of Computer Science and Technology, University of Bedfordshire, Luton, England, have demonstrated that forensic analysis can still retrieve traces of data from an "InPrivate" browser session for Microsoft’s Internet Explorer.
During an InPrivate browser session using Internet Explorer version 11 the program added .dat files to the Recovery directory as it would during a normal session, which allows recovery after a computer or software crash. It also heavily utilised the Low\Content.IE5\ directory to cache files during InPrivate browsing, the team explains. They add that existing .log files in the WebCache folder were removed and new logs created in the same directory for the current session, the browser also used the "CryptnetUrlCache\Content\" directory to store certificates. On closing the browser some cleanup was carried out but not all log files were deleted until a new instance of the browser was opened.
By contrast, Firefox and Opera undertook very little hard drive activity during private browsing, most of the constant hard drive activity in Chrome was down to plugin actions. All the browsers left some file modifications that might be extracted through detailed analysis of the computer hard drive or USB stick. However in "portable" private mode none of these browsers left artefacts and all files were cleaned from the USB stick from which the browser was being run. Even in this mode it was possible to retrieve cached Internet Explorer files that closing the InPrivate session that left behind.
Web browser claims that browsing history will not be recoverable in private modes may prevent an average computer user from finding evidence. However, forensic techniques recovered plenty of evidence which may prove to be crucial to a forensic investigation.
Conversely, third parties spying on an everyday user could retrieve information about that user even from private modes. In addition, the team adds that, "It is also crucial for internet users to learn that browsers security does not make them anonymous when their network is monitored by an internet service provider or a network administrator at the workplace."