Cybercrime has grown into a serious problem over the past few years. Cybercriminals rely on the dark web to sell hacking and malicious tools on darknet marketplaces, including ransomware, DDoS attack tools, Crimeware-as-a-Service (CaaS) offerings and more. Users currently reach the dark web with the Tor Browser, which anonymizes their traffic, and conduct their transactions on darknet marketplaces there. Beyond Tor, a number of other "anonymous" browsers aim to conceal a user's browsing activity. Even though these browsers cannot reach the dark web directly, they let users browse the internet while leaving fewer traces, and so can hide whatever illegal activity the user engages in. Accordingly, recovering digital evidence from the records such anonymous browsers leave behind is a critical challenge, especially for law enforcement agencies.
A recently published research paper examined how forensic programs and tools can be used to analyze different anonymous internet browsers. The paper covered six of them: Secure Browser, Epic Privacy Browser, SRWare Iron, Comodo Dragon, Maxthon, and Dooble. In this article we review some of the more interesting results presented in that paper.
The Epic Privacy Browser:
The Epic Privacy Browser is based on Chromium. It is designed to block trackers and other requests that can leak private information, thus maximizing privacy. Session data, including tracking data and cookies, are deleted when each browsing session ends. Search queries are routed through Epic's own proxy server, and the browser prefers SSL connections whenever a site supports them.
Secure Browser:
Secure Browser offers private browsing, secure browsing, privacy-trace removal, do-not-track, HTTPS-based encryption, and a set of other incognito and safety features.
Comodo Dragon:
Comodo Dragon is a free Chromium-based browser. Its user interface resembles Google Chrome's, but it omits the features that can undermine users' privacy.
SRWare Iron:
SRWare Iron is another free Chromium-based browser. Its functions are very close to those of Chrome.
Maxthon:
Maxthon is an HTML5-compatible browser. Its incognito mode is advertised as offering secure browsing without leaving any traces.
Digital forensic methods used to analyze the six browsers:
The researchers used X-Ways Forensics to image the virtual machines' file systems and to perform the integrated analysis. Data from four sources (system registry, files and folders, network packets, and memory) were compared before and after each browser was used. This differential analysis identified the file paths that hold residual data, and other forensic artifacts, that are useful during an examination.
The following tools were used to collect the data:
– SysTracer Version 2.1.0 to snapshot and compare the relevant registry records (registry locations and keys)
– Disk Pulse Version 8.2.16 to monitor and record changes to files and folders
– Wireshark Version 2.4.6 to capture and analyze network packets
– Process Hacker Version 2.39 to capture the browser process's memory
– The Capture Memory function of FTK Imager to record the memory of the virtual machines
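The differential step that SysTracer and Disk Pulse automate can be reproduced for the file-system source with a short script. The following Python block is an added example (not code from the paper or from this article): it hashes every file under a profile directory before and after a browsing session and reports what the browser created, modified or deleted. The profile layout and file contents in demo() are constructed for the demonstration and only mimic a Chromium-style "User Data\Default" folder.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root, keyed by its path relative to root.
    Forward slashes are used so a snapshot taken on the Windows VM and one
    taken on a Linux analysis box compare the same way."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), h.hexdigest())
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as created, deleted, or modified (content hash changed).
    Comparing hashes rather than timestamps avoids false positives from
    browsers that rewrite a file with identical content on every start."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][1] != after[p][1])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> Dict[str, List[str]]:
    """Constructed stand-in for a browser profile before and after a session."""
    root = tempfile.mkdtemp(prefix="profile-")
    try:
        default = os.path.join(root, "User Data", "Default")
        os.makedirs(default)
        os.makedirs(os.path.join(root, "Temp"))
        with open(os.path.join(default, "Preferences"), "w") as f:
            f.write('{"session": {"restore_on_startup": 5}}')
        with open(os.path.join(root, "Temp", "old.tmp"), "w") as f:
            f.write("stale")
        before = snapshot(root)

        # Simulated browsing session: a Cookies database appears, Preferences
        # is rewritten, and a temporary file is cleaned up on exit.
        with open(os.path.join(default, "Cookies"), "wb") as f:
            f.write(b"SQLite format 3\x00")
        with open(os.path.join(default, "Preferences"), "w") as f:
            f.write('{"session": {"restore_on_startup": 5}, '
                    '"profile": {"exited_cleanly": true}}')
        os.remove(os.path.join(root, "Temp", "old.tmp"))
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real examination, take the "before" snapshot of the whole user profile (not just the browser folder) right after installation, browse with incognito mode enabled, close the browser, and diff again; files that are created during the session and deleted at exit show up only if a third snapshot is taken while the browser is still running.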
Figure (1) shows the forensic process used to analyze the anonymous browsers.
Figure (1): The forensic process used to analyze the anonymous browsers
Results of forensic analysis of the six anonymous browsers:
The forensic analysis revealed residual evidence in several areas: files and folders on the file system, random access memory, the network ports used for connections, system registry keys, and the browser's execution memory.
Even though the six browsers use different sets of incognito features and frameworks, all of them still keep browsing data and records in the browser's memory, and several also leave files on disk. Table (1) shows the essential forensic items for the six browsers with their incognito functions enabled.
| Browser | Important files or folders | Storage path | Forensic value |
|---|---|---|---|
| Epic Privacy Browser | Files: Cookies, Login Data, Preferences, Secure Preferences, Bookmarks; Folder: Local Storage | `\Users\User Account\AppData\Local\Epic Privacy Browser\User Data\Default` | Shows whether the user installed and used this anonymous browser |
| Secure Browser | 1. Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor, Bookmarks, previews_opt_out.db; Folders: Local Storage, databases, Cache. 2. Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency | 1. `\Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\` 2. `\Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\` | Shows whether the user installed and used this anonymous browser |
| Comodo Dragon | 1. Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, Session Storage, Databases, Cache. 2. Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency | 1. `\Users\User Account\AppData\Local\Comodo\Dragon\User Data\Default\` 2. `\Users\User Account\AppData\Local\Comodo\Dragon\User Data\` | Shows whether the user installed and used this anonymous browser |
| SRWare Iron | 1. Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, databases, Cache, Session Storage, Media Cache. 2. Files: Safe Browsing Cookies; Folder: Certificate Transparency | 1. `\Users\User Account\AppData\Local\Chromium\User Data\Default\` 2. `\Users\User Account\AppData\Local\Chromium\User Data\` | Shows whether the user installed and used this anonymous browser |
| Dooble | Files: applications.db, cacheexceptions.db, cookies.db, downloads.db, favicons.db, history.db, preferences.db; Folders: Cache, Dooble | `\Dooble\User Account\.dooble` | Shows whether the user installed and used this anonymous browser |
| Maxthon | 1. Files: Cookies, Web Data, \*.dat; Folders: Local Storage, databases, Application Cache, History, Favorite. 2. Files: Cookies, Web Data; Folders: Local Storage, databases, Application Cache. 3. Files: \*.dat; Folder: NewTab. 4. All files | 1. `\Users\User Account\AppData\Roaming\Maxthon5\Users\guest\` 2. `\Users\User Account\AppData\Roaming\Maxthon5\Users\guest\Session\` 3. `\Users\User Account\AppData\Roaming\Maxthon5\Temp\` 4. `\Users\kan\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\` | Shows whether the user installed and used this anonymous browser |
Table (1): Essential forensic items for the six anonymous internet browsers with incognito mode enabled
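The storage paths in Table (1) can be turned directly into a triage script. The Python below is an added example, not code from the paper: it checks a mounted user profile for each browser's Table (1) directories, lists the files found there, and reads a Chromium-style Cookies database while converting its WebKit timestamps (microseconds since 1601-01-01 UTC) to readable dates. Assumptions made here: the profile root is the `\Users\<account>\` folder of the image, Dooble's `.dooble` directory is taken to sit under that same root, and the sample Cookies database produced by build_sample_profile() is constructed with only a subset of the real Chromium cookies schema.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

# Storage paths from Table (1) as components relative to the profile root.
# Dooble is assumed to live in <root>\.dooble (the table lists <account>\.dooble).
ARTIFACT_DIRS = {
    "Epic Privacy Browser": [
        ("AppData", "Local", "Epic Privacy Browser", "User Data", "Default")],
    "Secure Browser": [
        ("AppData", "Local", "Safer Technologies", "Secure Browser", "User Data", "Default"),
        ("AppData", "Local", "Safer Technologies", "Secure Browser", "User Data")],
    "Comodo Dragon": [
        ("AppData", "Local", "Comodo", "Dragon", "User Data", "Default"),
        ("AppData", "Local", "Comodo", "Dragon", "User Data")],
    "SRWare Iron": [
        ("AppData", "Local", "Chromium", "User Data", "Default"),
        ("AppData", "Local", "Chromium", "User Data")],
    "Maxthon": [
        ("AppData", "Roaming", "Maxthon5", "Users", "guest"),
        ("AppData", "Roaming", "Maxthon5", "Users", "guest", "Session"),
        ("AppData", "Roaming", "Maxthon5", "Temp")],
    "Dooble": [(".dooble",)],
}

# Chromium timestamps count microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch), not Unix seconds; reading them as Unix time shifts every
# event by 369 years.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def find_artifacts(profile_root: str) -> Dict[str, List[str]]:
    """List the files present in each browser's Table (1) directories."""
    hits: Dict[str, List[str]] = {}
    for browser, dirs in ARTIFACT_DIRS.items():
        for parts in dirs:
            d = os.path.join(profile_root, *parts)
            if not os.path.isdir(d):
                continue
            for name in sorted(os.listdir(d)):
                if os.path.isfile(os.path.join(d, name)):
                    hits.setdefault(browser, []).append("/".join(parts + (name,)))
    return hits


def read_cookies(db_path: str) -> List[dict]:
    """Read host, name and timestamps from a Chromium Cookies database.
    The file is opened read-only via a URI so the evidence is never written to."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT host_key, name, creation_utc, last_access_utc "
            "FROM cookies ORDER BY creation_utc").fetchall()
    finally:
        con.close()
    return [{"host_key": h, "name": n,
             "created": webkit_to_datetime(c).isoformat(),
             "last_access": webkit_to_datetime(a).isoformat()}
            for h, n, c, a in rows]


def build_sample_profile(root: str) -> str:
    """Constructed Epic profile with a minimal Cookies database (subset of the
    real Chromium schema) so the functions above can run offline."""
    default = os.path.join(root, *ARTIFACT_DIRS["Epic Privacy Browser"][0])
    os.makedirs(default, exist_ok=True)
    for name in ("Preferences", "Bookmarks"):
        open(os.path.join(default, name), "w").close()
    db = os.path.join(default, "Cookies")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, "
                "name TEXT, value TEXT, last_access_utc INTEGER)")
    created = datetime_to_webkit(datetime(2021, 6, 15, 12, 0, tzinfo=timezone.utc))
    con.execute("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)",
                (created, "example.com", "sessionid", "constructed", created + 90 * 10**6))
    con.commit()
    con.close()
    return db


def demo():
    root = tempfile.mkdtemp(prefix="image-")
    db = build_sample_profile(root)
    return find_artifacts(root), read_cookies(db)


if __name__ == "__main__":
    hits, cookies = demo()
    for browser, files in hits.items():
        print(browser, files)
    for c in cookies:
        print(c)
```

Run it against a copy or a read-only mount of the image. Chromium keeps recent writes in a `-journal` or `-wal` file next to each database, so copy those alongside it; and current Chromium builds store cookie values in an `encrypted_value` column (DPAPI-protected on Windows), which is why the query reads only hosts, names and timestamps.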
In summary, forensic analysis of the six anonymous browsers revealed digital evidence in several places: SQLite database files (cache, history, shortcuts, cookies, login data, web data and top sites), bookmark and search-keyword information, system registry keys, temporary browser storage files, pagefile.sys, browser execution memory, unallocated space, and hiberfil.sys. With incognito mode turned on, little of this survives on disk, and conventional disk-based forensic analysis becomes very difficult. Nevertheless, if the browser's memory contents can be captured with forensic tools, the user's browsing records can still be extracted from them.
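Recovering browsing records from a memory capture (the Process Hacker and FTK Imager dumps mentioned above) usually starts with carving URLs out of the raw bytes. The Python below is an added example, not from the paper: it searches for URLs in both ASCII and UTF-16LE (Chromium-based browsers keep many strings as UTF-16 internally, so an ASCII-only search misses a large share of the records) and streams a large capture in overlapping windows so that a URL straddling a chunk boundary is neither lost nor reported truncated. The sample capture bytes are constructed, and the minimum URL length, window size and overlap are choices of this example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Characters allowed after the scheme (RFC 3986 unreserved and sub-delims).
URL_BODY = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
PATTERNS = {
    "ascii": re.compile(rb"https?://" + URL_BODY + rb"{4,}"),
    "utf-16le": re.compile(
        rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_BODY + rb"\x00){4,}"),
}
TRAILING_JUNK = ".,;:)'\""

Hit = Tuple[int, str, str]  # (absolute offset, encoding, url)


def carve_urls(buf: bytes, base_offset: int = 0, at_eof: bool = True) -> List[Hit]:
    """Carve URLs from one window of bytes."""
    hits: List[Hit] = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            # A match that runs to the end of the window (or one byte short,
            # which is how a cut UTF-16 string ends) may be truncated by the
            # chunk boundary: skip it unless this is the end of the capture.
            # The caller's overlap presents it whole in the next window.
            if not at_eof and len(buf) - m.end() < 2:
                continue
            text = m.group(0).decode("utf-16-le" if enc == "utf-16le" else "ascii")
            hits.append((base_offset + m.start(), enc, text.rstrip(TRAILING_JUNK)))
    return sorted(hits)


def carve_file(path: str, chunk_size: int = 1 << 20, overlap: int = 4096) -> List[Hit]:
    """Stream a capture through carve_urls in overlapping windows. The overlap
    must exceed the longest URL you expect, or that URL is silently lost."""
    found = set()
    tail, pos = b"", 0
    with open(path, "rb") as f:
        block = f.read(chunk_size)
        while block:
            nxt = f.read(chunk_size)          # peek so the last window knows it is last
            buf = tail + block
            found.update(carve_urls(buf, pos - len(tail), at_eof=not nxt))
            pos += len(block)
            tail = buf[-overlap:]
            block = nxt
    return sorted(found)


# Constructed stand-in for a few bytes of a browser memory capture: one ASCII
# URL, one UTF-16LE URL, and a fragment too short to count as a URL.
SAMPLE_DUMP = (
    b"\x00\x00\x00junk\x00"
    + b"https://example.com/login?user=alice\x00\x00"
    + "http://forum.example.org/thread/42".encode("utf-16-le")
    + b"\x00\x00noise http://x \x00"
)


def demo() -> Tuple[List[Hit], List[Hit]]:
    """Carve the sample in one pass, then again through tiny windows; both agree."""
    whole = carve_urls(SAMPLE_DUMP)
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE_DUMP)
    try:
        streamed = carve_file(f.name, chunk_size=7, overlap=80)
    finally:
        os.remove(f.name)
    return whole, streamed


if __name__ == "__main__":
    for off, enc, url in demo()[0]:
        print(f"{off:#010x} {enc:9} {url}")
```

Offsets are reported so each hit can be mapped back to the owning process or page with a tool such as Volatility; the hosts and paths recovered this way are the "browsing records" that survive incognito mode in RAM even when nothing is written to the profile on disk.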