Sunday, November 16, 2008

Not so private "private browsing"

The "Incognito" mode of Google's Chrome browser and Microsoft Internet Explorer 8 beta's "InPrivate" mode can leave significant footprints in the system. It has always been the case that disk forensics (or even simple undelete tools) could dig up information on these private-mode browsing sessions, but in some circumstances it is a lot easier than that.

Under the right (or more likely wrong) circumstances, entering "http" in the Start > Run dialog box will offer a list of visited web media URLs.  The key is that when the browser launches Windows Media Player, it pushes the URL into Windows history (even if the Media Player is set to not store history).  Interestingly, to clear this you need to clear history in Internet Explorer, even if the Media Player session was initiated by Chrome.

Remember, "do it yourself" forensics are almost always a bad idea for any situation where there is a chance of ending up in court- but if you are just looking for information, don't overlook the easy stuff.