>Private browsing and forensics


Ever wondered whether the “private browsing” feature in your browser actually works?  

This article may shed some light on this topic for you. On a sour note, I’m completely shocked that Microsoft’s implementation of private browsing leaves something to be desired.

From a privacy advocate and defensive security perspective, I’m all for private browsing, both in the private and corporate world, and here’s the main reason: cookies, cached files and the like represent a significant security issue and a potential data leak. If your company uses webmail or an intranet and you’re consulting confidential files on the fly, that data gets stored locally on a machine. This constitutes a risk at the enterprise level that trumps the need for a forensically viable audit trail.

Private browsing isn’t a panacea, though: since data is stored in memory, malware that is already installed on the PC could scrape memory in search of interesting data (credit card numbers, credentials, etc etc.) — and not just malware, either. If you were at the European SANS forensics summit this year, you might have heard this guy talk about retrieving the contents of a machine’s memory using forensics tools.  Nor does it protect the user against a traditional network sniffer / MITM attack. Finally, it assumes that you actually bother to close your browser to clear that memory of sensitive data.

A lot of this is abstract for the layperson, so let’s provide a real-world scenario:

Let’s say you work for a pharma company and you’re waiting for a flight.  You’re bored, so you go to an internet café and open up your webmail. Your teammate’s sent you the latest draft of that report you’ve been working on, internally disclosing the findings of your latest research. You review the document, and fire her back an e-mail with your comments; you then leave the café and proceed to your gate. 

Risk #1: the PC you use isn’t an enterprise PC: to quote a memorable Mike Myers film, it’s the village bicycle of IT — everyone’s had a ride. What’s the café’s policy on updating its A/V? Is there regular maintenance? Does the machine get re-ghosted after every use? Is there a slot for a USB drive (and therefore a vector of infection)? Is the network traffic being sniffed (i.e. monitored)? It all depends on the owner of the café — there aren’t any laws or standards that oblige internet café owners to comply to basic security measures. For this risk, no amount of “private browsing” can help you – you may as well have broadcast your enterprise password and files on facebook.

Risk #2: that report you just looked as has pretty much become public property the minute you opened it up on that public machine. Not only can subsequent users of that PC retrieve your report, but the law will not be on your side (“you should have known better” will be the de facto response). Private browsing can help you there, provided that you close the browser, because the data is stored in memory and not on disk.

Risk #3: how often do people forget to log off? Very often. As a matter of fact, I don’t think there’s a single person on this planet that’s used a computer and has never, ever forgotten to log off. And yet, if you forget to log off when you walk away from that public PC, all of your company’s past, present and future secrets could be compromised. Ever heard of the switchblade USB key? It retrieves cached passwords very nicely, and almost instantaneously. Very difficult to use: you insert the key in the computer, wait thirty seconds, pull it out — voilà, passwords du jour. In this scenario as well, private browsing can be extremely useful, because it doesn’t allow cached passwords to be written to the disk.

So there you have it, straight from the horse’s mouth: private browsing may well make forensics more difficult, but it doesn’t make it impossible. That is an acceptable risk to me, given that it mitigates enterprise and personal risk of a security breach.