Shelly Ma and Elizabeth Cookson will be presenting MysTORious: Residual artifacts from private/incognito internet browsing and TOR Browser at the Techno Security & Digital Forensics Conference. The abstract below will give you an idea of the material they plan to cover.
The Nineteenth Annual Techno Security & Digital Forensics Conference will be held June 4 – 7, 2017 in sunny Myrtle Beach at the Marriott at Grande Dunes Resort. This conference, previously known as the Techno Security & Forensics Investigations Conference held in conjunction with Mobile Forensics World, welcomes corporate network security professionals, federal, state and local law enforcement digital forensic specialists, corporate and private forensic examiners, and industry leaders from the US and around the world.
DATE / TIME
June 4-7, 2017
Marriott at Grande Dunes Resort
More information here
Abstract of topic:
It is no secret that a large proportion of a user’s digital activities constitute browsing of the internet. It is well understood that there are traces of user internet activities scattered across multiple areas of a system. These artifacts are forensically valuable to an investigation as they reveal evidentiary-rich information about the online activities of the user in question.
But, what if the user utilized a private browsing feature or the infamous TOR Browser? What artifacts does that leave behind for a forensic investigator?
The private or incognito modes of common internet browsers claim to allow users to peruse the internet privately without browsing information, cookies and history being locally stored. The motives for obfuscating internet history are not always nefarious, but it has certainly become a prominent way of exploring the internet for people with questionable intent. For those of such nature, another very appealing option is the TOR Browser. The TOR network’s promise of anonymity is attractive for all kinds of web users, and this same anonymity also makes it attractive for cyber criminals.
Our research applies to the digital forensics field in two ways. First, it provides an in-depth analysis of what artifacts are created when an individual engages in private browsing and if/how this differs from those that are created during regular internet browsing. Second, it examines the efficacy of the TOR Browser as an anonymizing proxy. We compare the residual artifacts left behind from common browser activities across various browser types and operating system platforms.
Our research investigates the effectiveness of private browsing and aims to determine whether a user’s private browsing session can be reconstructed, at least in part, from these artifacts. Our presentation will provide an answer to the question of how much information a forensic examiner is able to acquire from these artifacts.