Web browser artefacts in private and portable modes: A forensic investigation

C. Flowers, Ali Mansour, Haider Al-Khateeb

Research output: Contribution to journalArticlepeer-review


Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts as portable and private browsing are now common and available in popular web browsers. Browsers claim that whilst operating in private mode, no data is stored on the system. This paper investigates whether the claims of web browsers discretion are true by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox, and Opera when used in a private browsing session, as a portable browser, and when the former is running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory by means of dump files, hibernate and page files are the key areas where evidence from all browsers will still be recoverable despite their mode or location they run from.
Original languageEnglish
Pages (from-to)99-117
Number of pages18
JournalInternational Journal of Electronic Security and Digital Forensics
Issue number2
Publication statusE-pub ahead of print - 29 Mar 2016

Bibliographical note

© 2016 Inderscience Enterprises Ltd.


  • web browser forensics
  • portable applications
  • private browsing
  • incognito mode
  • physical memory
  • Windows
  • Chrome
  • Firefox
  • Opera
  • OSForensics
  • Internet explorer
  • web browsers
  • browser artefacts
  • portable browsers
  • user privacy
  • volatile memory
  • recoverable artefacts record recovery
  • evidence recovery


Dive into the research topics of 'Web browser artefacts in private and portable modes: A forensic investigation'. Together they form a unique fingerprint.

Cite this