A Comparative Analysis of Residual Data Between Private Browsing and Normal Browsing Using Live Memory Acquisition

Abstract

Nowadays, web browsers are a common and important tool that allows people to perform online activities such as internet banking, buying online and accessing social networking sites. All user activities and data from browsing can be tracked and stored in normal mode browsing such as cookies, caches, downloads, history, other sensitive data, and temporary files, which helps digital forensic investigators trace any evidence left. Hence, this research paper will analyse and compare which browsers mode among Google Chrome and Firefox can extract the entire residual data from the laptop’s volatile storage testing on a forensic tool. The research is conducted using live memory acquisition to acquire disk images from RAM. The tools used for acquisition are BelkaSoft RAM Capturer and Autopsy for analysis. There are four stages involved in methodology: preparation stage, forensic acquisition and analysis stage, analysis stage and validation stage. Findings from this study show that live memory acquisition on private and norm brow modes able to acquire key residual data such as email Id, password, downloaded files, web visited and keyword terms. This research may help other researchers to realise that using RAM forensics for digital forensic investigation can be very useful, especially to find the evidence for browsing activities in physical memory.