Volatile forensics

Research published in the International Journal of Information and Computer Security has looked at the everyday privacy and anonymisation settings of conventional web browsers and compared them with browsers that offer greater, layered privacy controls designed to hide a user's legitimate activity from prying eyes. Volatile memory forensics is put forward as a way for criminal investigators to recover at least some of that activity even from a privacy-enhanced browser, provided they gain timely access to the laptop or other device on which the browser is running.

Privacy-enhanced web browsers help protect internet users from those who might wish to see the details of their browsing habits and behaviour: perhaps relatives or so-called friends, but also government agencies with no right to access personal information, and third parties with malicious intent, such as identity thieves. The flip side is that criminals can use the same tools to obscure their own activities and to exploit potential victims. The very nature of a privacy-enhanced browser can then make it difficult for the police to investigate a crime in which such a browser has been central.

Nilay R. Mistry, Krupa Gajjar, and S.O. Junare of the National Forensic Sciences University in Gandhinagar, Gujarat, India, explain that digital forensics is central to many a criminal investigation, whether the crime happens online or offline. Critically, the wider discipline of computer forensics must be able to identify, acquire, preserve, and analyse evidence from a device so that it can be presented in a court of law with a provenance showing that it is exactly as it was found on the device and so representative of the perpetrator's behaviour.

The team's work compares various privacy-enhanced browsers and the artefacts of browsing and login activity that are held, and might remain, in the device's volatile memory, essentially the RAM (random access memory) or virtual memory. With their tools, they were able to obtain email addresses and the addresses of visited websites from all the browsers tested, both from a live RAM dump taken while the browser was running and from a dead RAM dump, taken after all tabs had been closed and the browser shut down but with the machine itself still running. Such access could be very important in a criminal investigation, but investigators would have to seize the device before it is completely shut down; otherwise the data in volatile memory would, as the term suggests, evaporate and be lost.

In addition, they were able to obtain search terms from a live RAM dump of every browser tested, but not from a dead RAM dump. No downloaded images could be retrieved in either scenario from any browser, nor any passwords. However, for the purportedly privacy-enhanced browsers the team was able to extract search queries entered on a well-known online video service: from live RAM dumps of every browser and, with the exception of three browsers, from dead RAM dumps too.
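The article does not say which tools the team used to pull email addresses, visited URLs and search terms out of the dumps. As an added illustration (not the authors' code, and not a claim about their method), the following shows the generic carving step that any such tool performs: scan the raw dump for printable runs in both 8-bit and UTF-16LE encodings, since browser memory holds network buffers in the former and script strings in the latter, then match the runs against artefact patterns. The query-parameter names (q= and search_query=) and the sample dump are assumptions constructed for the example, not a real capture.

```python
"""Carve browser artefacts out of a raw memory dump (added example)."""
import re
from urllib.parse import unquote_plus

# Artefact patterns. Which query-parameter names carry search terms is an
# assumption (q= and search_query= are common); extend for the sites at issue.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
SEARCH_RE = re.compile(rb"[?&](?:q|search_query)=([^&#\s\"']+)")


def printable_runs(dump: bytes, min_len: int = 8):
    """Yield (offset, encoding, run) for every printable run in the dump.

    Browser memory mixes 8-bit strings (socket buffers, C++ std::string) with
    UTF-16LE (JavaScript strings, Windows APIs). UTF-16LE runs are re-encoded
    to ASCII so that a single set of patterns applies to both.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        yield m.start(), "ascii", m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le").encode("ascii")


def carve_artefacts(dump: bytes) -> dict:
    """Return {'urls', 'emails', 'searches'} as sorted, de-duplicated lists."""
    urls, emails, searches = set(), set(), set()
    for _offset, _encoding, run in printable_runs(dump):
        for m in URL_RE.finditer(run):
            url = m.group().rstrip(b".,;)'\"")  # drop punctuation glued to the URL
            urls.add(url.decode("ascii"))
            # Search terms typically survive as the query string of a URL.
            for s in SEARCH_RE.finditer(url):
                searches.add(unquote_plus(s.group(1).decode("ascii")))
        for m in EMAIL_RE.finditer(run):
            emails.add(m.group().decode("ascii"))
    return {"urls": sorted(urls), "emails": sorted(emails), "searches": sorted(searches)}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM dump (not a real capture).

    Artefacts of the kinds the paper describes, in both encodings, separated
    by binary filler that never contains a printable run of 8 or more bytes.
    """
    filler = bytes((i * 37 + 11) % 256 for i in range(256))
    parts = [
        filler,
        b"GET /watch?v=abc HTTP/1.1\r\nHost: video.example\r\n",   # 8-bit socket buffer
        filler,
        "https://video.example/results?search_query=volatile+memory+forensics".encode("utf-16-le"),
        filler,
        "login: investigator@example.org".encode("utf-16-le"),
        filler,
        b"https://search.example/?q=privacy%20browser&hl=en ",
        filler,
        b"x@y.z",   # shorter than min_len: below the noise floor, deliberately not carved
        filler,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for kind, found in carve_artefacts(build_sample_dump()).items():
        print(kind, found)
```

Comparing the output of carve_artefacts() on a live dump against a dead dump taken after the browser has been closed is the shape of the experiment the article reports: artefacts present in the first set but absent from the second are the ones that the browser's shutdown (or the operating system reclaiming its pages) has already destroyed. Raise min_len to cut noise on a real multi-gigabyte dump, and keep the offsets that printable_runs() yields so that each hit can be tied back to its location in the image for the evidence record.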

The very minimum of evidence available to investigators who find a device already shut down might be files present or cached on the device's permanent storage and the presence of a given privacy-enhanced browser. That would not be as strong as a live RAM dump of activity in the browser obtained while the activity associated with a crime is under way, of course.

Mistry, N.R., Gajjar, K. and Junare, S.O. (2022) ‘Volatile memory forensics of privacy aware browsers’, Int. J. Information and Computer Security, Vol. 18, Nos. 3/4, pp.313–326.