Tuesday, April 14, 2009

On March 19, 2009, Microsoft made available for downloading version 8 of Internet Explorer (IE). IE has slightly over 2/3 of the browser market share, and eventually nearly all users will get upgraded from their current versions as part of Windows Update. InPrivate browsing, which has been nicknamed ?porn mode? in the press, is probably the most notable feature of the new browser from the standpoint of computer forensics. IE8 will eventually make private browsing available on virtually every computer running Microsoft Windows.

Microsoft cannot be blamed for adding this feature, as it mimics similar capabilities in others? browsers - specifically Chrome (Google), and Safari (Apple). The second most popular browser, Firefox, has this feature as an add-in and is expected to include it as a standard feature soon. InPrivate browsing is enabled by first launching Internet Explorer normally, and then selecting a button on the toolbar. A second session is then launched from the primary session. For the InPrivate session the following actions occur:

1. The browsing history for the session is not stored

2. Temporary Internet files are removed when the session ends

3. Search terms are not stored

4. Entered passwords are removed

5. Addresses typed into the address bar are not stored

6. New cookies are not stored

7. Form data from the session is not stored

Each of these deleted items has been a fruitful source in investigations of (i) inappropriate employee time/use of computers at work, and (ii) internet -based crimes.

The use of these privacy programs provides false comfort to those using them. As all computer forensic professionals know, just because something has been ?deleted?, doesn?t necessarily mean that it is gone. In August 2008, Dutch computer forensics firm FoxIT reported that it reconstructed the browsing history, browser cache, and other information about an InPrivate session. Absent additional efforts that are not currently part of these ?private? browsers, the chances are still quite high that scraps of incriminating evidence remain on the computer. The difference is that this work will now require additional effort to get fragmentary and indirect evidence, instead of the straightforward and comprehensive logs that are otherwise being retained.

What employers should do

Consider a common allegation in which an employee claims that a manager?s or co-worker?s pornography viewing at work creates a hostile work environment. The employer?s wise response usually includes impounding the relevant computer, calling a computer forensic examiner, and quickly learning whether the allegation has merit. However, the possibility that the accused employee might have used private browsing muddles what would have been otherwise clear, comprehensive, and actionable information from the forensic analysis. To make matters worse:

1. The complainant could claim that by providing the private browsing capability the company actively enables the offending behavior.

2. If action is taken against the accused employee, the accused employee could claim that the same activity is being performed by others without recourse, but the existence of private browsing makes this more difficult (expensive) to further investigate.

Having a ?porn mode? on a corporate computer sends entirely the wrong message on multiple levels, so it is almost impossible to imagine any business wanting to have this available on company computers. Fortunately, Microsoft allows InPrivate to be globally disabled via a group policy on Active Directory networks. However, since InPrivate is enabled by default, a typical small business without a vigilant technical staff member will likely need additional warning to ensure that InPrivate is disabled as the default setting.

For personal computers and less sophisticated workgroup networks, the means to disable InPrivate vary depending on the version of Windows. For Vista Home Editions and Vista Ultimate, it can be disabled via the Parental Controls Feature. For XP it is possible to disable InPrivate by downloading Windows Live Family Safety. For any Windows version, an expert user can disable InPrivate by editing the registry. For any of these methods, if the user has the knowledge to disable the feature, they also have the ability to turn InPrivate on and off whenever desired.

?Porn Mode? provides less protection than thought

It bears repeating that someone wanting to perform a serious investigation (i.e., law enforcement or a competent computer examiner) can reconstruct browsing details using sophisticated techniques.

Ironically the people most likely to be harmed by InPrivate browsing (or other browsers with similar features) are those that think that it is keeping their activities secret. For example, consider a world in which a technological change caused DNA testing to no longer give ?yes? or ?no? answers, but instead ?yes? or ?probably not? answers. Who would be most harmed by that change? It would be people needing to prove their innocence.

Before shutting a site down that law enforcement finds is delivering child pornography, IP addresses of computers accessing the site are often collected through a packet tracer. Packet tracers are also known as sniffers. These IP addresses can be traced through the internet service provider to a particular account which then can be used to obtain a search warrant covering all computer(s) at that location. This is a justifiable procedure to track a serious crime. However, like many broad-based law enforcement tactics, there is a chance of also hitting an innocent bystander. Sniffers do not distinguish between web requests from desired sites, vs. unwanted pop-ups or misleading spam messages. They also do not distinguish who was using the computer at the time, or even if the activity might have been someone stealing bandwidth from a poorly secured wireless network. If access was from an unwanted pop-up or spam e-mail, all or part of those images might very well be found on the hard disk by a forensic examiner, private browsing or not.

Once accused of illegal activities using the internet, an innocent bystander could defend himself by hiring a computer forensic expert to investigate the accused?s browsing activity. However that is exactly what private browsing capability now undermines. To put it another way, your computer can be your accuser, but it can also be your alibi. If you are innocent, InPrivate reduces the ability of your computer to be your alibi. While the chances of being caught in an embarrassing situation from viewing legal porn are higher, the consequences of being unable to defend against a much more serious charge of child pornography are dire.

Unfortunately the mere availability of private browsing, regardless of whether it is ever actually used, burdens the ability to show that the computer was not used for a particular activity. Microsoft forces every Internet Explorer user to specifically agree to activate the phishing filter, although one can hardly imagine a user not wanting to be warned about identity theft traps. By comparison ?porn mode?, despite the legal risks that come with it, requires behind-the-scenes administrative action to disable. Furthermore, if Microsoft and other browser providers were to simply log the beginning and ending of private sessions in the system log it would go far to continue to allow computer forensics to be equally useful in both prosecution and defense roles.

Fulcrum Inquiry performs financial investigations and computer forensic investigations.

______________

For the Technical Staff: How to Disable InPrivate Domain-Wide

1. Install Internet Explorer 8 on a Domain Controller Server. That will make extra settings available under Group Policy Management.

2. The group policy setting can be made either at the Machine or User Scope. Since it may be troublesome to explain why some users need an exception to be able to use ?porn mode?, the Default Domain Policy may be the best choice.

3. The setting is found in Administrative Templates\Windows Components\Internet Explorer\InPrivate\Turn off InPrivate Browsing

How to Disable InPrivate Through t74he Registry

1. Open Regedit.

2. The necessary setting is: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy\EnableInPrivateBrowsing

3. It is a dword setting in which 1 or missing allows InPrivate and 0 disables it.