Thursday, 29 April 2010

Microsoft Internet Explorer PrivacIE Entries

Internet Explorer introduced a number of new security and privacy features in version 8.  One of these new features was InPrivate Filtering.  InPrivate Filtering helps prevent the web sites a user visits from automatically sending details about the visit to other content providers.

[Image: PrivacIE warning]

When a user visits a web site, it automatically shares standard computer information with that web site.  If the web site contains content provided by a third-party web site (for example a map, advertisement, or web measurement tools such as a web bug or scripts) some information about the user may be automatically sent to the content provider.

This type of arrangement can have several benefits. It lets the user conveniently access third-party content.  The presence of advertising on a web site may let the web site provide access to premium content at no charge.  However, there can be an impact on user privacy as a result because it is possible for the content providers to track the user across multiple web sites.

When InPrivate Filtering is used, some web sites might be prevented from automatically sharing details about the visit with the providers whose content is displayed.  As a result, some content might be automatically blocked (such as weather information or advertisements).  The user can manually allow blocked content by adjusting the InPrivate Filtering settings.

PrivacIE INDEX.DAT Entries

When performing a forensic examination of INDEX entries from Internet Explorer, you may come across numerous PrivacIE Type entries.  These entries are URL records for third-party content providers.

If the user has InPrivate Filtering on, the PrivacIE INDEX.DAT stores the URLs of third-party content.  These entries are not InPrivate Browsing records.  InPrivate Filtering helps prevent website content providers from collecting information about sites the user has visited.

For example, the Digital Detective web sites use Google Analytics to track information about visitors to our sites.  Google tracks the data and provides webmasters with analytical tools to review the results.

If you switch InPrivate filtering on and visit the Digital Detective Website, you will find two entries in the PrivacIE INDEX which get generated from the visit.

[Image: PrivacIE Google entries]

The first entry is a web bug which takes the Google Analytics information as a command line parameter.  The second entry is a Google Analytics script.
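To show how such entries can be pulled out of a PrivacIE INDEX.DAT for review, here is an added example (not part of the original post and not NetAnalysis code) that walks the file block by block and lists the URL records whose string begins with PrivacIE:. The record layout it relies on (128-byte blocks, a "URL " signature, the block count at offset 4 and the URL string offset at 0x34) is assumed from public descriptions of the index.dat format, the PrivacIE: prefix is taken from the form quoted in the comments below, and the sample file is constructed.

```python
import struct

BLOCK = 0x80             # records are allocated in 128-byte blocks (assumed layout)
URL_OFFSET_FIELD = 0x34  # where a "URL " record stores the offset of its URL string (assumed)
PREFIX = b"PrivacIE:"    # prefix as quoted in the comments on this post

def privacie_urls(data: bytes):
    """Return (file_offset, url) for each URL record whose string starts with PrivacIE:."""
    hits, pos = [], 0
    while pos + BLOCK <= len(data):
        if data[pos:pos + 4] != b"URL ":
            pos += BLOCK                      # header, hash table, other record types
            continue
        (blocks,) = struct.unpack_from("<I", data, pos + 4)
        size = blocks * BLOCK
        if blocks == 0 or pos + size > len(data):
            pos += BLOCK                      # corrupt or truncated record: resync
            continue
        record = data[pos:pos + size]
        (url_off,) = struct.unpack_from("<I", record, URL_OFFSET_FIELD)
        if URL_OFFSET_FIELD + 4 <= url_off < size:
            end = record.find(b"\x00", url_off)
            raw = record[url_off:end if end != -1 else size]
            if raw.startswith(PREFIX):
                hits.append((pos, raw.decode("latin-1")))
        pos += size
    return hits

def _record(sig: bytes, url: bytes, blocks: int = 2) -> bytes:
    """Constructed record for the demo, not taken from a real index.dat."""
    rec = bytearray(blocks * BLOCK)
    rec[0:4] = sig
    struct.pack_into("<I", rec, 4, blocks)
    struct.pack_into("<I", rec, URL_OFFSET_FIELD, 0x68)
    rec[0x68:0x68 + len(url)] = url
    return bytes(rec)

def sample_index() -> bytes:
    """Constructed file: header block, three URL records and one LEAK record."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    return (header
            + _record(b"URL ", b"PrivacIE:tracker.example/collect.gif?id=1")
            + _record(b"URL ", b"Visited: user@http://www.example.org/")
            + _record(b"LEAK", b"PrivacIE:stale.example/a.js")
            + _record(b"URL ", b"PrivacIE:tracker.example/script.js"))

if __name__ == "__main__":
    for offset, url in privacie_urls(sample_index()):
        print(f"0x{offset:06x}  {url}")
```

Only records with the "URL " signature are reported; the LEAK record in the sample is skipped, and a record whose block count runs past the end of the file is treated as truncated.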

Removing InPrivate Filter Entries

The user can remove the (PrivacIE) entries relating to InPrivate Filtering in the same way as clearing the History or Cache.  In the Delete Browsing History dialogue, there is an entry for InPrivate Filtering as shown below. 

[Image: Remove InPrivate Filtering data]

Internet Explorer can also be configured not to record this information, even if the functionality is active.

[Image: InPrivate do not collect data]

Recovering Evidence of InPrivate Browsing


I will post an article at a later date regarding InPrivate browsing and the recovery of InPrivate history.

The original KB Article is here: KB80054 What are Internet Explorer PrivacIE Entries

3 comments:

  1. Uh, what? This article says, "PrivacIE entries are not from InPrivate browsing sessions." and then later on says, "If you switch InPrivate filtering on and visit the Digital Detective Website, you will find two entries in the PrivacIE INDEX which get generated from the visit."

    Aren't those two entries contradictory?

  2. No, they are not contradictory. One is referring to InPrivate browsing, and the other refers to InPrivate filtering. They are two different things.

  3. So what I'm hearing is that privacie entries are not created due to someone being in "InPrivate browsing" mode and visiting the site that is associated with the privacie record(s). It is due to "InPrivate filtering" being on when a site is visited and access to a third-party site could otherwise have caused "private" information to be shared.

    Here's my question: I think I know the answer based on the above description, but if there are privacie entries associated with badsite (privacie:badsite.com/....), then that is an indication that badsite.com WAS visited, correct?

    And since I'm on the subject of InPrivate browsing, how common is it to be able to observe any history records that were in temporary use while InPrivate browsing was turned on, or does IE do a pretty good job of not storing data in the first place or of cleaning everything that happens while in InPrivate browsing? Are there techniques for recovering such records? In our shop we use EnCase for forensics but we rely on NetAnalysis to process the index.dat, sqlite, etc. files we recover and/or extract. Thanks!
