Safari’s Private Browsing feature may not be so private after all. Well, at least in part. I was thinking about this as I was checking out a new Quarantine Event forensic plugin in RECON for Mac OS X. I did a test on OS 10.10 where I downloaded a file using a “Private Window” in Safari. This is suppose to protect my web browsing activity by not recording it. I navigated to a website and downloaded a .dmg file that I knew would trigger a warning in Quarantine Events. I went back and, using RECON for Mac OS X, checked out the recovered data from my Quarantine Events database. There it was, sitting right in front of me, the website I went to and the file I downloaded complete with the date and time. RECON even told me I used Safari.
So it looks like even though Private Windows keeps some activity anonymous the Quarantine Events database still records certain web browsing activity. This information has obvious value to Mac Forensic Analysts.