Safari’s Private Browsing feature may not be so private after all.  Well, at least in part.  I was thinking about this as I was checking out a new Quarantine Event forensic plugin in RECON for Mac OS X.  I did a test on OS 10.10 where I downloaded a file using a “Private Window” in Safari.  This is suppose to protect my web browsing activity by not recording it.  I navigated to a website and downloaded a .dmg file that I knew would trigger a warning in Quarantine Events.  I went back and, using RECON for Mac OS X, checked out the recovered data from my Quarantine Events database.  There it was, sitting right in front of me, the website I went to and the file I downloaded complete with the date and time.  RECON even told me I used Safari.

Screen Shot 2014-12-05 at 1.54.31 PM


So it looks like even though Private Windows keeps some activity anonymous the Quarantine Events database still records certain web browsing activity.  This information has obvious value to Mac Forensic Analysts.