Forensic analysis of epic privacy browser on windows operating systems

Internet security can be compromised not only through the threat of malware, fraud, system intrusion or damage, but also via the tracking of internet activity. Criminals are using numerous methods to access data in the highly lucrative cybercrime business. Organized crime, as well as individual users, are benefiting from the protection of Virtual Private Networks (VPNs) and private browsers, such as Tor, Epic Privacy, to carry out illegal activity such as money laundering, drug dealing, the trade of child pornography, etc. News articles advising on internet privacy assisted in educating the public and a new era of private browsing arose. Although these measures were designed to protect legitimate browsing privacy, they also provided a means to conceal illegal activity. One such tool released for private browsing was Epic Privacy Browser. It is currently used in approximately 180 countries worldwide. Epic Privacy Browser is promoted as a chromium powered browser, specifically engineered to protect users' privacy. It operates solely in "private browser" mode and, after the close of the browsing session, it automatically deletes all browsing data. The developers of Epic Privacy Browser claim that all traces of user activity will be cleared upon close of the application. However, there is no forensic acquisition and analysis of Epic Privacy Browser in literature. In this paper, we contribute towards the goal of assisting forensic examiners with the location and type of evidence available through live and post-mortem state analysis of the Epic Privacy Browser on Windows 7 and Windows 10. This analysis identifies how the browser functions during use and where data can be recovered once the browser is closed, the necessary tools that will assist in the forensics discovery, and effective presentation of the recovered material.