Authors - Lavu Uha Saranya, T.V.S.S. Reddy, I.V.M.K. Sarma, Dipesh Kumar Kushwaha, T.N.V.D. Sai Krishna Abstract - Digital Forensic investigations have typically focused on the identification of private browsing at the application layer using artifacts from memory and disk, as well as the fact that modern browsers rely extensively on the operating system for fundamental capabilities such as rendering, input processing, and networking. This paper extends the forensic scope by demonstrating that session Data related to private Sessions remain in shared Subsystems of the OS in Volatile Memory. In particular, This paper examines the three primary components of the linux desktop environment: the display compositor (GNOME shell); the Input Pipeline (IBus Daemon); and the network resolver (systemdresolved). utilizing physical memory acquisitions via LiME on an ubuntu 25.04 System, This paper monitored the migration of high entropy inputs across these subsystems. The results of this research indicate that critical session data including: Window metadata associated with wayland sessions; Plaintext keystroke data received through D-Bus; and fallback queries made via DNS-over-HTTPS were found to remain in OS Managed Memory for extended periods of time after the conclusion of the private browsing session. The author provides a reproducible framework for analysis of memory associated with the OS level and demonstrates that browser based privacy controls are structurally insufficient to fully sanitize volatile memory.
Open Zoom