I have a CLI app in .NET Core 3 that is supposed to sit in your apps folder you have in your path, do something when you run it, then exit. Unfortunately, it needs a single line of configuration (an API key), which I store in a text file. I want to keep the app portable (i.e. avoid going into other directories), so I want to store the config file right next to the executable. And since I want it to be small and easily distributed, I set up .NET to merge and prune the EXE on build. (I think I got the idea from your blog btw, thanks! :) It is a simple app that does a single task, so I figure it should be one EXE, not 50 megabytes in 80 files. And there the problem lies: If the config file is right next to the exe, I need to know where the exe is located. BUT, it seems that when I have the entire app built into a single EXE like this, .NET actually extracts the embedded DLL to some temporary location in my filesystem, then runs it from there. Every method for finding the startup assembly's location I have found, either by googling or exploring with reflection while it runs, only gives me the location in the temp directory, not the one where the app was actually launched from. The app then attempts to load the config file from this temp directory, which obviously fails.
The Internet is an essential tool for everyday tasks. Aside from common use, the option to browse the Internet privately is a desirable attribute. However, this can create a problem when private Internet sessions become hidden from computer forensic investigators in need of evidence. Our primary focus in this research is to discover residual artifacts from private and portable web browsing sessions. In addition, the artifacts must contain more than just file fragments and enough to establish an affirmative link between user and session. Certain aspects of this topic have triggered many questions, but there have never been enough authoritative answers to follow. As a result, we propose a new methodology for analyzing private and portable web browsing artifacts. Our research will serve to be a significant resource for law enforcement, computer forensic investigators, and the digital forensics research community.
According to one study [1] there are two private browsing objectives. The first objective is to allow users to browse the Internet without leaving any trace. The second is to allow users to browse the Internet while limiting identity discoverability to websites. While both of these goals are important, our research will focus on discovering information from local storage devices since the majority of computer investigations involve search and seizure of local machines. One alternative to using private browsing modes is to surf the Internet using a portable web browser, such as one stored on a Universal Serial Bus (USB) flash drive. Therefore, web browsing sessions are more likely to be stored on the portable storage device itself instead of the computer or host machine.
Private and portable web browsing artifacts, such as usernames, electronic communication, browsing history, images, and videos, may contain significant evidence to an examiner. Prior research in this area is very limited. Referring back to one of the main studies on private browsing modes [1], this research lacks an in-depth analysis of deleted and volatile information pertaining to private browsing sessions. In another study focused on portable web browsers [2], many statements were made without the basis of true experimental findings. Furthermore, there are virtually no published studies on residual artifacts from current portable web browsers existing on host machines. In the past, similar studies have been conducted on the SanDisk U3 flash drive and its portable applications. Since U3-USB devices had a pre-installed read-only partition, it was challenging for forensic investigators to discover electronic evidence. In late 2009, SanDisk began phasing out support for U3 Technology, and it has been discontinued because of many irresolvable issues [3].
Private and portable web browsing artifacts can be extremely valuable. Prior research either lacks significant findings or does not provide sufficient answers. We plan to overcome these shortcomings by analyzing both allocated and unallocated space on entire disks while measuring our results against multiple web browsers. Furthermore, we plan to analyze volatile data that may be available in an incident response.
This paper is organized as follows: Section 2 provides a list of background terms. Section 3 describes prior and related work in private browsing modes and portable web browsers. Section 4 discusses the four major browsers and their privacy capabilities. Section 5 discusses several different portable web browsers. Section 6 details the implementation and experiments. Sections 7 and 8 conclude the paper with some open questions, future work, and discussion.
One study on portable web browsers [2] explained that portable web browsing artifacts are primarily stored where the installation folder is located (removable disk). Residual artifacts, such as USB identifiers and portable programs, can be discovered by analyzing the Windows Registry and Windows Prefetch files. Furthermore, they state that if the removable disk is not accessible to the investigator, it is impossible to trace any further information. In regard to portable software discoverability, the researchers stated that it was difficult to determine portable web browser usage on a host machine. The majority of these statements were made without the basis of any true experimental findings. Therefore, every one of these statements will be fully tested in our research to determine authoritative answers. We plan to recover significant residual artifacts located on host machines testing several different portable web browsers. Even though USB identifiers are important to obtain, it is even more important to establish an affirmative link between user and session.
In comparison to current portable software, SanDisk and Microsoft worked together many years ago on a project called U3 Technology [5]. Essentially, the idea was to allow consumers to carry a portable disk containing personalized files and web browsers. U3 flash drives were pre-installed with a U3 Launchpad, similar to an OS start menu with various programs installed. There are two partitions to the U3 flash drive structure: one is a mass storage device and the other is a virtual CD-ROM. The virtual partition was actually an ISO image, which was why information was read but not written to the disk. According to one study [6], U3 devices created a folder on host machines and recorded user activity. Once the disk was ejected, a cleanup program was executed and automatically removed all user activity from that system. By analyzing the Windows Prefetch files, researchers were able to identify which programs were run from the U3 device.
In another study on battling U3 anti-forensics [7], U3 identifiers were discovered as well by analyzing the Windows Registry and Prefetch directory. The majority of traces were located within slack space and free space of the hard drive. For this reason, our research experiments will be conducted using separate physical hard drives to incorporate the possibility of discovering data within these areas. Even though sufficient evidence was obtained to support which U3 programs were launched, it was still extremely difficult for researchers to identify other significant artifacts. We will probably face the same barriers in our research. Overall, the U3 portable disk provided a sense of privacy and personalization to users. Over time, there had been numerous complaints about U3 devices such as potential incompatibility and malware-like behavior. SanDisk began phasing out support for U3 Technology in late 2009 [3] and the U3 disk has been discontinued.
To allow for certain portable browsers to work, a free program called PortableApps [12] was used for this research. PortableApps is similar to the previously mentioned U3 Launchpad in that it allows you to take portable applications with you as you go. It is based on an open source platform and will work with almost any portable storage device. Figure 1 shows how the launchpad is structured. In our study, the application was installed on a USB flash drive. Three portable web browsers were selected through PortableApps: Mozilla Firefox Portable 18.0.1 [13], Google Chrome Portable 24.0.1312.52 [14], and Opera Portable 12.12 [15]. Apple Safari Portable was not selected because it was not in fact portable. The most updated version located was not a standalone executable program and it had to be installed onto the machine. According to Mozilla, the Portable Edition leaves no personal information behind on the machine it runs on [13]. All the portable browsers were essentially designed for users to carry customized browsers without leaving traces on machines. That is why artifacts, such as web browsing history, passwords, and auto-fill forms, are stored where the portable browser installation folder is located. Privacy modes can also be enabled to help block flash cookies and other artifacts from being stored within the installation folder.
Next, each disk was installed with only one specific Internet browser pre-loaded from an external hard drive, except for the portable applications. The web browsers installed were Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Google Chrome. Each browser was configured to launch automatically into private browsing mode except for Safari, which had to be done manually. It is important to note that, since prior research [1] showed browser plug-ins and extensions to weaken private browsing sessions, none were installed. It is also important to note that everything was pre-configured before connecting to the Internet. Figure 2 shows the hard drives being configured and labeled.