Article

Empirical Evaluation of Android Browser Forensics and Artifact Persistence

by Paraskevas Giannakopoulos 1, Christos Smiliotopoulos 2,* and Georgios Kambourakis 1

1 Department of Information & Communication Systems Engineering, University of the Aegean, 83200 Karlovasi, Greece
2 Department of Information Technologies, Technology and Innovation School, University of Limassol, 3025 Limassol, Cyprus
* Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2026, 6(3), 78; https://doi.org/10.3390/jcp6030078
Submission received: 6 March 2026 / Revised: 19 April 2026 / Accepted: 21 April 2026 / Published: 1 May 2026
(This article belongs to the Special Issue Cyber Security and Digital Forensics—3rd Edition)

Abstract

The widespread adoption of mobile devices has rendered mobile browsers critical repositories of sensitive personal and organizational data, making their analysis a cornerstone of modern digital forensics. This paper presents a systematic empirical evaluation of the forensic recoverability and interpretability of data from popular mobile browsers (Chrome, Firefox, Tor, DuckDuckGo, and Brave) on authentic Android 13 devices. By utilizing a rooted environment to bypass application sandboxing, we introduce a standardized scoring framework to quantify and compare the residual digital footprints left across diverse usage scenarios, including standard browsing, manual data deletion, and private/incognito modes. The study details a hybrid acquisition methodology that integrates persistent storage analysis with custom volatile memory extraction routines to capture ephemeral process data. Through a suite of controlled, realistic scenarios—encompassing form filling, virtual transactions, and anti-forensic activities—the results demonstrate that significant portions of user activity remained recoverable within the tested and evaluated experimental environment and browser configurations despite aggressive privacy-enhancing measures. Our findings reveal that while private modes effectively minimize the persistent filesystem footprint, volatile memory remains a fertile source of cleartext credentials and session identifiers. This recovery is particularly pronounced in Chromium-based browsers, whereas privacy-centric alternatives like Tor exhibit higher forensic resilience. Ultimately, this research underscores the importance of volatile memory acquisition in mobile investigations and provides an experimental systematic approach for evaluating the trade-offs between browser usability and forensic traceability in contemporary Android environments, demonstrating potential applicability to subsequent Android iterations.

1. Introduction

The widespread integration of mobile devices into both individual and corporate environments has profoundly reshaped digital ecosystems and placed mobile web browsers at the epicenter of modern Internet access and information exchange. Modern users increasingly rely on smartphones and tablets to perform a wide spectrum of activities, including online communication, financial transactions, social networking, and interaction with cloud-based services. This has turned mobile devices into rich corpuses of user-generated and application-driven data, much of which holds strong evidentiary value. In this context, mobile browser functionality encompasses not merely interface-related web content but also active sources of residual data that embody user intent and patterns of operating system (OS) interaction [1].
From a digital forensics point of view, recovering and examining browser-related artifacts is an essential part of any focused investigative methodology. It enables the reconstruction of user activities, even in circumstances where users attempt to conceal their actions through deletion, cache clearing, or the use of private browsing (incognito) modes. Browser remnants, incorporating history databases, cookies, cached objects, and local storage entries, often persist beyond user expectations, providing forensic analysts with valuable insights into prior device usage. However, the interpretation of such artifacts is inherently challenging; human-driven activity is shaped by uncertainty and contextual ambiguity, meaning digital traces cannot always be clearly identified as benign or malicious. During the last decade, novel Mobile Forensic (MF) methodologies have emerged, leveraging Hard Computing (HC) techniques to improve automation and analytical precision [2,3]. While these approaches have advanced the extraction and classification of digital artifacts, their deterministic nature may limit effectiveness when confronted with the inherent ambiguity of user activity. Consequently, there is a growing need for systematic, empirically grounded methodologies that integrate expert knowledge towards enhancing the consistency of forensic interpretation.
Motivated by these challenges, the work at hand contributes to improving the reliability and interpretability of mobile browser forensic analysis. The primary objective of this research is to empirically assess the extent to which user activities can be reconstructed from Android devices under realistic operational conditions. This investigation is further complicated by several contemporary forensic challenges, including the widespread use of the Android Keystore for credential encryption, the deliberate data minimization related to private browsing modes, and the substantial fragmentation across browser versions along with manufacturer-specific operating system modifications [4,5]. Successful recovery therefore necessitates a hybrid data extraction-oriented strategy incorporating persistence methods (e.g., SQLite databases and JSON files) combined with memory acquisition techniques capable of capturing ephemeral session tokens and volatile cookies [6,7].
Based upon existing knowledge and preliminary testing, the following hypotheses are formulated to guide the empirical evaluation of recoverability across storage layers and browsing scenarios:
  • H1: A substantial portion of user activity can be reconstructed from browser artifacts, even following deletion attempts.
  • H2: The deployment of custom scripts for RAM extraction significantly enhances forensic recovery by providing reliable, complementary data that is absent from persistent storage.
  • H3: Private browsing and history clearing diminish, but do not entirely preclude, artifact recovery.
  • H4: Different browsers exhibit differential levels of forensic resilience.
This work advances the hypothesis that user activity on mobile devices may remain forensically recoverable under controlled experimental conditions, even in the presence of contemporary privacy-preserving technologies. Residual artifacts residing in both volatile memory (RAM) and persistent storage remain potentially recoverable through the application of specialized forensic acquisition techniques within a rooted device environment. To validate this, a series of controlled yet representative real-life scenarios were systematically executed on authentic Android devices, as detailed in Section 4. Artifact persistence was scrutinized across five primary scenarios: Simple use (standard browsing/form-filling), Memory dump (direct acquisition via custom scripts), Clear history (post-browsing deletion), Combined scenario (deletion followed by RAM acquisition), and Private search (exclusive incognito mode usage).
Moreover, the artifacts generated under these experimental scenarios were systematically analyzed to assess the practical efficacy of contemporary digital forensic methodologies. We formulate the following research questions (RQs) to serve as guidance for the empirical evaluation:
  • RQ1: To what extent can browser artifacts be recovered from authentic Android devices?
  • RQ2: How does the utilization of Incognito/private browsing affect artifact recovery?
  • RQ3: What is the efficacy of RAM dumps in reconstructing user activity?
  • RQ4: How do different browsers compare in terms of recoverable artifacts?
  • RQ5: How does explicit user-driven data deletion (e.g., “Clear History”) influence artifact availability across persistent storage and volatile memory?
  • RQ6: To what extent are user-initiated anti-forensic actions (clearing browsing history or using private browsing mode) effective in eliminating traces?
  • RQ7: How do different browser configurations influence artifact recoverability?
All in all, these research questions form the basis for the empirical approach applied to the persistent storage analysis, volatile memory acquisition, and controlled user interaction scenarios that constitute the core contributions of this study. The hypotheses listed above are further contextualized in the experimental procedure through these research questions. More specifically, H1 corresponds to the overall recoverability of extracted browser artifacts across real-life case study scenarios (RQ1, RQ5); H2 is dedicated to evaluating the contribution of volatile memory to the acquisition of evidentiary elements (RQ3); H3 examines the impact of private browsing (incognito) mode and browser memory deletion upon digital footprints (RQ2, RQ6); and H4 considers browser-specific differences in forensic resistance. Moreover, based on the above research questions, this manuscript delivers several key contributions to the field of mobile browser forensics, including the development of a robust methodology for dual-source acquisition (disk and RAM) from rooted devices, the creation of a suite of reproducible usage scenarios for future benchmarking, and an empirical comparison of five major browsers (Chrome, Firefox, Tor, DuckDuckGo, and Brave) under realistic forensic conditions. Although research questions concerning cross-tool reliability and the long-term persistence of artifacts following device restarts constitute important avenues for future investigation, they fall beyond the scope of the present study.
The remainder of this paper is structured as follows: Section 2 reviews the published literature. Section 3 presents the theoretical background. Section 4 describes the experimental methodology and testbed, while Section 5 discusses results regarding volatile and persistent artifacts. Section 6 offers a discussion structured around the RQs, and Section 7 concludes the study. For easier guidance throughout the manuscript, a list of abbreviations is included at the end of the article.

2. Related Work

Mobile browser forensics has witnessed remarkable growth in the past decade, reflecting the dynamic development of mobile Operating Systems (OSs), applications, and privacy-preserving techniques. Initially, researchers mainly concentrated on identifying and extracting evidence from persistent storage media. In this regard, Mahajan et al. [8] undertook a forensic analysis of Android-based applications, involving logical extraction through Cellebrite’s Universal Forensic Extraction Device (UFED) followed by a manual analysis of SQLite database files. Their experiments demonstrated the reliable recovery of chat logs, contacts, and multimedia content; however, the study was conducted exclusively on filesystem items. Volatile memory and private browsing modes were not examined, making the study’s application to privacy-preserving browsing minimal.
Alghafli et al. [9] extended the perspectives of MF acquisition by proposing a comprehensive taxonomy that categorizes methodologies into manual, logical, physical, and chip-off techniques. Leveraging tools such as Oxygen Phone Manager and Paraben Cell Seizure, they established key methodological trade-offs, finding that logical acquisition was easier to implement but ineffective at retrieving deleted data. However, browser-specific forensic activities and private browsing remained outside their scope. Furthermore, Thing et al. [7] focused on the volatile nature of MF evidentiary data by proposing an automated live memory forensic framework for Android. The research demonstrated that vital evidence, such as sent messages, can be found solely in volatile memory; however, an assessment of mobile browser activities was excluded.
Fernández-Fuentes et al. [10,11] contributed significantly to the evaluation of private browsing. In [11], the authors presented a five-stage monitoring framework dedicated to assessing private modes, incorporating file system monitoring via inotifywait and RAM acquisition via LiME. Their results indicated that while private browsing was effective against persistent artifacts, sensitive data, including credentials and URLs, could be recovered from memory. In [10], they further investigated artifact persistence at different temporal acquisition points (T1–T4), demonstrating that volatile memory contained high-value evidence even after browser shutdown [12]. While impactful, these studies were conducted on Linux desktop environments; similar research on modern mobile browsers has yet to be fully realized.
Husain et al. [13] presented the iPhone Forensic Framework (iFF) for low-cost acquisition, leveraging logical extraction of iTunes backups. While providing an accessible solution for resource-constrained investigations, it did not investigate private mode leakage or volatile memory remnants. Similarly, Barmpatsalou et al. [2,3] advanced intelligent forensic analysis using Neural Networks and Adaptive Neuro-Fuzzy Inference System (ANFIS) to detect suspicious communication patterns. Collectively, these studies moved the field toward hybrid and memory-aware approaches but did not specifically examine the forensic footprint of modern mobile browsers.
The ongoing evolution of forensic methodologies underscores the need for sophisticated frameworks and innovative evidence collection [14]. To address the challenges of private browsing, the Chracer methodology [15] enables the systematic extraction of artifacts from the volatile memory of Chromium-based browsers. Furthermore, computational solutions such as machine learning [16] and distributed ledger frameworks [17] are leveraged to automate data analysis and verify the integrity of the chain of custody in mobile cloud environments. In parallel with these technical advancements, recent research by Moreb et al. [18] and Rawtani et al. [19] emphasizes structured investigative workflows and the adaptation of tools to increasingly complex criminal tactics. In practice, comparative studies of industry-standard tools, including Autopsy, Belkasoft X, and Magnet AXIOM [20], provide critical benchmarks for selecting effective extraction methods within a unified forensic process.
In summary, despite substantial progress, a significant proportion of prior work continues to rely primarily on persistent storage acquisition, with limited integration of volatile memory analysis, particularly regarding contemporary Android environments. Moreover, many existing investigations have been conducted in emulated settings, which often fail to capture the hardware-specific constraints and artifact persistence characteristics observed on physical devices. Recent Android security enhancements, including reinforced sandboxing, hardware-backed keystores, and aggressive data minimization in private browsing modes, further complicate recoverability and necessitate updated experimental frameworks. Furthermore, few studies provide systematic cross-browser comparisons on modern platforms under realistic conditions. To address these gaps, this manuscript introduces a hybrid acquisition methodology integrating persistent and volatile memory analysis across five widely used mobile browsers on a physical Android 13 device. A key contribution is the proposal of the Recoverability Score (RSb), a structured metric designed to provide a comparative assessment of forensic exposure across heterogeneous artifact categories.
The key characteristics of every study discussed in this section are summarized in Table 1, which also includes the positioning of the current study.

3. Background

This section establishes the technical and procedural foundations of digital forensic practice, with particular emphasis on the architectural constraints of the Android ecosystem and the inherent tensions associated with forensic data acquisition.

3.1. Core Concepts and Forensic Artifacts

Digital forensics is the systematic identification, preservation, and analysis of electronic evidence. In mobile environments, this relies on the extraction of forensic artifacts, i.e., residual data traces produced by user or system activity. These artifacts are categorized by their state of persistence:
  • Persistent storage: Data written to the flash-based file system, typically stored within SQLite databases (e.g., History, Cookies) or structured XML and JSON files.
  • Volatile memory (RAM): Ephemeral data, including active session tokens, decrypted credentials, and memory-resident browser artifacts, which are typically lost upon process termination or device power loss.

3.2. The Acquisition Paradox: Accessibility vs. Admissibility

To access the sandboxed /data/ partition or perform a physical acquisition of a mobile device, investigators often require elevated system privileges, typically achieved through rooting (Android) or jailbreaking (iOS). However, from a digital forensic perspective, such procedures introduce a critical vulnerability with respect to evidentiary integrity and the preservation of forensic soundness.
Rooting inherently modifies the system partition, alters bootloaders, and may inject binaries into the OS. Such modifications conflict with the fundamental forensic principle of data immutability. In a judicial context, these changes can lead to challenges regarding the admissibility of evidence, as the state of the device is fundamentally altered during the acquisition process. Consequently, scientific research in this domain must carefully balance the requirement for root-level access to enable deep-tier forensic analysis with the necessity to preserve evidentiary integrity through rigorous documentation and the controlled use of non-persistent, bootloader-level exploitation techniques (e.g., custom recovery environments) designed to minimize the forensic footprint.

3.3. Web Browser Architectures on Android

Mobile browsers constitute high-value targets for forensic reconstruction due to the sensitive nature and evidentiary relevance of the data they manage within the Android operating environment.

3.3.1. Storage and Directory Structures

Browsers operate within sandboxed directories, usually located at /data/data/[package.name]. While implementations vary, they generally follow engine-specific patterns:
  • Chromium-based (Chrome, Brave): Utilize a Default/ directory containing SQLite databases. Notably, while these browsers store autofill metadata (e.g., cardholder name and expiration date), they typically do not store CVV/CVC codes locally. This practice ensures compliance with the Payment Card Industry Data Security Standard (PCI DSS), an internationally recognized security framework that prohibits the persistent storage of sensitive authentication data following authorization in order to mitigate fraud risks arising from local system compromise.
  • Gecko-based (Firefox, Tor): Employ a profile-based structure (e.g., *.default-release/). They store history in places.sqlite and session state in JSONLZ4 compressed files, which require specialized parsing for reconstruction.
  • Privacy-focused (DuckDuckGo): Prioritize data minimization, where many session artifacts remain strictly volatile and are never committed to persistent storage.

3.3.2. Security and Encryption

To safeguard user data, Android browsers leverage hardware-backed Keystores. Sensitive fields, such as saved credentials, are encrypted via AES. Decryption typically requires the extraction of cryptographic keys from the Android Keystore system, a process that frequently necessitates a live, rooted execution environment or specialized bypass techniques to access memory-resident cleartext artifacts.
The exposure of credentials and session tokens in cleartext form carries security implications that extend substantially beyond the risks of account compromise and unauthorized access. Within modern cloud-integrated ecosystems, such exposures may further serve as vectors for advanced inference attacks, whereby adversaries exploit session-level metadata to derive sensitive user behavioral patterns or infer service utilization characteristics. Furthermore, compromising access to specialized accounts—particularly those associated with artificial intelligence development platforms or cloud-based analytics—may facilitate the reverse-engineering of proprietary models. By hijacking active sessions, an adversary may potentially infer information concerning underlying algorithmic structures or properties of the associated training data, thereby compromising both the intellectual property and operational security of the targeted machine learning services.

3.4. Normal vs. Private Browsing Modes

The forensic distinction between browsing modes is defined by storage persistence. Table 2 summarizes these behaviors.
Notwithstanding the intended privacy guarantees of private browsing mode, forensic recovery of residual activity may remain feasible through volatile memory acquisition (i.e., capturing RAM while the session remains active) and the analysis of operating system-level data leakage. Examples include DNS cache entries and swap space artifacts, within which the operating system may transiently retain traces of browser activity.

4. Methodology

This study employs a systematic methodology for mobile browser forensics, integrating controlled testbed construction, scenario-based experimentation, and multi-modal artifact extraction. The approach synthesizes established frameworks for persistent storage analysis with advanced volatile memory acquisition techniques to achieve a comprehensive reconstruction of user activity [4,6,8,10].

4.1. Testbed

A dedicated forensic environment was established consisting of a physical mobile device and a Kali Linux workstation. The target device, a Xiaomi Redmi Note 4 (mido), features a Qualcomm Snapdragon 625 SoC, 4 GB of RAM, and 64 GB of storage. It runs a ported version of Android 13 (ARM64). To facilitate deep-level artifact access while maintaining environment stability, elevated privileges were obtained via Magisk-based systemless rooting [22], which allows access to protected partitions without permanently altering the /system block, preserving the integrity of the underlying OS. The workstation, a Kali Linux 2024.4 VM, served as the primary analysis node. Connection was maintained via the Android Debug Bridge (ADB) [23], facilitating command execution and data exfiltration. Detailed system specifications are provided in Table 3.

4.2. Data Acquisition

To ensure a comprehensive analysis, two parallel acquisition strategies were implemented. Both methods followed a strict protocol to maintain forensic soundness, including the use of read-only extraction, MD5/SHA-256 integrity hashing, and comprehensive audit logging of all ADB commands.

4.2.1. Persistent Artifact Acquisition

Persistent artifacts were extracted from the browser’s sandboxed directories (typically /data/data/[package.name]). The workflow involved identifying critical SQLite databases (e.g., History, Cookies, Web Data) and JSON preference files. After read-only extraction via ADB, offline decryption was performed where necessary. Specifically, for Mozilla Firefox, the key4.db and logins.json files were processed using firefox_decrypt [24] to retrieve cleartext credentials.

4.2.2. Volatile Memory Acquisition and Custom Parsing

Capturing ephemeral data, such as active session tokens and private browsing fragments, required targeted memory dumps. Since standard tools often struggle with the aggressive memory management of Android 13, a custom Bash script was developed to automate the extraction of specific process memory via the Linux procfs virtual filesystem [25]. Algorithm 1 details the procedure for isolating and dumping readable virtual memory segments based on the browser’s Process ID (PID).
The memory segment extraction routine depicted in Algorithm 1 selectively targets all virtual memory regions with read permissions (r), as identified through the /proc/[PID]/maps interface. By focusing on these regions, the acquisition specifically captures the application heap, stack segments, and mapped shared libraries—areas that typically contain sensitive cleartext strings, session identifiers, and credential-related artifacts. Limiting extraction to readable segments minimizes the risk of access violations that occur when attempting to read protected memory areas, thereby improving acquisition reliability. To preserve the atomicity and integrity of the extracted state, the process is suspended via the SIGSTOP signal (Line 4) prior to extraction. This standard forensic practice prevents memory pagination changes and data overwrites, ensuring a synchronized snapshot of the virtual memory space. The process is resumed via the SIGCONT signal (Line 15) only after the extraction is complete. This suspension sequence guarantees the reproducibility of volatile artifacts by isolating the memory state from Android’s dynamic memory management during the acquisition window.
Algorithm 1 Volatile memory acquisition routine for Android applications.
Require: Application package name APP_PACKAGE
Ensure: Per-segment binary dumps for all readable virtual memory regions of each process
 1: Create output directory: /sdcard/memdumps
 2: Obtain PIDs associated with APP_PACKAGE: PIDs ← pidof(APP_PACKAGE)
 3: for each PID in PIDs do
 4:     Suspend process PID: kill -SIGSTOP PID
 5:     Verify process PID is suspended
 6:     Export memory map: save /proc/PID/maps to local storage
 7:     for each entry e in the exported memory map do
 8:         Parse e to obtain address range and permissions
 9:         if permissions include read access (r) then
10:             Compute start and end addresses
11:             size ← end − start
12:             Dump memory slice: dd if=/proc/PID/mem bs=1 skip=start count=size of=/sdcard/memdumps/dump_PID_start.bin
13:         end if
14:     end for
15:     Resume process PID: kill -SIGCONT PID
16:     Log completion for PID
17: end for
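An added illustration of lines 6 to 12 of Algorithm 1 (not the authors' script): it parses a constructed /proc/[PID]/maps excerpt, keeps the readable regions, and converts the hexadecimal bounds into the decimal operands dd expects. The 4 KiB page size, the page-granular bs= variant, the sample map and PID 4242 are assumptions of this example.

```python
import re

PAGE = 4096  # assumption: 4 KiB pages on the examined device

# One /proc/<pid>/maps entry: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample, shaped like the map of an ARM64 Android process.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0                                  [anon:dalvik-main space]
6f2a4000-6f5b1000 r--p 00000000 fd:00 1234                               /system/framework/boot.art
7a10000000-7a10200000 ---p 00000000 00:00 0                              [anon:guard]
7a1c3d1000-7a1c4f2000 r-xp 00000000 fd:00 5678                           /system/lib64/libc.so
7fd93e1000-7fd9402000 rw-p 00000000 00:00 0                              [stack]
"""


def readable_regions(maps_text):
    """Lines 7-11 of Algorithm 1: keep entries whose permissions include 'r'."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated line
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms = m.group(3)
        if "r" not in perms or end <= start:
            continue  # e.g. guard pages mapped ---p
        regions.append({
            "start": start,
            "size": end - start,
            "perms": perms,
            "name": m.group(4).strip(),
        })
    return regions


def dd_command(pid, region, outdir="/sdcard/memdumps"):
    """Line 12 of Algorithm 1 with decimal operands.

    maps prints addresses in hex, while dd's skip= and count= are decimal
    and are counted in units of bs. When both bounds are page-aligned the
    same bytes can be read with bs=PAGE instead of bs=1.
    """
    start, size = region["start"], region["size"]
    if start % PAGE == 0 and size % PAGE == 0:
        bs, skip, count = PAGE, start // PAGE, size // PAGE
    else:
        bs, skip, count = 1, start, size
    return (f"dd if=/proc/{pid}/mem bs={bs} skip={skip} count={count} "
            f"of={outdir}/dump_{pid}_{start:x}.bin")


def plan(pid, maps_text):
    """Return (total bytes to acquire, list of dd command lines)."""
    regions = readable_regions(maps_text)
    return sum(r["size"] for r in regions), [dd_command(pid, r) for r in regions]


if __name__ == "__main__":
    total, commands = plan(4242, SAMPLE_MAPS)  # 4242: constructed PID
    print(f"{len(commands)} readable regions, {total} bytes")
    for cmd in commands:
        print(cmd)
```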
Post-acquisition, the raw binary segments were parsed using Unix-standard utilities (strings, grep, hexdump) to identify patterns associated with HTTP headers, JWT tokens, and URL structures.
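One way to triage dumped segments for the patterns named above, as an added example rather than the authors' tooling: candidate JWTs are kept only if their header and payload decode to JSON, which removes most of the false positives a plain strings/grep pass reports. The sample buffer, host name and token are constructed.

```python
import base64
import json
import re

# Three base64url segments separated by dots. A compact JSON object whose
# first key starts with a letter encodes to a string beginning "eyJ".
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{16,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,}")
HDR_RE = re.compile(rb"(?i)\b(Set-Cookie|Cookie|Authorization): ([^\r\n\x00]{1,512})")


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _json_segment(seg):
    """Decode one base64url JWT segment to JSON; raises ValueError otherwise."""
    return json.loads(base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4)))


def scan_segment(data):
    """Return findings (kind, offset, details) for one raw memory segment."""
    findings = []
    for m in JWT_RE.finditer(data):
        header_b64, payload_b64, _signature = m.group(0).split(b".")
        try:
            header = _json_segment(header_b64)
            claims = _json_segment(payload_b64)
        except ValueError:
            continue  # looked like a token, but the segments are not JSON
        if not isinstance(header, dict) or "alg" not in header:
            continue
        findings.append({"kind": "jwt", "offset": m.start(),
                         "alg": header["alg"], "claims": claims})
    for m in URL_RE.finditer(data):
        findings.append({"kind": "url", "offset": m.start(),
                         "value": m.group(0).decode("ascii")})
    for m in HDR_RE.finditer(data):
        findings.append({"kind": "header", "offset": m.start(),
                         "name": m.group(1).decode("ascii"),
                         "value": m.group(2).decode("ascii", "replace")})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed token: the signature is 32 zero bytes and verifies against nothing.
SAMPLE_TOKEN = b".".join([
    _b64u(b'{"alg":"HS256","typ":"JWT"}'),
    _b64u(b'{"sub":"user-1001","exp":1767225600}'),
    _b64u(b"\x00" * 32),
])
# Matches the JWT regex but does not decode to JSON (a typical false positive).
DECOY = b"eyJxxxxxxxxxxxx.eyJyyyyyyyyyyyy.zzzzzzzzzzzzzzzzzzzz"

# Constructed stand-in for one dump_PID_start.bin segment.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"GET /account HTTP/1.1\r\nHost: portal.example.test\r\n"
    + b"Authorization: Bearer " + SAMPLE_TOKEN + b"\r\n\r\n"
    + b"\x00" * 32
    + b"https://portal.example.test/login?next=%2Faccount\x00"
    + b"\xff\xfe" + DECOY + b"\x00"
)

if __name__ == "__main__":
    for finding in scan_segment(SAMPLE_DUMP):
        print(finding)
```

Offsets are relative to the segment; adding the start address encoded in the dump's file name gives the virtual address of each hit.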

4.3. Experimental Scenarios

The browsers listed in Table 4 (Chrome, Brave, Firefox, DuckDuckGo, and Tor) were analyzed across five distinct scenarios conducted between May and September 2025. To ensure result stability and reproducibility, each scenario was repeated five times under standardized conditions, including the termination of background processes and maintained network latency. Acquisition timing was synchronized across all trials to minimize stochastic variance in artifact availability.
  • Simple use: Standard browsing with persistent data retention. Disk acquisition was performed exactly 60 s after the final user activity to analyze filesystem-level artifacts.
  • Memory dump: Acquisition of volatile RAM during an active session. Dumping was performed 30 s after the final interaction (e.g., field autofill) to capture transient cleartext credentials and session-specific data.
  • Delete data: Analysis of the physical disk following the explicit deletion of browsing history, passwords, and cache via the browser’s settings menu.
  • Delete & memory dump: A hybrid analysis cross-correlating persistent and volatile remnants. RAM acquisition occurred immediately following the “Clear History” command to evaluate immediate memory residency.
  • Incognito Mode: Evaluation of artifact persistence and correlation during private sessions, where data is theoretically restricted to volatile storage.
As already mentioned, to ensure the stability and reproducibility of the results, each experimental scenario was repeated five times per evaluated browser under strictly controlled conditions. These conditions included the termination of background processes and the maintenance of consistent network latency. Furthermore, the timing of data acquisition was standardized across all case-study scenarios. Notably, the observed artifact recovery patterns remained invariant across all repetition cycles, with no significant deviations in the qualitative assessment of persistent or volatile artifact availability.
Building upon the aforementioned regulated repetition procedures, additional safeguard processes were introduced via the strict standardization of acquisition timing across all experimental scenarios to further ensure the consistency and interpretability of artifact persistence measurements. More specifically, for the evaluation of artifact persistence in storage, data collection was conducted 60 s after the conclusion of user activity to allow for any immediate automated cleanup processes to execute. In contrast, volatile memory acquisition followed a tighter window of 30 s. Specifically, memory dumps were triggered immediately following user actions such as autofill execution, session-based navigation, and form submission to capture cleartext credentials and transient session data. Furthermore, in scenarios involving data removal, memory was dumped immediately after the “Clear History” command to identify and quantify the remnants left in volatile memory following explicit user-initiated deletion. These controls ensure that the variations in artifact recoverability reflect systematic browser behavior rather than transient fluctuations in the device state.
Each scenario was evaluated using four primary metrics: Persistent Artifacts (PA), Volatile Artifacts (VA), Cross-Correlation (CORR) success, and Decryption (DEC) feasibility.

4.4. Methodological Challenges and Constraints

While robust, the methodology encountered several inherent technical limitations:
  • Hardware-backed encryption: Credentials protected by the Android Keystore remained largely inaccessible without user-level authentication.
  • Network protocol obfuscation: The use of TLS (RFC 8446) hindered the correlation of device-side artifacts with network-level traffic.
  • Memory ephemerality: The effectiveness of Algorithm 1 is highly dependent on the timing of capture, as Android’s Low Memory Killer (LMK) may terminate background browser processes.

5. Results

This section presents the empirical findings evaluated across the five distinct scenarios of Section 4.3, using the recovery key: ✓ (Full), ⊙ (Partial/Hashed), and × (Absent). The observed consistency across multiple repetitions confirms that the differences in artifact recoverability are a result of systematic browser logic rather than transient, run-based variations.

5.1. Quantitative Baseline: Residual Data Footprint

To establish a baseline, the cumulative data volume recovered from each browser was measured. While data volume is not a direct count of discrete artifacts, it serves as a proxy for potential evidentiary yield, as larger datasets statistically increase the probability of identifying cache fragments, session logs, or credentials. However, a clear distinction must be made between total data volume and its actual forensic significance. Evidentiary value is determined not by storage capacity, but by the presence of high-impact interpretative components, such as passwords, session identifiers, and browsing history. Consequently, Table 5 integrates quantitative metrics with qualitative artifact identification and the Recoverability Score (RSb) to provide a more nuanced assessment of forensic exposure.
As shown in Table 5, DuckDuckGo (6.54 GB), Chrome (6.17 GB), and Firefox (5.72 GB) generated the largest cumulative data volumes across the evaluated scenarios. Notably, DuckDuckGo retained the largest persistent footprint despite its privacy-oriented design. This behavior is primarily attributed to the omission of the SQLite VACUUM command following data deletion, which leaves substantial residual content within SQLite freelists and unallocated storage regions. However, a critical distinction must be maintained between total data volume and its evidentiary significance. While DuckDuckGo’s footprint was quantitatively large, much of the recovered data consisted of low-context fragments. In contrast, browsers like Chrome and Brave, despite having smaller footprints in certain scenarios, yielded high-entropy artifacts such as cleartext passwords and session tokens, representing greater forensic relevance. Conversely, Tor produced the most constrained dataset (1.27 GB), validating its effective ephemeral session handling and aggressive data minimization.
Key quantitative observations:
  • Volatile memory dominance: Scenario 2 (Memory dump) accounted for the majority of recovered data for four of the five browsers, validating Hypothesis H2 that RAM acquisition significantly enhances data yield. For instance, Chrome’s data volume surged from 363 MB in Scenario 1 to 4.6 GB in Scenario 2. Tor was the outlier, with a negligible 12 KB memory dump, suggesting active memory zeroing.
  • Persistence after deletion: DuckDuckGo and Tor retained significantly larger persistent footprints (1.2 GB and 600 MB, respectively) following history clearing (Scenarios 3 & 4) compared to Chromium-based browsers (≈52 MB). This suggests high-volume persistent caching that bypasses standard “clear history” routines.
  • Private browsing residue: Chrome, Brave, and Firefox yielded between 1.1 GB and 1.2 GB of data during private sessions (Scenario 5), confirming that Incognito modes did not preclude forensic recovery within the tested acquisition workflow and browser configurations from temporary filesystem areas or RAM.
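The freelist residue described above can be reproduced on any SQLite file. The following is an added example, not code from the study: it deletes constructed history rows, reads the database file as raw bytes, and compares the state before and after `VACUUM`. The table name `urls`, the marker string, and the function names are hypothetical, and the PRAGMA settings are pinned so the behavior does not depend on how the local SQLite library was compiled.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"constructed-session.example"  # constructed value, not from the study


def header_freelist_pages(raw: bytes) -> int:
    """Freelist page count from the 100-byte SQLite header (offset 36, big-endian)."""
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database file")
    return struct.unpack(">I", raw[36:40])[0]


def snapshot(path: str) -> dict:
    """Read the database file as an examiner would: raw bytes, no SQL layer."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {
        "size": len(raw),
        "freelist_pages": header_freelist_pages(raw),
        "marker_hits": raw.count(MARKER),
    }


def run_demo(rows: int = 500) -> dict:
    """Insert history rows, delete them, then VACUUM; snapshot the file each time."""
    workdir = tempfile.mkdtemp(prefix="freelist_demo_")
    path = os.path.join(workdir, "history.db")
    conn = sqlite3.connect(path, isolation_level=None)  # explicit transactions
    try:
        # Pin the settings that decide whether deleted content survives on disk.
        conn.execute("PRAGMA journal_mode=DELETE")
        conn.execute("PRAGMA auto_vacuum=NONE")
        conn.execute("PRAGMA secure_delete=OFF")
        conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
        conn.execute("BEGIN")
        conn.executemany(
            "INSERT INTO urls (url, title) VALUES (?, ?)",
            [(f"https://{MARKER.decode()}/page?id={i}", f"Constructed page {i}")
             for i in range(rows)],
        )
        conn.execute("COMMIT")
        results = {"populated": snapshot(path)}

        # "Clear history" as a plain DELETE: rows vanish from queries only.
        conn.execute("DELETE FROM urls")
        results["visible_rows_after_delete"] = conn.execute(
            "SELECT COUNT(*) FROM urls").fetchone()[0]
        results["after_delete"] = snapshot(path)

        # VACUUM rebuilds the file, dropping freelist pages and their contents.
        conn.execute("VACUUM")
        results["after_vacuum"] = snapshot(path)
        return results
    finally:
        conn.close()
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    for stage, values in run_demo().items():
        print(stage, values)
```

After the `DELETE`, queries return no rows while the raw file still contains the marker and reports a non-zero freelist; both drop to zero only after `VACUUM`.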

5.2. Qualitative Artifact Analysis by Scenario

5.2.1. Scenario 1: Simple Use

This scenario establishes default retention behavior. As detailed in Table 6, Chrome and Brave exhibited high forensic yields, with cleartext recovery of history and cache. Chrome’s recovery of cleartext login credentials and autofill data, as depicted in Figure 1, confirms a high risk of exposure. Firefox credentials were encrypted but successfully recovered via firefox_decrypt. Notably, Tor was the most resilient among the evaluated browsers under the tested acquisition scenarios, yielding no history, passwords, or session tokens in this persistent-focused scenario. Conversely, DuckDuckGo retained a nearly full suite of artifacts, including session tokens and web cache.

5.2.2. Scenario 2: Memory Dump

The qualitative data in Table 7 demonstrates the power of RAM acquisition for forensic reconstruction. Chrome retained cleartext passwords and autofill data within the heap post-session. Brave showed moderate retention, with salted passwords present in volatile memory. Crucially, while Tor showed no history in the persistent storage of Scenario 1, it yielded recoverable history and session tokens within volatile memory during Scenario 2. Firefox proved more effective at purging sensitive inputs from RAM, with no passwords or session tokens recovered, though web cache and autofill data remained accessible.
A critical distinction must be maintained between volatile artifacts originating from browser-internal memory handling and those influenced by Android’s runtime memory management. The former category includes session tokens, autofill data, and credentials stored in heap-based buffers during active user interaction. Conversely, certain memory fragments may persist due to allocator reuse or delayed page deallocation mechanisms inherent to the operating system, rather than explicit browser logic. Consequently, the volatile artifacts reported here represent a synergistic effect of application-level persistence and platform-specific memory-handling characteristics under the evaluated acquisition conditions.

5.2.3. Scenarios 3 & 4: Data Deletion and Combined Acquisition

These scenarios tested the efficacy of “Clear History” functions. As shown in Table 8, manual deletion often fails to purge high-value artifacts.
  • Chrome resilience: Despite deletion, autofill and session information survived in memory, as seen in Figure 2. Chrome’s reliance on MD5 hashing for payment data provides minimal protection. Interestingly, Table 9 shows that saved passwords were effectively cleared during combined acquisition, yet autofill and card data remained persistent.
  • Firefox metadata: While primary records were cleared, structural metadata regarding closed tabs and deleted entries persisted in the SQLite databases, allowing for partial activity reconstruction.
  • DuckDuckGo efficacy: In contrast to its large quantitative footprint, DuckDuckGo was highly resistant to qualitative recovery in Scenario 4, yielding no session tokens, cache, or credentials.

5.2.4. Scenario 5: Incognito

Results in Table 10 highlight that private modes offer varying degrees of protection. Chrome’s Incognito mode primarily affects user-facing visibility rather than system-level retention, with cookies, history, and cache fragments remaining recoverable. Firefox demonstrated the highest efficacy in this scenario, successfully preventing the retention of browsing history, logins, session tokens, and cache.

5.3. Recoverability Score

To provide a standardized measure of the forensic footprint, we propose the Recoverability Score ($RS_b$). This metric evaluates the quantity, quality, and forensic significance of recoverable artifacts across heterogeneous scenarios:
$$RS_b = \sum_{sc} s_{sc} \cdot \sum_{art} w_{art} \cdot a_{art,b,sc} - P_b$$
where:
  • $b$: The evaluated browser, e.g., Chrome, Firefox, Tor, etc.
  • $sc$: The usage scenario, e.g., Simple use, Memory dump, Incognito, etc.
  • $s_{sc}$: Scenario Weight (a scalar value), representing the inherent forensic importance or frequency of the scenario, e.g., a memory dump might be weighted higher than simple use.
  • $art$: The Artifact Category, e.g., cookies, saved passwords, Web cache, representing the specific type of evidence recovered.
  • $w_{art}$: Artifact Weight, reflecting the forensic sensitivity and criticality of the artifact: Credentials [3], Tokens/Cards [2], History/Cookies [1].
  • $a_{art,b,sc}$: Artifact Recovery Factor, quantifying the quality of the recovered data for browser $b$ in scenario $sc$: Full [1.0], Partial [0.5], None [0].
  • $P_b$: Privacy Penalty (a scalar penalty term), applied to browsers that operate under a default or dedicated private/incognito mode, reflecting the expected and often advertised reduction in traceability: Tor/DuckDuckGo [2.0], Firefox [0.7], Brave [0.5], Chrome [0.0].
The calculated $RS_b$ are summarized in Table 11. A higher score correlates with a larger forensic footprint and greater forensic exposure. The disparity between Chrome (120.0) and DuckDuckGo (32.0) validates that privacy-focused browsers significantly reduce the likelihood of successful forensic reconstruction.
The rationale behind the Weighted Artifact Relevance Tiering (WART) reflects a hierarchical assessment of forensic evidentiary criticality and the potential for downstream exploitation. Artifacts are weighted as follows:
  • Weight 3 (high impact): Credentials (passwords/logins) are assigned the highest weight as their recovery facilitates immediate account compromise and identity takeover.
  • Weight 2 (medium impact): Session tokens and payment card data are weighted accordingly due to their critical role in maintaining authenticated sessions or exposing sensitive financial metadata.
  • Weight 1 (contextual impact): Browsing history and cookies are assigned the lowest weight, as they primarily provide contextual behavioral evidence rather than direct access to protected services.
This weighting strategy ensures that the Recoverability Score (RSb) functions as a nuanced indicator of forensic exposure, balancing the total volume of recovered data with its qualitative evidentiary significance and privacy risk.
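The scoring scheme of this section, written out as an added example that is not the authors' code. The artifact weights, recovery factors, and privacy penalties are the ones listed above; the scenario weights and both recovery matrices are constructed for illustration because the page does not list $s_{sc}$ values, and the penalty is assumed to be subtracted once per browser, so the output does not reproduce Table 11.

```python
from typing import Dict, Mapping

# Artifact weights w_art and privacy penalties P_b as listed in Section 5.3.
ARTIFACT_WEIGHT = {
    "credentials": 3,
    "session_tokens": 2, "payment_cards": 2,
    "history": 1, "cookies": 1,
}
PRIVACY_PENALTY = {"Tor": 2.0, "DuckDuckGo": 2.0, "Firefox": 0.7,
                   "Brave": 0.5, "Chrome": 0.0}
# Recovery key from Section 5 mapped to the recovery factor a_{art,b,sc}.
RECOVERY_FACTOR = {"✓": 1.0, "⊙": 0.5, "×": 0.0}

# ASSUMPTION: scenario weights are not given on the page; these are constructed.
SCENARIO_WEIGHT = {"simple_use": 1.0, "memory_dump": 2.0}

# Constructed recovery matrices (scenario -> artifact category -> key symbol).
HIGH_EXPOSURE = {
    "simple_use": {"credentials": "✓", "session_tokens": "✓",
                   "history": "✓", "cookies": "✓"},
    "memory_dump": {"credentials": "✓", "session_tokens": "✓",
                    "payment_cards": "⊙", "history": "✓"},
}
VOLATILE_ONLY = {
    "simple_use": {"credentials": "×", "session_tokens": "×",
                   "history": "×", "cookies": "×"},
    "memory_dump": {"credentials": "×", "session_tokens": "✓", "history": "✓"},
}


def recoverability_score(browser: str,
                         matrix: Mapping[str, Mapping[str, str]],
                         scenario_weight: Mapping[str, float]) -> Dict:
    """Return the per-scenario contributions, the penalty, and the final score."""
    if browser not in PRIVACY_PENALTY:
        raise ValueError(f"no privacy penalty defined for browser {browser!r}")
    per_scenario: Dict[str, float] = {}
    for scenario, artifacts in matrix.items():
        if scenario not in scenario_weight:
            raise ValueError(f"no weight defined for scenario {scenario!r}")
        inner = 0.0
        for category, symbol in artifacts.items():
            if category not in ARTIFACT_WEIGHT:
                raise ValueError(f"unknown artifact category {category!r}")
            if symbol not in RECOVERY_FACTOR:
                raise ValueError(f"unknown recovery symbol {symbol!r}")
            inner += ARTIFACT_WEIGHT[category] * RECOVERY_FACTOR[symbol]
        per_scenario[scenario] = scenario_weight[scenario] * inner
    penalty = PRIVACY_PENALTY[browser]
    # ASSUMPTION: the penalty term is subtracted once from the weighted sum.
    return {"per_scenario": per_scenario, "penalty": penalty,
            "score": sum(per_scenario.values()) - penalty}


if __name__ == "__main__":
    print(recoverability_score("Chrome", HIGH_EXPOSURE, SCENARIO_WEIGHT))
    print(recoverability_score("Tor", VOLATILE_ONLY, SCENARIO_WEIGHT))
```

The per-scenario breakdown shows how much of a score comes from artifacts that exist only in a memory dump, which is the part an investigation loses if RAM is not captured.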

5.4. Results Summary

This analysis highlights the trade-offs between browser functionality and forensic volatility. The experiments prove that volatile memory acquisition is indispensable; in several instances, critical session tokens were recovered from RAM that were entirely absent from the persistent file system. Ultimately, the results demonstrate that forensic significance is not a function of data volume, but of artifact quality. Despite DuckDuckGo producing large raw data sizes, its Recoverability Score remained low due to the lack of actionable, high-weight artifacts like cleartext passwords.

6. Discussion

This section interprets the empirical findings by addressing the Research Questions (RQs) established in Section 1. The discussion synthesizes results from artifact recovery experiments across multiple browsers and scenarios, providing a critical evaluation of mobile browser security and forensic volatility on the Android platform. A primary limitation of this study is its reliance on a rooted environment for forensic data acquisition. Elevated privileges were required to access protected application storage and process memory regions, specifically to inspect the /proc/ filesystem and perform controlled dumps of volatile heap regions containing session fragments and credential-related artifacts. In real-world forensic practice, investigators frequently encounter non-rooted devices where the Android security model restricts such access, rendering the collection of these high-impact assets technically infeasible. Consequently, the findings reported here should be interpreted as the “upper limit” of artifact extraction under optimal acquisition conditions. In non-rooted environments, the availability of browser history, saved credentials, and session-related remnants would likely be significantly more restricted. Future work will investigate alternative acquisition strategies to quantify artifact availability across varying levels of forensic access.
The overarching trend indicates that Chromium-based browsers (Chrome and Brave) maintain a persistent digital footprint, facilitating high recovery rates of sensitive user data. Conversely, Tor and DuckDuckGo demonstrate a robust privacy-by-design architecture, successfully minimizing both persistent and volatile traces. Central to this discussion is the proven utility of volatile memory acquisition, which consistently recovered ephemeral artifacts—such as session tokens and transient credentials—that were absent from persistent storage.
It is important to emphasize that the enhanced forensic resilience identified in Tor and DuckDuckGo is primarily attributable to application-layer architectural designs, such as volatile session handling and stringent management of ephemeral heap-based data. While modern Android iterations (Android 12 and later) have introduced advanced sandboxing and memory-tagging practices, the ephemeral nature of these artifacts is fundamentally a result of the browsers’ intrinsic privacy frameworks. Consequently, these security advantages are likely to persist across various Android distributions. However, researchers should remain cognizant that kernel-level variances, manufacturer-specific memory management policies, and hardware-constrained resource allocation may still introduce minor fluctuations in the temporal persistence of artifacts across different devices.

6.1. Artifact Recovery Extent and Browser Comparisons (RQ1, RQ4)

A significant volume of browser artifacts is recoverable from Android devices; however, the depth and quality of recovery are highly browser-dependent. As evidenced by the Recoverability Scores ($RS_b$) in Table 11, Chrome (120.0) and Brave (82.5) yield the most comprehensive forensic profiles. The high $RS_b$ for these browsers stems from their design philosophy, which favors session continuity and user convenience over data minimization.
Moreover, the results summarized in Table 12 confirm that Chrome and Brave prioritize user convenience (e.g., autofill and persistent sessions), which inadvertently maximizes the forensic footprint. Firefox occupies a middle ground, primarily retaining history and cookies while employing more effective credential protection through its internal encryption mechanisms. Tor’s minimal footprint validates its isolation protocols, demonstrating a high resistance to post-mortem forensic reconstruction.

6.2. Impact of Private Browsing and Anti-Forensic Actions (RQ2, RQ5)

The experiments confirm that Private browsing/Incognito modes effectively minimize the persistent file system footprint but fail to achieve total data erasure. This addresses RQ2 by highlighting a “false sense of security” regarding volatile memory:
  • Volatility resilience: Chrome and Brave continued to host session tokens in RAM immediately following the termination of a private session. This suggests that “Incognito” refers more to storage exclusion than memory sanitization.
  • Form completion as an exposure vector: Activities involving form completion and autofill—even within private modes—dramatically increased the recovery of sensitive data. In Chrome, address and payment fragments persisted in memory despite the session’s private status.
  • Imperfection of manual deletion: User-initiated data clearing successfully removed primary SQLite records but failed to purge volatile remnants. This confirms for RQ5 that user (manual anti-forensic) actions like Clear History are asynchronous with memory-resident data, leaving a significant window for live response recovery.

6.3. Efficacy of Volatile Memory Acquisition (RQ3, RQ7)

Memory dumps are established as a mandatory component of mobile forensics. In this study, RAM acquisition was the sole method for recovering ephemeral session data and recently visited URLs in browsers configured for clear on exit. While persistent artifacts (e.g., cookies and history) exhibit long-term stability in storage, the probative value of memory artifacts is time-sensitive. Regarding RQ7, our findings show that while short-lived session data can survive brief process suspensions, it is rapidly overwritten during active device use. Contrary to persistent storage, which follows standard file deletion markers, volatile artifacts are subject to immediate memory reallocation by the Android kernel. Consequently, the immediacy of capture is the primary determinant of forensic success in memory-centric investigations.
The volatile memory artifacts identified in this study reflect the interplay between browser-specific design choices and Android’s memory-management subsystem. For instance, high-entropy strings such as session IDs detected in active heap regions are directly linked to application-layer buffering. However, the persistence of these artifacts following explicit user deletion may be further extended by delayed memory cleanup or page-retention functions of the Android runtime. While these interactions are likely representative of modern Android architectures, the results should be viewed as an outcome of the joint influence of browser strategies and platform-specific memory handling. Future studies across disparate OS versions will be necessary to further decouple these variables.

6.4. Comparative Analysis with Prior Mobile Browser Forensics Literature

Anti-forensic measures, including app cleaners, encrypted containers, and private modes, hinder but do not fully eliminate forensic traces. Specifically, app cleaners frequently target the /cache/ and /history/ directories while overlooking critical /proc/ entries and system-wide DNS caches. Furthermore, while the Android keystore shields stored credentials, cleartext fragments often reside within the application heap during active use. Consequently, browser configuration remains a critical variable; enabling data clearing on exit significantly reduces the post-mortem footprint but leaves the live response footprint, captured via memory dump, largely intact.
The findings of this study both corroborate and significantly extend the established literature in mobile browser forensics. Consistent with prior research, our results confirm that persistent artifacts remain recoverable post-deletion, specifically within SQLite freelists and unallocated storage regions. Furthermore, the successful recovery of session fragments from volatile memory validates the critical role of RAM extraction in mobile investigations, as highlighted in previous case studies.
However, this work extends the current literature by proposing a hybrid acquisition framework that integrates persistent and volatile artifact analysis across five contemporary browsers on a physical Android 13 device. This approach addresses common limitations in earlier research, such as reliance on emulators or restricted single-browser scopes. Additionally, the introduction of the Recoverability Score (RSb) provides a structured metric for evaluating evidentiary exposure across heterogeneous artifact categories, enabling a more systematic interpretation of cross-browser forensic resilience.
Finally, our results refine a prominent assumption in the field that privacy-focused browser design automatically ensures the absence of forensic evidence. We demonstrate that minimal storage persistence is not synonymous with an absence of volatile traces, emphasizing the necessity of synchronized disk and memory extraction to achieve a comprehensive evaluation of modern mobile browser security. Ultimately, these findings have significant implications for automated threat-hunting workflows in mobile and IoT-integrated environments. Memory-resident authentication artifacts, such as those identified in this study, can serve as high-fidelity indicators of compromise (IoCs) or user activity compromise. By leveraging techniques such as runtime memory monitoring and endpoint telemetry analysis, defenders can utilize these forensic footprints to detect unauthorized access or lateral movement in real-time, even when persistent logs have been cleared.

6.5. Methodological Implications for Investigators

A hybrid forensic methodology, combining physical/logical extraction with timely memory acquisition, is the only reliable path to a comprehensive reconstruction. No single tool proved sufficient; while standard parsers (e.g., Autopsy) effectively handle SQLite databases, custom parsing scripts (as described in Algorithm 1) were required to extract actionable intelligence from raw RAM dumps. For practitioners, the choice of browser fundamentally dictates the expected evidence yield and the necessary speed of acquisition.

7. Conclusions and Future Directions

This study has provided a systematic forensic evaluation of browser artifacts on the Android 13 platform, demonstrating the critical interplay between browser architecture and data persistence. By establishing the Recoverability Score ($RS_b$), we have quantified the forensic gap between mainstream browsers like Chrome and privacy-centric alternatives like Tor and DuckDuckGo. The empirical results confirm that while persistent storage remains a primary evidence source, volatile memory acquisition is essential for bypass-based recovery of ephemeral session data. Ultimately, this research underscores that browser privacy features often prioritize the obfuscation of user-facing history over the true sanitization of system-level and memory-resident traces.
Future research should focus on validating and extending these findings through several key avenues. Expanding the study to include a broader spectrum of Android hardware is essential, as memory management and wear-leveling algorithms—the techniques used by flash controllers to evenly distribute write cycles and prolong storage life—can significantly influence how long “deleted” data persists in physical blocks. Furthermore, applying the $RS_b$ model to other mobile OSs, such as iOS, would determine if the observed forensic profiles are cross-platform.
The findings of this study must be interpreted within the specific parameters of the experimental environment detailed in Section 4.1. While the observed artifact persistence patterns remained consistent across the evaluated configurations, these results may not generalize to the full spectrum of Android devices, browser versions, or acquisition conditions. Future research using machine learning-oriented techniques can extend this investigation by exploring the automated detection of ephemeral data within private sessions and identifying residual memory signatures. Furthermore, as already pointed out, the volatile artifacts identified in this study provide a rich data source for advanced anomaly detection models in mobile-integrated IoT settings. Specifically, high-entropy remnants such as session tokens and credential fragments could be utilized as features within Graph Neural Diffusion Network (GNDN) frameworks for automated threat hunting. Such models could leverage the structural and temporal dependencies of memory-resident artifacts to detect lateral movement or session hijacking in complex, heterogeneous environments. In parallel, future research will explore the formal mapping of these forensic footprints into graph-based representations to quantify their efficacy in identifying Advanced Persistent Threats (APTs) through automated endpoint telemetry. In addition, the tension between forensic accessibility and user privacy necessitates the exploration of privacy-preserving collaborative frameworks. Future research should investigate the integration of Federated Learning (FL) to enable cross-jurisdictional forensic analysis. By utilizing FL, investigators can collaboratively develop and refine artifact detection models across distributed datasets without compromising the raw, sensitive data of individual users.
This approach would be particularly valuable for identifying emerging mobile threats while adhering to increasingly stringent data protection regulations. Specifically, the integration of secure aggregation protocols within an FL architecture provides a robust defense against data exposure during collaborative analysis. By ensuring that the central server only accesses aggregated model parameters rather than individual forensic data points, investigators can collectively identify browser-based vulnerabilities while maintaining the confidentiality and integrity of the evidence.
Moreover, as Android versions beyond 13 introduce enhanced file-based encryption, it is also vital to quantify the forensic cost of these security measures. Transitioning from snapshot-based acquisition to event-driven memory capture—triggering RAM dumps immediately upon actions like form submission—would represent a significant methodological advancement. By incorporating system-level metadata and kernel logs into the $RS_b$ model, future work could provide a more holistic assessment of a device’s total digital exposure. Finally, conducting field studies in non-controlled environments will be necessary to confirm whether these laboratory-derived forensic footprints hold true under the complexities of real-world device operation.

Author Contributions

Conceptualization, P.G. and G.K.; methodology, P.G., C.S. and G.K.; validation, P.G. and C.S.; investigation, P.G. and C.S.; resources, P.G.; writing—original draft preparation, P.G., C.S. and G.K.; writing—review and editing, P.G., C.S. and G.K.; visualization, P.G.; supervision, G.K. and C.S.; project administration, G.K. and C.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

All data generated or analyzed during this study are included in this article.

Acknowledgments

The authors would like to thank the anonymous reviewers for their constructive criticism and valuable comments towards improving the quality of this article. Above that, the authors would like to guarantee the quality and authenticity of the manuscript, as no generative AI or AI-assisted technical methods have been used in preparing it.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ADAET       Automated Data Acquisition and Extraction Tool
ADB         Android Debug Bridge
APK         Android Package
APKTool     Android Application Package Tool
APT         Advanced Persistent Threat
C2          Command and Control (server)
CORR        Correlation Successful
CPU         Central Processing Unit
CSV         Comma-Separated Values
DB          Database
DDG         DuckDuckGo Privacy Browser
DEC         Decrypted Data
DNS         Domain Name System
ESR         Extended Support Release
FDE         Full Disk Encryption
FSTAB       File System Table
GUI         Graphical User Interface
H           High (artifact recoverability)
HTTP        Hypertext Transfer Protocol
HTTPS       Hypertext Transfer Protocol Secure
ID          Identifier
IDs         Identifiers
iFF         iPhone Forensic Framework
IMEI        International Mobile Equipment Identity
IP          Internet Protocol
JSON        JavaScript Object Notation
JTAG-Based  Joint Test Action Group-Based Debugging Interface
JWT         JSON Web Token
L           Low (artifact recoverability)
LE          Linux Edition
Linux       Open-Source Operating System
M           Medium (artifact recoverability)
MAC         Media Access Control Address
Magisk      Android Rooting Tool
MD5         Message Digest 5
MF          Mobile Forensics
MFDA        Mobile Forensic Data Analysis
N           None (artifact recoverability)
OS          Operating System
OSINT       Open-Source Intelligence
PA          Persistent Artifacts
PCAP        Packet Capture
PID         Process Identifier
PoC         Proof of Concept
RAM         Random Access Memory
RAMDump     Random Access Memory Dump
ROM         Read-Only Memory
SHA         Secure Hash Algorithm
SHA-256     Secure Hash Algorithm 256-bit
SQL         Structured Query Language
SQLite      Structured Query Language Lite
SSID        Service Set Identifier
TCP         Transmission Control Protocol
TLS         Transport Layer Security
Tor         Tor Browser
UDP         User Datagram Protocol
UI          User Interface
URL         Uniform Resource Locator
URLS        Uniform Resource Locators
USB         Universal Serial Bus
VA          Volatile Artifacts
VM          Virtual Machine
VPN         Virtual Private Network
WFP         Windows Filtering Platform
XRY         Mobile Forensics Tool (Cellebrite)

References

  1. Anjani, D.; Fitria, I. Analysis of Perceived Ease of Use and Perceived of Usefulness to Enchance Customer Interest in Using BCA Mobile Banking. J. Manag. Anal. Solut. (JoMAS) 2023, 106–110.
  2. Barmpatsalou, K.; Damopoulos, D.; Kambourakis, G.; Katos, V. A critical review of 7 years of Mobile Device Forensics. Digit. Investig. 2013, 10, 323–349.
  3. Barmpatsalou, K.; Cruz, T.; Monteiro, E.; Simoes, P. Mobile Forensic Data Analysis: Suspicious Pattern Detection in Mobile Evidence. IEEE Access 2018, 6, 59705–59727.
  4. Anglano, C.; Canonico, M.; Guazzone, M. The Android Forensics Automator (AnForA) A tool for the Automated Forensic Analysis of Android Applications. Digit. Investig. 2023, 45, 101876.
  5. Capone, D.; Caturano, F.; Delicato, A.; Perrone, G.; Romano, S.P. Dockerized Android: A container-based platform to build mobile Android scenarios for Cyber Ranges. In Proceedings of the 2022 International Conference on Electrical, Computer and Energy Technologies (ICECET), Prague, Czech Republic, 20–22 July 2022; pp. 1–9.
  6. Rasool, A.; Jalil, Z.A. A Review of Web Browser Forensic Analysis Tools and Techniques. 2020. Available online: https://www.researchgate.net/publication/358975880 (accessed on 1 April 2026).
  7. Thing, V.L.; Ng, K.Y.; Chang, E.C. Live memory forensics of mobile phones. Digit. Investig. 2010, 7, S74–S82.
  8. Mahajan, A.; Dahiya, M.S.; Sanghvi, H.P. Forensic analysis of instant messenger applications on Android devices. Int. J. Comput. Appl. 2013, 65, 1–5.
  9. Alghafli, K.A.; Jones, A.; Martin, T.A. Forensics data acquisition methods for mobile phones. In Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions, London, UK, 10–12 December 2012; pp. 265–269.
  10. Fernández-Fuentes, X.; Pena, T.F.; Cabaleiro, J.C. Digital forensic analysis of the private mode of browsers on Android. Comput. Secur. 2023, 134, 103425.
  11. Fernández-Fuentes, X.; Pena, T.F.; Cabaleiro, J.C. Digital forensic analysis methodology for private browsing Firefox and Chrome on Linux as a case study. Comput. Secur. 2022, 115, 102626.
  12. Chatzoglou, E.; Kampourakis, V.; Tsiatsikas, Z.; Karopoulos, G.; Kambourakis, G. Keep Your Memory Dump Shut: Unveiling Data Leaks in Password Managers. In Proceedings of the ICT Systems Security and Privacy Protection; Springer Nature: Cham, Switzerland, 2024; pp. 61–75.
  13. Husain, M.I.; Baggili, I.; Sridhar, R. A simple cost-effective framework for iPhone forensic analysis. In Proceedings of the Digital Forensics and Cyber Crime: First International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, 4–6 October 2010; Revised Selected Papers; Springer: Berlin/Heidelberg, Germany, 2010; pp. 27–37.
  14. Joshi, N.N.; Bajeja, S.L. Enhanced web browser forensics: Innovative methodologies for evidence collection and analysis. In Proceedings of the International Conference on Advancements in Smart Computing and Information Security; Springer: Cham, Switzerland, 2024; pp. 139–164.
  15. Choi, G.; Bang, J.; Lee, S.; Park, J. Chracer: Memory analysis of Chromium-based browsers. Forensic Sci. Int. Digit. Investig. 2023, 46, 301613.
  16. Sheth, R.; Kaushik, K.; Parekha, C.; Chayal, N. Mobile Browser Forensics. In Android and IOS Mobile Forensics: Leveraging Blockchain, Machine Learning, and Deep Learning for Digital Investigations; Apress: Berkeley, CA, USA, 2026; pp. 233–261.
  17. Khubrani, M.M. Mobile Device Forensics, challenges and Blockchain-based Solution. In Proceedings of the 2023 Second International Conference On Smart Technologies For Smart Nation (SmartTechCon), Singapore, 18–19 August 2023; pp. 1504–1509.
  18. Moreb, M.; Salah, S.; Amro, B. A novel framework for mobile forensics investigation process. Int. J. Comput. Digit. Syst. 2024, 16, 125–136.
  19. Rawtani, D.; Hussain, C.M. Modern Forensic Tools and Devices: Trends in Criminal Investigation; John Wiley & Sons: Hoboken, NJ, USA, 2023.
  20. Mehta, J.; Bhadania, Y.; Shah, P.; Prajapati, P. Comparative Study of Mobile Forensics Tools: Autopsy, Belkasoft X and Magnet Axiom. In Proceedings of the 2024 5th International Conference on Electronics and Sustainable Communication Systems (ICESC), Coimbatore, India, 7–9 August 2024; pp. 1257–1263.
  21. Casino, F.; Dasaklis, T.K.; Spathoulas, G.P.; Anagnostopoulos, M.; Ghosal, A.; Böröcz, I.; Solanas, A.; Conti, M.; Patsakis, C. Research Trends, Challenges, and Emerging Topics in Digital Forensics: A Review of Reviews. IEEE Access 2022, 10, 25464–25493.
  22. Wu, J. Magisk Installation Guide. 2025. Available online: https://topjohnwu.github.io/Magisk/install.html (accessed on 1 April 2026).
  23. Android Debug Bridge (ADB) Documentation. 2025. Available online: https://developer.android.com/studio/command-line/adb (accessed on 15 September 2025).
  24. unode. firefox_decrypt: Tool to Extract Passwords from Mozilla Firefox Profiles. 2025. Available online: https://github.com/unode/firefox_decrypt/ (accessed on 1 April 2026).
  25. The Linux Kernel Documentation. The /proc Filesystem. 2024. Available online: https://docs.kernel.org/filesystems/proc.html (accessed on 5 October 2025).
Figure 1. Example of a recovered credit card form entry during memory parsing.
Figure 2. Recovered autofill form data showing a real address, anonymized with dashes (-) for privacy.
Table 1. Comparative summary of related work.

| Study | Platform | Methodology | Tools Used | Key Findings | Limitations |
|---|---|---|---|---|---|
| Thing et al. [7] | Android | Live memory acquisition framework targeting RAM remnants | Custom RAM capture tools | Achieved near-complete recovery of outgoing messages from volatile memory | Not specifically focused on browser activity |
| Husain et al. [13] | iPhone | Logical acquisition via iTunes backup analysis avoiding firmware modification | iFF framework | Demonstrated cost-effective and forensically sound data extraction | No browser or volatile memory analysis |
| Barmpatsalou et al. [2] | Mobile datasets | Systematic survey of methodological evolution and emerging challenges in MFs | Literature survey methodology | Highlighted evolution toward hybrid and memory-aware mobile forensic approaches | Not focused on browser forensics |
| Mahajan et al. [8] | Android | Logical acquisition and SQLite database analysis on physical devices | Cellebrite UFED | Recovery of chats, contacts, and multimedia artifacts from persistent storage | No volatile memory or browser-focused analysis |
| Alghafli et al. [9] | Mobile | Comparative taxonomy of acquisition methods into manual, logical, physical, and chip-off | Oxygen, Paraben, JTAG | Physical acquisition provides deeper evidentiary visibility than logical methods | No experimental evaluation of browser artifacts |
| Barmpatsalou et al. [3] | Mobile datasets | Intelligent classification using NN and ANFIS applied to communication datasets | ADAET | Effective detection of suspicious communication patterns | Not browser-focused |
| Fernández-Fuentes et al. [10] | Linux | Five-stage forensic workflow for evaluating private browsing effectiveness | LiME, Volatility, inotifywait, wxHexEditor | Sensitive artifacts remained recoverable from memory | Limited to desktop environments |
| Fernández-Fuentes et al. [11] | Linux | Evaluation of evidence persistence at different post-session time intervals | LiME, Volatility, wxHexEditor | Volatile memory retained sensitive browsing evidence even after browser closure | Focused on desktop systems; mobile browsers not evaluated |
| Casino et al. [21] | Multi-domain | Systematic literature meta-review | Scopus, Web of Science | Identified major research gaps in cross-device forensic investigations | No experimental validation |
| Choi et al. [15] | Chromium-based | Systematic discovery of browsing-related C++ objects in virtual memory | Chracer (PoC Tool) | Successfully extracted URLs, titles, and timestamps even in private mode | Requires specialized knowledge of Chromium internal structures |
| Joshi et al. [14] | Web Browsers | Multi-stage analysis of installation, execution, and anomalous behavior (crashes) | Windows 11 components | Innovative framework for artifact collection during browser life-cycle stages | Focused primarily on Windows 11 environment |
| Sheth et al. [16] | Android & iOS | Advanced acquisition leveraging ML, Deep Learning, and Blockchain for integrity | ML/DL Frameworks | Addressed modern encryption challenges and anti-forensics in mobile browsers | High computational overhead for real-time analysis |
| Rawtani & Hussain [19] | General Forensic | Overview of modern forensic devices and emerging trends | Literature Review | Categorized modern tools for criminal investigation | High-level overview; lacks specific mobile browser experiments |
| Khubrani [17] | Mobile | Analysis of challenges and proposal of blockchain-based solution | Theoretical framework | Blockchain can enhance integrity and chain of custody in mobile forensics | Conceptual; lacks experimental validation of browser data |
| Mehta et al. [20] | Mobile | Comparative study of forensic tools: Autopsy, Belkasoft X and Magnet Axiom | Autopsy, Belkasoft X, Magnet Axiom | Evaluated tool efficiency in data recovery and complexity | Comparison of tools rather than browser-specific artifacts |
| Moreb et al. [18] | Mobile | Novel framework for the forensic investigation process focusing on methodology | Process Model | Standardized steps for mobile evidence acquisition and preservation | Focuses on process flow rather than browser memory analysis |
| This work | Android 13 | Hybrid persistent/volatile analysis—Artifact acquisition $RS_b$ metric | Autopsy, ADB, Custom RAM Scripts | Multiple mobile browsers including privacy-focused ones | Limited to rooted environments |
Table 2. Comparison of data storage between normal and private browsing.

| Data Category | Normal Browsing | Private Browsing |
|---|---|---|
| History | Stored in persistent SQLite DB | Volatile; resides in RAM only |
| Cookies | Persistent (Cookies.db) | Session-only; cleared upon exit |
| Cache | Written to disk storage | Ideally volatile; fragments may leak to storage |
| Credentials | Encrypted in persistent DB | Not committed to disk |
| DNS/Network | OS-level cache | Visible in OS and network logs |
Table 3. Testbed inventory detailing system architecture and connection method.

| Machine | OS | Memory | Processors | Disk | CPU | Tools |
|---|---|---|---|---|---|---|
| Redmi Note 4 | Android 13 | 4 GB | Octa-core 2.0 GHz | 64 GB | ARM64/mido | Magisk root/ADB |
| Kali VM | Kali Linux 2024.4 amd64 | 24 GB | 4 cores | 40 GB | ARM64 | Host VM/ADB bridge |
Table 4. Browsers used in the experiments.

| Browser | Version | Notes/Features |
|---|---|---|
| Chrome | 140.0.7339.52 | Default configuration |
| Brave | 1.82.165 (Chromium 140.0.7339.80) | Privacy-focused, ad-blocking browser |
| Firefox | 142.0.1 | Default search engine: Bing; open-source privacy features |
| DuckDuckGo | 5.247.0 | Tracking and threat protection enabled by default |
| Tor | 14.5.6 (128.14.0 ESR) | Uses the Tor network for anonymous browsing |
Table 5. Total data captured per browser across all the scenarios defined in Section 4.3.

| Browser | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 | Scenario 5 | Total |
|---|---|---|---|---|---|---|
| Chrome | 363 MB | 4.6 GB | 52 MB | 52 MB | 1.1 GB | 6.17 GB |
| Brave | 308 MB | 3.6 GB | 51 MB | 51 MB | 1.2 GB | 5.21 GB |
| DuckDuckGo | 344 MB | 3.8 GB | 1.2 GB | 1.2 GB | | 6.54 GB |
| Tor | 73.8 MB | 12 KB | 600 MB | 600 MB | | 1.27 GB |
| Firefox | 12.9 MB | 3.5 GB | 554 MB | 554 MB | 1.1 GB | 5.72 GB |
Table 6. Artifact recovery across browsers in Scenario 1. Symbols denote artifact recovery status: ✓ (full recovery), ⊙ (partial or hashed recovery), × (not recovered).
ArtifactChromeBraveFirefoxTorDuckDuckGo
Cookies
Browsing history×
Saved passwords××
Session tokens××
Cards××××
Autofill××××
Web cache×
Table 7. Artifact recovery across browsers in Scenario 2. Symbols denote artifact recovery status: ✓ (full recovery), ⊙ (partial or hashed recovery), × (not recovered).
ArtifactChromeBraveFirefoxTorDuckDuckGo
Cookies×
Browsing history
Saved Passwords×××
Session tokens×
Cards××××
Web cache×
Autofill××
Timezone/Data info××××
Table 8. Artifact recovery across browsers in Scenario 3. Symbols denote artifact recovery status: ✓ (full recovery), × (not recovered).
ArtifactChromeBraveFirefoxTorDuckDuckGo
Cookies
Browsing history
Saved passwords××××
Session tokens××
Web cache××
Cards××××
Autofill×××
Table 9. Artifact recovery across browsers in Scenario 4. Symbols denote artifact recovery status: ✓ (full recovery), × (not recovered).
ArtifactChromeBraveFirefoxTorDuckDuckGo
Cookies
Browsing history
Saved passwords×××××
Session tokens×
Web cache××
Autofill××××
Cards××××
Table 10. Artifact recovery across browsers in Scenario 5. Symbols denote artifact recovery status: ✓ (full recovery), ⊙ (partial or hashed recovery), × (not recovered).
ArtifactChromeBraveFirefox
Cookies
Browsing history×
Login×
Session tokens×
Web cache××
Autofill××
Table 11. Recoverability scores ($RS_b$) and ranking.

| Browser | $RS_b$ | Forensic Profile |
|---|---|---|
| Chrome | 120.0 | High Exposure/Maximal retention |
| Brave | 82.5 | Moderate exposure |
| Firefox | 74.3 | Moderate exposure |
| Tor | 34.0 | Low Exposure/High privacy |
| DuckDuckGo | 32.0 | Low Exposure/High privacy |
Table 12. Recovery of browser artifacts per browser (H: High, M: Medium, L: Low, N: None).

| Browser | Cookies | History | Passwords | Session Tokens | Autofill | Cache |
|---|---|---|---|---|---|---|
| Chrome | H | H | H | M | H | H |
| Brave | H | H | H | M | M | H |
| Firefox | M | M | L | L | M | M |
| Tor | L | L | N | N | N | L |
| DuckDuckGo | M | M | N | N | N | L |