Incognito Mode in Chrome, Private Browsing in Safari and Firefox plus InPrivate in Edge are widely believed to make the user anonymous. They do not. These modes prevent the local browser from saving history, cookies and form data on the device, but they do not hide the activity from the network, the websites visited, the operating system or anyone with forensic access to the device after the fact. Browser forensics regularly recovers private-mode browsing activity in litigation, employer investigations and incident response engagements.
What incognito and private modes actually do
Every major browser implementing a private browsing mode does roughly the same set of things on the local device. The browser does not save the browsing history to its main history database. Cookies created during the session are isolated to the session and discarded when the window closes. Form auto-fill suggestions from the session are not retained. Cached files downloaded during the session do not persist in the standard cache directory.
That is the entirety of the actual privacy guarantee. The local browser does not write standard browsing artifacts to disk. Every browser vendor states this clearly in their own documentation, often with explicit warnings that the mode does not provide anonymity from the network or from the websites visited.
The user-facing language describing private modes contributes to the misconception. Names like Incognito and Private Browsing suggest something stronger than what the feature actually delivers. Google's Incognito disclaimer page states that the mode does not hide activity from internet service providers, employers, schools or the websites visited. Apple's Safari Private Browsing documentation says similar. Mozilla's Private Browsing FAQ documents the same scope. The vendors are honest about the limits in their documentation; the public perception of the feature does not match.
Who can still see your incognito activity
Incognito mode does not hide your browsing activity from any of the following parties.
Your internet service provider. Every DNS lookup and every HTTPS connection is visible to your ISP. They see the domains you visit even when the page contents are encrypted. ISPs in many jurisdictions retain this data for months or years under legal data retention requirements. Incognito mode changes nothing about what your ISP logs.
The websites you visit. Every website you visit in incognito mode receives your IP address, browser fingerprint, time of visit and any data you submit to the site. Logged-in sessions remain logged in. Sites that fingerprint visitors (which is most sites that monetize via advertising) link your incognito visits to the same fingerprint they associate with your normal browsing.
Your employer or school network. Corporate and educational networks routinely deploy network monitoring, content filtering and TLS interception that capture all browsing activity regardless of browser mode. Incognito mode does not bypass these controls. The MDM agent on a corporate laptop sees what you browse.
Operating system telemetry. Windows and macOS both ship with diagnostic telemetry that captures process activity, network connections and (depending on settings) URL visits. The browser running in incognito mode is still a process the OS observes.
Anyone with forensic access to your device. This is where the Sherlock Forensics services practice routinely recovers incognito-session activity. Browser forensic artifacts beyond the standard history database persist on the device. The Sherlock Browser Viewer reads these artifacts as part of standard browser forensic examination.
How forensic examiners recover incognito browsing activity
Browser forensic recovery of private-mode activity uses several documented techniques that the browser vendor's privacy claim does not prevent. The recovery happens from forensic artifacts the browser leaves outside the main history database.
DNS cache analysis on the operating system retains domain lookups for some period after the browsing session closes. The OS-level DNS resolver cache shows what domains were queried, regardless of which browser asked. Forensic examiners pull the DNS cache from a forensic disk image captured with the Sherlock Disk Imager and document the queries.
Network packet capture, where available (corporate networks, ISP logs subject to subpoena or evidence captured during an active investigation), records every domain and every IP connection the device made during the incognito session.
Browser memory analysis on a powered-on system captures URL strings still resident in the browser process memory. Sherlock Forensics services examiners regularly recover URL strings from memory dumps during incident response.
Disk slack space and unallocated space analysis recovers cached file fragments from incognito sessions where the cache cleanup did not zero the storage blocks. The same techniques that recover deleted files (covered in our fact check on whether deleted files are gone forever) recover incognito cache content.
Windows Event Log analysis using the Sherlock Universal Events Viewer captures process creation events for the browser and may capture URL strings depending on audit policy. The event log shows when the browser was running and what executables it loaded, even when the browser itself recorded no history.
What incognito mode is actually useful for
Private browsing modes have legitimate use cases. They are useful for what they actually do, not for the anonymity many users think they provide.
Logging into a second account on a website that already has your primary account open in the regular browser session works in incognito because the cookie isolation prevents the two sessions from conflicting. This is a real productivity benefit.
Shopping for a gift on a shared device prevents the household member who uses the same browser profile from seeing the shopping history. This is what most consumers actually use private browsing for, and it works for that purpose.
Testing a website as a not-logged-in user without losing your login session in the regular window works because the incognito session has no shared cookies with the main session. Web developers use this constantly.
Reducing the local browsing fingerprint that another user of the same physical device would see is real and useful. The neighbor borrowing your laptop does not see your incognito history if you remembered to use incognito.
What actually provides anonymity online
If actual anonymity is the goal, the toolchain required is more involved than ticking a browser-mode checkbox. The Tor Browser routes traffic through multiple encrypted relay nodes, hiding the user's IP from the destination website. Privacy-focused VPNs hide the user's IP from the destination website at the cost of trusting the VPN provider with that data. Browser hardening (uBlock Origin, JavaScript disabling, fingerprint-resistance settings) reduces the unique signal that browser fingerprinting collects. None of this is what incognito mode provides.
For litigation involving browsing activity, assume that opposing counsel can recover the activity through forensic examination of the device or through subpoena of the network logs. Incognito mode is not a defense against this. Treat any browsing activity that needs to remain private from a determined adversary as visible by default.
Source citations
- Google Chrome Help Center documentation on Incognito Mode behavior and limitations
- Apple Safari User Guide on Private Browsing scope
- Mozilla Firefox Support documentation on Private Browsing capabilities and limitations
- Microsoft Edge documentation on InPrivate browsing scope
- NIST Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics (browser artifact recovery sections)
- Aggarwal et al. (2010): "An Analysis of Private Browsing Modes in Modern Browsers" Stanford University Computer Security Lab
Sherlock Forensics recovers browser activity from forensic disk images as routine litigation casework. Talk to our team about browser forensic examination for your engagement.