ABSTRACT
The Tor Browser is a widely used tool with users around the world. It is also common among cyber criminals, who use it to hide their activities. Until now, forensic researchers have conducted little research on the Tor Browser, its application, and the data that can be obtained from the artefacts its execution generates. In this work, we present a forensic analysis of the footprint left by the Tor application in the Windows environment. Our analysis examines three critical areas: network, memory, and hard disk. We provide a methodology that allows a structured forensic investigation, and we assess the ability of multiple tools to obtain artefacts. Artefacts were identified not only while the Tor Browser was running, but also after it had been closed and after it had been uninstalled. The methodology for analysing Tor applications is presented with a focused case study of the Tor Browser, allowing investigators to analyse Tor browsers and reproduce our results.
Forensic analysis of Tor in Windows environment: A case study