TOR forensics

TOR Forensics: Investigating the Tor Browser for Evidence

Tor is a widely used anonymity network. It is built on onion routing: the client (the initiator of the traffic) encrypts each packet in multiple layers, one per relay on its path, and each relay strips exactly one layer. The goal of Tor is not end-to-end confidentiality (traffic leaving the exit relay is only as protected as the application's own TLS) but to hide who is talking to whom.

Tor is also the usual way of reaching the dark web (darknet). Darknet websites are not indexed by search engines and cannot be opened with an ordinary browser: they use the .onion special-use top-level domain, which resolves only inside the Tor network, so users find them through directories such as the Hidden Wiki or onion search engines that list the links.

In this post, we will discuss how to investigate the Tor Browser for incriminating evidence.

How Tor Works

Rather than connecting directly, Tor sends traffic through a circuit of several relays (by default three: a guard, a middle and an exit) chosen by the client, so no single observer can link source to destination. The relays are picked randomly (the guard is kept for a long period and is recorded in the client's state file; the other hops change), and the client builds fresh circuits periodically during a session, so there is no stable route to follow. Tor is normally used through the Tor Browser, a hardened Firefox that talks to the local tor process over a SOCKS proxy; other browsers can be pointed at that proxy or use extensions for it, but they leak identifying information that the Tor Browser is built to suppress.

A circuit is extended one hop at a time; each relay knows which relay handed it data and which relay to pass it to next, and no single relay sees the whole path. The client negotiates a separate set of session keys with each hop, so a relay can remove only its own layer of encryption and cannot read the layers intended for the hops after it.
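The layering just described, as an added toy example (not code from the original post or from the Tor project): the client wraps a message in one layer per relay, and each relay peels a single layer and learns only the previous and next hop. It is simplified for illustration: the per-hop keys are pre-shared instead of negotiated while the circuit is built, and the cipher is a SHA-256 keystream XOR rather than Tor's real AES/TLS construction. Relay names, the destination and the payload are made up.

```python
"""Toy onion routing: one encryption layer per relay, each relay strips one
layer and learns only its neighbours. Keys are pre-shared here (Tor negotiates
them hop by hop) and the cipher is a SHA-256 keystream XOR (toy, not Tor's)."""
import hashlib
import os

HOP = 32  # fixed-width field naming the next hop inside each layer


def keystream(key, length):
    """Counter-mode keystream from SHA-256 (toy; never reuse a key in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key, data):
    """Apply one layer; the same call both adds and removes it."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_keys(path):
    """Stand-in for the per-hop session keys Tor negotiates while extending the circuit."""
    return {relay: os.urandom(32) for relay in path}


def build_onion(path, destination, keys, payload):
    """Client side: innermost layer is for the exit, outermost for the guard."""
    onion = destination.encode().ljust(HOP, b"\0") + payload
    onion = xor_layer(keys[path[-1]], onion)
    # Wrap outward: each earlier relay's layer names only the relay after it.
    for relay, next_relay in zip(reversed(path[:-1]), reversed(path[1:])):
        onion = xor_layer(keys[relay], next_relay.encode().ljust(HOP, b"\0") + onion)
    return onion


def relay_process(name, keys, onion):
    """Relay side: strip this relay's layer, read the next hop, forward the rest."""
    plain = xor_layer(keys[name], onion)
    next_hop = plain[:HOP].rstrip(b"\0").decode()
    return next_hop, plain[HOP:]


def traverse(path, keys, onion):
    """Push the onion through the circuit and record what each relay learned as
    (itself, previous hop, next hop). No single entry contains the whole path."""
    learned = []
    cell = onion
    for i, relay in enumerate(path):
        next_hop, cell = relay_process(relay, keys, cell)
        learned.append((relay, path[i - 1] if i else "client", next_hop))
    return learned, cell  # `cell` is the plaintext the exit hands to the destination


if __name__ == "__main__":
    circuit = ["guard", "middle", "exit"]
    k = make_keys(circuit)
    onion = build_onion(circuit, "example.com", k, b"GET / HTTP/1.1")
    for entry in traverse(circuit, k, onion)[0]:
        print("%s saw: from %s, to %s" % entry)
```

The point to notice in the output is that the guard sees the client but not the destination, the exit sees the destination but not the client, and the middle relay sees neither; only the client, which holds all three keys, knows the full path.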

TOR Forensic Artifacts

On the system where Tor Browser is installed, the following locations are of high importance (paths are relative to the Tor Browser folder):

  1. \Browser\TorBrowser\Data\Tor – The tor daemon's data directory. Two files here matter most:
    • state – Written by tor itself. Its LastWritten line records the last time tor was running (in UTC; the header comment repeats the timestamp in local time), and its Guard lines list the entry relays the client has been using.
    • torrc – Tor's configuration file. Tor Browser writes absolute paths into it (DataDirectory and the GeoIP file locations), which reveal the folder and drive letter the browser was launched from.
  2. \Browser\TorBrowser\Data\Browser – The Firefox profile (profile.default). Because Tor Browser runs in permanent private-browsing mode, browsing history is normally not written here, but bookmarks (places.sqlite) and profile metadata are. Two files record the browser's execution path:
    • compatibility.ini
    • extensions.ini
  3. RAM contents – A memory capture is the best source for what the user actually did in a session: URLs, page content and the names and types of downloaded files survive in the browser's memory even though they are never written to the profile.
  4. Prefetch files – C:\Windows\Prefetch\TOR.EXE-<hash>.pf and FIREFOX.EXE-<hash>.pf (prefetch is a file artifact, not a registry one) record that the executables ran, how many times, and when they were last launched.
  5. Pagefile – Pagefile.sys can hold memory pages swapped out while the browser was running, including URLs and HTTP request and response fragments from private-browsing sessions.

Forensic Analysis of the TOR Browser

Installing Tor Browser creates a Tor Browser folder (on the Desktop by default in the version examined here), and that folder is where most of the on-disk evidence on a suspect's machine lives. Work on a forensic copy rather than the live folder. First move to

C:\Users\username\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor

and open the file named state in Notepad. As the figure below shows, its LastWritten line records the last date and time at which tor was running. Note that this value is in UTC (the header comment repeats it in local time), and that tor rewrites the file periodically while it runs, so it marks the end of the last session rather than its start.

Tor execution date and time

Next open the file named torrc in the same folder

C:\Users\username\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor

Tor Browser writes absolute paths into this file (DataDirectory and the GeoIP file locations), so it reveals the folder, including the drive letter, from which the browser was launched (see figure below). If there are several Tor Browser folders on the suspect's system, or if the browser was run from removable media, these paths tell you which copy was actually used and from which drive.

Details of where Tor was launched
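The two manual steps above (reading LastWritten from state and the launch path from torrc) in code, as an added example that is not part of the original post or of the Tor Browser. The state line names (TorVersion, LastWritten, Guard) and the header comment are tor's own format; the torrc keys (DataDirectory, GeoIPFile, GeoIPv6File) are the ones Tor Browser wrote on Windows in the versions this post covers. Both sample files are constructed, with placeholder relay fingerprints and an invented E: drive.

```python
"""Parse `state` and `torrc` from Tor Browser's Data/Tor directory: last-run
timestamp and guard relays from state, launch location from torrc."""
import re
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a Tor `state` file (abridged); rsa_id values are placeholders.
SAMPLE_STATE = """\
# Tor state file last generated on 2019-03-05 10:22:31 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.3.5.8 (git-8a1bd7b4b0d0fb7f)
LastWritten 2019-03-05 09:22:31
Guard in=default rsa_id=0000000000000000000000000000000000000001 nickname=relayA sampled_on=2019-02-20T12:34:56 sampled_by=0.3.5.8 listed=1
Guard in=default rsa_id=0000000000000000000000000000000000000002 nickname=relayB sampled_on=2019-02-21T08:00:00 sampled_by=0.3.5.8 listed=1 confirmed_on=2019-02-22T09:10:11 confirmed_idx=0
"""

# Constructed sample torrc as Tor Browser writes it on Windows; here the
# browser was run from a removable drive E:.
SAMPLE_TORRC = r"""
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

DataDirectory E:\Tor Browser\Browser\TorBrowser\Data\Tor
GeoIPFile E:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip
GeoIPv6File E:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6
"""

DATA_DIR_SUFFIX = r"\Browser\TorBrowser\Data\Tor"  # fixed layout of the Tor Browser folder


def parse_state(text):
    """Return TorVersion, LastWritten (UTC), the local-time copy of that
    timestamp from the header comment, and the remembered guard relays."""
    info = {"guards": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            m = re.match(r"# Tor state file last generated on (.+) local time", line)
            if m:
                info["last_written_local"] = m.group(1)
            continue
        key, _, value = line.partition(" ")
        if key == "TorVersion":
            info["tor_version"] = value
        elif key == "LastWritten":
            # Timestamps in the body are UTC; the header comment says so.
            info["last_written_utc"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "Guard":
            # Guard lines are space-separated key=value pairs.
            info["guards"].append(dict(kv.split("=", 1) for kv in value.split()))
    return info


def parse_torrc(text):
    """Recover the Tor Browser install root and drive letter from the absolute
    DataDirectory path Tor Browser writes into torrc."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options[key] = value.strip()
    data_dir = options.get("DataDirectory", "")
    install_root = None
    if data_dir.lower().endswith(DATA_DIR_SUFFIX.lower()):
        install_root = data_dir[:-len(DATA_DIR_SUFFIX)]
    drive = data_dir[:2] if re.match(r"^[A-Za-z]:", data_dir) else None
    return {"data_directory": data_dir, "install_root": install_root,
            "drive": drive, "options": options}


def read_tor_data_dir(data_dir):
    """Parse `state` and `torrc` from a copied Data/Tor directory."""
    p = Path(data_dir)
    return {"state": parse_state((p / "state").read_text(encoding="utf-8", errors="replace")),
            "torrc": parse_torrc((p / "torrc").read_text(encoding="utf-8", errors="replace"))}


if __name__ == "__main__":
    s, t = parse_state(SAMPLE_STATE), parse_torrc(SAMPLE_TORRC)
    print("tor version:", s["tor_version"])
    print("last written (UTC):", s["last_written_utc"], "| local:", s["last_written_local"])
    print("guards:", [g["nickname"] for g in s["guards"]])
    print("launched from:", t["install_root"], "on drive", t["drive"])
```

Comparing last_written_utc with last_written_local gives the time zone the suspect's machine was set to when tor last wrote the file, which is worth recording before correlating with other timestamps.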

Windows prefetch is another source of information about Tor usage on the suspect system. Windows creates a .pf file for every executable it launches, named after the executable plus a hash of its full path, and updates it on later runs. The files are at

C:\Windows\Prefetch

In the figure below, we list the prefetch files from the Windows command prompt (the Prefetch folder is not readable by a standard user, so run the command prompt as Administrator).

cd /
# C:\
cd Windows
# C:\Windows
cd Prefetch
# C:\Windows\Prefetch
dir
Windows prefetch files

You can also use NirSoft's WinPrefetchView to analyse the prefetch files related to Tor. The figure below shows the TOR.EXE-633A039F.pf file, which shows that tor.exe was executed on this system; double-clicking it displays its properties. Because the hex suffix is derived from the executable's full path, a copy of tor.exe started from another folder or drive leaves a second .pf file, and the browser itself appears separately as FIREFOX.EXE-<hash>.pf.

Evidence that Tor was used

In the figure below we can see the created time, modified time, last accessed time, path, etc., for this file. The prefetch file's own creation time corresponds to the first run of the executable from that path and its modification time to the most recent run; the run count and last-run timestamps stored inside the file give the same information more precisely.

Properties of the Tor Prefetch file
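For the timestamps stored inside the .pf file, here is an added example (not from the original post or from NirSoft) that reads the fixed prefetch header: executable name, path hash, last run time(s) and run count, at the documented offsets for the XP, Vista/7 and 8.1 layouts. Windows 10 files are usually compressed and are only detected, not decompressed. The sample file it builds is synthetic; it reuses the hash from the figure above as a label, but its contents are constructed.

```python
"""Read the header of Windows Prefetch (.pf) files for the Tor-related entries
an investigator pulls out of the Prefetch folder."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-ns intervals since 1601-01-01 UTC; 0 means 'never'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10


def parse_prefetch_header(data):
    """Parse the fixed header of an uncompressed .pf file."""
    if data[:3] == b"MAM":
        # Windows 10 stores prefetch files LZXPRESS-Huffman compressed; decompress
        # them (prefetch tool or RtlDecompressBufferEx) before parsing.
        return {"compressed": True}
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    info = {"compressed": False, "version": version, "executable": exe,
            "hash": "%08X" % path_hash}
    if version == 17:          # Windows XP
        (ft,) = struct.unpack_from("<Q", data, 0x78)
        (info["run_count"],) = struct.unpack_from("<I", data, 0x90)
        info["last_run"] = [filetime_to_datetime(ft)]
    elif version == 23:        # Windows Vista / 7
        (ft,) = struct.unpack_from("<Q", data, 0x80)
        (info["run_count"],) = struct.unpack_from("<I", data, 0x98)
        info["last_run"] = [filetime_to_datetime(ft)]
    elif version in (26, 30):  # Windows 8.1 / 10 keep the eight most recent runs
        fts = struct.unpack_from("<8Q", data, 0x80)
        info["last_run"] = [filetime_to_datetime(ft) for ft in fts if ft]
        if version == 26:
            (info["run_count"],) = struct.unpack_from("<I", data, 0xD0)
        # Version 30 exists in two layouts with different run-count offsets;
        # use a full parser (libscca, PECmd) for that field.
    return info


SAMPLE_LAST_RUN = datetime(2019, 3, 5, 9, 22, 31, tzinfo=timezone.utc)


def build_sample_pf(exe="TOR.EXE", path_hash=0x633A039F, last_run=SAMPLE_LAST_RUN, run_count=3):
    """Constructed Windows 7 (version 23) prefetch header for demonstration."""
    buf = bytearray(0xF0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


def scan_prefetch_dir(directory, names=("TOR.EXE", "FIREFOX.EXE")):
    """List Tor-related .pf files in a (copied) Prefetch folder with their
    filesystem timestamps and parsed header."""
    results = []
    for pf in sorted(Path(directory).glob("*.pf")):
        if pf.name.upper().rsplit("-", 1)[0] not in names:
            continue
        st = pf.stat()
        entry = {"file": pf.name,
                 # st_ctime is creation time on Windows (metadata change on POSIX)
                 "created": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                 "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)}
        entry.update(parse_prefetch_header(pf.read_bytes()))
        results.append(entry)
    return results


if __name__ == "__main__":
    print(parse_prefetch_header(build_sample_pf()))
```

Run scan_prefetch_dir against a copy of the Prefetch folder taken from the image; on a live Windows 10 system every file will come back as compressed, which is the cue to decompress first or hand the files to a full parser.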

The extensions.ini and compatibility.ini files are in the profile folder:

C:\Users\Username\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default

Both contain absolute paths and so also record where Tor Browser was executed from.

To get information about bookmarked and visited websites, open the file places.sqlite from the same folder

C:\Users\Username\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default

using DB Browser for SQLite (sqlitebrowser.org): launch the program, go to File menu ➤ Open Database…, and browse to the directory above. Copy places.sqlite together with its places.sqlite-wal journal file if one is present, since Firefox keeps recent changes in the journal, and opening the live database while the browser is running can fail because it is locked.

After installing Tor Browser, we visited the website http://ahmia.fl and bookmarked it. In the table moz_hosts, we can see the hosts of the websites recorded in the profile (newer Firefox and Tor Browser profiles keep this information in moz_origins instead of moz_hosts)

Websites visited

In the table moz_places, we can see the URLs themselves

URLs visited

Bear in mind that Tor Browser runs in permanent private-browsing mode and does not write browsing history, so a URL normally ends up in moz_places only because it was bookmarked (moz_bookmarks.fk references moz_places.id) or because the user changed the privacy settings; the absence of a site from this database is therefore not evidence that it was never visited.

The bookmarked website appears in the moz_bookmarks table.

Bookmarks
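The same three lookups (hosts, URLs, bookmarks) as SQL over places.sqlite, as an added example that is not from the original post or from Firefox. The table and column names (moz_places, moz_historyvisits, moz_bookmarks, moz_hosts, rev_host, fk, dateAdded) and the microsecond PRTime timestamps are Firefox's own; the database built in memory below is a constructed stand-in with only the columns these queries need, and its URLs are invented.

```python
"""Query a Tor Browser profile's places.sqlite for bookmarks, recorded visits
and hosts. The sample database is built in memory for demonstration."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_datetime(us):
    """places.sqlite stores times as PRTime: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us) if us else None


def datetime_to_prtime(dt):
    return int((dt - UNIX_EPOCH) / timedelta(microseconds=1))


def rev_host(host):
    """moz_places.rev_host is the host name reversed with a trailing dot."""
    return host[::-1] + "."


def unrev_host(rev):
    return rev[::-1].lstrip(".")


def build_sample_places():
    """Constructed stand-in for a suspect's places.sqlite (not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            rev_host TEXT, visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
            parent INTEGER, title TEXT, dateAdded INTEGER, lastModified INTEGER);
        CREATE TABLE moz_hosts (id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE);
    """)
    t_bm = datetime_to_prtime(datetime(2019, 3, 5, 9, 22, 31, tzinfo=timezone.utc))
    t_visit = datetime_to_prtime(datetime(2019, 3, 5, 9, 30, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "http://example-search.onion/", "Example onion search",
         rev_host("example-search.onion"), 0, None),          # bookmarked, never "visited"
        (2, "https://example.com/", "Example Domain",
         rev_host("example.com"), 1, t_visit),                # a recorded visit
    ])
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 0, 2, ?, 1)", (t_visit,))
    # type 1 = bookmark (2 = folder, 3 = separator); fk references moz_places.id
    conn.execute("INSERT INTO moz_bookmarks VALUES (10, 1, 1, 3, 'Example onion search', ?, ?)",
                 (t_bm, t_bm))
    conn.executemany("INSERT INTO moz_hosts (host) VALUES (?)",
                     [("example-search.onion",), ("example.com",)])
    conn.commit()
    return conn


def bookmarked_urls(conn):
    rows = conn.execute("""
        SELECT b.title, p.url, b.dateAdded FROM moz_bookmarks b
        JOIN moz_places p ON p.id = b.fk WHERE b.type = 1 ORDER BY b.dateAdded""").fetchall()
    return [{"title": t, "url": u, "added": prtime_to_datetime(d)} for t, u, d in rows]


def visited_urls(conn):
    """Visits in moz_historyvisits: normally empty for Tor Browser, which
    runs in permanent private-browsing mode."""
    rows = conn.execute("""
        SELECT p.url, v.visit_date FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date""").fetchall()
    return [{"url": u, "visited": prtime_to_datetime(d)} for u, d in rows]


def hosts(conn):
    """Hosts derived from moz_places.rev_host, which works whether or not the
    profile still has a moz_hosts table."""
    rows = conn.execute(
        "SELECT DISTINCT rev_host FROM moz_places WHERE rev_host IS NOT NULL").fetchall()
    return sorted(unrev_host(r) for (r,) in rows)


def open_profile_copy(path):
    """Open a *copy* of places.sqlite read-only; copy the -wal file alongside
    it too, or the most recent changes will be missing."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


if __name__ == "__main__":
    db = build_sample_places()
    print("bookmarks:", bookmarked_urls(db))
    print("visits:", visited_urls(db))
    print("hosts:", hosts(db))
```

The bookmarked .onion site shows up in hosts and bookmarked_urls but not in visited_urls: that is exactly the pattern the private-browsing caveat above predicts, and it is why a row in moz_places should be read as "known to the profile" rather than "browsed on this date".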
