TOR Forensics: Investigating the Tor Browser for Evidence
The Tor project is a popular anonymity network used by people all over the world. It uses onion routing: the client wraps each outgoing cell in several layers of encryption, one per relay on the path, and each relay strips exactly one layer before forwarding. The goal of Tor is anonymity rather than content secrecy: no single observer should be able to link the user to the destination, while confidentiality of the content itself still depends on TLS between the browser and the site.
Tor is also the usual way onto the dark web (darknet). Onion services use the .onion suffix, which is not part of the public DNS, so search engines do not index them and an ordinary browser cannot resolve them. Users who want to reach them find the addresses through directories such as the Hidden Wiki or onion search engines, and open them through Tor.
In this post, we will discuss how to investigate the Tor browser for incriminating evidence.
How Tor Works
Tor is an overlay network: instead of connecting directly to the destination, the client sends its traffic through a circuit of several relays, which hides the user's IP address from the destination and the destination from anyone watching the user's connection. The path is chosen at random from the public relay list, so it is hard to follow for anyone who might be tailing the user. During a session Tor builds fresh circuits periodically (by default a circuit is handed to new connections for only about ten minutes), so no single route accumulates a long trail of the user's activity. You typically use Tor through its own client, the Tor Browser; other browsers can be pointed at the Tor client's local SOCKS proxy, but without the fingerprinting and leak protections the Tor Browser adds.
The circuit is extended one hop at a time, and each relay knows only the relay that handed it data and the next relay to send it to; no single relay knows the whole path. Each hop negotiates its own session keys with the client, so a relay can strip only its own layer of encryption and cannot read or correlate the connections that pass through it. The exit relay, however, does see the traffic it sends to the destination, so anything not protected by TLS is readable there.
TOR Forensic Artifacts
On a system where the Tor Browser is installed, the following locations (the first two are relative to the Tor Browser\Browser\TorBrowser folder of the bundle) are of high importance:
- \Data\Tor – Contains two files with very important information:
- State – Records when Tor last ran: the LastWritten line, in UTC, plus a comment header giving the same moment in local time.
- Torrc – Contains the DataDirectory and GeoIP file options as absolute paths, which reveal the folder, including the drive letter, from which the Tor Browser was launched.
- \Data\Browser – The folder containing the Firefox profile (profile.default). Because the Tor Browser runs in Firefox private browsing mode by default, ordinary browsing history is not written here, but two files, extensions.ini and compatibility.ini, record the browser execution path, and places.sqlite holds bookmarks (which also create URL and host rows).
- RAM contents – A memory capture of the running system, or of the firefox.exe and tor.exe processes, can give investigators URLs, page content, file types and names of downloaded content, and session keys that never reach the disk.
- Prefetch files – Windows Prefetch (C:\Windows\Prefetch, files such as TOR.EXE-<hash>.pf and FIREFOX.EXE-<hash>.pf) records that an executable ran, its run count and its last run time(s); this is a file-system artifact, not a registry one.
- Pagefile – Pagefile.sys can hold browser memory pages that were swapped out, including URLs and HTTP content from a private browsing session, because private browsing only stops the browser itself from writing history to disk. The Tor Browser uses Mozilla Firefox's Private Browsing feature.
Forensic Analysis of the TOR Browser
Once you download and install the Tor Browser on a system, it creates a Tor Browser folder. We can collect valuable evidence from that folder on a suspect's machine. First we move to the \Data\Tor folder and
open the file named state in Notepad. In the figure below, we can see that this file tells us when the Tor Browser last ran: the comment at the top gives the time of the last write in local time, and the LastWritten line gives the same moment in UTC, so reconcile the two with the machine's configured time zone before placing them on a timeline.
Now we open the file named torrc in the same folder:
C:\Users\User\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor
Its DataDirectory and GeoIP file lines give the full path, including the drive letter, from which Tor was launched (see figure below). So if there are multiple Tor Browser folders on the suspect's system, or a copy was run from removable media, torrc tells us which drive and folder each copy was run from.
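The same two files can be parsed programmatically when several machines, or several copies of the bundle, have to be triaged. The Python script below is an added example, not code from the original post or from the Tor project. The state and torrc contents are constructed samples modelled on the real formats (Tor writes the local-time comment header and the UTC LastWritten line exactly as shown), the install path is the one used above, and the two-hour offset between the header and LastWritten assumes a machine set to UTC+02:00. The script returns the LastWritten time as an aware UTC datetime, lists every torrc option that holds an absolute Windows path, and reduces those to the drive letters involved.

```python
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample of Tor's state file. Tor writes the comment header in the
# machine's local time and every other timestamp, including LastWritten, in UTC.
SAMPLE_STATE = """\
# Tor state file last generated on 2018-05-09 16:05:11 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.3.2.10
LastWritten 2018-05-09 14:05:11
"""

# Constructed sample torrc using the install path from the post above.
SAMPLE_TORRC = """\
# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory C:\\Users\\User\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor
GeoIPFile C:\\Users\\User\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip
GeoIPv6File C:\\Users\\User\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip6
"""

WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_state_last_written(text):
    """Return the LastWritten timestamp as an aware UTC datetime, or None."""
    for line in text.splitlines():
        if line.startswith("LastWritten "):
            stamp = line.split(" ", 1)[1].strip()
            return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
                tzinfo=timezone.utc)
    return None


def parse_torrc_paths(text):
    """Map each torrc option whose value is an absolute Windows path to that path.
    Comments and blank lines are skipped; values containing spaces are kept whole."""
    paths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        if WIN_ABS_PATH.match(value):
            paths[option] = PureWindowsPath(value)
    return paths


def tor_run_summary(state_text, torrc_text):
    """Combine both files into the facts an examiner records: when Tor last ran
    (UTC, and converted to the analysis machine's local zone) and where it ran from."""
    last_written = parse_state_last_written(state_text)
    paths = parse_torrc_paths(torrc_text)
    data_dir = paths.get("DataDirectory")
    return {
        "last_written_utc": last_written.isoformat() if last_written else None,
        "last_written_local": last_written.astimezone().isoformat() if last_written else None,
        "data_directory": str(data_dir) if data_dir else None,
        # distinct drive letters across all path-valued options, e.g. ["C:"], or
        # ["C:", "E:"] when a second copy was run from a USB stick
        "drives": sorted({p.drive for p in paths.values()}),
    }


if __name__ == "__main__":
    for key, value in tor_run_summary(SAMPLE_STATE, SAMPLE_TORRC).items():
        print(f"{key}: {value}")
```

Point parse_state_last_written and parse_torrc_paths at the contents of the real state and torrc files copied from each \Data\Tor folder found on the disk; the local-time value is computed from the analysis machine's zone, so substitute the suspect machine's zone when building the timeline.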
Windows Prefetch is another source of information about Tor usage on the suspect system. The prefetch files are in C:\Windows\Prefetch.
In the figure below we list the prefetch files from the Windows command prompt (listing this folder requires administrative privileges, so run the command prompt as Administrator):
C:\> cd Windows
C:\Windows> cd Prefetch
C:\Windows\Prefetch> dir
You can also use WinPrefetchView by NirSoft to analyse the prefetch files that relate to Tor. The figure below shows the TOR.EXE-633A039F.pf file; the hexadecimal suffix is derived from the executable's full path, so a copy of the Tor Browser run from a different folder or drive produces a separate .pf file. Its presence indicates that tor.exe was run on the system, and we can open the file to see its properties.
In the figure below we can see the created time, modified time, last accessed time, path, and other fields for this file. Bear in mind that NTFS last-access updates are often disabled, so the last accessed value is not a reliable indicator of the last run; the last run time recorded inside the prefetch file is the better source.
The extensions.ini and compatibility.ini files, in the \Data\Browser profile folder listed above, also record the Tor Browser execution path (compatibility.ini stores it in the LastPlatformDir and LastAppDir entries, extensions.ini in the extension directory entries).
To get information about the websites visited, bookmarks, places, etc., open the file places.sqlite from the \Data\Browser profile folder. Copy it out first, together with the places.sqlite-wal file next to it if one is present, because Firefox keeps the most recent changes in the write-ahead log until a checkpoint. Keep in mind that the Tor Browser runs in private browsing mode by default, so visits are normally not recorded in this database; the rows that do appear typically come from bookmarks, or from a user who turned private browsing off.
Open the copy in DB Browser for SQLite (sqlitebrowser.org). Launch the program, go to File menu ➤ Open Database…, and browse to the directory holding the copy.
After successful installation of the Tor Browser, we visited the website http://ahmia.fi. In the table moz_hosts, we can see the list of website hosts we visited.
In the table moz_places, we can see the list of website URLs that were visited.
We bookmarked the website http://ahmia.fi. We can see the bookmarked websites in the moz_bookmarks table.
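For a larger investigation, or when DB Browser is not to hand, the same three tables can be queried directly. The Python script below is an added example, not part of the original post or of Firefox. It builds a small places.sqlite in a temporary folder with a cut-down version of the Firefox schema (a subset of the columns and constructed sample rows, one of them a bookmark that was never opened), then opens it read-only and extracts bookmarks, URLs and hosts. Firefox stores every timestamp as PRTime, microseconds since the Unix epoch in UTC, which is the conversion prtime_to_utc performs; a bookmark row holds only the title, so the URL comes from the moz_places row it references through fk. extract_places_evidence is the function to point at a real copy of places.sqlite.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def prtime_to_utc(prtime):
    """Firefox stores times as PRTime: microseconds since the Unix epoch, in UTC."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def build_sample_places_db(db_path):
    """Create a cut-down places.sqlite for the demo. The tables and columns are a
    subset of Firefox's schema; every row is constructed sample data."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, rev_host TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_bookmarks (
            id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
            position INTEGER, title TEXT, dateAdded INTEGER);
        CREATE TABLE moz_hosts (
            id INTEGER PRIMARY KEY, host TEXT, frecency INTEGER,
            typed INTEGER, prefix TEXT);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "http://ahmia.fi/", "Ahmia", "if.aimha.", 1, 1525874400000000),
        # bookmarked but never opened: the place row exists with no visit date
        (2, "http://example.onion/", None, "noino.elpmaxe.", 0, None),
    ])
    con.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?,?)", [
        (1, 2, None, 0, 0, "Bookmarks Menu", 1525874400000000),  # type 2 = folder
        (2, 1, 1, 1, 0, "Ahmia", 1525874460000000),              # type 1 = bookmark
        (3, 1, 2, 1, 1, "Test onion", 1525874520000000),
    ])
    con.executemany("INSERT INTO moz_hosts VALUES (?,?,?,?,?)", [
        (1, "ahmia.fi", 0, 0, "http://"),
        (2, "example.onion", 0, 0, "http://"),
    ])
    con.commit()
    con.close()


def extract_places_evidence(db_path):
    """Pull bookmarks, URLs and hosts out of a copied places.sqlite.
    The database is opened read-only so the evidence copy is never modified."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # a bookmark row only holds the title; the URL lives in moz_places via fk
        bookmarks = [
            (title, url, prtime_to_utc(added).isoformat())
            for title, url, added in con.execute(
                "SELECT b.title, p.url, b.dateAdded FROM moz_bookmarks b "
                "JOIN moz_places p ON p.id = b.fk WHERE b.type = 1 ORDER BY b.id")
        ]
        places = [
            (url, visits, prtime_to_utc(last).isoformat() if last else None)
            for url, visits, last in con.execute(
                "SELECT url, visit_count, last_visit_date FROM moz_places ORDER BY id")
        ]
        hosts = [host for (host,) in con.execute("SELECT host FROM moz_hosts ORDER BY host")]
    finally:
        con.close()
    return {"bookmarks": bookmarks, "places": places, "hosts": hosts}


def demo():
    """Build the sample database in a temporary folder and extract from it."""
    with tempfile.TemporaryDirectory() as workdir:
        db = Path(workdir) / "places.sqlite"
        build_sample_places_db(str(db))
        return extract_places_evidence(str(db))


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run extract_places_evidence against a copy of the suspect's places.sqlite (with its -wal file alongside) rather than the live profile, and expect moz_places to contain little beyond bookmark rows, with visit_count 0 and no last_visit_date, when the suspect left private browsing mode enabled.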