See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/332004753

Forensic Analysis of Tor Browser: A Case Study for Privacy and Anonymity on
the Web

Article  in  Forensic Science International · March 2019

DOI: 10.1016/j.forsciint.2019.03.030

CITATION READS

1 2,571

5 authors, including:

Abid Khan Jadoon Waseem Iqbal

National University of Sciences and Technology National University of Sciences and Technology
2 PUBLICATIONS   2 CITATIONS    35 PUBLICATIONS   83 CITATIONS   

SEE PROFILE SEE PROFILE

Muhammad Amjad Hammad Afzal

National University of Sciences & Technology National University of Sciences and Technology
18 PUBLICATIONS   34 CITATIONS    62 PUBLICATIONS   273 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Information Security Mechanism for Real Wireless Mesh Network Scenario (E-healthcare) View project

Using Trust in collaborative filtering for recommendations View project

All content following this page was uploaded by Waseem Iqbal on 04 August 2019.

The user has requested enhancement of the downloaded file.

 Forensic Science International 299 (2019) 59–73

Contents lists available at ScienceDirect

Forensic Science International

journal homepage: www.elsevier.com/locate/forsciint

Forensic Analysis of Tor Browser: A Case Study for Privacy and

Anonymity on the Web
Abid Khan Jadoon, Waseem Iqbal, Muhammad Faisal Amjad, Hammad Afzal,
Yawar Abbas Bangash
Department of Information Security, National University of Sciences and Technology (NUST), Islamabad 46000, Pakistan

A R T I C L E I N F O A B S T R A C T

Article history: Web browsers are among the most commonly used applications to access the web from any platform
Received 24 November 2018 nowadays. With recent digital incidents involving breach of data, users are becoming more cognizant of
Received in revised form 15 March 2019 the threat posed by malicious actors having access to personal data as well as vulnerable applications
Accepted 18 March 2019
which may compromise their data. For this very reason, users are being offered privacy preserving
Available online 26 March 2019
solutions for trust maturity. The onion router (Tor) browser is one such application which not only
ensures the privacy preservation goals but also provides promising anonymity. Due to this feature,
Keywords:
majority of the users use Tor browser for normal use as well as malign activities. In order to validate the
Web browser forensics
Private BROWSING
claims of Tor browser and help digital forensic investigators and researchers, we created different
Tor scenarios to forensically analyze the Tor browser privacy and anonymity. As a result of the findings, it can
Onion routing be concluded that the Tor browser leaves plethora of sensitive digital artifacts on host machine, which
Anonymity can be further used to compromise user data.
© 2019 Published by Elsevier B.V.

1. Introduction to connect to the Tor overlay network to route users’ traffic. Tor
browser is a modified version of Mozilla Firefox with some extra
Anonymity and privacy are two main elements to protect features for anonymity and privacy. Some of these features are the
freedom of speech. Goal of anonymity is to protect all the Tor launcher, Tor button, no script and HTTPS-Everywhere. By default,
information which can reveal real identity of user information browsing is configured for private mode with the option to clear
like real name, location, IP address etc. The goal of privacy is to browsing activity and its related artifacts such as cookies and
make sure that any organization or entity does not collect or store other browsing related data after closing of the browser.
any personal or private information like user browser history, According to a study [2], local DNS resolver and swap partition
location information, account details etc without user's knowl- used for memory swapping are two big challenges to private
edge. Currently Tor project is working with the objective to protect browsing. Private browsing may leave many artifacts on host
user anonymity and privacy over the internet. machine [39,43] and it does not provide the level of privacy
Tor project was initiated in 1995 by US Naval Research claimed by its vendors [31,8]. The research showed that artifacts
Laboratories [24]. The main goal of their project was to separate can be recovered from memory if the browser which is used for
identification information from routing and to design an anony- private browsing is open at the time of acquisition [21]. In other
mous communication network for military communication. After cases, many useful artifacts were recovered from paged memory
public disclosure, it was deeply studied and extensive research has even after the browsing session was closed [45,16]. [19] shows that
been carried out leading to different revisions of the project such there is a lack of awareness and many misconceptions about
as [47,23,46,14,51]. According to the latest report published by Tor private browsing. Current Browser forensic tools only target
metrics [50], there are more than 2.5 million active Tor users with specific browsers or specific information files. In cases where a
6000+ nodes carrying their traffic and providing 25.5 Gbps suspect used many browsers for criminal activities, these tools are
bandwidth for the Tor network. Tor browser is the easiest way not so effective because the evidence is spread across many files
and locations so analyzing a single browser or specific information
file does not provide all the artifacts about user activity. [38]
proposed a new methodology to overcome these limitations and
E-mail addresses: [email protected] (A.K. Jadoon),
[email protected] (W. Iqbal), [email protected] (M.F. Amjad), introduced a new tool (web browser forensic analyzer) which
[email protected] (H. Afzal), [email protected] (Y.A. Bangash). integrates forensic analysis of different browser.

https://doi.org/10.1016/j.forsciint.2019.03.030
0379-0738/© 2019 Published by Elsevier B.V.
60 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Fig. 1. Onion routing.

There have been studies with good analysis of Tor Browser to ensure users anonymity. Routing of data through Tor network is
[11,3,57], however, there are still some areas which are not depicted in Fig. 1.
comprehensively addressed. For instance, analysis of memory and Anonymity on the other hand, is provided by Tor network by
hard disk for network1 and browsing artifacts of Tor browser on ensuring that even the relay nodes of the overlay have knowledge
Windows 8.1 is not performed. The presented research in this about the predecessor and successor relay nodes in the entire virtual
paper focuses on analyzing the Windows 8.1 memory and hard circuit. To further enhance the anonymity property, every new
disk to recover all those artifacts which were not addressed in virtual circuit is established using a newly selected set of relay nodes.
previous researches.
Rest of the paper is organized as follows: Introduction to Tor 3. Related work
network and related research work in area of privacy and
anonymity for browsing is discussed in Sections 2 and 3. followed In today's era of surveillance, online anonymity is very important,
by proposed methodology and experimental setup part. Whereas especially in the context of freedom of expression [15]. One of the
the results obtained from these experiments are discussed in earliest researches in the domain of anonymity was presented in [7]
Section 5. Comparison with existing research is done in Section 6 of in which the mix-net was proposed. This work was later used to
the paper. Last part concludes the paper along with a brief design many other anonymity solutions. Mix-net uses layers of
discussion and future work. encryption and series of mixes over the network. The first practical
anonymity service provider was Remailer [22][29]. Similarly, the
2. Tor working methodology work in [26] demonstrated a remailer which replaced users’ real ID
with anonymous ID in messages using a mapping database. In this
Tor consists of a global overlay network of relays which helps in service, anonymity for users was better than the anonymity for
the achievement of privacy and anonymity for user Internet traffic. service provider. This service was shut down in 1996 due to legal
For every communication, the Tor network creates a virtual circuit problems with the church of Scientology [27].
comprising a minimum of three successive, randomly selected Cypherpunk remailer [30], also known as type I remailer, was
relays. Information about the relays is downloaded by the Tor based on Chaums mix-net [7]. It used public key cryptography for
client at source machine from a directory server. Encryption keys message encryption [42]. Mix master [35] was an upgraded version
are exchanged with the selected relays using the Diffie–Hellman of Cypherpunk which used message splitting and padding
key exchange protocol. At the source node, the data packets are techniques. This remailer was good in providing online anonymity
encrypted multiple times, once for every relay node using that but was vulnerable to tagging and blending attacks which were
relay's encryption key before forwarding the packets towards their later patched in Mixminion remailer [10].
destination. Therefore, the outer most layer of encryption is Later systems such as The Eternity service [4], Free Heaven [13]
decrypted by the entry node whereas the inner most layer of and Freenet [9] implemented the idea of online anonymous storage.
encryption is meant for the exit node to decrypt. Every relay node The eternity service provided anonymous storage of a file for a long
decrypts the received packet using its own decryption key in order period of time [13]. It used Rabin's information dispersal Algorithm
to discover the next hop address for the received packet. In this (IDA) [40] for dividing file into many parts before sharing with other
manner, every Tor node has the knowledge about relay nodes only servers. Another system, known as Freenet, was a peer to peer (P2P)
one hop away from itself. At the exit node, the inner-most layer of network which offered storage and retrieval of data anonymously.
encryption is decrypted and the un-encrypted data packet is Other systems such as Crowds [41] and Publius [56] provided
forwarded towards its final destination. Thus, the privacy of users’ services of anonymous web transactions and message publishing on
data is preserved until last hop. In case of https over Tor network, World Wide Web (WWW). Tarzan [18] provided anonymity during
data between last hop and destination is also encrypted. web browsing. These systems provided adequate anonymity but at
Furthermore, Tor browser change its path after every ten minute the same time, suffered from high latency.
In 1995, US Naval research laboratory started a project to design
anonymous network for military communication. This project was
named as Onion routing [47,23]. It was a low latency network and used
1
Tor Relays detail, Public keys. layer of encryption and onion network for anonymity. Later, the second
 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 61

generation [14] of this project was named TOR (The Onion Router). Tor 4.1. Experimental setup
Browser is free software made by Tor project [51] to access Tor
network. It routes user browser traffic through Tor network. For In order to work in clean environment, a shredded storage is
ensuring users privacy, it only runs in private browsing mode. It utilized for operating system installation and data storage. In order to
provides a high level of anonymity over the Internet. Due to the level of analyze the registry, memory and storage artifacts, virtual environ-
anonymity offered by this browser, soon it became a favorite tool of ment is used. A list of tools used during this investigation are listed as:
cyber criminals. Backtracking Tor user over the internet is very
challenging and therefore, network and disk forensics is extremely
MiniTool Partition Wizard Free 9.1 [34]
important in cases where Tor browser is used for illegal activities [17].
VMware Workstation 12 Pro (Version 12.5.7) [53]
There is a research gap in the area of Tor memory forensics. [12]
Window 8.1 (64 bit) [33]
highlights this issue and proposed a theoretical framework for Tor
Tor Browser 7.0.2 (32 bit) [48]
browser memory analysis. In [44], the authors showed many
Google Chrome [25]
security issues present in this browser but these issues were
Regshot 1.9.0 [6]
resolved in later versions. Most artifacts from memory can be
Volatility 2.6 Windows Standalone Executable (x64) [54]
recovered when Tor browser is open during acquisition [3].
Hex workshop v6.7 (64 bit) [5]
Authors of [11] presented a detailed analysis of Tor browser. They
AccessData FTK Imager v 4.1.1.1 [1]
analyzed Windows 7 for pre- and post-Tor execution artifacts.
Magnet AXIOM v 1.2.0.6464 (Trial Version) [32]
Authors of [57] have shown the recovery of many artifacts of Tor
Bulk extractor 1.6.0 [20]
browser from Windows 10 memory using volatility framework.

4. Proposed methodology 4.2. Browsing activity

Objective of this research was to collect all the Tor artifacts from In order to perform forensic analysis of the Tor browser, we
registry, memory and storage of host machine. For detail analysis simulate all the activities that a normal user performs using the
different scenarios were also considered. In registry analysis browser. Two Gmail, one Yahoo mail, one Instagram, two Twitter,
artifacts add or removed during installation and uninstallation three Facebook accounts (including one account for Facebook
were collected. While for memory and storage analysis scenarios of onion website) and two Skype accounts are created. Some
browser open and closed were considered. random contents are posted on these accounts before the start of
The overall methodology adopted in this work is illustrated in our investigation. From these accounts one Gmail, one Facebook,
Fig. 2. An extensive literature review about the Tor paradigm is one twitter and one Skype are used on Google Chrome for
performed to define the objectives of research. Gap analysis is exchanging emails and messages with the rest of the accounts
carried out with previous researches to further elaborate the used for Tor browser. Details about all of the accounts used and
objectives. A real environment is simulated for the proof of activities performed using Tor browser are given in Table 1.
concept. Once the results are acquired, they are analyzed in detail After completing all these activities, all downloaded images and
and compared with existing works. torrent files (.torrent files) are deleted from the system as well as

Fig. 2. The flowchart of research methodology.

62 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Table 1
A summary of user browsing activities for simulation.

Website Activities Accounts used on Tor Accounts used on Chrome

Search engine
Browsing website – –
www.duckduckgo.com
Key word search

Download/save images
Gmail
Browsing website [email protected] [email protected]
www.accounts.google.com
Login Exchange emails and attachments with Tor

Send emails to Gmail (for Chrome user) and user Gmail account
Yahoo (for Tor user)

Receive emails from Gmail (for Chrome user) and
Yahoo (for Tor user)

Read emails

Send email attachments

Receive email attachments

Online view MS Word &pdf document
attachments
Google Drive www.drive.google.
Browsing website [email protected] Same account as used above
com
Save word &pdf email attachments to drive Sent and receive attachments

view/read these attachments from drive online
Yahoo mail www.login.yahoo.com
Browsing website [email protected]

login

Sent mails to chrome user Gmail and Tor user
Gmail accounts

Receive mails from chrome and Tor user Gmail
accounts

Read emails

Sent email attachments

Receive email attachments

Download pdf attachment
[email protected] Same account as used above
Same activities as done with Gmail account
Twitter www.twitter.com
Browsing website user3_tor user3_chrome

login @user3_tor @user3_chrome

Tweet

Like tweet

Retweet

Comment

Visit accounts

follow

Chat with chrome user twitter account
Instagram www.instagram.com
Browsing website user4_tor –

login @user4_tor

Visit accounts

Follow

Like pictures

comment
Facebook www.facebook.com
Browsing website user5_tor user5_chrome

login

like pages and posts

share posts

comments on posts

visit pages and user profiles

search accounts

receive friend request

chat with chrome user Facebook account
Onion Facebook Same as done above in Facebook user6_tor Same account as used above
facebookcorewwwi.onion
Skype
Browsing website user7_tor user7_chrome
www.skype.com
login
login.skype.com
search accounts

chat with skype user on chrome
YouTube www.youtube.com
Browsing website – –

Search keyword/videos

Watch videos
Google maps maps.google.com
Browsing website – –

Search places
Torrents academictorrents.com
Browsing website _ _

magnet links a

download.torrent file
Research papers
Browsing websites – –
www.garykessler.net
open pdf research paper online
www.blackhat.com
view/read 2 Anti-forensics papers &3
http://icitech.org Ransomware papers
www.clarecomputer.com
Mail2Tor email accounts
Browsing website Darkweb_user@mail2tor. –
mail2tor2zyjdctd.onion
Create email account com
a
Downloading torrents using magnetic link did not work in Tor browser.
 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 63

the recycle bin before taking the snapshots of the virtual that these keys are added in different order under different
machines. scenarios which are explained below.
Best effort has been made to cover all possible activities that can
be performed using the Tor browser. Depending on the intention of
Install and Run In this scenario, the browser is installed with
user, similar activities can be performed by normal user for selecting the “Open browser automatically after installation”.
legitimate purpose or by a malicious user with some criminal After installation, browser is automatically opened. The first two
intentions like cyberstalking, cyberbullying and sending hoax keys got added to registry. Third key got added when browser
emails etc. Two such case studies where social media and email was run next time after closing.
platforms on Tor browser were used for committing crime can be
Install only In this scenario, the browser is installed without
found here [36,37,52]. selecting the “Open browser automatically after installation”.
First key is added after installation is completed. Second and
4.3. Data acquisition third keys are added when browser is opened.

Acquisition is done in three phases; Registry, Tor only memory, These scenarios will be very helpful in cases where investigator
memory and storage. In each phase Tor is installed from external are interested to know that whether user just installed the Tor
storage. After completion of each phase, system is reverted to clean browser or used it as well after installation. For further details,
state to ensure that no artifacts from previous phase remain on the refer to Table 2.
system. Some concepts which are used hereafter in this paper are
explained below: 5.2. Memory analysis

Tor Only memory Tor browser is installed and executed. Memory analysis is performed in two phases. In first phase, “Tor
Browser is connected to the Tor network. No browsing activity browser only artifacts” are searched for, whereas in second phase,
is performed during this slot. VMware snapshot is taken during “browsing artifacts” are also searched.
this state of the system referred as the second snapshot.

Browser Open After completing browsing activates given in 5.2.1. Tor only artifacts
Table 1, browser is remained open on last opened tab of last Software leaves many artifacts on host machine after installa-
visited site. During this time, VMware snapshot is taken, referred tion. This part of research focuses on recovering all these artifacts
as the third snapshot. which Tor browser leaves on host machine after installation and

Browser closed Subsequent to the “Browser Open” scenario, execution. Volatility framework is used for forensics analysis of
browser is closed and snapshot is recorded, referred as the fourth acquired memory image. List of all recovered artifacts and
snapshot. commands used are given in Table 3. The explanation about all
commands and recovered artifacts are shown here [55]. Analysis of
memory for running processes shows that Tor browser has two
4.3.1. Registry acquisition processes in memory, Firefox.exe (pid = 3548) and tor.exe (pid =
Registry acquisition is accomplished in three steps i.e. pre- 3668). Using process ids of these two processes, other artifacts
installation, post-installation and post uninstallation. Snapshots linked to them are also recovered. In version information artifacts,
are dumped to the external storage to ensure the host integrity. key words “firefox” and “tor.exe”’ are used to locate version
information of these two processes. For processes tree, process list
4.3.2. Memory acquisition and virtual addresses, dot diagrams are also generated. Results
Memory acquisition has been categorized into two parts i.e. Tor given in Table 3 can be downloaded from here.3 A similar analysis is
only and Tor browsing stage. In Tor browsing stage there exists two also performed in [57]. They used Tor browser v5 on Windows 10
scenarios i.e. browser open and closed. for the analysis.

4.3.3. Storage acquisition 5.2.2. Browsing artifacts

Similar to the memory acquisition, “Browser Open” and In this phase, the artifacts about user browsing activities in
“Browser Closed” are considered. To ensure that all artifacts from memory are searched. As explained in Data Acquisition, third
storage are recovered “vmdk files” of host system, third and fourth snapshot of VMware is taken for “Browser Open” scenario while
snapshot are acquired. forth was taken for “Browser Closed” scenario. Memory images (.
vmem files) of these two VMware snapshots are analyzed for
5. Analysis and results browsing artifacts. Bulk extractor and Hex workshop are used for
analysis. Most of analysis is performed using Bulk extractor. String
Forensics analysis is done in three phases. In first phase, registry search is used in Bulk extractor to find links of user social media
snapshots are analyzed while memory and storage images are account profiles, visited profiles watched videos, keywords
done in next two phases. searched and other artifacts. These strings are taken from visited
sites addresses, user names which are used during user browsing
5.1. Registry analysis activities phase. All these artifacts can be found without using
strings searches by just analyzing all the sites extracted by Bulk
Registry snapshots are acquired and then analyzed using extractor, however, this method is time consuming as compared to
Regshot tool. The analysis shows that this browser add three string searches. For searching email text in memory, Hex work-
registry keys during installation. All these keys remain in registry shops is used. Memory image is opened in Hex workshop and
after uninstallation which indicates that it does not clear its different strings searches are performed to find these emails.
registry artifacts during uninstallation2 [49]. It was also noticed Strings from email text which are sent and received during user

2 3
According to the Tor project website, uninstallation of Tor browser simply https://www.dropbox.com/sh/06pmf2jml4muur6/AABfzbRZ2pYIlKRcJ-
deletes Tor browser folder and browser shortcut from system as well as recycle bin. K0itHmna?dl=0.
64 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Table 2
Registry artifacts.

S. No. Location of registry keys Description

1 HKUnS-1-5-21-3610041324-1787688552-2397930110-1001nSoftwarenMicrosoftnWindows Registry key shows name of Tor
NTnCurrentVersionnAppCompatFlagsnCompatibility AssistantnStorenSIGN.MEDIA=33C3D38 torbrowser-install-7.0.2_en- browser setup file used for
US.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 38 3D 3C 03 B6 60 3C 03 01 00 00 00 00 00 00 00 00 installation
00 01 06 00 01 00 00 97 5F D8 91 C9 9E CE 01 00 00 00 00 00 00 00 00
2 HKUnS-1-5-21-3610041324-1787688552-2397930110-1001nSoftwarenMicrosoft nInternet Registry key shows Audio settings
ExplorernLowRegistrynAudionPolicyConfig nPropertyStoren6ae17f4a_0n: “{2}.nn?n and location of firefox.exe file
hdaudio#func_01&ven_15ad&dev_1975 &subsys_15ad1975&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}n
elineouttopo/00010001| nDevicenHarddiskVolume1nUsersnAbid JadoonnDesktopnTor BrowsernBrowsernfirefox.exe%b
{00000000-0000-0000-0000-000000000000}”
3 HKUnS-1-5-21-3610041324-1787688552-2397930110-1001nSoftwarenMicrosoftnWindows Registry key shows location of
NTnCurrentVersionnAppCompatFlagsnCompatibility AssistantnStorenC:nUsersnAbid JadoonnDesktopnTor installed Tor browser and firefox.exe
BrowsernBrowsernfirefox.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 28 05 00 94 FA 05 00 01 00 file. It also shows that Firefox.exe file
00 00 00 00 00 00 00 00 03 06 00 01 00 00 97 5F D8 91 C9 9E CE 01 00 00 00 00 00 00 00 00 is located inside Tor Browser folder.

Table 3 browser for routing its traffic. Other information include IP

Tor only artifacts.
address, Ports, Bandwidth, Name and Fingerprint, Tor version used
S. No. Artifacts recovered Commands used by this relay, date and time of user browser connection and status
1 Processes list Pslist, psscan (entry or exit). Figs. 4 and 5 are screenshot of public keys and other
2 Process Tree pstree information in memory image of third VMware snapshot. Same
3 Dynamic-link library (Dlls) dlllist, ldrmodules artifacts can also be found in “cached-certs”, “cached-microdesc-
4 Dll Dump dlldump
consensus”, “cached-microdescs” and “cached-microdescs.
5 handles handles
6 Security Identifiers getsids
new” files present at TorBrowser/Browser/TorBrowser/Data/
7 process privileges privs Tor. These files are analyzed in Hex Workshop as shown in A, B,
8 process's environment variables envars C and D. These artifacts can be helpful for law enforcement
9 version information embedded in PE files verinfo agencies in case of backtracking a Tor user for any illegal activity by
10 process's executable Dump procdump
collecting artifacts from these relays regarding browsing activity of
11 Files dump dumpfiles
12 virtual addresses Vadinfo, vadwalk, vadtree the user. All the artifacts found in both memory images were
13 ETHREAD objects thrdscan identical which shows that Tor browser does not clear user
15 network artifacts netscan browsing history from memory while closing the application.
16 registry key printkey
Summary of all the artifacts found in memory about user browsing
activities are listed in Table 4. Screenshots of some of these artifacts
are given in Fig. 6 and . All these artifacts are found using bulk
activities part are used. These emails can also be found in memory extractor except inbox messages of Gmail and yahoo mail which
without using string searches by viewing all strings present in were found using Hex workshop.
memory from start to the end using hex workshop. But this
method is very time consuming in cases of large memory images. 5.3. Hard disk analysis
All inbox emails including unread emails of Gmail and Yahoo
accounts used with Tor browser are present in memory. Some of In this part, analysis of virtual storage is performed. Four VMDK
the emails found in memory image of third snapshot using string files are analyzed which include two VMDK file (OS,snapshot) for
searches are shown in Fig. 3. “Browser Open” scenario while two for “Browser Closed” scenario.
Using string “PUBLIC KEY” and “Relay=” public keys and other Both Snapshot VMDK files are converted to EnCase image file
useful information can also be found about Tor relays used by Tor format before starting of analysis.

Fig. 3. Email text found in memory.

 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 65

Fig. 4. Public keys of Tor relays in memory.

Fig. 5. Relays information present in memory.

5.3.1. Hard disk artifacts with open browser Axiom had all the download data. Downloaded images were show
Artifacts that are present in hard disk when browser is open under media artifacts and downloaded torrent files were under
were searched in this part of analysis. Both OS VMDK file and peer to peer artifacts. Axiom also recovered many other images
snapshot VMDK file of third snapshot were analyzed with Magnet from OS internal application but none of them were from browsing
Axiom [32]. Hex Workshop was used for searching registry activity except downloaded images. Tor browser icon was also
artifacts present in these VMDK files. Magnet Axiom has support present in recovered images which clearly indicate that Tor
for OS VMDK file but no support for snapshot VMDK file. Using browser was installed on the system. No other instance was found
image conversion procedure adopted in [28] we use FTK imager to under axiom OS artifacts Except location of firefox.exe as shown in
convert this VMDK file into EnCase Image File Format which is Appendix H. All registry artifacts were present.4
supported by Axiom. Using FTK imager MD5 and SHA1 hashes
were computed and compared before and after conversion as 5.3.2. Artifacts – hard disk with closed browser
shown in Appendix I to ensure integrity of converted snapshot In this part of analysis, all those Tor browser artifacts were
VMDK files. MD5 and SHA1 hash were also computed for OS virtual searched which were present in hard disk after browser was
hard disk file with FTK imager. No Tor browser artifacts were found closed. All steps performed in previous part of hard disk analysis
on OS VMDK file. For registry artifacts this VMDK file is viewed in for snapshot VMDK file, MD5 and SHA1 hashes computing for both
Hex Workshop and different strings searches were performed. converted snapshot VMDK file and OS VMDK file were also
Strings “firefox.exe%b” and “SIGN.MEDIA=33C3D38” were used in
these searches. No registry artifacts were present in OS VMDK file.
However many artifacts were recovered from analysis of converted 4
This is “Install and Run” scenario so only key 1 and 2 will be present as explained
snapshot VMDK file as shown in Table 5. Artifacts found by Magnet in Section 5.1.
66 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Table 4
Browsing artifacts in memory.

S. Application/data Artifacts found Artifacts found Artifacts found Artifacts not found
No. searched while Tor browser while Tor browser
was open was closed
1 Search Engine/ Yes Yes All links visited by user including:
Bulk extractor was unable to recover
DuckDuckgo
Links of viewed and download images download images

All searched key words
2 Gmail – – All email addresses of senders and receivers as
Sent Messages
shown in Appendix E
Attachment files(word and Pdf)

Inbox messages including unread messages

Links of all email attachment files
3 Google Drive – – All Google drive links visited by user including: Nil

Links of online viewed/read drive documents
4 Yahoo mail – –
Same Artifacts as Gmail
Same Artifacts Gmail
5 Twitter – – All Twitter links visited by user including:
Liked tweets

User profile link as shown in Fig. 6
Shared tweets

Profile links of viewed/visited twitter accounts
Comments

Links of all those twitter accounts which were
Chat
visited/viewed before following them
User Profile picture

Links of all those followed twitter accounts
which were followed
without visiting/viewing them
6 Instagram – – All Instagram links visited by user including
Liked pictures
including:
Comments

User profile link as shown in Appendix F
Chat

Profile links of viewed/visited instagram
User Profile picture
accounts
Links of all those followed instagram

Links of all those instagram accounts which were accounts which were followed without
visited/viewed before following them visiting/viewing them
7 Facebook and – – All Facebook and Facebook Onion links visited by
Liked posts
Facebook Onion user including:
Comments

User profile link as shown in Appendix G
Shared posts

Profile links of viewed/visited facebook accounts
Chat
and pages
User Profile picture

keyword searched

Links of all those facebook accounts and pages
which were visited/viewed before liking thema
8 Skype – –
All Skype links visited by user which clearly
Chat
shows that Skype account has been used by user on
Contacts
this browserb
User Profile picture
9 YouTube – – All YouTube links visited by user including links of: Nil

Keyword searched

Watched videos
10 Google Maps – – All Google maps links visited by user including Nil
links of:

Keyword searched

Links of viewed location
11 Torrent/ – – All links of Academictorrents website visited by
Bulk Extractor was unable to recover
Academictorrent user including: downloaded torrent files
site
Links of viewed torrents

Magnetic links of downloaded torrent files
12 Research papers – – Links of all research paper websites visited by user Nil
including:

Links of online viewed/read pdf research papers
13 Mail2tor – –
All links of Mail2tor website visited by user Nil

Email address of account created by user
a
No such pages were liked which were not visited/viewed by user.
b
Unlike Facebook and Twitter, Skype links does not provide any information about user's profile and keywords searched.

repeated in this section. For searching artifacts same tools and Winkler et al. [11] performed analysis of Tor Browser on
methods were used as in previous section of hard disk analysis. No window 7. They considered three case scenarios namely Pre-tor,Tor
Tor browser artifacts were present in OS VMDK file. In converted active and Post-tor. They performed memory analysis in all these
snapshot VMDK file we found some artifacts which are given in scenarios for finding Tor artifacts. Their research lacked in analysis
Table 5. Registry key7 and location of firefox.exe were the only of hard disk and Tor only artifacts in memory as shown in Table 6.
artifacts that were present in converted snapshot VMDK file. These two areas are very important for forensics investigators.
Many useful artifacts can be recovered from these areas as can be
6. Comparison with existing research seen from our results. Another problem with this research was that
it was done on Windows 7 which is old operating system and most
A lot of research has been done on security and privacy of Tor of current user are shifted to window 8 or 10.
network but there is a research gap in the area of Tor Forensics. Atta et al. [3] also done similar analysis of Tor browser on
Limited research has been done in this field. We found only Window 7. They analyzed system memory for Tor artifacts. There
three researches in which forensics analysis of Tor browser was main focus was recovering artifacts about user browsing activities
performed. Detail comparison between existing research and our from memory. They consider only a limited set of browsing
experimentation is shown in Table 6. activities and these activities does not reflect browsing habits of a
 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 67

Fig. 6. Twitter artifacts recovered by bulk extractor from memory images.

Table 5
Summery of Tor browser hard disk artifacts.

Instance Open Tor browser Closed Tor browser

OS Vmdk File Converted Snapshot Vmdk File OS Vmdk File Converted Snapshot Vmdk File
Browsing
No artifacts
No artifacts found
No artifacts
No artifacts found
Pictures –
Only Tor browser icon was present in recovered pictures –
No artifacts found

No picture and videos were present from browsing activities
Downloads – All downloads were present –
No artifacts found

Downloaded pictures

Downloaded torrent files(.torrent files)
Operating system –
Only location of firefox.exe was present –
Only location of firefox.exe was present

No other artifacts of Tor browser were present
No other artifacts of Tor browser were present
Registry artifacts –
Two registry keys 1 and 2 were present and third key was –
Two registry keys key 1 and key 2 were present
missing and third key was missing

Table 6
Tor browser analysis and artifacts comparison.

Authors Registry artifacts Memory artifacts Hard disk artifacts Network artifacts

Tor browser installation Tor browser un-installation Tor only Browsing Browser open Browser closed
Our work U U U U U U 
Winkler et al. [11] U U  U   U
Atta et al. [3]    U   
Aron et al. [57] U  U  U  

normal user.5 Three important areas hard disk, registry and Tor artifacts related to browsing activities were searched in system
only artifacts in memory were missing in their research. This paper memory and hard disk.
also claim that Tor browser clear all its remnants after closing In this research, all possible artifacts are recovered from host
which is not true as can be seen from our analysis results. system. We also consider different test scenarios which a forensic
Aron et al. [57] demonstrates the forensic analysis of Tor investigator can face during investigation. Recovering relays
browser on Windows 10. Registry artifacts added during installa- information from memory and hard disk is very important. These
tion and Tor only artifacts in memory are analyzed. Authors used information will be very helpful in backtracking Tor user. Specially
latest version of Windows and Tor browser for this research. information of exit node is most important because at exit node all
However, authors did not analyze registry for artifacts that remain data is in plain text. If any user or attacker share any personal
after uninstallation of Tor browser. Another missing part in this information then by analyzing exit node and extracting those
research was, no browsing activities were performed and no information will help law enforcement agencies to identify him.
None of previous research recover relay information artifacts from
memory and hard disk.
Browsing artifacts are very important because from these
5
Use of social media, email etc. were not considered in these activities. artifacts we can find out all the browsing activities perform by user.
68 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Our research is the only research that recover those artifacts from there are no specific tools for this browser. Digital Forensics
window 8.1 memory. In previous researches they only recover industry need to develop tool for this browser. Our research will be
similar artifacts from window 7 memory but none of them recover very helpful in designing and developing these tools. Backtracking
it from window 8.1 or 10 memory. Tor user on network is very challenges. Network artifacts we found
Our focus was to use such tools which is either open source or in memory as shown in Fig. 5 will be very helpful for security and
available as demo version so that anyone can reproduce our results law enforcement agencies in cases were backtracking of Tor user is
without purchasing commercial tools. This research will also be required.
very help for researchers and investigator with limited budget.
8. Conclusions and future work
7. Discussion
This paper presents a forensics analysis of Tor browser on
Censorship and surveillance are two biggest challenges to Windows 8.1. We analyzed system registry, memory and hard disk
freedom of expression. To overcome these challenges more and for all the artifacts that Tor browser leaves on user system when
more sites are shifting to onion domain so it is expected that in browser is open and after it is closed. We looked for the artifacts
near future Tor browser will be among top five browsers in cyber about Tor installation, usage and browsing activities. Our results
market. Although this browser provide privacy but not as much as show that the Tor browser leaves many artifacts on user system
it can be seen from our results, especially from memory analysis especially in system memory.
results, that it leave many artifacts in memory even after closing Network forensics is very important part of digital investi-
the application. This browser is not perfect but still with all these gation. In future research we are interested in network forensics
weaknesses, it is good enough because it provides both privacy and of the Tor browser. This will help us to fully understand
anonymity at the same time. It offers features like tor button, no forensics behavior of this browser. We are also interested in
script and HTTPS-Everywhere which further improve its anonymi- forensics analysis of orfox which is android version of this
ty and privacy. browser. Orbot is another android app which work as Tor proxy.
We can learn many things about user browsing activities from Forensics analysis of this app is also include in our future research
the memory analysis results. These results can be helpful for Law goals.
Enforcement Agencies in cases where a Tor browser user is under
investigation. It will also be helpful for Tor browser developer to Appendix A. Tor public keys in storage
improve security and privacy of their browser in upcoming
versions. Forensics tools are available for all major browser but Fig. 7

Fig. 7. Public keys of Tor relay in cached-certs file.

 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 69

Appendix B. Relays information in storage

Fig. 8

Fig. 8. Relays information present in cached-microdesc-consensus file.

Appendix C. Tor public keys in storage

Fig. 9

Fig. 9. Public keys of Tor relay in cached-microdescs file.

70 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Appendix D. Tor public keys in storage

Fig. 10

Fig. 10. Public keys of Tor relay in cached-microdescs.new file.

Appendix E. Email artifacts in memory

Fig. 11

Fig. 11. Email artifacts recovered by bulk extractor from memory images.
 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 71

Appendix F. Instagram artifacts in memory

Fig. 12

Fig. 12. Instagram artifacts recovered by bulk extractor from memory images.

Appendix G. Facebook artifacts in memory

Fig. 13

Fig. 13. Facebook artifacts recovered by bulk extractor from memory images.
72 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73

Appendix H. Tor browser artifacts in storage

Fig. 14

Fig. 14. Tor browser artifacts in storage.

Appendix I. Forensics hashes

Fig. 15

Fig. 15. Hashes of hard disk image files for Tor browser open and closed status.
 A.K. Jadoon et al. / Forensic Science International 299 (2019) 59–73 73

References [30] S. Levy, Crypto Rebels. High Noon on the Electronic Frontier, (1996) , pp. 185–
205.
[1] ACCESSDATA GROUP, Inc, Ftk Imager, (2017) Available at: https://accessdata. [31] J.C. Liou, M. Logapriyan, T.W. Lai, D. Pareja, S. Sewell, A study of the internet
com/product-download/ftk-imager-version-4.1.1. privacy in private browsing mode, Proceedings of the 3rd Multidisciplinary
[2] G. Aggarwal, E. Bursztein, C. Jackson, D. Boneh, An analysis of private browsing International Social Networks Conference on SocialInformatics, Data Science
modes in modern browsers, Proceedings of the 19th USENIX Conference on 2016, ACM, 2016, pp. 3.
Security, USENIX Association, 2010, pp. 6. [32] Magnet Forensics Inc, Magnet Axiom, (2017) Available at: https://www.
[3] A. Al-Khaleel, D. Bani-Salameh, M.I. Al-Saleh, On the memory artifacts of the magnetforensics.com/try-magnet-axiom-free-30-days/.
tor browser bundle, The International Conference on Computing Technology [33] Microsoft, Window 8.1, (2017) Available at: https://www.microsoft.com/en-
and Information Management (ICCTIM), Society of Digital Information and us/software-download/windows8.
Wireless Communication, 2014, pp. 41. [34] MiniTool Solution Ltd, Minitool Partition Wizard, (2017) Available at: https://
[4] R. Anderson, et al., The eternity service, Proceedings of PRAGOCRYPT (1996) www.partitionwizard.com/download.html.
242–252. [35] U. Möller, L. Cottrell, P. Palfrader, L. Sassaman, Mixmaster Protocol-Version 2,
[5] BreakPoint Software, Inc, Hex workshop, (2017) Available at: http://www. (2003) Available at: www.abditum.com/mixmaster-spec.txt.
bpsoft.com/downloads/. [36] Office of Public Affairs, D.o.J, Massachusetts Man Arrested and Charged with
[6] M. Buecher, XhmikosR, TiANWEi, Regshot, (2017) Available at: https:// Cyberstalking Former Roommate, (2017) Available at: https://www.justice.
sourceforge.net/projects/regshot/files/latest/download. gov/opa/pr/massachusetts-man-arrested-and-charged-cyberstalking-for-
[7] D.L. Chaum, Untraceable electronic mail, return addresses, and digital mer-roommate.
pseudonyms, CACM 24 (1981) 84–90. [37] Office of Public Affairs, D.o.J, Massachusetts Man Sentenced to More than 17
[8] H. Chivers, Private browsing: a window of forensic opportunity, Digital Invest. years in Prison for Cyberstalking Former Housemate and Others, Computer
11 (2014) 20–29. Hacking, Sending Child Pornography and Making over 100 Hoax Bomb Threats,
[9] I. Clarke, O. Sandberg, B. Wiley, T.W. Hong, Freenet: a distributed anonymous (2018) Available at: https://www.justice.gov/opa/pr/massachusetts-man-
information storage and retrieval system, Designing Privacy Enhancing sentenced-more-17-years-prison-cyberstalking-former-housemate-and-
Technologies, Springer, 2001, pp. 46–66. others.
[10] G. Danezis, R. Dingledine, N. Mathewson, Mixminion: design of a type iii [38] J. Oh, S. Lee, S. Lee, Advanced evidence collection and analysis of web browser
anonymous remailer protocol, Proceedings 2003 Symposium on Security and activity, Digital Invest. 8 (2011) S62–S70.
Privacy, IEEE, 2003, pp. 2–15. [39] D.J. Ohana, N. Shashidhar, Do private and portable web browsers leave
[11] W. Darcie, R. Boggs, J. Sammons, T. Fenger, Online Anonymity: Forensic incriminating evidence?: a forensic analysis of residual artifacts from private
Analysis of the tor Browser Bundle, (2014) . and portable web browsing sessions, EURASIP J. Inform. Security 2013 (2013) 6.
[12] D. Dayalamurthy, Forensic Memory Dump Analysis and Recovery of the [40] M.O. Rabin, Efficient dispersal of information for security, load balancing, and
Artefacts of Using tor Bundle Browser – The Need, (2013) . fault tolerance, J. ACM 36 (1989) 335–348.
[13] R. Dingledine, M.J. Freedman, D. Molnar, The free haven project: distributed [41] M.K. Reiter, A.D. Rubin, Crowds: anonymity for web transactions, ACM Trans.
anonymous storage service, Designing Privacy Enhancing Technologies, Inform. Syst. Security 1 (1998) 66–92.
Springer, 2001, pp. 67–95. [42] T. Rid, The Cypherpunk Revolution, (2017) . (accessed on 1.25.2017) http://
[14] R. Dingledine, N. Mathewson, P. Syverson, Tor: The Second-Generation Onion projects.csmonitor.com/cypherpunk.
Router. Technical Report, Naval Research Lab, Washington, DC, 2004. [43] H. Said, N. Al Mutawa, I. Al Awadhi, M. Guimaraes, Forensic analysis of private
[15] M. Edman, B. Yener, On anonymity in an electronic society: a survey of browsing artifacts, 2011 International Conference on Innovations in Informa-
anonymous communication systems, ACM Comput. Surv. 42 (2009) 5. tion Technology (IIT), IEEE, 2011, pp. 197–202.
[16] J. Filleau, M. Zizyte, What Private Browsing Leaves Behind, (2016) 12 Dec. [44] R.A. Sandvik, Forensic Analysis of the tor Browser Bundle on os x, linux, and
[17] D. Forte, Advances in onion routing: description and backtracing/investigation Windows, (2013) .
problems, Digital Invest. 3 (2006) 85–88. [45] K. Satvat, M. Forshaw, F. Hao, E. Toreini, On the privacy of private browsing – a
[18] M.J. Freedman, R. Morris, Tarzan: a peer-to-peer anonymizing network layer, forensic approach, Data Privacy Management and Autonomous Spontaneous
Proceedings of the 9th ACM Conference on Computer and Communications Security, Springer, 2014, pp. 380–389.
Security, ACM, 2002, pp. 193–206. [46] P. Syverson, A peel of onion, Proceedings of the 27th Annual Computer Security
[19] X. Gao, Y. Yang, H. Fu, J. Lindqvist, Y. Wang, Private browsing: an inquiry on Applications Conference, ACM, 2011, pp. 123–137.
usability and privacy protection, Proceedings of the 13th Workshop on Privacy [47] P.F. Syverson, D.M. Goldschlag, M.G. Reed, Proceedings of 1997 IEEE
in the Electronic Society, ACM, 2014, pp. 97–106. Symposium on Anonymous Connections and Onion Routing, Security and
[20] S. Garfinkel, A. Bruce, Bulk extractor, (2017) Available at: http://downloads. Privacy, 1997, IEEE, 1997, pp. 44–54.
digitalcorpora.org/downloads/bulk_extractor/newer_dev/. [48] TOR Project, Tor Browser, (2017) Available at: https://www.torproject.org/
[21] A. Ghafarian, S.A.H. Seno, Analysis of privacy of private browsing mode projects/torbrowser.html.en.
through memory forensics, Int. J. Comput. Appl. 132 (2015). [49] TOR Project, Tor Faq, (2017) Available at: https://www.torproject.org/docs/faq.
[22] I. Goldberg, D. Wagner, E. Brewer, Privacy-enhancing technologies for the html.en#HowUninstallTor.
internet, Proceedings of Compcon’97, IEEE, 1997, pp. 103–109. [50] TOR Project, Tor Metrics, (2017) Available at: https://metrics.torproject.org.
[23] D. Goldschlag, M. Reed, P. Syverson, Onion routing, CACM 42 (1999) 39–41. [51] TOR Project, The tor Project: Anonymity Online, (2017) Available at: https://
[24] D.M. Goldschlag, M.G. Reed, P.F. Syverson, Hiding routing information, www.torproject.org.
International Workshop on Information Hiding, Springer, 1996, pp. 137– [52] U.S. Attorney's Office District of Massachusetts, D.o.J, Harvard Student Charged
150. with Bomb Hoax, (2013) Available at: https://www.justice.gov/usao-ma/pr/
[25] Google, Google Chrome, (2017) Available at: https://www.google.com/ harvard-student-charged-bomb-hoax.
chrome/browser/desktop/index.html. [53] VMware, Vmware Workstation Pro, (2017) Available at: https://www.vmware.
[26] S. Helmers, A brief history of anon.penet.fi – the legendary anonymous com/products/workstation-pro/workstation-pro-evaluation.html.
remailer, Comput Mediated Commun. Mag. 4 (1997) 9. [54] Volatility Foundation, An Advanced Memory Forensics Framework, (2017)
[27] J. Helsingius, Johan Helsingius gets Injunction in Scientology Case Privacy Available at: http://www.volatilityfoundation.org.
Protection of Anonymous Messages still Unclear, (1996) . [55] Volatility Foundation, Command Reference, (2017) Available at: https://
[28] M. Hirwani, Y. Pan, B. Stackpole, D. Johnson, Forensic acquisition and analysis github.com/volatilityfoundation/volatility/wiki/Command-Reference.
of vmware virtual hard disks, Proceedings of the International Conference on [56] M. Waldman, A.D. Rubin, L.F. Cranor, Publius: a robust, tamper-evident
Security and Management (SAM), The Steering Committee of The World censorship-resistant web publishing system, USENIX Security Symposium
Congress in Computer Science, Computer Engineering and Applied Computing (2000) 59–72.
(WorldComp), 2012, pp. 1. [57] A. Warren, Tor Browser Artifacts in Windows 10, (2017) Retrieved from SANS
[29] D.J. Kelly, A Taxonomy for and Analysis of Anonymous Communications Institute website: https://www.sans.org/reading-room/whitepapers/foren-
Networks, Air Force Institute of Technology, 2009. sics/tor-browser-artifacts-windows-10-37642.

View publication stats