DEV Community

Prasan Singh
Prasan Singh

Posted on

how to identify the traces of the tor browser during the investigation?

Tor browser is one of the topics that excite every cybersecurity enthusiast. Tor was made for only one purpose, i.e., to make the user anonymous on the internet. It is used to access the Dark web, the deepest entity of the known Internet. Let's understand the working of Tor before investigating it. Tor browsers is based on Mozilla Firefox and work on relays. These are routers or nodes through which the traffic passes. These relays are divided into three levels:

  1. Entry Relay: When establishing a Tor network, the user connects to the entry node, from which the user's IP address can be seen.

  2. Middle Relay: Here, the data is transferred in an encrypted mode.

  3. Exit Relay: data is sent to the destination servers through this node. Thus, the exit node is seen as the origin of the traffic, hiding the original identity of the user.

The working and routing technique is known as onion routing. Tor browser provides access to .onion websites available on the dark web. Tor’s hidden service protocol allows users to host websites anonymously with. Users on the Tor network can only access BIT domains and these websites.

Although the Tor browser provides anonymity to its users, artifacts pertaining to the activities performed on it reside on the system RAM as long as the system is not powered off. Investigators can acquire a RAM dump of the live suspect machine to identify and analyze the artifacts pertaining to malicious use of the Tor browser. To investigate cybercrimes perpetrated using the Tor browser, forensic investigators should collect RAM dumps from the suspect machine and study them to determine the malicious activities performed using the Tor browser, including websites visited, emails accessed, and programs downloaded.

When the Tor browser is installed on a Windows machine, it uses port 9150/9151 for establishing connections via Tor nodes. Forensic investigators can obtain the path from where the TOR browser is executed in the following Registry key: HKEY_USERS<SID>\SOFTWARE\Mozilla\Firefox\Launcher. The investigator analyzes the ‘State’ file located in the path where the Tor browser was executed on a suspect machine.

When the Tor browser is uninstalled from a machine, or if it is installed in a location other than the desktop (in Windows), it is difficult for investigators to know whether it was used or the location where it is installed, examining the prefetch files helps the investigators in obtaining this information. The prefetch files are located in the directory, C:\WINDOWS\Prefetch on a Windows machine. Using tools such as WinPrefetchView, investigators can obtain metadata related to the browser, which includes:

  1. Browser created timestamps
  2. Browser last run timestamps
  3. Number of times the browser was executed
  4. Tor browser execution directory
  5. Filename


Discussion (0)