
Tor Browser footprinting and Forensic Analysis

Introduction

Tor Browser is a free and open-source web browser used for anonymous communication, web browsing and access to onion services. It routes all of its traffic through the Tor network, so the sites a user visits do not learn the user's IP address and the local network does not learn which sites are visited. It is often used for whistleblowing, online activism and accessing censored content, and, like any anonymity tool, it is also used by offenders. Forensic analysis of Tor Browser is therefore a regular task in investigations where a suspect is believed to have used it.

This paper gives a step-by-step guide to Tor Browser forensics, outlining the tools and techniques used to establish that Tor Browser was used, to recover what the browser and the tor daemon leave on disk and in memory, and to interpret the network traffic it generates. It also states plainly what cannot be recovered: Tor's encryption is not something an investigator holding a seized device can undo.

Step 1: Acquire the Evidence

The first step in Tor Browser forensics is to acquire the evidence. This means obtaining the computer or device used to run Tor Browser. Investigators use forensic tools to create a forensic image of the device, a bit-for-bit copy of its storage, and record its cryptographic hash so that the original evidence can be shown not to have been modified. Because Tor Browser is deliberately designed to keep most session data in memory rather than on disk, a live acquisition of RAM (taken before the machine is powered off, if it is found running) is worth far more here than in a typical browser investigation.

Step 2: Identify the Tor Browser

Once the forensic image is created, investigators need to locate Tor Browser. It is a portable bundle rather than a conventionally installed application, so there is no fixed install path to check: search the file system for a directory containing a Browser folder with a Firefox binary alongside a TorBrowser subfolder (the default folder name is "Tor Browser" on Windows and "tor-browser" on Linux), and for the macOS data directory under ~/Library/Application Support/TorBrowser-Data. Where the bundle has been deleted, file carving, operating-system execution artifacts (Prefetch, jump lists, UserAssist) and the profile artifacts discussed below can still establish that it was present and run.

Step 3: Capture the Tor Traffic and Understand Its Limits

Tor traffic is encrypted in layers: the client negotiates a separate key with each of the three relays in a circuit, so no single party, including an investigator with a full packet capture, can read past the outer TLS layer. Decrypting the traffic by "obtaining the private keys used by each node" is not a practical technique: it would require compromising the relays themselves, and the per-circuit keys are ephemeral and never written to disk. What a capture does give the investigator is metadata: the IP addresses and ports of the entry guards or bridges the client connected to, the times and durations of those connections, and the volume of data exchanged.

Step 4: Analyze the Tor Traffic

What can be analysed is the shape of the traffic rather than its content. Matching the destination addresses of outbound TLS connections against the list of relays in the Tor consensus shows when the client was connected to the Tor network and through which guards. Traffic correlation is the technique usually cited beyond that: comparing the timing and volume of flows entering the network at the client with flows leaving it at an exit or arriving at a server. It is only possible for an investigator who can observe both ends of the path, and it yields a statistical match, never decrypted content.

Step 5: Locate the Tor State and Configuration Files

Neither Tor Browser nor the tor daemon keeps an encrypted log of websites visited; the browser runs in permanent private-browsing mode and does not write history at all. What tor does write, in plain text, is a small set of files in its data directory: the torrc configuration, the state file (which records the entry guards that were chosen, when they were sampled and confirmed, and the time the file was last written), and the cached directory documents (cached-certs, cached-microdescs, cached-microdesc-consensus). Tor's own log output is shown in the browser's Tor log viewer and is only written to a file if a Log line was added to torrc. None of these files needs to be decrypted.

Step 6: Analyze the Tor State and Configuration Files

The state file's Guard lines give the fingerprints and nicknames of the relays used as entry guards and the timestamps at which they were selected; the LastWritten line bounds the last time tor was running. The cached consensus carries the valid-after and valid-until times of the last directory information fetched, which likewise dates the last session. torrc reveals whether bridges or pluggable transports were configured, which matters when the network capture shows no connection to a public relay. Together with file-system timestamps on the profile, these files let investigators build a timeline of when Tor Browser was used, even though they do not say what was done with it.

Step 7: Analyze Browser Artifacts

Browser artifacts are the digital footprints a browser leaves on the computer, such as browsing history, cookies and cached files. Tor Browser does not erase these after each session; it avoids writing most of them in the first place, because it runs in private browsing mode with the disk cache disabled. What does persist is bookmarks (places.sqlite), the profile's preferences (prefs.js), installed extensions and any files the user chose to download, plus operating-system artifacts such as Prefetch entries, jump lists, recent-document lists and thumbnails of downloaded files. Recovery tools for deleted files are useful for the bundle itself and for downloads, but an absence of recovered history is the expected result, not a sign that anti-forensics was applied.

Step 8: Interpret the Results

The final step in Tor browser forensics is to interpret the results. Investigators need to analyze the data collected during the forensic analysis to identify the activities of the user on the Tor network. The data can be used to build a timeline of the user’s activities, identify the websites visited, and gather other relevant information. The data can also be used as evidence in court to prosecute cyber criminals who use the Tor network for illegal activities.

Tor browser forensics is a complex process that involves multiple steps and specialized tools. Investigators need to be familiar with the latest tools and techniques in Tor forensics to stay ahead of cyber criminals who use the Tor network for illegal activities.

Technical Overview

A technical overview of the process follows:

File Structure

The Tor Browser bundle is a self-contained, portable directory: it is not installed system-wide, and everything it writes at runtime lands inside the bundle (on Windows and Linux) or in a per-user data directory (on macOS). Because it is built on Firefox ESR, the browser profile inside it has the usual Firefox layout. The main locations are:

  • Browser/ – the Firefox ESR build itself (the firefox binary, omni.ja and the bundled default preferences).
  • Browser/TorBrowser/Tor/ – the tor daemon and the pluggable-transport binaries.
  • Browser/TorBrowser/Data/Tor/ – tor's working directory: torrc, the state file (entry guards and when they were chosen), cached-certs, cached-microdescs and cached-microdesc-consensus.
  • Browser/TorBrowser/Data/Browser/profile.default/ – the Firefox profile: prefs.js, places.sqlite, key4.db, logins.json, extensions and similar.

On macOS the Data directory lives outside the application bundle, under ~/Library/Application Support/TorBrowser-Data/.

Forensic analysis of the Tor browser can be divided into three main areas: network analysis, file analysis, and memory analysis.

Network Analysis

Network analysis is a crucial aspect of forensic investigation of Tor Browser. The Tor network is designed to provide anonymity to its users by routing their traffic through multiple relays, which makes the content of the traffic unreadable to anyone observing the client. However, with the right tools and techniques, it is possible to establish from the traffic that Tor Browser was in use, when, and through which entry relays, even though what was done over those connections stays hidden.

Tools for Network Analysis

Network analysis involves capturing and analyzing the traffic generated by Tor Browser. Wireshark and tcpdump are the standard capture and inspection tools. Wireshark cannot decrypt Tor traffic, and neither can any forensic tool; utilities sometimes listed in this context, such as Torghost and OnionCat, are not forensic tools at all but client-side programs that route a host's own traffic through Tor, and they expose nothing about anyone else's Tor traffic.

What investigators can do with a capture is identify Tor connections by matching destination IP:port pairs against the relay list in the Tor consensus (the copy cached in the bundle's Data/Tor directory, or a historical consensus for the capture date), and then examine the timing, volume and TLS record sizes of those connections.

Techniques for Network Analysis

The following techniques can be used to analyze network traffic generated by the Tor Browser:

Analysis of Packet Sizes:

Tor carries data in fixed-size cells (512 bytes, or 514 bytes with the link protocol current clients negotiate), wrapped in TLS. The TLS record lengths on a Tor connection therefore cluster around multiples of the cell size plus a constant framing overhead, which is not what ordinary HTTPS browsing looks like. Forensic investigators can use this clustering as a supporting indicator that a connection is Tor, particularly for bridge connections, which do not appear in the public relay list.

Analysis of Packet Timing:

Tor connections are long-lived TLS sessions to a small number of guards, with bursts of cells as circuits are built and used, rather than the many short connections to many hosts that regular browsing produces. Latency is also higher because each request crosses three relays. Timing is a weak discriminator on its own, but the pattern of a few persistent connections opened when the browser starts and closed when it exits is characteristic.

Analysis of Packet Content:

The content of Tor traffic is encrypted and cannot be read, so content analysis means examining the unencrypted parts of the exchange: the destination address (a known relay or a suspected bridge), the TLS handshake, and the absence of plaintext DNS lookups for the sites visited, since Tor Browser resolves names through the Tor circuit. A host that produces TLS sessions to consensus relays and no DNS traffic for the sites it is evidently browsing is a strong indication of Tor use.

Network analysis is a crucial aspect of forensic investigation of Tor Browser. The Tor network provides anonymity by routing traffic through multiple relays, and the investigator cannot decrypt it. What a capture reliably shows is that a host connected to the Tor network, when, through which guards or bridges, and how much it transferred. Investigators use Wireshark or tcpdump to capture and inspect the traffic, match destinations against the relay consensus, and use packet size, timing and the visible parts of the content as supporting indicators of Tor use.
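The relay matching and record-size check described above, worked through in Python as an added example (not code from the original article). The consensus excerpt, relay names and addresses, flow records and TLS record lengths are all constructed for the example, and the flow line format is invented; the 32-byte slack in the cell-alignment heuristic is an assumption of this example rather than a Tor constant.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of a Tor network-status consensus. Real "r"
# lines carry base64 identity and descriptor digests; the values here are dummies.
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flag> <flag> ...
SAMPLE_CONSENSUS = """\
r RelayAlpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-05-01 10:00:00 198.51.100.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r RelayBeta CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-05-01 10:00:00 203.0.113.7 443 0
s Fast Running Valid
r RelayGamma EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-05-01 10:00:00 192.0.2.33 9001 0
s Exit Fast Guard Running Valid
"""

# Constructed flow records from the suspect host 10.0.0.5 (an invented log format).
#   <timestamp> <src ip:port> -> <dst ip>:<port> <proto> <bytes out> <bytes in>
SAMPLE_FLOWS = """\
2024-05-01T10:01:02Z 10.0.0.5:51234 -> 198.51.100.10:9001 tcp 5140 24576
2024-05-01T10:01:05Z 10.0.0.5:51240 -> 93.184.216.34:443 tcp 1200 5300
2024-05-01T10:02:10Z 10.0.0.5:51255 -> 203.0.113.7:443 tcp 2570 1542
"""

TOR_CELL = 514   # cell size on the link protocol current clients negotiate
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+) \S+ (\d+) (\d+)$")


@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: frozenset


def parse_consensus(text):
    """Index relays by (ip, or_port) from each 'r' line and the 's' flag line that follows it."""
    relays = {}
    pending = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            pending = (parts[1], parts[6], int(parts[7]))
        elif parts[0] == "s" and pending is not None:
            nick, ip, port = pending
            relays[(ip, port)] = Relay(nick, ip, port, frozenset(parts[1:]))
            pending = None
    return relays


def match_flows(flow_text, relays):
    """Return the flows whose destination is a consensus relay, with that relay's flags."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, ip, port, out_b, in_b = m.groups()
        relay = relays.get((ip, int(port)))
        if relay is None:
            continue   # may still be a bridge: check cell alignment on that connection separately
        hits.append({
            "time": ts, "src": src, "dst": f"{ip}:{port}",
            "nickname": relay.nickname, "flags": sorted(relay.flags),
            "bytes": int(out_b) + int(in_b),
        })
    return hits


def cell_aligned(record_lengths, cell=TOR_CELL, slack=32):
    """Fraction of TLS record lengths lying within `slack` bytes above a multiple of the cell size.

    Heuristic: Tor wraps whole cells in TLS records, so lengths cluster at n*cell plus a
    small framing overhead. The 32-byte slack is this example's assumption, not a Tor constant.
    """
    if not record_lengths:
        return 0.0
    aligned = sum(1 for n in record_lengths if n >= cell and (n % cell) <= slack)
    return aligned / len(record_lengths)


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for hit in match_flows(SAMPLE_FLOWS, relays):
        print(f"{hit['time']} {hit['src']} -> {hit['dst']} relay={hit['nickname']} "
              f"flags={','.join(hit['flags'])} bytes={hit['bytes']}")
    # Constructed TLS record lengths from one connection: three cell-aligned, one not.
    print("cell-aligned fraction:", cell_aligned([543, 1057, 514, 200]))
```

Against real data the consensus would come from cached-microdesc-consensus in the bundle's Data/Tor directory or from the CollecTor archive for the capture date, and the flows from whatever capture tool was used. Bridges are deliberately absent from the consensus, so a cell-aligned TLS connection to an address that matches nothing is the signature to look for when torrc or the state file mentions bridges.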

File Analysis

File analysis is a crucial aspect of forensic investigation of Tor Browser. The bundle keeps the tor daemon's data and the Firefox profile under its Browser/TorBrowser/Data directory (under ~/Library/Application Support/TorBrowser-Data on macOS). Forensic analysts can recover bookmarks, preferences, installed extensions and the tor state from these locations. They should not expect browsing history: it is never written, because the browser runs in private browsing mode. Likewise, no file records the circuits that were used; the closest thing on disk is the list of entry guards in the state file.

File Locations

The following are the main file locations that forensic analysts should focus on during file analysis of Tor Browser:

Browser Folder

Browser/ holds the Firefox ESR build itself. Its version string (in application.ini) and file hashes identify which Tor Browser release was in use, which in turn dates the installation.

Tor Data Folder

Browser/TorBrowser/Data/Tor/ holds torrc, the state file and the cached directory documents. These are plain-text files written by the tor daemon.

Browser Profile Folder

Browser/TorBrowser/Data/Browser/profile.default/ holds the Firefox profile: prefs.js, places.sqlite (bookmarks), key4.db and logins.json, the extensions folder and the storage directories. Downloaded files are saved wherever the user chose, by default the Downloads folder under the user's home directory, not inside the bundle.

File Types

The following are the main file types that forensic analysts should focus on during file analysis of the Tor Browser:

SQLite Databases

Tor Browser stores bookmarks (and, only in a profile where private browsing has been turned off, history and downloads) in SQLite databases, chiefly places.sqlite. Analysts can query them with the sqlite3 command-line tool or DB Browser for SQLite. Work on a copy that includes any -wal and -shm sidecar files, since the most recent changes may still be in the write-ahead log rather than the main file.

Configuration Files

tor's configuration is in torrc in the Data/Tor folder; the browser's user-set preferences are in prefs.js in the profile. torrc shows bridge lines and pluggable-transport settings, and the state file beside it shows the entry guards in use. Neither records individual circuits, which exist only in the tor process's memory.

Cached Files

Tor Browser disables the disk cache, so the profile's cache2 directory is normally empty. What can reveal sites visited and files downloaded are the downloads themselves on disk, the thumbnails and recent-file records kept by the operating system, and, where the user saved pages, the saved HTML and its companion resources.

Forensic Analysis Techniques

The following forensic analysis techniques can be used to analyze files generated by the Tor Browser:

Recovery of Deleted Files

Forensic analysts can use file-carving tools like PhotoRec or Recuva to recover a deleted bundle, profile databases or downloaded files from unallocated space. Carving by SQLite and Firefox file signatures is more productive than searching by folder name, since the folder names are lost with the directory entries.

Analysis of SQLite Databases

Forensic analysts can use tools like SQLite Browser to analyze SQLite databases generated by the Tor Browser. These databases contain user data such as bookmarks, browsing history, and download history.

Analysis of Configuration Files

Forensic analysts can analyze the configuration files stored in the Data/Tor folder and the profile to identify the entry guards in use, bridge and pluggable-transport settings, and the proxy and privacy preferences of the profile. Circuits themselves are not recorded in any file.

File analysis is a crucial aspect of forensic investigation of Tor Browser. The bundle keeps tor's data and the Firefox profile under Browser/TorBrowser/Data (or under TorBrowser-Data in the user's Library on macOS). Forensic analysts can recover bookmarks, preferences, extensions, the tor state and configuration, and downloaded files from these locations, and can use the state file and torrc to identify the entry guards and any bridges in use. Browsing history and circuits are not on disk. Techniques such as recovery of deleted files, analysis of SQLite databases and analysis of configuration files form the core of file analysis of Tor Browser.
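An added example, not the article's or the Tor Project's code, covering the two artifacts that carry the most weight in file analysis: the Guard lines of tor's state file and the bookmarks in places.sqlite. The state excerpt, fingerprints, timestamps and bookmark rows are constructed; the in-memory database uses only the moz_places and moz_bookmarks columns the queries need and stands in for a real places.sqlite, which open_places() would load from a copy taken out of the image.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample in the layout of tor's Data/Tor/state file. The fingerprints,
# nicknames and timestamps are invented for this example.
SAMPLE_STATE = """\
# Tor state file last generated on 2024-05-01 10:05:00 local time
# Other times below are in UTC
# You *do not* need to edit this file.

Guard in=default rsa_id=0123456789ABCDEF0123456789ABCDEF01234567 nickname=RelayAlpha sampled_on=2024-04-20T08:11:02 sampled_by=0.4.8.10 listed=1 confirmed_on=2024-04-20T08:11:30 confirmed_idx=0
Guard in=default rsa_id=89ABCDEF0123456789ABCDEF0123456789ABCDEF nickname=RelayGamma sampled_on=2024-04-25T19:40:13 sampled_by=0.4.8.10 listed=1
LastWritten 2024-05-01 10:05:00
"""


def parse_state(text):
    """Return (guards, last_written): one dict of key=value fields per Guard line."""
    guards, last_written = [], None
    for line in text.splitlines():
        if line.startswith("Guard "):
            guards.append(dict(kv.split("=", 1) for kv in line.split()[1:]))
        elif line.startswith("LastWritten "):
            last_written = line.split(" ", 1)[1].strip()
    return guards, last_written


def open_places(path):
    """Open a places.sqlite copied out of the image, read-only.

    immutable=1 stops SQLite from writing to the file or looking for a journal, which is
    what you want on evidence; it also means a pending -wal file is ignored, so copy the
    -wal/-shm sidecars too and inspect them separately if they are non-empty.
    """
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_places():
    """In-memory stand-in for places.sqlite with the columns this example queries (constructed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, title TEXT, dateAdded INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example', 0, NULL);
        INSERT INTO moz_places VALUES (2, 'http://constructedexampleonion.onion/', 'Onion site', 0, NULL);
        INSERT INTO moz_bookmarks VALUES (1, 2, NULL, 0, 'root', 0);
        INSERT INTO moz_bookmarks VALUES (2, 1, 1, 1, 'Example', 1714550400000000);
        INSERT INTO moz_bookmarks VALUES (3, 1, 2, 1, 'Onion site', 1714554000000000);
    """)
    return con


def prtime_to_iso(microseconds):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def bookmarks(con):
    """All bookmark entries (type 1) joined to their URLs, oldest first."""
    rows = con.execute("""
        SELECT b.title, p.url, b.dateAdded
        FROM moz_bookmarks b JOIN moz_places p ON b.fk = p.id
        WHERE b.type = 1 ORDER BY b.dateAdded
    """).fetchall()
    return [(title, url, prtime_to_iso(added)) for title, url, added in rows]


def onion_bookmarks(con):
    """Bookmarks whose host is an onion service."""
    return [b for b in bookmarks(con) if b[1].split("/")[2].endswith(".onion")]


if __name__ == "__main__":
    guards, last_written = parse_state(SAMPLE_STATE)
    print("state last written:", last_written)
    for g in guards:
        print(f"guard {g['nickname']} {g['rsa_id']} sampled={g['sampled_on']} "
              f"confirmed={g.get('confirmed_on', '-')}")
    for title, url, added in bookmarks(build_sample_places()):
        print(f"bookmark {added} {title!r} {url}")
```

The confirmed_on timestamp is the more useful of the two guard dates for a timeline: it is when tor actually built a circuit through that guard, whereas sampled_on only says when it entered the candidate set. Bookmark dateAdded values are in UTC; convert local-time file-system timestamps before comparing.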

Memory Analysis:

Memory analysis is an important aspect of forensic investigation of Tor Browser, and for this browser it is often the richest source, because the circuit state, open tabs and page content that Tor Browser deliberately keeps off disk are all present in RAM while it runs. The relevant processes are the firefox process (with its content child processes) and the tor process it launches. A memory image taken while they are running can reveal the websites and onion addresses visited, the files downloaded, and the guards and circuits in use.

Tools for Memory Analysis

Memory analysis means acquiring a full memory image of the system (with a tool such as WinPmem or LiME, or a hypervisor snapshot where the machine is virtual) and then examining it. The following tools can be used:

Volatility

Volatility is the standard framework for memory analysis; the current version is Volatility 3. It works on a whole-system memory image rather than a dump of one process. Plugins such as windows.pslist, windows.pstree and windows.cmdline identify the firefox and tor processes and the path they were launched from, windows.netscan lists their sockets, and windows.memmap with --dump writes a process's memory out for string carving. Equivalent linux.* plugins exist for Linux images.

Rekall

Rekall was a fork of Volatility with a similar plugin set. The project has been archived and is no longer maintained, so it is of interest mainly for older images and for existing tooling built on it.

Techniques for Memory Analysis

The following techniques can be used to analyze memory dumps generated by the Tor Browser:

Analysis of Network Connections

The network-connection plugins show the sockets held by each process: the firefox process connected to the local SOCKS listener on 127.0.0.1:9150, and the tor process connected to one or more guard or bridge addresses. These establish that Tor was in use and to which entry point, not which websites were visited; website and onion addresses come from carving strings out of the firefox process memory.

Analysis of Processes and Threads

Process listings show the firefox process, its content child processes and the tor process (plus a pluggable-transport process such as lyrebird or obfs4proxy when a bridge is configured), with their parent-child relationships, start times and command lines. The command line gives the path of the bundle on disk, which ties the memory evidence to the file-system evidence. Circuit state lives inside the tor process and is not exposed by process-listing plugins; it can be recovered only by carving the tor process's memory.

Analysis of Registry Keys

Tor Browser is portable and does not store its configuration or any circuit information in the Windows registry. What the registry does hold is the operating system's record of program execution and file access: the UserAssist, ShellBags, MUICache and recent-document keys in the user's NTUSER.DAT hive can show that firefox.exe was run from the bundle's path and which folders were opened. Volatility's registry plugins read these hives from memory, and the same keys can be parsed from the hives on disk.

Memory analysis is an important aspect of forensic investigation of Tor Browser, and for a running system it is the only place where visited sites, open pages and circuit state can be found. Volatility 3 is the current tool for it; Rekall is archived. Analysts use the network-connection, process and registry plugins to establish that Tor Browser was running and how it was launched, and carve the firefox and tor process memory for URLs, onion addresses and relay fingerprints to establish what it was used for.
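Carving onion addresses out of a memory image, as an added example that is not part of the original article. The v3 onion address format (base32 of the ed25519 public key, a two-byte SHA3-256 checksum and a version byte) lets the script verify each candidate instead of trusting that any 56 base32 characters before ".onion" are an address, which removes most of the noise that string carving over a multi-gigabyte image produces. The sample key and the bytes used as a stand-in for a process dump are constructed.

```python
import base64
import hashlib
import re

VERSION = b"\x03"   # v3 onion service address version byte
ASCII_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56})\.onion(?![a-z0-9])", re.IGNORECASE)
# Firefox keeps most strings as UTF-16LE: the same pattern with a NUL after each character.
UTF16_RE = re.compile(rb"(?<![a-z2-7]\x00)(?:[a-z2-7]\x00){56}\.\x00o\x00n\x00i\x00o\x00n\x00",
                      re.IGNORECASE)


def onion_checksum(pubkey, version=VERSION):
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], per the onion service spec."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion(pubkey, version=VERSION):
    """base32(PUBKEY || CHECKSUM || VERSION) + ".onion": 56 base32 characters, lowercase."""
    raw = pubkey + onion_checksum(pubkey, version) + version
    return base64.b32encode(raw).decode().lower() + ".onion"


def decode_onion(address):
    """Return the 32-byte ed25519 public key if the checksum and version verify, else None."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_checksum(pubkey, version):
        return None
    return pubkey


def carve_onions(image):
    """Scan raw memory bytes for v3 onion addresses in ASCII and UTF-16LE.

    Returns {address: {"valid": bool, "hits": [(offset, encoding), ...]}}.
    "valid" separates real addresses from base32-looking noise and truncated copies.
    """
    found = {}
    for regex, encoding in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
        for m in regex.finditer(image):
            addr = m.group(0).decode(encoding).lower()
            entry = found.setdefault(addr, {"valid": decode_onion(addr) is not None, "hits": []})
            entry["hits"].append((m.start(), encoding))
    return found


if __name__ == "__main__":
    # Constructed stand-in for a few bytes of a firefox process dump.
    sample_key = bytes(range(32))
    image = (b"\x00\x00http://" + encode_onion(sample_key).encode() + b"/\x00"
             + ("https://" + encode_onion(sample_key)).encode("utf-16-le"))
    for addr, info in carve_onions(image).items():
        print(addr, "valid" if info["valid"] else "INVALID", info["hits"])
```

Feed it the output of a per-process dump (for example from Volatility 3's windows.memmap with --pid and --dump on the firefox process) or the whole image. The UTF-16LE pass matters because addresses typed into the URL bar or held in tab titles are usually stored that way, and a plain strings run misses them.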

Forensic Analysis

One of the first steps in forensic analysis of Tor Browser is to identify the location of the browser on the system. Tor Browser is a portable bundle, so the location is wherever the user unpacked or installed it: by default a "Tor Browser" folder on the Desktop on Windows, a "tor-browser" directory (older releases: "tor-browser_en-US") wherever the archive was extracted on Linux, and /Applications/Tor Browser.app with its data under ~/Library/Application Support/TorBrowser-Data on macOS. Since the user may have placed it anywhere, including removable media, search the entire file system, and unallocated space, for the bundle's characteristic directory layout.

Once the bundle is identified, the next step is to examine the browser's configuration files. Tor Browser is a modified Firefox ESR and stores its profile in the same manner. The "prefs.js" file, located in the "Tor Browser/Browser/TorBrowser/Data/Browser/profile.default" folder, contains the preferences set in this profile, including the SOCKS proxy settings used to reach the local tor process, the private-browsing and password-saving settings, the last download directory and several timestamps. Firefox writes only values that differ from the build's defaults to prefs.js, so each line is a setting that was actually applied in this profile.

Another file to examine is "key4.db" in the same folder. It is the NSS key database holding the master key that protects saved logins; the encrypted credentials themselves are in "logins.json" next to it. Tor Browser disables password saving by default, so these are normally empty, but where a user turned it on the logins can be decrypted with NSS or with utilities built on it such as firefox_decrypt, supplying the primary password if one was set.

In addition to examining the files stored on the user's computer, it is also useful to capture network traffic generated by Tor Browser usage, using packet capture tools such as Wireshark or tcpdump. The captured traffic does not show which websites the user visited; it shows TLS connections from the host to Tor guards or bridges, which establishes that Tor was in use, when, and how much data was moved.

The main challenge in analysing Tor network traffic is that it is encrypted through the whole circuit, so the content of the communications is not recoverable. What can be extracted is the outer layer: destination IP addresses and ports (which can be matched against the relay consensus), TLS handshake details, and connection timing and volumes.

It is also important to examine the user's bookmarks and downloads. Bookmarks are stored in the "places.sqlite" file, located in the "Tor Browser/Browser/TorBrowser/Data/Browser/profile.default" folder. History and the download list are not written to that database, because Tor Browser runs in permanent private browsing mode; downloaded files, however, are saved to disk wherever the user chose, and the operating system's recent-file and thumbnail records may point to them.

Forensic analysis of Tor Browser can be a challenging task, due to the browser’s design to leave as little trace as possible on the user’s computer system. However, by examining configuration files, network traffic, bookmarks, and downloads, it is possible to uncover valuable information about the user’s online activities.
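Parsing prefs.js, as an added example that is not code from the original article. The preference names are standard Firefox ones; the values in the sample are constructed to represent what this example assumes was found in a profile, and the summary fields are this example's choice of what to report.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the layout of a prefs.js. Preference names are standard Firefox
# names; the values are what this example assumes the profile contained.
SAMPLE_PREFS = r'''
// Mozilla User Preferences

// DO NOT EDIT THIS FILE.
//
// If you make changes to this file while the application is running,
// the changes will be overwritten when the application exits.

user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1714550400);
user_pref("browser.download.lastDir", "C:\\Users\\alice\\Downloads");
user_pref("browser.privatebrowsing.autostart", true);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
user_pref("signon.rememberSignons", false);
'''

PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return {name: value}. Values are JS literals (true/false/number/"string"), which JSON parses."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def summarize(prefs):
    """Pull out the settings that matter when reviewing a Tor Browser profile."""
    host = prefs.get("network.proxy.socks")
    port = prefs.get("network.proxy.socks_port")
    return {
        "socks_proxy": f"{host}:{port}" if host and port else None,
        "proxy_type": prefs.get("network.proxy.type"),   # 1 = manual proxy configuration
        "dns_via_proxy": prefs.get("network.proxy.socks_remote_dns"),
        "private_browsing": prefs.get("browser.privatebrowsing.autostart"),
        "saves_passwords": prefs.get("signon.rememberSignons"),
        "last_download_dir": prefs.get("browser.download.lastDir"),
    }


def epoch_prefs(prefs):
    """Timestamps Firefox stores as whole seconds since the epoch, as UTC ISO strings."""
    out = {}
    for name, value in prefs.items():
        if isinstance(value, int) and not isinstance(value, bool) and "lastUpdateTime" in name:
            out[name] = datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return out


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for key, value in summarize(prefs).items():
        print(f"{key:18} {value}")
    for name, when in epoch_prefs(prefs).items():
        print(f"{when}  {name}")
```

Tor Browser's own defaults, including the 9150 SOCKS port and private browsing, come from the preference files inside the bundle, so their presence in prefs.js means they were set or re-set in this profile and their absence does not mean they were not in effect. A socks_remote_dns of false or a proxy pointing somewhere other than the local tor port is the kind of deviation worth noting: it would have sent traffic, or at least name lookups, outside Tor.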

Conclusion

Forensic analysis of Tor Browser is essential in investigations that involve the browser. Tor Browser uses the Tor network to keep the user's identity and location private and is designed to keep its own traces to a minimum, which makes forensic analysis difficult but not fruitless. It can be divided into three main areas: network analysis, file analysis and memory analysis. Network analysis examines the traffic generated by the browser (encrypted, but identifiable as Tor and datable), file analysis examines the bundle, the profile and the tor data files left on disk, and memory analysis examines the memory of the firefox and tor processes while they are running, which is where most session state lives. Forensic analysts must use a combination of these techniques to recover user data and establish what was done with the browser.

Year-long Internet Governance internship only the beginning

I had my first formal experience with Internet Governance (IG) in Islamabad, October 2015 when I attended the first Pakistan School on Internet Governance (PKSIG).

During the four-day workshop, I was amazed by the knowledge and interest of participants in this subject that I had very little idea of – I am a cybersecurity professional working for the Pakistan Information Security Association; we help develop cybersecurity legislation as well as raising public awareness about cybersecurity and related issues, including privacy, surveillance and freedom of speech.

From the presentations by the guest speakers and fantastic discussions among participants, I saw the term IG was an umbrella that encompassed a range of topics I had been working on, as well as several other new and interesting topics such as zero-rating, net neutrality and Free Basics.

I wanted to learn more.

From Pakistan to Brazil and Taipei

A month after PKSIG, I was lucky enough to receive a fellowship from APNIC to attend the 10th annual Internet Governance Forum (IGF 2015) held in Brazil.

It was an amazing opportunity even though it was quite overwhelming: there were so many tracks and new topics to follow. What helped most was being able to interact with renowned experts including Vint Cerf and Wolfgang Kleinwächter who helped simplify and make sense of it all.

Fellows excited to be a part of IGF community

While attending IGF 2015, I came to know about the Asia Pacific Regional Internet Governance Forum (APrIGF). I started following its discussions and after some time I applied, and was accepted, to join its Multistakeholder Steering Group. In 2016, I attended and spoke at the APrIGF meeting in Taipei, again as a fellow.

In 2016 I was also fortunate to receive fellowships to attend both ICANN 55 in Morocco and ICANN 57 in India. I previously followed ICANN meetings through remote hubs but ICANN 55 was the first time I had physically attended a meeting. Like the IGF, it was a very hectic and overwhelming five days, but it started to clarify a lot of the concepts I had learned over the past five months, and increased my interest and involvement in IG discussions.

Find out what it’s like to attend an ICANN meeting as a fellow

Joining regional Schools on Internet Governance

Early on in my IG journey, I became interested in an initiative called the Asia Pacific School on Internet Governance (APSIG). I joined its discussion groups and started volunteering for it, and very soon I got the opportunity to manage its Interim Secretariat, which has been a great opportunity for me to further enrich my knowledge.

We held the first edition of APSIG in September 2016 in Bangkok, where community leaders ran tutorials, interactive discussions and role-playing sessions to help develop the next generation of leaders.

I was fortunate enough to be invited to speak at Asia Pacific School on Internet Governance (left) as well as the Middle East and Adjoining Countries School on Internet Governance (right).

I have also been involved in the Middle East and Adjoining Countries School on Internet Governance (MEAC-SIG). Through MEAC-SIG and discussions with the activists, community leaders and domain experts in the Middle East region, I came to know about their perspective and approach to deal with many serious IG issues.

Before attending ICANN 57, I also took the opportunity to attend the inaugural Indian School on Internet Governance (inSIG) 2016 held in Hyderabad. Participants from more than six economies brought with them their own cultural instances to the discussions, which proved to be eye-opening for everyone involved.

Something which I’m most proud of was meeting with Pakistan government representatives at the IGF 2015 where we discussed the possibilities of kick-starting IG events in Pakistan. After approaching some like-minded industry leaders in Pakistan, the second edition of PKSIG was held at the end of 2016. I would like to mention the cooperation and support of the Chairman of the Pakistan Telecommunication Authority, Dr Ismail Shah, and the Executive Director of the Higher Education Commission, Prof Dr Arshad Ali, who were instrumental in making this possible.

Read the Pakistan School on Internet Governance Secretariat report on PKSIG 2016 [PDF 16.1 MB]

Initiatives like Internet Governance schools are invaluable. The younger generation will lead us in the years to come and yet they are generally not aware of IG issues and their importance. At almost all the forums and events I have attended to date I’ve found the enthusiasm of younger participants inspiring and impressive.

Following this and my year-long IG journey, I intend to work more with university students in Pakistan to raise awareness of IG and encourage them to form their views and attitudes towards these serious issues.

My four takeaway lessons so far

  1. There should be more focus on capacity building of young people from developing and unrepresented economies, as they will eventually lead IG initiatives.
  2. The multistakeholder model and its bottom-up approach to deal with resolving challenges and developing strategies is much more effective than any top-down approach.
  3. In the coming digital age, there will be a serious need for cross-border cooperation, regional harmony and preventive diplomacy, which will be helpful to counter cyber terrorism.
  4. It’s important to remember that IG is not just the responsibility of techies or policy makers; it’s about everyone connected to or about to connect to the Internet. Therefore, I intend to work more on community engagement and capacity building of people from every walk of life.

Original Post: https://blog.apnic.net/2017/01/20/year-long-internet-governance-internship-beginning/