Tor Browser Footprinting and Forensic Analysis

Introduction

Tor Browser is a free and open-source browser used for anonymous communication, web browsing, and accessing the dark web. Tor Browser routes its traffic over the Tor network to keep the user’s identity and location private. It is often used for whistleblowing, online activism, and accessing censored content. Because of how it is used, forensic analysis of Tor Browser is essential for identifying and investigating criminal activity conducted through the browser.

In this paper, we provide a step-by-step guide to Tor Browser forensics, outlining the tools and techniques used to analyze Tor traffic and identify users.

Step 1: Acquire the Evidence

The first step in Tor browser forensics is to acquire the evidence. This involves obtaining the computer or device used by the user to access the Tor network. Investigators can use forensic tools to create a forensic image of the device, which is a bit-by-bit copy of the device’s hard drive. This ensures that the original evidence is not modified or altered in any way.

Step 2: Identify the Tor Browser

Once the forensic image is created, investigators need to identify the Tor browser. The Tor browser is typically installed in a specific directory, and forensic tools can search for this directory to identify the browser. Investigators can also look for browser artifacts, such as browser history, cookies, and cache files, to determine if the Tor browser was used to access the Tor network.

Step 3: Decrypt the Tor Traffic

Tor traffic is encrypted, which makes it difficult for investigators to analyze the traffic. To decrypt the traffic, investigators need to use specialized tools that can decrypt the traffic at each node in the Tor network. This involves obtaining the private keys used by each node to decrypt the traffic.

Step 4: Analyze the Tor Traffic

Once the traffic is decrypted, investigators can analyze the Tor traffic to identify the activities of the user on the Tor network. Traffic correlation analysis is a useful technique in this regard, as it involves analyzing the timing and volume of the traffic flowing in and out of the Tor network. Investigators can correlate the traffic with a particular user or group of users to identify their activities.

Step 5: Decrypt the Tor Logs

The Tor browser creates log files that record various activities, such as the Tor circuits used, the IP addresses of the nodes, and the websites visited. To analyze these logs, investigators need to decrypt them using specialized tools. The logs are encrypted to ensure that the user’s activities on the Tor network are kept private and anonymous.

Step 6: Analyze the Tor Logs

Once the logs are decrypted, investigators can analyze them to identify the activities of the user on the Tor network. The logs contain information about the websites visited, the dates and times of the visits, and other relevant information. Investigators can use this information to build a timeline of the user’s activities on the Tor network.

Step 7: Analyze Browser Artifacts

Browser artifacts are digital footprints left by the user on the computer, such as browsing history, cookies, and cached files. To analyze these artifacts, investigators can use specialized tools to recover deleted files and other digital footprints. The Tor browser is designed to erase browsing history and other digital footprints after each session, but forensic tools can recover deleted files and other artifacts.

Step 8: Interpret the Results

The final step in Tor Browser forensics is to interpret the results. Investigators need to analyze the data collected during the forensic analysis to identify the activities of the user on the Tor network. The data can be used to build a timeline of the user’s activities, identify the websites visited, and gather other relevant information. The data can also be used as evidence in court to prosecute cybercriminals who use the Tor network for illegal activities.

Tor Browser forensics is a complex process that involves multiple steps and specialized tools. Investigators need to be familiar with the latest tools and techniques in Tor forensics to stay ahead of cybercriminals who use the Tor network for illegal activities.

Technical Overview

A technical overview of the process follows:

File Structure

The Tor browser consists of multiple folders and files that store user data, configurations, and installed add-ons. The Tor browser is based on the Firefox browser, and as such, it contains Firefox-like folder structures. The main folder structure consists of the following folders:

  • Browser – Contains configuration and user data such as bookmarks, history, and user preferences.
  • Tor Browser – Contains Tor-specific configuration such as Tor circuits and network settings.
  • Tor Browser Data – Contains cached files and other temporary files.

Forensic analysis of the Tor browser can be divided into three main areas: network analysis, file analysis, and memory analysis.

Network Analysis

Network analysis is a crucial aspect of forensic investigation of the Tor Browser. The Tor network is designed to provide anonymity to its users by routing their traffic through multiple nodes. This makes it challenging to analyze network traffic generated by the Tor Browser. However, with the right tools and techniques, it is possible to analyze the network traffic and identify criminal activities conducted through the browser.

Tools for Network Analysis

Network analysis involves capturing and analyzing the traffic generated by the Tor Browser. Wireshark is a popular tool used for network analysis. However, Wireshark is unable to decrypt the encrypted Tor traffic. Therefore, forensic investigators use specialized tools like Torghost, OnionCat, and Onion Sniffer to capture and analyze Tor network traffic.

Torghost is a Linux-based tool that captures Tor network traffic and reroutes it through a proxy. It allows forensic investigators to capture and analyze Tor network traffic using Wireshark. OnionCat is another tool that allows forensic investigators to connect to the Tor network and capture Tor network traffic. Onion Sniffer is a Python-based tool that allows forensic investigators to capture and analyze Tor network traffic.

Techniques for Network Analysis

The following techniques can be used to analyze network traffic generated by the Tor Browser:

Analysis of Packet Sizes

Traffic generated by the Tor network is encrypted and encapsulated in multiple layers of data. The size of the encrypted packets generated by the Tor Browser is different from the size of the packets generated by regular browsing. Forensic investigators can use the packet size as an indicator of Tor traffic.

Analysis of Packet Timing

The time taken to generate and transmit packets is different for Tor traffic and regular browsing. Tor traffic takes longer to transmit because of the multiple layers of encryption and routing. Forensic investigators can use packet timing as an indicator of Tor traffic.

Analysis of Packet Content

The content of the packets generated by the Tor Browser is different from the content of the packets generated by regular browsing. Tor traffic is encrypted and routed through multiple nodes. Forensic investigators can use the content of the packets as an indicator of Tor traffic.
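The packet-size and packet-timing indicators above can be turned into per-flow features. The following is an added example, not code from the article: it takes a constructed capture summary of (timestamp, source, destination, payload length) records and scores each flow. It assumes the payload length is the TLS application-data plaintext length, i.e. that the capture tooling has already stripped the 5-byte record header and the AEAD tag, so Tor's fixed-size cells (514 bytes on link protocol 4 and later, 512 before) appear as multiples of 514. The 0.8 alignment threshold and the minimum flow length are arbitrary starting points, not tuned values.

```python
"""Per-flow packet-size and packet-timing features for spotting Tor-like
traffic in a capture summary.

Added example; not code from the article. SAMPLE_RECORDS is constructed.
Assumption: payload_len is the TLS application-data plaintext length (TLS
record header and AEAD tag already removed), so Tor cells show up as
multiples of CELL_LEN. Thresholds are assumptions to tune on a baseline.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

CELL_LEN = 514            # Tor cell size on link protocol 4 and later
ALIGNED_THRESHOLD = 0.8   # assumption: fraction of cell-aligned records
MIN_RECORDS = 5           # assumption: ignore very short flows

Record = Tuple[float, str, str, int]   # (timestamp_s, src, dst, payload_len)

# Constructed sample: one flow shaped like a Tor client talking to its guard
# (all record lengths are whole cells) and one ordinary HTTPS flow with
# MSS-sized and odd-sized records.
SAMPLE_RECORDS: List[Record] = [
    (0.00, "10.0.0.5", "198.51.100.7", 514),
    (0.05, "10.0.0.5", "198.51.100.7", 514),
    (0.10, "10.0.0.5", "198.51.100.7", 1028),
    (0.60, "10.0.0.5", "198.51.100.7", 514),
    (0.62, "10.0.0.5", "198.51.100.7", 2056),
    (0.70, "10.0.0.5", "198.51.100.7", 514),
    (0.01, "10.0.0.5", "203.0.113.9", 1460),
    (0.02, "10.0.0.5", "203.0.113.9", 320),
    (0.03, "10.0.0.5", "203.0.113.9", 1460),
    (0.30, "10.0.0.5", "203.0.113.9", 1200),
    (0.31, "10.0.0.5", "203.0.113.9", 77),
    (0.95, "10.0.0.5", "203.0.113.9", 1460),
]


def summarize_flows(records: List[Record]) -> Dict[Tuple[str, str], dict]:
    """Group records by (src, dst) and compute size and timing features.

    cell_aligned_fraction: share of records whose length is a multiple of
    CELL_LEN (the size indicator). median_gap_s: median inter-arrival time
    (the timing indicator, reported for the analyst rather than thresholded,
    since it depends heavily on the link being observed).
    """
    flows: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, plen in sorted(records):
        flows[(src, dst)].append((ts, plen))

    summary: Dict[Tuple[str, str], dict] = {}
    for key, pkts in flows.items():
        lengths = [plen for _, plen in pkts]
        aligned = sum(1 for n in lengths if n > 0 and n % CELL_LEN == 0)
        fraction = aligned / len(lengths)
        gaps = [later - earlier for (earlier, _), (later, _) in zip(pkts, pkts[1:])]
        summary[key] = {
            "records": len(lengths),
            "cell_aligned_fraction": fraction,
            "median_gap_s": median(gaps) if gaps else 0.0,
            "tor_like": len(lengths) >= MIN_RECORDS and fraction >= ALIGNED_THRESHOLD,
        }
    return summary


if __name__ == "__main__":
    for (src, dst), feats in summarize_flows(SAMPLE_RECORDS).items():
        flag = "TOR-LIKE" if feats["tor_like"] else "        "
        print(f"{flag} {src} -> {dst}: {feats}")
```

Size alignment alone produces false positives (any protocol with fixed-size records looks similar) and false negatives (pluggable transports such as obfs4 reshape the framing), so treat a flagged flow as a lead to confirm against other evidence, for example whether the destination address appears in the public Tor relay consensus.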

Network analysis is a crucial aspect of forensic investigation of the Tor Browser. The Tor network is designed to provide anonymity to its users by routing their traffic through multiple nodes. However, with the right tools and techniques, it is possible to analyze the network traffic and identify criminal activities conducted through the browser. Forensic investigators can use specialized tools like Torghost, OnionCat, and Onion Sniffer to capture and analyze Tor network traffic. Additionally, forensic investigators can use packet size, packet timing, and packet content as indicators of Tor traffic.

File Analysis

File analysis is a crucial aspect of forensic investigation of the Tor Browser. The Tor Browser stores user data and configurations in multiple locations, including the Browser folder, Tor Browser folder, and Tor Browser Data folder. Forensic analysts can recover user data such as bookmarks, browsing history, and download history from these folders. Additionally, the Tor Browser folder contains configuration files that can reveal the Tor circuit used by the user.

File Locations

The following are the main file locations that forensic analysts should focus on during file analysis of the Tor Browser:

Browser Folder

The Browser folder contains user data such as bookmarks, browsing history, and download history. The folder is located in the Tor Browser installation directory.

Tor Browser Folder

The Tor Browser folder contains Tor-specific configurations such as Tor circuits and network settings. The folder is located in the Tor Browser installation directory.

Tor Browser Data Folder

The Tor Browser Data folder contains cached files and other temporary files generated by the Tor Browser. The folder is located in the user’s home directory.

File Types

The following are the main file types that forensic analysts should focus on during file analysis of the Tor Browser:

SQLite Databases

The Tor Browser stores user data such as bookmarks, browsing history, and download history in SQLite databases. Forensic analysts can use tools like SQLite Browser to analyze the SQLite databases.

Configuration Files

The Tor Browser stores its configuration in multiple files located in the Tor Browser folder. These files contain information about the Tor circuits used by the user, network settings, and other Tor-specific configurations.

Cached Files

The Tor Browser stores cached files in the Tor Browser Data folder. These files can provide information about the websites visited by the user and the files downloaded by the user.

Forensic Analysis Techniques

The following forensic analysis techniques can be used to analyze files generated by the Tor Browser:

Recovery of Deleted Files

Forensic analysts can use tools like Recuva or Photorec to recover deleted files from the Browser folder, Tor Browser folder, and Tor Browser Data folder.

Analysis of SQLite Databases

Forensic analysts can use tools like SQLite Browser to analyze SQLite databases generated by the Tor Browser. These databases contain user data such as bookmarks, browsing history, and download history.

Analysis of Configuration Files

Forensic analysts can analyze configuration files stored in the Tor Browser folder to identify the Tor circuits used by the user, network settings, and other Tor-specific configurations.

File analysis is a crucial aspect of forensic investigation of the Tor Browser. The Tor Browser stores user data and configurations in multiple locations, including the Browser folder, Tor Browser folder, and Tor Browser Data folder. Forensic analysts can recover user data such as bookmarks, browsing history, and download history from these folders. Additionally, forensic analysts can use configuration files stored in the Tor Browser folder to identify the Tor circuits used by the user and other Tor-specific configurations. Techniques such as recovery of deleted files, analysis of SQLite databases, and analysis of configuration files can be used during file analysis of the Tor Browser.

Memory Analysis

Memory analysis is an important aspect of forensic investigation of the Tor Browser. The Tor Browser uses various processes and threads to provide anonymity to its users. The processes and threads generate data that can be analyzed to identify criminal activities conducted through the browser. Memory analysis can reveal information about the websites visited by the user, the files downloaded by the user, and the Tor circuits used by the user.

Tools for Memory Analysis

Memory analysis involves analyzing the data generated by the processes and threads of the Tor Browser. The following tools can be used for memory analysis of the Tor Browser:

Volatility

Volatility is a popular tool used for memory analysis of the Tor Browser. The tool can extract data from the memory dumps of the Tor Browser processes and threads. Volatility can extract data such as network connections, processes, threads, and registry keys from the memory dumps.

Rekall

Rekall is another tool used for memory analysis of the Tor Browser. The tool can extract data from the memory dumps of the Tor Browser processes and threads. Rekall can extract data such as network connections, processes, threads, and registry keys from the memory dumps.

Techniques for Memory Analysis

The following techniques can be used to analyze memory dumps generated by the Tor Browser:

Analysis of Network Connections

Memory analysis can reveal information about the network connections established by the Tor Browser. Forensic analysts can use this information to identify the websites visited by the user, the files downloaded by the user, and the Tor circuits used by the user.
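As an added example of the network-connection technique (not code from the article or from the Volatility project), the block below reads a connection listing in the shape of Volatility 3's windows.netscan table and flags the patterns Tor Browser leaves: its bundled tor process listening on 127.0.0.1:9150 (SOCKS) and 9151 (control), the browser's firefox process connected to that SOCKS port, and the tor process holding an established connection to a remote relay. The sample listing is constructed, and the exact column order is an assumption to adjust to the version of Volatility in use.

```python
"""Flag Tor Browser connection patterns in a Volatility-style netscan table.

Added example; not code from the article or from Volatility. SAMPLE_NETSCAN
is constructed in the tab-separated shape of Volatility 3 windows.netscan
output (column order is an assumption). Port numbers are Tor Browser's
default local SOCKS (9150) and control (9151) ports.
"""
from dataclasses import dataclass
from typing import List

TOR_LOCAL_PORTS = {9150: "SOCKS", 9151: "control"}   # Tor Browser defaults
TOR_DAEMON_NAMES = {"tor.exe", "tor"}
LOOPBACK = "127.0.0.1"

# Constructed sample, one row per socket (tabs written as \t escapes).
SAMPLE_NETSCAN = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xa50b2c1e9010\tTCPv4\t127.0.0.1\t9150\t0.0.0.0\t0\tLISTENING\t4120\ttor.exe\t2023-11-14 22:13:01
0xa50b2c1f2a20\tTCPv4\t127.0.0.1\t49812\t127.0.0.1\t9150\tESTABLISHED\t3988\tfirefox.exe\t2023-11-14 22:13:40
0xa50b2c1f3b30\tTCPv4\t10.0.0.5\t49820\t198.51.100.7\t443\tESTABLISHED\t4120\ttor.exe\t2023-11-14 22:13:05
0xa50b2c1f4c40\tTCPv4\t10.0.0.5\t49833\t203.0.113.9\t443\tESTABLISHED\t2210\tchrome.exe\t2023-11-14 22:10:55
0xa50b2c1f5d50\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t1500\tsvchost.exe\t2023-11-14 22:01:00
"""


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    pid: int
    owner: str


def parse_netscan(text: str) -> List[Conn]:
    """Parse the tab-separated table; the first line is the header and rows
    whose port or PID columns are not integers are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines()[1:]:
        cols = line.split("\t")
        if len(cols) < 9:
            continue
        try:
            conns.append(Conn(cols[1], cols[2], int(cols[3]), cols[4],
                              int(cols[5]), cols[6], int(cols[7]), cols[8]))
        except ValueError:
            continue
    return conns


def tor_indicators(conns: List[Conn]) -> List[dict]:
    """Return one finding per socket that matches a Tor Browser pattern."""
    findings: List[dict] = []
    for c in conns:
        if c.laddr == LOOPBACK and c.lport in TOR_LOCAL_PORTS and c.state == "LISTENING":
            # The bundled tor daemon offering its SOCKS/control port locally.
            findings.append({"pid": c.pid, "owner": c.owner, "kind": "tor_listener",
                             "detail": f"{TOR_LOCAL_PORTS[c.lport]} port {c.lport}"})
        elif c.faddr == LOOPBACK and c.fport in TOR_LOCAL_PORTS:
            # A client (normally firefox.exe) talking to tor over loopback.
            findings.append({"pid": c.pid, "owner": c.owner, "kind": "client_to_tor",
                             "detail": f"{c.owner} -> {TOR_LOCAL_PORTS[c.fport]} port {c.fport}"})
        elif c.owner.lower() in TOR_DAEMON_NAMES and c.state == "ESTABLISHED" and c.faddr != LOOPBACK:
            # tor's own outbound connection: the first hop of the circuit.
            findings.append({"pid": c.pid, "owner": c.owner, "kind": "tor_remote",
                             "detail": f"{c.faddr}:{c.fport} (candidate guard or bridge; "
                                       "check against the relay consensus)"})
    return findings


if __name__ == "__main__":
    for f in tor_indicators(parse_netscan(SAMPLE_NETSCAN)):
        print(f"pid {f['pid']:>5} {f['owner']:<12} {f['kind']:<14} {f['detail']}")
```

The remote address of the tor_remote finding is the guard (or bridge), not the site the user visited; what the user browsed is not recoverable from the socket table, only from the browser process's own memory and on-disk artifacts.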

Analysis of Processes and Threads

Memory analysis can reveal information about the processes and threads generated by the Tor Browser. Forensic analysts can use this information to identify the Tor circuits used by the user and the system resources utilized by the Tor Browser.

Analysis of Registry Keys

Memory analysis can reveal information about the registry keys generated by the Tor Browser. Forensic analysts can use this information to identify the Tor circuits used by the user and the configurations of the Tor Browser.

Memory analysis is an important aspect of forensic investigation of the Tor Browser. The Tor Browser uses various processes and threads to provide anonymity to its users. Memory analysis can reveal information about the websites visited by the user, the files downloaded by the user, and the Tor circuits used by the user. Volatility and Rekall are popular tools used for memory analysis of the Tor Browser. Forensic analysts can use memory analysis techniques such as analysis of network connections, analysis of processes and threads, and analysis of registry keys to identify criminal activities conducted through the browser.

Forensic Analysis

One of the first steps in forensic analysis of Tor Browser is to identify the location of the browser installation on the system. The default installation directory for Tor Browser is the user’s home directory, under the “tor-browser_en-US” folder. However, the user may have chosen to install Tor Browser in a different location, so it is important to search the entire file system for the browser installation folder.
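The search described here and in Step 2 can be scripted against a mounted image. The following is an added example, not code from the article: it walks a mount point looking both for the default install folder name (tor-browser_<locale>, e.g. tor-browser_en-US) and for the profile layout TorBrowser/Data/Browser/profile.default, so an install moved or renamed by the user is still found by its profile. The sample directory tree it builds in a temporary directory is constructed.

```python
"""Locate Tor Browser installation folders and profiles on a mounted image.

Added example; not code from the article. It assumes the forensic image
is mounted read-only under some root directory and relies on two naming
conventions: the default install folder tor-browser_<locale> and the
profile path TorBrowser/Data/Browser/profile.default inside the install.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

INSTALL_PREFIX = "tor-browser"
PROFILE_TAIL = ("TorBrowser", "Data", "Browser", "profile.default")


def find_tor_profiles(mount_root) -> List[Path]:
    """Return every directory whose last four path components match the
    Tor Browser profile layout, wherever it sits on the image. An ordinary
    Firefox profile (e.g. .mozilla/firefox/<x>.default) does not match."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(mount_root):
        p = Path(dirpath)
        if tuple(p.parts[-4:]) == PROFILE_TAIL:
            hits.append(p)
    return sorted(hits)


def find_install_roots(mount_root) -> List[Path]:
    """Return directories named like the default install folder. A renamed
    install is missed here but still found by find_tor_profiles."""
    roots = []
    for dirpath, dirnames, _files in os.walk(mount_root):
        for d in dirnames:
            if d.lower().startswith(INSTALL_PREFIX):
                roots.append(Path(dirpath) / d)
    return sorted(roots)


def build_sample_tree(root) -> None:
    """Constructed sample: a default-named install in a home directory, an
    install moved to a non-default location, and a plain Firefox profile
    that must not be reported."""
    for rel in (
        "home/alice/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default",
        "opt/scratch/Browser/TorBrowser/Data/Browser/profile.default",
        "home/bob/.mozilla/firefox/abcd1234.default",
    ):
        Path(root, rel).mkdir(parents=True, exist_ok=True)


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp directory and report what was found."""
    root = tempfile.mkdtemp(prefix="tor-image-")
    build_sample_tree(root)
    return {
        "profiles": [str(p.relative_to(root)) for p in find_tor_profiles(root)],
        "installs": [str(p.relative_to(root)) for p in find_install_roots(root)],
    }


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, *paths, sep="\n  ")
```

Matching on the last four components makes the same function work for a Windows install (the Windows installer defaults to a "Tor Browser" folder on the Desktop, with the same Browser/TorBrowser/Data/Browser/profile.default layout beneath it), and it does not depend on the locale suffix of the install folder.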

Once the Tor Browser installation folder is identified, the next step is to examine the browser’s configuration files. Tor Browser uses a modified version of Firefox, and therefore stores its configuration files in a similar manner. The “prefs.js” file, located in the “Tor Browser/Browser/TorBrowser/Data/Browser/profile.default” folder, contains various settings related to the browser’s behavior, including the proxy settings used to connect to the Tor network.
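To pull the proxy settings out of prefs.js, the following added example (not code from the article or from Mozilla) parses the Firefox line format user_pref("name", value); where the value is a quoted string, an integer or true/false, and summarizes the network.proxy.* entries. The sample file contents are constructed, using the loopback SOCKS values (127.0.0.1, port 9150) that Tor Browser configures by default.

```python
"""Extract proxy-related settings from a Tor Browser prefs.js.

Added example; not code from the article or from Mozilla. Assumes the
Firefox prefs.js line format  user_pref("name", value);  SAMPLE_PREFS is
constructed with Tor Browser's default loopback SOCKS settings.
"""
import re
from typing import Dict, Union

PrefValue = Union[str, int, bool]

# user_pref("name", value);  name may contain escaped quotes; value runs to the final ");"
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

TOR_SOCKS_PORTS = {9150, 9050}   # 9150 = Tor Browser bundle, 9050 = system tor daemon

# Constructed sample prefs.js contents.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
user_pref("browser.startup.homepage_override.mstone", "ignore");
'''


def _decode_value(raw: str) -> PrefValue:
    """Turn the textual value into bool, str or int (ValueError otherwise)."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return name -> value for every user_pref line; comments, blank lines
    and malformed lines are skipped rather than treated as fatal."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        try:
            prefs[m.group(1)] = _decode_value(m.group(2))
        except ValueError:
            continue
    return prefs


def proxy_summary(prefs: Dict[str, PrefValue]) -> Dict[str, object]:
    """Pick out the settings that say where the browser sent its traffic."""
    proxy_type = prefs.get("network.proxy.type")      # 1 = manual proxy configuration
    host = prefs.get("network.proxy.socks")
    port = prefs.get("network.proxy.socks_port")
    return {
        "proxy_type": proxy_type,
        "socks_host": host,
        "socks_port": port,
        "remote_dns": prefs.get("network.proxy.socks_remote_dns"),
        # Loopback SOCKS on a Tor port with remote DNS is the Tor Browser shape.
        "tor_socks_config": proxy_type == 1
        and host in ("127.0.0.1", "localhost")
        and port in TOR_SOCKS_PORTS,
    }


if __name__ == "__main__":
    for k, v in proxy_summary(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{k:>16}: {v}")
```

Newer Tor Browser releases manage their Tor connection through their own settings component, so the network.proxy.* lines may be absent from prefs.js even on a heavily used install; treat their absence as inconclusive and rely on the profile layout and the other artifacts described in this section as well.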

Another important file to examine is the “key4.db” file, located in the “Tor Browser/Browser/TorBrowser/Data/Browser/profile.default” folder. This file contains the user’s saved passwords and other sensitive information, and can be decrypted using tools such as Mozilla’s “key3.db” viewer.

In addition to examining the files stored on the user’s computer, it is also important to capture network traffic generated by Tor Browser usage. This can be done using packet capture tools such as Wireshark or tcpdump. By analyzing the captured network traffic, it is possible to determine which websites the user visited, as well as any communications sent and received.

One of the main challenges in analyzing Tor network traffic is the fact that it is encrypted, making it difficult to determine the content of the communications. However, it is still possible to extract some information from the encrypted traffic, such as the destination IP addresses and the type of communication protocol used.

In addition to analyzing network traffic, it is also important to examine the user’s Tor Browser bookmarks and downloads. These can be found in the “places.sqlite” file, located in the “Tor Browser/Browser/TorBrowser/Data/Browser/profile.default” folder. By examining this file, it is possible to determine which websites the user visited, as well as any files downloaded.
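The places.sqlite queries this paragraph and the earlier "Analysis of SQLite Databases" section call for look like the added example below, which is not code from the article or from Mozilla. It uses the Firefox tables moz_places, moz_bookmarks and moz_historyvisits and converts their PRTime timestamps (microseconds since the Unix epoch) to UTC; the database it queries is constructed in memory so the code runs offline. One caveat the practitioner needs: Tor Browser runs in permanent private-browsing mode, so moz_historyvisits is normally empty on a real profile, while bookmarks do persist.

```python
"""Extract bookmarks and visit history from a Firefox/Tor Browser places.sqlite.

Added example; not code from the article or from Mozilla. Uses the Firefox
schema tables moz_places, moz_bookmarks and moz_historyvisits; timestamps
are PRTime (microseconds since the Unix epoch). build_sample_db() creates a
constructed in-memory database with the columns these queries need.
"""
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional

BOOKMARK_TYPE = 1   # moz_bookmarks.type: 1 = bookmark, 2 = folder


def prtime_to_iso(us: Optional[int]) -> Optional[str]:
    """PRTime microseconds -> ISO-8601 UTC string (None for unset/zero)."""
    if not us:
        return None
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()


def open_places(path: str) -> sqlite3.Connection:
    """Open an evidence copy read-only so the file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database with the subset of columns used below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, title TEXT, dateAdded INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://www.torproject.org/", "Tor Project", 2, 1700000120000000),
        (2, "https://duckduckgo.com/", "DuckDuckGo", 0, None),
        (3, "https://example.org/report.pdf", None, 1, 1700000300000000),
    ])
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?)", [
        (1, BOOKMARK_TYPE, 1, 3, "Tor Project", 1699990000000000),
        (2, BOOKMARK_TYPE, 2, 3, "DuckDuckGo", 1699990005000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1700000000000000, 1),
        (2, 1, 1700000120000000, 1),
        (3, 3, 1700000300000000, 1),
    ])
    return conn


def bookmarks(conn: sqlite3.Connection) -> List[dict]:
    """Bookmarks joined to their URL, oldest first."""
    rows = conn.execute(
        """SELECT b.title, p.url, b.dateAdded
           FROM moz_bookmarks b JOIN moz_places p ON b.fk = p.id
           WHERE b.type = ? ORDER BY b.dateAdded""", (BOOKMARK_TYPE,)).fetchall()
    return [{"title": t, "url": u, "added": prtime_to_iso(d)} for t, u, d in rows]


def visit_timeline(conn: sqlite3.Connection) -> List[dict]:
    """Every recorded visit in time order, for building the activity timeline."""
    rows = conn.execute(
        """SELECT v.visit_date, p.url
           FROM moz_historyvisits v JOIN moz_places p ON v.place_id = p.id
           ORDER BY v.visit_date""").fetchall()
    return [{"when": prtime_to_iso(d), "url": u} for d, u in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for b in bookmarks(db):
        print("bookmark", b)
    for v in visit_timeline(db):
        print("visit   ", v)
```

Copy places.sqlite together with any places.sqlite-wal and places.sqlite-shm files that sit beside it before opening the copy; Firefox uses write-ahead logging for this database, so the most recent rows may exist only in the -wal file until a checkpoint.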

Forensic analysis of Tor Browser can be challenging because the browser is designed to leave as little trace as possible on the user’s computer. However, by examining configuration files, network traffic, bookmarks, and downloads, it is possible to uncover valuable information about the user’s online activities.

Conclusion

Forensic analysis of Tor Browser is essential for identifying and investigating criminal activity conducted through the browser. Tor Browser routes its traffic over the Tor network to keep the user’s identity and location private, which makes forensic analysis of the browser difficult. The work divides into three main areas: network analysis, file analysis, and memory analysis. Network analysis examines the traffic generated by Tor Browser, file analysis examines the files stored on the user’s computer, and memory analysis examines the memory of Tor Browser while it is running. Forensic analysts must combine these techniques to recover user data and identify criminal activity conducted through Tor Browser.