Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems
Abstract
:1. Introduction
- What specific artifacts are generated by the Tor Browser on Windows-based operating systems?
- How can these artifacts be effectively identified and analyzed using forensic methodologies?
- Can an automated PowerShell script be developed to detect and retrieve Tor artifacts with minimal user interaction, thereby enhancing the efficiency of forensic investigations?
- How does the correlation of these artifacts contribute to understanding the sequence of events in cases involving the use of the Tor Browser?
- This research aims to broaden the scope of Tor artifacts in Windows registries, collecting a wider range of artifacts from target PCs. It employs reverse engineering techniques in storage forensics to recover deleted artifacts, providing deeper insights into user activity.
- This study seeks to enhance the efficiency and accuracy of digital forensic investigations. It addresses the limitations of previous methodologies and contributes to the advancement of digital forensic techniques for investigating Tor Browser activity.
- This research proposes an automated PowerShell script that detects Tor usage and conducts a forensic analysis to retrieve Tor artifacts with minimal user interaction. This approach saves the investigator’s time and improves the overall efficiency of the investigation process.
- This study performed timeline analysis and artifact correlation for a contextual understanding of how events unfold across both memory and network domains. This contributes to improved incident response and enhanced online security, providing valuable insights for cybersecurity professionals and law enforcement agencies.
2. Background
- Tor Browser: This is the main application, represented as the central node in the diagram.
- Modified Firefox ESR (Extended Support Release):
- The Tor Browser is built on a customized version of Firefox ESR.
- It is specifically modified for enhanced privacy and anonymity.
- Tor Network:
- This is the core of Tor’s anonymity features.
- It encrypts and routes traffic through multiple nodes: a. Entry Node (Guard): The first node in the Tor circuit. b. Middle Node: An intermediate node in the circuit. c. Exit Node: The final node that connects to the internet.
- Privacy Extensions:
- NoScript:
- (a)
- Blocks JavaScript by default to prevent potential security vulnerabilities.
- (b)
- Users can selectively enable scripts for trusted sites.
- HTTPS Everywhere:
- (a)
- Enforces secure connections by automatically upgrading HTTP connections to HTTPS when possible.
- Tor Button:
- (a)
- Manages Tor connection settings.
- (b)
- Allows users to access Tor network settings and change their circuit.
- The Tor Browser integrates the modified Firefox ESR, connects to the Tor Network, and includes the privacy extensions.
- The Tor Network is represented as a series of nodes (Entry, Middle, Exit) that encrypt and route the user’s traffic.
- Each privacy extension (NoScript, HTTPS Everywhere, Tor Button) is connected to the main Extensions node.
- Client: The application for sending is normally indicated to the Tor Browser (in our case).
- Directory Server: In onion routing, a server that stores info about other nodes in the network is called a directory server [28]. It is responsible for providing the client with a safe passage to the server through onion routers. It decides the route that should be given to the client. All the active tor relays are listed in the directory server.
- Onion Encryption: In onion routing, data are encrypted in layers as they travel through different routers. Each layer corresponds to a specific router in the circuit. At each router, one layer is decrypted, which exposes the next destination [29]. This layered encryption ensures the anonymity of both the sender and the final destination throughout the process.
- Entry Node or Guard Node: The first relay in the chain. Also called an entry node or entry guard [30]. This node knows the sender’s identity but does not know the ultimate destination or full path.
- Relay Node or Onion Router (OR): It is a node that is neither an entrance nor an exit node; instead, it acts as a client for traffic routing [23]. All traffic going through this node remains encrypted.
- Exit Node or Egress Point: It decrypts the third and last onion encryption and sends the data to the server.
2.1. Difference between Windows Versions
2.2. Related Work
2.3. Limitations of the Literature with Respect to Windows 10
- The previous studies performed Tor forensics but did not cover all forensic techniques (network, storage, memory and registry forensics).
- The previous studies provided no automation for the gathering of artifacts from any forensic technique in a time-effective way.
2.4. Limitations in the Literature with Respect to Windows 11
- Windows 11 introduces a new file system called “WinFS”, which may have implications for digital forensics. WinFS was designed to provide a unified storage system for both local and networked data. This potentially impacts the way data are stored and accessed, requiring forensic analysts to adapt new methodologies for storage forensics. Also, Windows 11 includes enhanced security features, such as secure core and hardware-based virtualization-based security (VBS). These features impact the ability to access and analyze data related to the Tor Browser, potentially making it more challenging to acquire certain forensic artifacts from RAM and storage.
- Before the introduction of the “WinFS” file system in Windows 11, the primary file system used in Windows operating systems was the New Technology File System (NTFS). The NTFS has been the default file system for Windows since the release of Windows NT 3.1 in 1993. WinFS has stronger encryption than NTFS, which makes the deleted data extraction more complex than Windows 10.
- The Windows 11 System32\Config folder is of 1.8 GB to 2.4 GB and contains about 400k to 500k registries, whereas the Windows 10 System32\Config folder is of 1.5 GB to 2.2 GB and contains about 300k to 400k registries. This makes the registry forensic job more thorough.
- Windows 11 needs more RAM for usage; hence, the memory dump will be much bigger for this. Hence, some more high-end hardware in the system must be used for the analysis of memory artifacts.
- The forensic community must adapt to the latest technologies to remain effective. As operating systems evolve, so too must the tools and techniques used by forensic investigators evolve. By staying current with the latest platform, investigators ensure they are prepared to handle cases involving the most recent technologies, which is essential for maintaining the integrity and reliability of forensic investigations.
3. Proposed Methodology
3.1. Experimental Setup
3.2. ToolsUsed
- FTK Imager: FTK Imager was chosen for its efficiency in capturing memory dumps, a crucial aspect of forensic analysis. Its user-friendly interface and strong memory-capturing capabilities make it an excellent tool for this task.
- Regshot and Regedit: Regshot is used to compare registry snapshots before and after using the Tor Browser, with Regedit being employed to view registry artifacts. Regshot is efficient in generating and comparing registry snapshots, which makes it an ideal choice for identifying changes after using the Tor Browser. Regedit complements this by allowing the detailed inspection of registry artifacts.
- RawCap: RawCap is employed to capture network traffic. RawCap is a lightweight command-line tool designed specifically for capturing raw network traffic. It captures packets at a low level without parsing them. It preserves the entire content of each packet, including headers and payload, without any alteration, preserving its raw format. It is lightweight and is fully compatible with Windows-based systems.
- NetworkMiner: NetworkMiner is an open-source tool used to extract various data types from PCAP files. NetworkMiner’s versatility in extracting diverse data types from PCAP files, coupled with its user-friendly interface, makes it valuable for forensic analysis in Windows environments. Its open-source nature allows users to inspect and modify the tool according to their requirements. Additionally, being free makes it accessible to a broad audience.
- Volatility: Volatility is a popular open-source memory forensic framework that is widely used by digital forensic investigators and incident responders to analyze memory dumps, which are images of a computer’s memory at a specific point in time. Volatility’s primary function is to extract and analyze the running processes, modules, and other system information from a memory dump. It does this using various plugins, which are essentially small programs that perform specific tasks.
- Bulk Extractor: Bulk Extractor was selected to efficiently extract various artifacts from memory dumps. It was explicitly designed for artifact-focused extraction from memory dumps. Bulk Extractor allows for targeted keyword searches, enabling the focused extraction of specific artifacts. Bulk Extractor’s open-source nature allows for customization and collaboration, enhancing its effectiveness in forensic investigations.
- TestDisk and Autopsy: TestDisk and Autopsy were chosen for storage analysis and recovering some data artifacts. It excels in recovering lost partitions, while Autopsy provides a comprehensive platform for digital forensics. Both of them are compatible with Windows, and their open-source nature contributes to their selection.
3.3. Systematic Sequence of Activities
3.4. Data Collection Procedure
- Capture an initial snapshot of the system registry to establish a baseline.
- Install the Tor Browser on the system.
- Execute the Tor Browser to initiate its functionalities.
- Start capturing network packets to monitor communication.
- Establish a connection with the Tor network to simulate dark web usage.
- Interact with the Tor Browser to simulate user activities.
- Close the Tor Browser after usage.
- Delete both the Tor Browser installer and the application.
- Capture a memory dump of the system post-Tor Browser usage.
- Capture a second snapshot of the system registry for comparison.
- Conduct a comparative analysis of the two system registry snapshots.
- Capture a storage dump of the system for detailed analysis.
- Employ forensic techniques across domains: registry, network, memory, and storage forensics.
- Identify and extract evidence related to Tor Browser usage, including browsing history, registry entries, and application locations.
- Establish correlations between different forensic artifacts for a holistic understanding.
- Compile and document the results obtained from the forensic analysis.
4. Forensic Analysis of Tor Browser Activity on Windows
4.1. Forensic Techniques
4.1.1. Memory Forensics
4.1.2. Registry Forensics
4.1.3. Storage Forensics
4.1.4. Network Forensics
4.2. Timeline Analysis for Artifact Correlation
5. Automated Script for Tor Artifact Retrieval
- Registry Query for Firefox Launcher: The script queries the Windows Registry to check for the existence of a specific location related to the Firefox Launcher.
- Defined Registry Keys and Locations: Several registry keys and their expected locations are defined, primarily focusing on paths associated with the Tor Browser.
- Registry Key Existence Checks: A function (Check-RegistryKey) is created to check if specified registry keys exist at designated locations. The script then employs this function to verify the presence of predefined registry keys.
- Additional Registry Locations Checked: The script investigates additional registry locations associated with Mozilla, Firefox, and the Tor Project.
- Elevated Permissions Check: It verifies whether the script is running with elevated (administrator) permissions and attempts to relaunch with elevated privileges if necessary.
- Detection of Tor Usage: The script notifies the user if it detects any artifacts related to Tor, providing information on the number of Tor-related registry entries found.
- Query and Analysis of Registry Values: The script retrieves and analyzes all registry values in a specified location, specifically searching for values containing the strings ‘Tor’ or ‘tor’.
- Script Completion Message: A completion message is displayed at the end of the script execution.
Algorithm 1 PowerShell Script for Tor Artifact Retrieval |
Require: Windows system with PowerShell, elevated permissions (Administrator), access to system registry |
Ensure: Artifact collection and analysis for Tor Browser usage |
|
5.1. Pseudocode of PS Script
- Print “Executing script…”
- Define registry locations and keys to be checked:
- Registry location for Tor installer and usage data.
- Keys related to Tor and Firefox executables.
- Initialize a counter for found registry entries.
- Define a function to check if a registry key exists:
- If key exists, print confirmation and increment the counter.
- If key does not exist, print a message indicating its absence.
- Check for the presence of defined registry keys using the function.
- Run a command to query a specific registry location.
- Check if certain registry paths or entries exist:
- If found, print confirmation and increment the counter.
- If not found, print a message indicating its absence.
- Check if the script has elevated (administrator) permissions: If not, restart the script with elevated permissions.
- Check if any Tor-related registry entries were found:
- If found, print “Tor Usage Detected” and the number of findings.
- If none found, print “Nothing found about Tor usage”.
- Try to obtain all registry items from the specified location:
- If successful, check for registry values containing “Tor”.
- If found, print and increment the counter.
- If an error occurs, print an error message.
- Pause to allow the user to see output, then continue.
- Print “Script completed”.
5.2. Script Usage
6. Results and Discussion
7. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Schriner, J. Monitoring the Dark Web and Securing Onion Services; City University of New York: New York, NY, USA, 2017. [Google Scholar]
- Kumar, A.; Sondarva, K.; Gohil, B.N.; Patel, S.J.; Shah, R.; Rajvansh, S.; Sanghvi, H. Forensics Analysis of TOR Browser. In Proceedings of the International Conference on Information Security, Privacy and Digital Forensics, Goa, India, 2–3 December 2022; Springer: Berlin/Heidelberg, Germany, 2022; pp. 331–341. [Google Scholar]
- Angeli, V.M.; Atamli, A.; Karafili, E. Forensic analysis of Tor in Windows environment: A case study. In Proceedings of the 17th International Conference on Availability, Reliability and Security, Vienna, Austria, 23–26 August 2022; pp. 1–10. [Google Scholar]
- Teng, S.Y.; Wen, C.Y. A forensic examination of anonymous browsing activities. Forensic Sci. J. 2018, 17, 1–8. [Google Scholar]
- Mehta, S.D.; Upadhyay, D. A review on classification of tor-nontor traffic and forensic analysis of tor browser. Int. J. Eng. Res. Technol. (IJERT) 2020, 9, 776–778. [Google Scholar]
- Huang, M.J.C.; Wan, Y.L.; Chiang, C.P.; Wang, S.J. Tor browser forensics in exploring invisible evidence. In Proceedings of the 2018 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Miyazaki, Japan, 7–10 October 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 3909–3914. [Google Scholar]
- Warren, A. Tor browser Artifacts in Windows 10; SANS Information Security Reading Room: Rockville, MD, USA, 2017. [Google Scholar]
- Jadoon, A.K.; Iqbal, W.; Amjad, M.F.; Afzal, H.; Bangash, Y.A. Forensic analysis of Tor browser: A case study for privacy and anonymity on the web. Forensic Sci. Int. 2019, 299, 59–73. [Google Scholar] [CrossRef] [PubMed]
- Muir, M.; Leimich, P.; Buchanan, W.J. A forensic audit of the tor browser bundle. Digit. Investig. 2019, 29, 118–128. [Google Scholar] [CrossRef]
- Fiaz, F.; Sajjad, S.M.; Iqbal, Z.; Yousaf, M.; Muhammad, Z. MetaSSI: A Framework for Personal Data Protection, Enhanced Cybersecurity and Privacy in Metaverse Virtual Reality Platforms. Future Internet 2024, 16, 176. [Google Scholar] [CrossRef]
- Nelson, R.; Shukla, A.; Smith, C. Web browser forensics in google chrome, mozilla firefox, and the tor browser bundle. In Digital Forensic Education: An Experiential Learning Approach; Springer: Berlin/Heidelberg, Germany, 2020; pp. 219–241. [Google Scholar]
- Asif, S.; Ambreen, M.; Muhammad, Z.; ur Rahman, H. Cloud computing in healthcare-investigation of threats, vulnerabilities, future challenges and counter measure. LC Int. J. STEM 2022, 3, 63–74, ISSN: 2708-7123. [Google Scholar]
- Darcie, W.; Boggs, R.; Sammons, J.; Fenger, T. Online anonymity: Forensic analysis of the tor browser bundle. Forensic Sci. Int. 2014. Available online: https://www.marshall.edu/forensics/files/WinklerDarcie_ResearchPaper_8-6-141.pdf (accessed on 7 July 2024).
- Gunapriya, S.; Vatsavayi, V.K.; Varma, K.S. Forensic Investigation of Tor Bundled Browser. In Proceedings of the International Conference on Intelligent and Smart Computing in Data Analytics: ISCDA 2020, Guntur, India, 13 March 2021; Springer: Berlin/Heidelberg, Germany, 2021; pp. 281–289. [Google Scholar]
- Alfosail, M.; Norris, P. Tor forensics: Proposed workflow for client memory artefacts. Comput. Secur. 2021, 106, 102311. [Google Scholar] [CrossRef]
- Leng, T.; Yu, A. A framework of darknet forensics. In Proceedings of the 3rd International Conference on Advanced Information Science and System, Sanya, China, 26–28 November 2021; pp. 1–6. [Google Scholar]
- Rehman, F.; Muhammad, Z.; Asif, S.; Rahman, H. The next generation of cloud security through hypervisor-based virtual machine introspection. In Proceedings of the 2023 3rd International Conference on Artificial Intelligence (ICAI), Islamabad, Pakistan, 22–23 February 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 116–121. [Google Scholar]
- Flanagan, J. Using Tor in Cybersecurity Investigations. Master’s Thesis, Utica College, Utica, NY, USA, 2015. [Google Scholar]
- Irfan, M.; Ali, S.T.; Ijlal, H.S.; Muhammad, Z.; Raza, S. Exploring The Synergistic Effects of Blockchain Integration with IOT and AI for Enhanced Transparency and Security in Global Supply Chains. Int. J. Contemp. Issues Soc. Sci 2024, 3, 1326–1338. [Google Scholar]
- Akintaro, M.; Pare, T.; Dissanayaka, A.M. Darknet and black market activities against the cybersecurity: A survey. In Proceedings of the Midwest Instruction and Computing Symposium (MICS), North Dakota State University, Fargo, ND, USA, 5–6 April 2019. [Google Scholar]
- Syverson, P. Practical vulnerabilities of the tor anonymity network. Adv. Cyber Secur. Technol. Oper. Exp. 2013, 60, 60–73. [Google Scholar]
- Reed, M.G.; Syverson, P.F.; Goldschlag, D.M. Anonymous connections and onion routing. IEEE J. Sel. Areas Commun. 1998, 16, 482–494. [Google Scholar] [CrossRef]
- Dingledine, R.; Mathewson, N.; Syverson, P.F. Tor: The second-generation onion router. In Proceedings of the USENIX Security Symposium, San Diego, CA, USA, 9–13 August 2004; Volume 4, pp. 303–320. [Google Scholar]
- Aggarwal, G.; Bursztein, E.; Jackson, C.; Boneh, D. An analysis of private browsing modes in modern browsers. In Proceedings of the 19th USENIX Security Symposium (USENIX Security 10), Washington, DC, USA, 11–13 August 2010. [Google Scholar]
- Iesar, H.; Iqbal, W.; Abbas, Y.; Umair, M.Y.; Wakeel, A.; Illahi, F.; Saleem, B.; Muhammad, Z. Revolutionizing Data Center Networks: Dynamic Load Balancing via Floodlight in SDN Environment. In Proceedings of the 2024 5th International Conference on Advancements in Computational Sciences (ICACS), Lahore, Pakistan, 19–20 February 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 1–8. [Google Scholar]
- Ghafarian, A.; Seno, S.A.H. Analysis of privacy of private browsing mode through memory forensics. Int. J. Comput. Appl. 2015, 132, 27–34. [Google Scholar] [CrossRef]
- Kauser, S.; Malik, T.S.; Hasan, M.H.; Akhir, E.A.P.; Kazmi, S.M.H. Windows 10’s Browser Forensic Analysis for Tracing P2P Networks’ Anonymous Attacks. Comput. Mater. Contin. 2022, 72, 1251–1273. [Google Scholar] [CrossRef]
- Hejazi, S.M.; Talhi, C.; Debbabi, M. Extraction of forensically sensitive information from windows physical memory. Digit. Investig. 2009, 6, S121–S131. [Google Scholar] [CrossRef]
- Chetry, A.; Sharma, U. Dark web Activity on Tor—Investigation challenges and retrieval of memory artifacts. In Proceedings of the International Conference on Innovative Computing and Communications: Proceedings of ICICC, Delhi, India, 21–23 February 2020; Springer: Berlin/Heidelberg, Germany, 2021; Volume 1, pp. 953–964. [Google Scholar]
- Goldschlag, D.M.; Reed, M.G.; Syverson, P.F. Hiding routing information. In Proceedings of the International Workshop on Information Hiding, Cambridge, UK, 30 May–1 June 1996; Springer: Berlin/Heidelberg, Germany, 1996; pp. 137–150. [Google Scholar]
- Rehman, A.U.; Nadeem, A.; Malik, M.Z. Fair feature subset selection using multiobjective genetic algorithm. In Proceedings of the Genetic and Evolutionary Computation Conference Companion, Boston, MA, USA, 9–13 July 2022; pp. 360–363. [Google Scholar]
- Fatima, M.; Abbas, H.; Yaqoob, T.; Shafqat, N.; Ahmad, Z.; Zeeshan, R.; Muhammad, Z.; Rana, T.; Mussiraliyeva, S. A survey on common criteria (CC) evaluating schemes for security assessment of IT products. PeerJ Comput. Sci. 2021, 7, e701. [Google Scholar] [CrossRef] [PubMed]
- Arshad, M.R.; Hussain, M.; Tahir, H.; Qadir, S.; Memon, F.I.A.; Javed, Y. Forensic analysis of tor browser on windows 10 and android 10 operating systems. IEEE Access 2021, 9, 141273–141294. [Google Scholar] [CrossRef]
- Sajan, P.P.; Balan, C.; Priya, M.J.D.; Sreedeep, A.L. Tor browser forensics. Turk. J. Comput. Math. Educ. (TURCOMAT) 2021, 12, 5599–5608. [Google Scholar]
- Pizzolante, R.; Castiglione, A.; Carpentieri, B.; Contaldo, R.; D’Angelo, G.; Palmieri, F. A machine learning-based memory forensics methodology for TOR browser artifacts. Concurr. Comput. Pract. Exp. 2021, 33, e5935. [Google Scholar] [CrossRef]
- Kent, K.; Chevalier, S.; Grance, T.; Dang, H. Sp 800-86. Guide to Integrating Forensic Techniques into Incident Response; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2006.
- Hariyadi, D.; Kusuma, M.; Sholeh, A.; Fazlurrahman. Digital Forensics Investigation on Xiaomi Smart Router Using SNI ISO/IEC 27037: 2014 and NIST SP 800-86 Framework. In Proceedings of the International Conference on Science and Engineering (ICSE-UIN-SUKA 2021), Yogyakarta, Indonesia, 27 October 2021; Atlantis Press: Amsterdam, The Netherlands, 2021; pp. 143–147. [Google Scholar]
No | Research and Year | OS | Tools | Methodology | Contribution/ Findings | Limitations/ Assumptions |
---|---|---|---|---|---|---|
1. | [6], 2021 | Windows 10 | Regshot, RegScanner, FTK Imager | Used digital forensics methodology for Windows 10 and Android 10 devices. | Browsing history, registries, email address, downloaded timestamps. | Network forensics is not conducted in research; also, research has been based on Windows 10, while the latest OS is Windows 11. Moreover, the research has not focused on artifacts after the browser is deleted. |
2. | [7], 2017 | Windows 10 | Regshot, Regripper, XWays, Volatility | Used three forensic techniques to collect data from Windows 10 device. | Path of file, processID, ports used, registries. | Claimed that the Tor Browser leaves no or very few traces after deletion. Also, the tools used here are not defined properly for forensic techniques except registry forensic tools. |
3. | [8], 2019 | Windows 8.1 | FTK Imager, Magnet AXIOM, Bulk extractor, EnCase, Regshot, Volatility, Hex workshop | Used memory, registry and hard-disk forensic techniques. | Registries, emails from memory, public keys of Tor relays. | No artifacts from network forensics are collected. Also, the tool used for storage forensics is not open-source or free. No automation for gathering results is defined. |
4. | [11], 2021 | Windows 10 | Smsniff, Linux Reader | Analyzed prefetch file and used RAM forensics to collect artifacts. | Tor presence from prefetch, email addresses, and public keys of the user. | Tools used were not defined properly. Also, the network and registry artifacts were not examined at all. |
5. | [17], 2014 | Windows 7 | Wireshark, FTK, Network Miner | Used digital forensics techniques related to network, registry, and RAM forensics | Registries, browsing history, analysis of PCAPs. | This research was conducted in 2014 and is considered old at this point. Also, no storage artifacts were analyzed. |
6. | [18], 2022 | Windows 10 | FTK Imager, Magnet RAM Capture, Belkasoft RAM Live Capturer, Bulk Extractor, Wireshark | Used registry, memory, hard-disk and network forensics on target system. | Browsing activities, HTTP header, tor exe, tor button, registries. | Could not reveal any browsing data with the network analysis. Did not cover memory artifacts after the Tor Browser is deleted. |
7. | [20], 2022 | Windows 10 | FTK Imager, Autopsy, Bulk Extractor, Hex workshop | Gathered artifacts from memory, registry, and storage. | Browsing history, tor icon, public keys of tor relay (if browser is open), three registries. | Only three registry keys were found, and no automated methodology was presented for time-efficient findings. |
8. | [21], 2021 | Windows 10 | Autopsy, Dumpit, Bulk Extractor Viewer | Analyzed browsing sessions with autopsy and collected artifacts from memory forensic techniques. | Email addresses, artifacts about Tor’s presence. | No browsing history was recovered; also, the scope was limited to just memory and storage forensics. Network data were not examined at all. |
9. | [22], 2021 | Not defined | FTK, Belkasoft RAM capturer, Volatility | Gathered artifacts from RAM using memory forensics. | Network ports, browsing history. | Evidence acquisition process was not clearly defined. Also, it did not cover artifacts after the deletion of the browser. |
10. | [33], 2019 | Windows 10 | FTK, HxD, SQLite, | Database and memory forensics. | Browsing history, cookies. | Used just memory forensics and examined a database file from prefetch. Also, a few artifacts were found. No automation for ease of examination. |
11. | Proposed Research | Windows 11 | Regshot, FTK Imager, Autopsy, Bulk Extractor, Volatility, NetworkMiner, RawCap | Used all the four forensic techniques (memory, network, storage, registry) for extracting artifacts from the target system. | URLs, email addresses, credentials, public keys, ports used, registries, prefetch files, location of Tor, location of Tor installer, usernames, Tor’s HTTP header. | - |
Tor Browser Stage | Tool Used | Visited Sites | tor.Exe | Tor Launcher | Timestamps | Registry Values |
---|---|---|---|---|---|---|
Open | FTK Imager + Bulk Extractor | Yes | Yes | Yes | Yes | Yes |
Closed | FTK Imager + Bulk Extractor | Yes | Yes | Yes | Yes | No |
Uninstalled | FTK Imager + Bulk Extractor | Yes | Yes | Yes | Yes | No |
No | Description | Locations of Registries Belong to Tor Browser |
---|---|---|
1 | Tor Browser Installer | Computer\HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\bam\State\UserSettings\S-1-5-21-3086630268-3035775925-2501282103-1009 |
2 | Location of Tor Installer | Computer\HKEY_USERS\S-1-5-21-3086630268-3035775925-2501282103-1009\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store |
3 | Name of application | Computer\HKEY_USERS\S-1-5-21-3086630268-3035775925-2501282103-1009\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
4 | Firefox location | Computer\HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\bam\State\UserSettings\S-1-5-21-3086630268-3035775925-2501282103-1009 |
5 | Application user-friendly name | Computer\HKEY_USERS\S-1-5-21-3086630268-3035775925-2501282103-1009\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
6 | Company name of application | Computer\HKEY_USERS\S-1-5-21-3086630268-3035775925-2501282103-1009\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
7 | Some traces of Tor Browser | Computer\HKEY_USERS\S-1-5-21-3086630268-3035775925-2501282103-1009\Software\Mozilla\Firefox\Launcher |
8 | Firefox installer location | Computer\HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\bam\State\UserSettings\S-1-5-21-3086630268-3035775925-2501282103-1009 |
No. | Artefact | Yes/No |
---|---|---|
1. | All onion websites | Yes |
2. | Credentials | Yes |
3. | Website’s images (downloaded and visited images) | Yes |
4. | Timestamps | Yes |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Javed, M.S.; Sajjad, S.M.; Mehmood, D.; Mansoor, K.; Iqbal, Z.; Kazim, M.; Muhammad, Z. Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems. Information 2024, 15, 495. https://doi.org/10.3390/info15080495
Javed MS, Sajjad SM, Mehmood D, Mansoor K, Iqbal Z, Kazim M, Muhammad Z. Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems. Information. 2024; 15(8):495. https://doi.org/10.3390/info15080495
Chicago/Turabian StyleJaved, Muhammad Shanawar, Syed Muhammad Sajjad, Danish Mehmood, Khawaja Mansoor, Zafar Iqbal, Muhammad Kazim, and Zia Muhammad. 2024. "Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems" Information 15, no. 8: 495. https://doi.org/10.3390/info15080495
APA StyleJaved, M. S., Sajjad, S. M., Mehmood, D., Mansoor, K., Iqbal, Z., Kazim, M., & Muhammad, Z. (2024). Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems. Information, 15(8), 495. https://doi.org/10.3390/info15080495