TOR BROWSER FORENSICS ON WINDOWS OS

The Onion Router (TOR) is a platform developed by the United States Naval Research Laboratory in the mid-1990s to protect US intelligence communications online. After many years and several development stages, the TOR network has become a popular free encrypted anonymizing virtual network used worldwide by many different user groups including privacy advocates, journalists, governments, and unfortunately criminals.

TOR is basically composed of two parts.

• The software that runs the tor client on the PC of the user
• A network of volunteer computers that directs traffic anonymously through the internet.
  

 The main aim of this post is to provide a forensic analysis of the software that runs the tor client on the PC (the TOR browser)

How TOR works

Figure I: How Tor works

  

Tor directs the route of a user’s internet traffic through random relays on the Internet. The data and destination IP address are first layered with elliptic curve cryptography, which is currently unbreakable with brute-force. It then sends them through a virtual circuit consisting of many nodes (three or more).  As the encrypted data enters the first node, one layer of encryption is stripped and sent to the next node. The next node performs the same function until the message reaches the final node, which is also named exit relay.  The exit relay now connects to the desired target of the user with an unencrypted connection.

When using TOR, the IP address of the user will become hidden and the user's connection will seem to originate from the TOR exit relay. The exit relay does not know anything of the traffic route other than the single previous relay.  Making Tor traffic even more difficult, if not impossible, to track is that this random route chooses a different entry, middle, and exit relay every 10 minutes or so.

The term node generally refers to a computer or a server that operates as part of the TOR network. It is also called relay or router; all three names are interchangeable.

The TOR Browser

The TOR browser is a hardened, security-focused version of Firefox that pushes all of your Web traffic through TOR’s anonymizing network. It supports all major operating systems (Windows, Linux, and Mac), can be used without installation, and can run from within a USB stick.  The browser modifications hide the user’s originating Internet Protocol (IP) address when surfing websites or sending e-mail. By hiding the true IP address of the user, attempts to trace or identify the user are nearly impossible without the use of extraordinary methods. 

TOR Browser Forensic Artifacts

On the system where the TOR browser is installed, the following location are of high importance.

• \Data\Tor - At this location, there are two files that contain very important information: 
• State - This contains the last execution date of the application.
• Torrc - It contains the path from where the Tor Browser was launched with the drive letter.

• \Data\Browser -  It is the folder containing the user profile but does not have any usage traces. This consist of two files that contains the browser execution path:
• compatibility.ini
• extension.json
• Prefetch - From here, we can obtain important information such as first and last execution dates, last eight execution dates (Windows 8 and higher versions), number of executions, execution path, install date, tor browser version.
• Pagefile - Pagefile.sys contains information about HTTP while the user is in private browsing. Tor uses the private browsing feature of Mozilla Firefox.
  

 Forensic Analysis of the TOR Browser

 Once the Tor browser is successfully installed on a system, it will create a tor browser folder. We can collect some valuable evidence from the Tor Browser folder on a suspect’s machine. To do this, we navigate to <%SYSTEMROOT%>\Users\username\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor and open the two files named state and torrc in notepad.

 

 As stated before, the state file provides us information about the last local execution date and time of the  Tor Browser as can be seen below

 

The torrc file gives the drive location from where the tor was launched. So, if there are multiple Tor Browser folders on the suspect’s system, we can find paths including the drive letter from which the Tor browser was run.

The TOR browser folder containing the user without usage traces is located at <%SYSTEMROOT%>\Users\username\Desktop\Tor Browser\Browser\TorBrowser\ Data\Browser\profile.default. The most interesting files are compatibility.ini and extension.json.

Windows prefetch is another source of information about the TOR usage on the suspect system. You can view prefetch files at location <%SYSTEMROOT%>\Windows\Prefetch. Note that you will need administrator privileges to view the prefetch files.

 

If you have found some suspicious prefetch files and want to perform in-depth analysis, free and fast command-line tool capable of parsing Windows Prefetch files, both in old and new formats. This tool is PECmd by Eric Zimmerman.

Using the command prompt, navigate to the directory where you have unpacked the archive and run the command PECmd.exe -f "C:\Windows\Prefetch\TOR.EXE-8C9229D9.pf". I am assuming here that the system root of the mounted hard disk image is C:\.

Evidence of browsing activities can be found at <%SYSTEMROOT%>\Users\Username\Desktop\Tor Browser\Browser\ TorBrowser\Data\Browser\profile.default. 

Open the file places.sqlite in DB Browser for SQLite.

After a successful installation of the TOR browser, we visited a hacker-for-hire forum and Facebook's dark web address.In the table moz_origin, we can see the lists of website hosts visited by the suspect.

 

In the table moz_places, we can see the list of website URLs visited.

In the table moz_bookmarks, we can see the sites bookmarked by the suspect.

In this post, we have discussed how to locate tor browser artifacts on the hard disk of a suspect. In a later post, we will discuss memory forensics and tor.