Tor Browser Forensics on Windows OS
3 likes1,662 views
This document summarizes research into analyzing artifacts from the Tor browser on Windows systems. It describes how the Tor browser leaves various artifacts that can be analyzed, including prefetch files, the UserAssist registry key, thumbnail cache, Windows search database, bookmarks, pagefile.sys, and memory dumps. A real case example is provided where analysis of these artifacts from a laptop revealed that the Tor browser was used to access a blog and publish confidential company information. The researchers were able to determine the Tor browser version, installation date, and timing of the activities related to the information leak. Ongoing research areas are also outlined.
![REAL CASE
Management salaries of a private company were published on a Blog
Through an analysis of the internal network, we found a possible suspect
because he accessed the Excel file containing the salaries the day before
the publication
Company asked us to analyze the employee laptop
We found evidences that confirm that the Excel file was opened [LNK,
Jumplist, ShellBags]
But no traces were found in browsing history about the publishing
activity on the blog…](https://image.slidesharecdn.com/dfrws-eu-2015-short-presentation-1-151229230834/85/Tor-Browser-Forensics-on-Windows-OS-2-320.jpg)
![ANALYSIS METHODOLOGY
• Install date
• First execution date
• Last execution date(s)
• Number of executions
• Tor Browser version
Prefetch files
• Execution path
• Last execution date
• Total number of executions
• Verify the history of execution through theVolume Shadow
Copies
NTUSERUserAssist key
• Thumbnail Cache
• Windows Search Database
Other possible artifacts
•State
•Torrc
•Compatibility.ini
•Extension.ini
•Places.sqlite [Bookmarks]
Tor Browser Files
•HTTP-memory-only-PB
•Torproject
•Tor
•Torrc
•Geoip
•Torbutton
•Tor-launcher
Pagefile.sys
(keywords search)
• Convert to a memory dump
• Analyze through
• Volatility
• Keywords search
Hiberfil.sys](https://image.slidesharecdn.com/dfrws-eu-2015-short-presentation-1-151229230834/85/Tor-Browser-Forensics-on-Windows-OS-17-320.jpg)
Tor Browser Forensics on Windows OS
- 1. TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015
- 2. REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the internal network, we found a possible suspect because he accessed the Excel file containing the salaries the day before the publication Company asked us to analyze the employee laptop We found evidences that confirm that the Excel file was opened [LNK, Jumplist, ShellBags] But no traces were found in browsing history about the publishing activity on the blog…
- 3. PREVIOUS RESEARCH An interesting research by Runa Sandvik is available at Forensic Analysis of theTor Browser Bundle on OS X, Linux, and Windows https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf We started from her work to find other interesting artifacts
- 4. TOR BROWSER – MICROSOFT WINDOWS Version 4.0.2
- 5. TOR BROWSER FOLDER The most interesting folders are located in Tor BrowserBrowserTor Browser: DataTor DataBrowserprofile.default
- 6. FOLDER DATATOR State: it contains the last execution date Torrc: it contains the path from where the Tor Browser was launched with the drive letter
- 7. FOLDER DATABROWSERPROFILE.DEFAULT The traditional Firefox folder containing the user profile without usage traces The most interesting files: Compatibility.ini Extension.ini • Browser execution path • Date Created First execution • Date Modified Last execution
- 8. OS ARTIFACTS ANALYSIS Evidence of TOR usage can be found (mainly) in: Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf Prefetch file TOR.EXE-<PATH-HASH>.pf Prefetch file FIREFOX.EXE-<PATH-HASH>.pf Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old version < 4.0.2) NTUSER.DAT registry hive User Assist key Windows Search Database Thumbnail cache
- 9. PREFETCH FILES We can recover: First execution date Last execution date In Windows 8/8.1 Last 8 executions Number of executions Execution Path Install date (from Tor Browser Install prefetch file) Tor Browser version (from Tor Browser Install prefetch file)
- 10. USER ASSIST We can recover: Last execution date Number of executions Execution path By analyzing various NTUSER.DAT from VSS we can identify the number and time of execution in a period of interest
- 11. OTHER ARTIFACTS ON THE HARD DRIVE Other files noted: Thumbnail Cache It contains the TOR Browser icon Windows Search Database Tor Browser files and folders path
- 12. BROWSING ACTIVITIES Evidence of browsing activities can be found in: Bookmarks (places.sqlite database) Pagefile.sys Memory Dump / Hiberfil.sys
- 14. PAGEFILE.SYS Information about visited websites Search for the keyword HTTP-memory-only-PB
- 15. HTTP-MEMORY-ONLY-PB A function used by Mozilla Firefox for Private Browsing (not saving cache data on the hard drive) Tor Browser uses the Private Browsing feature of Mozilla Firefox But Tor Browser typically uses an old Firefox version, based on Firefox ESR To distinguish if the browsing activity was made with Mozilla Firefox or with Tor Browser: Check if Firefox is installed If it is installed, verify the actual version
- 17. ANALYSIS METHODOLOGY • Install date • First execution date • Last execution date(s) • Number of executions • Tor Browser version Prefetch files • Execution path • Last execution date • Total number of executions • Verify the history of execution through theVolume Shadow Copies NTUSERUserAssist key • Thumbnail Cache • Windows Search Database Other possible artifacts •State •Torrc •Compatibility.ini •Extension.ini •Places.sqlite [Bookmarks] Tor Browser Files •HTTP-memory-only-PB •Torproject •Tor •Torrc •Geoip •Torbutton •Tor-launcher Pagefile.sys (keywords search) • Convert to a memory dump • Analyze through • Volatility • Keywords search Hiberfil.sys
- 18. REAL CASE We indexed the hard drive and searched for the blog URL We found some interesting URLs in the pagefile, indicating the access to the Blog Admin page (http://www. blognameblabla.com/wp-admin/)
- 19. REAL CASE All the URLs were preceded by the string HTTP-MEMORY- ONLY-PB and Firefox is not installed on the laptop We found that the TOR Browser was downloaded with Google Chrome the night in which the file was published on the blog By analyzing the OS artifacts we found that it was installed and only executed once, 3 minutes before the publish date and time on the blog
- 20. ACTIVE RESEARCHES Memory Dump with Volatility and Rekall Can we find any temporal reference for browsing activities? Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump? Tor Browser on Mac OS X Tor Browser on Linux Orbot on Android
- 21. Q&A? Mattia Epifani Digital Forensics Analyst CEO @ REALITY NET – System Solutions GCFA, GMOB, GNFA, GREM CEH, CHFI, CCE, CIFI, ECCE,AME,ACE, MPSC Mail [email protected] Twitter @mattiaep Linkedin http://www.linkedin.com/in/mattiaepifani Web http://www.realitynet.it Blog http://blog.digital-forensics.it http://mattiaep.blogspot.it