This document summarizes research into analyzing artifacts from the Tor browser on Windows systems. It describes how the Tor browser leaves various artifacts that can be analyzed, including prefetch files, the UserAssist registry key, thumbnail cache, Windows search database, bookmarks, pagefile.sys, and memory dumps. These artifacts can reveal information like installation date, execution dates and paths, and evidence of websites visited. The document provides an example of how analysis of these artifacts was used in a case to identify the suspect who accessed a private company's salaries before they were published online.
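As an illustration of how one of these artifacts yields execution paths and dates, the following added example (not code from the summarized research) decodes UserAssist `Count` values. It assumes the 72-byte Windows 7 and later record layout (run count at offset 4, last-run FILETIME at offset 60) and ROT13-encoded value names; the sample records, user name and paths are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist(value_name, data):
    """Decode one UserAssist Count value (assumed 72-byte Windows 7+ layout)."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist record size: {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot_13"),  # value names are ROT13
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": filetime_to_utc(last_run),
    }

def tor_entries(values):
    """Return decoded records whose path points into a Tor Browser folder."""
    decoded = [decode_userassist(n, d) for n, d in values]
    return [r for r in decoded if "\\tor browser\\" in r["path"].lower()]

def build_sample():
    """Constructed (name, data) pairs standing in for exported registry values."""
    def record(path, runs, when):
        delta = when - FILETIME_EPOCH
        ft = (delta.days * 86400 + delta.seconds) * 10**7
        data = struct.pack("<IIII", 0, runs, runs, 60000) + bytes(44)
        data += struct.pack("<Q", ft) + bytes(4)
        return codecs.encode(path, "rot_13"), data
    return [
        record(r"C:\Users\analyst\Desktop\Tor Browser\Browser\firefox.exe", 3,
               datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)),
        record(r"C:\Windows\System32\notepad.exe", 9,
               datetime(2021, 3, 1, 8, 30, tzinfo=timezone.utc)),
    ]

if __name__ == "__main__":
    for rec in tor_entries(build_sample()):
        print(rec["path"], rec["run_count"], rec["last_run"].isoformat())
```

Records of any other size are rejected rather than guessed at, since older Windows versions use a different layout.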