SlideShare a Scribd company logo
1 of 21
TOR BROWSER FORENSICS ON WINDOWS OS
MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA
DFRWS 2015
DUBLIN, 24 MARCH 2015
REAL CASE
 Management salaries of a private company were published on a Blog
 Through an analysis of the internal network, we found a possible suspect
because he accessed the Excel file containing the salaries the day before
the publication
 Company asked us to analyze the employee laptop
 We found evidences that confirm that the Excel file was opened [LNK,
Jumplist, ShellBags]
 But no traces were found in browsing history about the publishing
activity on the blog…
PREVIOUS RESEARCH
 An interesting research by Runa Sandvik is available at
Forensic Analysis of theTor Browser Bundle on OS X, Linux,
and Windows
https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
 We started from her work to find other interesting artifacts
TOR BROWSER – MICROSOFT WINDOWS
Version
4.0.2
TOR BROWSER FOLDER
 The most interesting folders are located in Tor BrowserBrowserTor Browser:
DataTor DataBrowserprofile.default
FOLDER DATATOR
 State: it contains the last execution date
 Torrc: it contains the path from where the Tor Browser was launched with the
drive letter
FOLDER DATABROWSERPROFILE.DEFAULT
 The traditional Firefox folder containing the user profile without usage traces
 The most interesting files:
 Compatibility.ini
 Extension.ini
• Browser execution path
• Date Created  First execution
• Date Modified  Last execution
OS ARTIFACTS ANALYSIS
 Evidence of TOR usage can be found (mainly) in:
 Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf
 Prefetch file TOR.EXE-<PATH-HASH>.pf
 Prefetch file FIREFOX.EXE-<PATH-HASH>.pf
 Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old version < 4.0.2)
 NTUSER.DAT registry hive  User Assist key
 Windows Search Database
 Thumbnail cache
PREFETCH FILES
 We can recover:
 First execution date
 Last execution date
 In Windows 8/8.1  Last 8 executions
 Number of executions
 Execution Path
 Install date (from Tor Browser Install prefetch file)
 Tor Browser version (from Tor Browser Install prefetch file)
USER ASSIST
 We can recover:
 Last execution date
 Number of executions
 Execution path
 By analyzing various NTUSER.DAT
from VSS we can identify the
number and time of execution in
a period of interest
OTHER ARTIFACTS ON THE HARD DRIVE
Other files noted:
Thumbnail Cache
It contains the TOR Browser icon
Windows Search Database
Tor Browser files and folders path
BROWSING ACTIVITIES
Evidence of browsing activities can be found in:
 Bookmarks (places.sqlite database)
 Pagefile.sys
 Memory Dump / Hiberfil.sys
BOOKMARKS
User saved bookmarks:
PAGEFILE.SYS
Information about visited websites
Search for the keyword
HTTP-memory-only-PB
HTTP-MEMORY-ONLY-PB
 A function used by Mozilla Firefox for Private Browsing (not saving cache
data on the hard drive)
 Tor Browser uses the Private Browsing feature of Mozilla Firefox
 But Tor Browser typically uses an old Firefox version, based on Firefox
ESR
 To distinguish if the browsing activity was made with Mozilla Firefox or
with Tor Browser:
 Check if Firefox is installed
 If it is installed, verify the actual version
PAGEFILE.SYS - EXAMPLE
ANALYSIS METHODOLOGY
• Install date
• First execution date
• Last execution date(s)
• Number of executions
• Tor Browser version
Prefetch files
• Execution path
• Last execution date
• Total number of executions
• Verify the history of execution through theVolume Shadow
Copies
NTUSERUserAssist key
• Thumbnail Cache
• Windows Search Database
Other possible artifacts
•State
•Torrc
•Compatibility.ini
•Extension.ini
•Places.sqlite [Bookmarks]
Tor Browser Files
•HTTP-memory-only-PB
•Torproject
•Tor
•Torrc
•Geoip
•Torbutton
•Tor-launcher
Pagefile.sys
(keywords search)
• Convert to a memory dump
• Analyze through
• Volatility
• Keywords search
Hiberfil.sys
REAL CASE
 We indexed the hard drive and searched for the blog URL
 We found some interesting URLs in the pagefile, indicating the
access to the Blog Admin page
(http://www. blognameblabla.com/wp-admin/)
REAL CASE
 All the URLs were preceded by the string HTTP-MEMORY-
ONLY-PB and Firefox is not installed on the laptop
 We found that the TOR Browser was downloaded with Google
Chrome the night in which the file was published on the blog
 By analyzing the OS artifacts we found that it was installed and
only executed once, 3 minutes before the publish date and
time on the blog
ACTIVE RESEARCHES
 Memory Dump with Volatility and Rekall
 Can we find any temporal reference for browsing
activities?
 Can we correlate Tor Browser cache entries to carved
files from pagefile/hiberfil/memory dump?
 Tor Browser on Mac OS X
 Tor Browser on Linux
 Orbot on Android
Q&A?
Mattia Epifani
 Digital Forensics Analyst
 CEO @ REALITY NET – System Solutions
 GCFA, GMOB, GNFA, GREM
 CEH, CHFI, CCE, CIFI, ECCE,AME,ACE, MPSC
Mail mattia.epifani@realitynet.it
Twitter @mattiaep
Linkedin http://www.linkedin.com/in/mattiaepifani
Web http://www.realitynet.it
Blog http://blog.digital-forensics.it
http://mattiaep.blogspot.it

More Related Content

What's hot

What's hot (20)

Wi-Fi Security Presentation.pptx
Wi-Fi Security Presentation.pptxWi-Fi Security Presentation.pptx
Wi-Fi Security Presentation.pptx
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics
 
Tor Presentation
Tor PresentationTor Presentation
Tor Presentation
 
Gmail Security
Gmail SecurityGmail Security
Gmail Security
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems  and Intrusion Prevention Systems Intrusion Detection Systems  and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
OSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gatheringOSINT: Open Source Intelligence gathering
OSINT: Open Source Intelligence gathering
 
TOR NETWORK
TOR NETWORKTOR NETWORK
TOR NETWORK
 
What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Firewall
FirewallFirewall
Firewall
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
 
Network security
Network securityNetwork security
Network security
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Password Attack
Password Attack Password Attack
Password Attack
 
Network Security
Network SecurityNetwork Security
Network Security
 

Similar to Tor Browser Forensics on Windows OS

deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...Deft Association
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? panagenda
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsFrank Victory
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To UnixCTIN
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libinlibinp
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxalanfhall8953
 

Similar to Tor Browser Forensics on Windows OS (20)

deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifacts
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To Unix
 
Linux
LinuxLinux
Linux
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libin
 
14(1) 005
14(1) 00514(1) 005
14(1) 005
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docx
 

More from Reality Net System Solutions (13)

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)
 
Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS Forensics
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Tor Browser Forensics on Windows OS

  • 1. TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015
  • 2. REAL CASE  Management salaries of a private company were published on a Blog  Through an analysis of the internal network, we found a possible suspect because he accessed the Excel file containing the salaries the day before the publication  Company asked us to analyze the employee laptop  We found evidences that confirm that the Excel file was opened [LNK, Jumplist, ShellBags]  But no traces were found in browsing history about the publishing activity on the blog…
  • 3. PREVIOUS RESEARCH  An interesting research by Runa Sandvik is available at Forensic Analysis of theTor Browser Bundle on OS X, Linux, and Windows https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf  We started from her work to find other interesting artifacts
  • 4. TOR BROWSER – MICROSOFT WINDOWS Version 4.0.2
  • 5. TOR BROWSER FOLDER  The most interesting folders are located in Tor BrowserBrowserTor Browser: DataTor DataBrowserprofile.default
  • 6. FOLDER DATATOR  State: it contains the last execution date  Torrc: it contains the path from where the Tor Browser was launched with the drive letter
  • 7. FOLDER DATABROWSERPROFILE.DEFAULT  The traditional Firefox folder containing the user profile without usage traces  The most interesting files:  Compatibility.ini  Extension.ini • Browser execution path • Date Created  First execution • Date Modified  Last execution
  • 8. OS ARTIFACTS ANALYSIS  Evidence of TOR usage can be found (mainly) in:  Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf  Prefetch file TOR.EXE-<PATH-HASH>.pf  Prefetch file FIREFOX.EXE-<PATH-HASH>.pf  Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old version < 4.0.2)  NTUSER.DAT registry hive  User Assist key  Windows Search Database  Thumbnail cache
  • 9. PREFETCH FILES  We can recover:  First execution date  Last execution date  In Windows 8/8.1  Last 8 executions  Number of executions  Execution Path  Install date (from Tor Browser Install prefetch file)  Tor Browser version (from Tor Browser Install prefetch file)
  • 10. USER ASSIST  We can recover:  Last execution date  Number of executions  Execution path  By analyzing various NTUSER.DAT from VSS we can identify the number and time of execution in a period of interest
  • 11. OTHER ARTIFACTS ON THE HARD DRIVE Other files noted: Thumbnail Cache It contains the TOR Browser icon Windows Search Database Tor Browser files and folders path
  • 12. BROWSING ACTIVITIES Evidence of browsing activities can be found in:  Bookmarks (places.sqlite database)  Pagefile.sys  Memory Dump / Hiberfil.sys
  • 14. PAGEFILE.SYS Information about visited websites Search for the keyword HTTP-memory-only-PB
  • 15. HTTP-MEMORY-ONLY-PB  A function used by Mozilla Firefox for Private Browsing (not saving cache data on the hard drive)  Tor Browser uses the Private Browsing feature of Mozilla Firefox  But Tor Browser typically uses an old Firefox version, based on Firefox ESR  To distinguish if the browsing activity was made with Mozilla Firefox or with Tor Browser:  Check if Firefox is installed  If it is installed, verify the actual version
  • 17. ANALYSIS METHODOLOGY • Install date • First execution date • Last execution date(s) • Number of executions • Tor Browser version Prefetch files • Execution path • Last execution date • Total number of executions • Verify the history of execution through theVolume Shadow Copies NTUSERUserAssist key • Thumbnail Cache • Windows Search Database Other possible artifacts •State •Torrc •Compatibility.ini •Extension.ini •Places.sqlite [Bookmarks] Tor Browser Files •HTTP-memory-only-PB •Torproject •Tor •Torrc •Geoip •Torbutton •Tor-launcher Pagefile.sys (keywords search) • Convert to a memory dump • Analyze through • Volatility • Keywords search Hiberfil.sys
  • 18. REAL CASE  We indexed the hard drive and searched for the blog URL  We found some interesting URLs in the pagefile, indicating the access to the Blog Admin page (http://www. blognameblabla.com/wp-admin/)
  • 19. REAL CASE  All the URLs were preceded by the string HTTP-MEMORY- ONLY-PB and Firefox is not installed on the laptop  We found that the TOR Browser was downloaded with Google Chrome the night in which the file was published on the blog  By analyzing the OS artifacts we found that it was installed and only executed once, 3 minutes before the publish date and time on the blog
  • 20. ACTIVE RESEARCHES  Memory Dump with Volatility and Rekall  Can we find any temporal reference for browsing activities?  Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump?  Tor Browser on Mac OS X  Tor Browser on Linux  Orbot on Android
  • 21. Q&A? Mattia Epifani  Digital Forensics Analyst  CEO @ REALITY NET – System Solutions  GCFA, GMOB, GNFA, GREM  CEH, CHFI, CCE, CIFI, ECCE,AME,ACE, MPSC Mail mattia.epifani@realitynet.it Twitter @mattiaep Linkedin http://www.linkedin.com/in/mattiaepifani Web http://www.realitynet.it Blog http://blog.digital-forensics.it http://mattiaep.blogspot.it