SlideShare a Scribd company logo

Tor Browser Forensics on Windows OS

Reality Net System Solutions
Reality Net System Solutions

DFRWS 2015 EU (Dublin) Presentation by Mattia Epifani

Technology
1 of 21
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015
REAL CASE  Management salaries of a private company were published on a Blog  Through an analysis of the internal network, we found a possible suspect because he accessed the Excel file containing the salaries the day before the publication  Company asked us to analyze the employee laptop  We found evidences that confirm that the Excel file was opened [LNK, Jumplist, ShellBags]  But no traces were found in browsing history about the publishing activity on the blog…
PREVIOUS RESEARCH  An interesting research by Runa Sandvik is available at Forensic Analysis of theTor Browser Bundle on OS X, Linux, and Windows https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf  We started from her work to find other interesting artifacts
TOR BROWSER – MICROSOFT WINDOWS Version 4.0.2
TOR BROWSER FOLDER  The most interesting folders are located in Tor BrowserBrowserTor Browser: DataTor DataBrowserprofile.default
FOLDER DATATOR  State: it contains the last execution date  Torrc: it contains the path from where the Tor Browser was launched with the drive letter
FOLDER DATABROWSERPROFILE.DEFAULT  The traditional Firefox folder containing the user profile without usage traces  The most interesting files:  Compatibility.ini  Extension.ini • Browser execution path • Date Created  First execution • Date Modified  Last execution
OS ARTIFACTS ANALYSIS  Evidence of TOR usage can be found (mainly) in:  Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf  Prefetch file TOR.EXE-<PATH-HASH>.pf  Prefetch file FIREFOX.EXE-<PATH-HASH>.pf  Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old version < 4.0.2)  NTUSER.DAT registry hive  User Assist key  Windows Search Database  Thumbnail cache
PREFETCH FILES  We can recover:  First execution date  Last execution date  In Windows 8/8.1  Last 8 executions  Number of executions  Execution Path  Install date (from Tor Browser Install prefetch file)  Tor Browser version (from Tor Browser Install prefetch file)
USER ASSIST  We can recover:  Last execution date  Number of executions  Execution path  By analyzing various NTUSER.DAT from VSS we can identify the number and time of execution in a period of interest
OTHER ARTIFACTS ON THE HARD DRIVE Other files noted: Thumbnail Cache It contains the TOR Browser icon Windows Search Database Tor Browser files and folders path
BROWSING ACTIVITIES Evidence of browsing activities can be found in:  Bookmarks (places.sqlite database)  Pagefile.sys  Memory Dump / Hiberfil.sys
BOOKMARKS User saved bookmarks:
PAGEFILE.SYS Information about visited websites Search for the keyword HTTP-memory-only-PB
HTTP-MEMORY-ONLY-PB  A function used by Mozilla Firefox for Private Browsing (not saving cache data on the hard drive)  Tor Browser uses the Private Browsing feature of Mozilla Firefox  But Tor Browser typically uses an old Firefox version, based on Firefox ESR  To distinguish if the browsing activity was made with Mozilla Firefox or with Tor Browser:  Check if Firefox is installed  If it is installed, verify the actual version
PAGEFILE.SYS - EXAMPLE
ANALYSIS METHODOLOGY • Install date • First execution date • Last execution date(s) • Number of executions • Tor Browser version Prefetch files • Execution path • Last execution date • Total number of executions • Verify the history of execution through theVolume Shadow Copies NTUSERUserAssist key • Thumbnail Cache • Windows Search Database Other possible artifacts •State •Torrc •Compatibility.ini •Extension.ini •Places.sqlite [Bookmarks] Tor Browser Files •HTTP-memory-only-PB •Torproject •Tor •Torrc •Geoip •Torbutton •Tor-launcher Pagefile.sys (keywords search) • Convert to a memory dump • Analyze through • Volatility • Keywords search Hiberfil.sys
REAL CASE  We indexed the hard drive and searched for the blog URL  We found some interesting URLs in the pagefile, indicating the access to the Blog Admin page (http://www. blognameblabla.com/wp-admin/)
REAL CASE  All the URLs were preceded by the string HTTP-MEMORY- ONLY-PB and Firefox is not installed on the laptop  We found that the TOR Browser was downloaded with Google Chrome the night in which the file was published on the blog  By analyzing the OS artifacts we found that it was installed and only executed once, 3 minutes before the publish date and time on the blog
ACTIVE RESEARCHES  Memory Dump with Volatility and Rekall  Can we find any temporal reference for browsing activities?  Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump?  Tor Browser on Mac OS X  Tor Browser on Linux  Orbot on Android
Q&A? Mattia Epifani  Digital Forensics Analyst  CEO @ REALITY NET – System Solutions  GCFA, GMOB, GNFA, GREM  CEH, CHFI, CCE, CIFI, ECCE,AME,ACE, MPSC Mail mattia.epifani@realitynet.it Twitter @mattiaep Linkedin http://www.linkedin.com/in/mattiaepifani Web http://www.realitynet.it Blog http://blog.digital-forensics.it http://mattiaep.blogspot.it

Recommended

Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics Deepak Kumar (D3)
 
Computer Forensic
Computer ForensicComputer Forensic
Computer ForensicTawhidur Rahman
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInformation Technology
 
Role of Forensic Triage In Cyber Security Trends 2021
Role of Forensic Triage In Cyber Security Trends 2021Role of Forensic Triage In Cyber Security Trends 2021
Role of Forensic Triage In Cyber Security Trends 2021Amrit Chhetri
 
Investigating Using the Dark Web
Investigating Using the Dark WebInvestigating Using the Dark Web
Investigating Using the Dark WebCase IQ
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 

Recommended

Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics Deepak Kumar (D3)
 
Computer Forensic
Computer ForensicComputer Forensic
Computer ForensicTawhidur Rahman
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInformation Technology
 
Role of Forensic Triage In Cyber Security Trends 2021
Role of Forensic Triage In Cyber Security Trends 2021Role of Forensic Triage In Cyber Security Trends 2021
Role of Forensic Triage In Cyber Security Trends 2021Amrit Chhetri
 
Investigating Using the Dark Web
Investigating Using the Dark WebInvestigating Using the Dark Web
Investigating Using the Dark WebCase IQ
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxChandanChandu928137
 
Web Browser Artifacts
Web Browser ArtifactsWeb Browser Artifacts
Web Browser Artifactsprimeteacher32
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensiknewbie2019
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanningVi Tính Hoàng Nam
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attackvikram vashisth
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search EngineInMobi Technology
 
Dark Web
Dark WebDark Web
Dark WebKunalDas889957
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Umesh Mahawar
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensicsPrince Boonlia
 
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...Deft Association
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 

More Related Content

What's hot

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensiknewbie2019
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logsanilinvns
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search EngineInMobi Technology
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Umesh Mahawar
 

What's hot (20)

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Web Browser Artifacts
Web Browser ArtifactsWeb Browser Artifacts
Web Browser Artifacts
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 
Dark Web
Dark WebDark Web
Dark Web
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
 

Similar to Tor Browser Forensics on Windows OS

deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...Deft Association
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? panagenda
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsFrank Victory
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To UnixCTIN
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libinlibinp
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxalanfhall8953
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 

Similar to Tor Browser Forensics on Windows OS (20)

deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Win...
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifacts
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To Unix
 
Linux
LinuxLinux
Linux
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libin
 
14(1) 005
14(1) 00514(1) 005
14(1) 005
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docx
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 

More from Reality Net System Solutions

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)Reality Net System Solutions
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesReality Net System Solutions
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 

More from Reality Net System Solutions (13)

BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)BYOM Build Your Own Methodology (in Mobile Forensics)
BYOM Build Your Own Methodology (in Mobile Forensics)
 
Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400Forensic Analysis of the Raspberry PI 400
Forensic Analysis of the Raspberry PI 400
 
iOS Forensics a costo zero
iOS Forensics a costo zeroiOS Forensics a costo zero
iOS Forensics a costo zero
 
The state of the art in iOS Forensics
The state of the art in iOS ForensicsThe state of the art in iOS Forensics
The state of the art in iOS Forensics
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
 
Forensicating the Apple TV
Forensicating the Apple TVForensicating the Apple TV
Forensicating the Apple TV
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Acquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOSAcquisizione forense di dispositivi iOS
Acquisizione forense di dispositivi iOS
 
Life on Clouds: a forensics overview
Life on Clouds: a forensics overviewLife on Clouds: a forensics overview
Life on Clouds: a forensics overview
 
Study and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android DevicesStudy and analysis of Orweb anonymizer on Android Devices
Study and analysis of Orweb anonymizer on Android Devices
 
Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
ReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunitiesReVaulting! Decryption and opportunities
ReVaulting! Decryption and opportunities
 
Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)Dammi il tuo iPhone e ti dirò chi sei (Forse)
Dammi il tuo iPhone e ti dirò chi sei (Forse)
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Tor Browser Forensics on Windows OS

  • 1. TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015
  • 2. REAL CASE  Management salaries of a private company were published on a Blog  Through an analysis of the internal network, we found a possible suspect because he accessed the Excel file containing the salaries the day before the publication  Company asked us to analyze the employee laptop  We found evidences that confirm that the Excel file was opened [LNK, Jumplist, ShellBags]  But no traces were found in browsing history about the publishing activity on the blog…
  • 3. PREVIOUS RESEARCH  An interesting research by Runa Sandvik is available at Forensic Analysis of theTor Browser Bundle on OS X, Linux, and Windows https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf  We started from her work to find other interesting artifacts
  • 4. TOR BROWSER – MICROSOFT WINDOWS Version 4.0.2
  • 5. TOR BROWSER FOLDER  The most interesting folders are located in Tor BrowserBrowserTor Browser: DataTor DataBrowserprofile.default
  • 6. FOLDER DATATOR  State: it contains the last execution date  Torrc: it contains the path from where the Tor Browser was launched with the drive letter
  • 7. FOLDER DATABROWSERPROFILE.DEFAULT  The traditional Firefox folder containing the user profile without usage traces  The most interesting files:  Compatibility.ini  Extension.ini • Browser execution path • Date Created  First execution • Date Modified  Last execution
  • 8. OS ARTIFACTS ANALYSIS  Evidence of TOR usage can be found (mainly) in:  Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf  Prefetch file TOR.EXE-<PATH-HASH>.pf  Prefetch file FIREFOX.EXE-<PATH-HASH>.pf  Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old version < 4.0.2)  NTUSER.DAT registry hive  User Assist key  Windows Search Database  Thumbnail cache
  • 9. PREFETCH FILES  We can recover:  First execution date  Last execution date  In Windows 8/8.1  Last 8 executions  Number of executions  Execution Path  Install date (from Tor Browser Install prefetch file)  Tor Browser version (from Tor Browser Install prefetch file)
  • 10. USER ASSIST  We can recover:  Last execution date  Number of executions  Execution path  By analyzing various NTUSER.DAT from VSS we can identify the number and time of execution in a period of interest
  • 11. OTHER ARTIFACTS ON THE HARD DRIVE Other files noted: Thumbnail Cache It contains the TOR Browser icon Windows Search Database Tor Browser files and folders path
  • 12. BROWSING ACTIVITIES Evidence of browsing activities can be found in:  Bookmarks (places.sqlite database)  Pagefile.sys  Memory Dump / Hiberfil.sys
  • 14. PAGEFILE.SYS Information about visited websites Search for the keyword HTTP-memory-only-PB
  • 15. HTTP-MEMORY-ONLY-PB  A function used by Mozilla Firefox for Private Browsing (not saving cache data on the hard drive)  Tor Browser uses the Private Browsing feature of Mozilla Firefox  But Tor Browser typically uses an old Firefox version, based on Firefox ESR  To distinguish if the browsing activity was made with Mozilla Firefox or with Tor Browser:  Check if Firefox is installed  If it is installed, verify the actual version
  • 17. ANALYSIS METHODOLOGY • Install date • First execution date • Last execution date(s) • Number of executions • Tor Browser version Prefetch files • Execution path • Last execution date • Total number of executions • Verify the history of execution through theVolume Shadow Copies NTUSERUserAssist key • Thumbnail Cache • Windows Search Database Other possible artifacts •State •Torrc •Compatibility.ini •Extension.ini •Places.sqlite [Bookmarks] Tor Browser Files •HTTP-memory-only-PB •Torproject •Tor •Torrc •Geoip •Torbutton •Tor-launcher Pagefile.sys (keywords search) • Convert to a memory dump • Analyze through • Volatility • Keywords search Hiberfil.sys
  • 18. REAL CASE  We indexed the hard drive and searched for the blog URL  We found some interesting URLs in the pagefile, indicating the access to the Blog Admin page (http://www. blognameblabla.com/wp-admin/)
  • 19. REAL CASE  All the URLs were preceded by the string HTTP-MEMORY- ONLY-PB and Firefox is not installed on the laptop  We found that the TOR Browser was downloaded with Google Chrome the night in which the file was published on the blog  By analyzing the OS artifacts we found that it was installed and only executed once, 3 minutes before the publish date and time on the blog
  • 20. ACTIVE RESEARCHES  Memory Dump with Volatility and Rekall  Can we find any temporal reference for browsing activities?  Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump?  Tor Browser on Mac OS X  Tor Browser on Linux  Orbot on Android
  • 21. Q&A? Mattia Epifani  Digital Forensics Analyst  CEO @ REALITY NET – System Solutions  GCFA, GMOB, GNFA, GREM  CEH, CHFI, CCE, CIFI, ECCE,AME,ACE, MPSC Mail mattia.epifani@realitynet.it Twitter @mattiaep Linkedin http://www.linkedin.com/in/mattiaepifani Web http://www.realitynet.it Blog http://blog.digital-forensics.it http://mattiaep.blogspot.it