Forensic analysis of Tor in Windows environment: A case study

Abstract

The Tor browser is a popular tool that is used by many users around the world. The browser is common among cyber criminals who use the tool to hide their activities. Until now, little research has been conducted by forensics researchers on the Tor browser, its application, and the data that can be obtained from the artefacts generated from its execution. In this work, we present a forensics analysis of the footprint left by the Tor application in the Windows environment. Our analysis focuses on three critical areas that are examined: network, memory, and hard disk. We provide a methodology that allows a structured forensic investigation. In this work, we examine multiple tools’ abilities in obtaining artefacts. The artefacts were identified not only when the Tor browser was running, but also when it was closed and uninstalled. We provide a methodology to analyse Tor applications with a focused case study of the Tor browser, allowing investigators to analyse Tor browsers and reproduce our results.