
Tor forensics: Proposed workflow for client memory artefacts

Published: 01 July 2021

Abstract

The Internet is now part of everyday life and plays a significant role in communication, online shopping, online banking, and more. One of the current issues with using the Internet, however, is a lack of security: it is still possible for an eavesdropper to intercept transferred data. As a result, the number of incidents has increased, posing a real threat to users, while people have become more conscious of how applications treat their personal data. Some users have therefore shifted to The Onion Router (Tor), which claims to preserve its users' anonymity and privacy. While using Tor, or investigating its use, the question arises of how the client's memory residue leaks anonymity during a Tor session. This paper addresses that question by investigating how the client's memory residue leaks anonymity before, during, and after the Tor session. While there has been significant research on Tor, there is a gap in the literature concerning Tor forensics. Digital forensics is one of the leading approaches for identifying artefacts in a digital investigation, so this paper addresses the question experimentally, applying memory forensics techniques to Tor clients to find artefacts related to Tor usage. An analysis of the findings can then be set against Tor's claims about user privacy and anonymity, since the Tor Browser keeps a plethora of details about client activity that can be recovered during, or even after closing, the client session. The paper provides a workflow and a Python script for analysing the Tor client's memory residue, which serve as a starting point for broader studies in this area. It also benefits investigators, aiming to make the process easier, and contributes to society by making users aware of how Tor treats their data.
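As an added example of the kind of memory-residue analysis the abstract describes (this is not the paper's own script), the following Python scanner carves v3 .onion hostnames out of a raw memory image in both ASCII and UTF-16LE, validates each candidate against the checksum in Tor's v3 onion address format so that random base32-looking runs are not reported, and records the offsets of a few Tor marker strings. The marker list, the sample image and the key bytes used to build the sample address are assumptions of the example.

```python
"""Carve Tor client artefacts from a raw memory image.

Added example, not the paper's script. Windows processes keep many
strings as UTF-16LE, so candidates are searched in both encodings.
"""
import base64
import hashlib
import re

# Candidate v3 onion: 56 base32 characters followed by ".onion".
ASCII_ONION_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56})\.onion", re.IGNORECASE)
# Same shape in UTF-16LE: each code unit is one byte followed by a NUL.
UTF16_ONION_RE = re.compile(
    rb"((?:[a-z2-7]\x00){56})\.\x00o\x00n\x00i\x00o\x00n\x00", re.IGNORECASE)

# Assumed marker strings for this example; not a list taken from the paper.
MARKERS = ["Tor Browser", "torrc", "Onion-Location", "127.0.0.1:9150"]


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """Checksum from Tor's v3 onion address format:
    SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(hostname: str) -> bool:
    """True only if the label decodes to pubkey||checksum||0x03 with a good checksum."""
    label = hostname[:-6] if hostname.endswith(".onion") else hostname
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    return onion_v3_checksum(raw[:32]) == raw[32:34]


def carve_onions(image: bytes):
    """Return (accepted, rejected) lists of (offset, hostname, encoding)."""
    accepted, rejected = [], []
    for regex, enc in ((ASCII_ONION_RE, "ascii"), (UTF16_ONION_RE, "utf-16-le")):
        for m in regex.finditer(image):
            host = m.group(1).decode(enc).lower() + ".onion"
            bucket = accepted if is_valid_onion_v3(host) else rejected
            bucket.append((m.start(), host, enc))
    return sorted(accepted), sorted(rejected)


def find_markers(image: bytes):
    """Return (offset, marker, encoding) for every ASCII or UTF-16LE marker hit."""
    hits = []
    for marker in MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((pos, marker, enc))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


def scan_memory(image: bytes) -> dict:
    """Run both carvers over the image and collect the results."""
    accepted, rejected = carve_onions(image)
    return {"onions": accepted, "rejected": rejected, "markers": find_markers(image)}


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump; the key bytes are not a real key."""
    good = build_onion_v3(bytes(range(32)))
    bad = "a" * 56 + ".onion"  # base32-shaped but fails the checksum
    return b"".join([
        b"\x00" * 16,
        b"Tor Browser\x00",
        b"http://" + good.encode("ascii") + b"/index.html\x00",
        b"\xff" * 8,
        bad.encode("utf-16-le"), b"\x00\x00",
        good.encode("utf-16-le"), b"\x00\x00",
        b"torrc\x00",
    ])


if __name__ == "__main__":
    result = scan_memory(build_sample_image())
    for offset, host, enc in result["onions"]:
        print(f"0x{offset:08x} {enc:9} onion   {host}")
    for offset, host, enc in result["rejected"]:
        print(f"0x{offset:08x} {enc:9} reject  {host}")
    for offset, marker, enc in result["markers"]:
        print(f"0x{offset:08x} {enc:9} marker  {marker}")
```

Run against a real image, the script is used by reading the dump with `open(path, "rb").read()` and passing it to `scan_memory`. The checksum check is the part that matters in practice: a 56-character base32 run is common in process memory (encoded keys, random tokens), so a bare regex over-reports, whereas a candidate that passes the checksum and carries the 0x03 version byte is almost certainly a real onion hostname the client handled.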


Published In

Computers and Security, Volume 106, Issue C, Jul 2021, 499 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom


Author Tags

1. Tor
2. Forensics
3. Memory analysis
4. Anonymity
5. Windows 10

Qualifiers

• Research-article
