TOR Browser Forensics – Introduction to Darknet
The Deep Web, or Darknet, consists of private overlay networks that are invisible or inaccessible to ordinary browsers and search engines; reaching them requires specially configured software or settings. Their main purpose is to resist network analysis and network surveillance and to provide anonymity and privacy on the network.
TOR (The Onion Router) is free software and a volunteer-operated network of more than six thousand relays that provides access to this Deep Web. TOR selects relays at random to build a virtual circuit. Similar services include I2P, HORNET and Freenet.
Working of TOR in Brief – TOR Browser Forensics
The TOR anonymous browsing network consists of thousands of relays. Each time a connection is established, three relays are selected at random from the directory server, which holds the list of TOR relays. These three relays, called the entry guard, the middle relay and the exit relay, then carry the TOR traffic. Encryption is applied in layers on the client at the application layer, and each layer includes the address of the next hop. During transmission each relay decrypts only the outermost layer, which reveals nothing more than the address of the next relay the data is to be forwarded to. The exit node decrypts the innermost layer and sends the data to its final destination. This defeats the modus operandi of network surveillance programs that depend on seeing both the source and the destination address.
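The layered encryption described above, as an added simulation that is not Tor's own code. The relay names, the JSON cell layout and the toy cipher (XOR with a SHAKE-256 keystream, which is not what Tor uses; Tor runs AES-CTR with per-hop keys agreed through a handshake) are assumptions made for illustration. The point it demonstrates is the property the paragraph states: each relay can strip exactly one layer and learns only the next hop, and only the exit sees the destination.

```python
import hashlib
import json
import os


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Illustrative symmetric cipher (assumption, not Tor's real cipher):
    XOR with a SHAKE-256 keystream derived from the hop key. Encrypting and
    decrypting are the same operation, so each relay uses it to peel its layer."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def build_onion(keys, circuit, destination, payload):
    """Client side: wrap the payload so that only the exit relay can read the
    destination, and each earlier relay can read only its own next hop."""
    exit_relay = circuit[-1]
    innermost = json.dumps({"next": destination, "data": payload}).encode()
    cell = toy_cipher(keys[exit_relay], innermost)
    # Add the remaining layers from the exit backwards towards the guard.
    for hop, next_hop in reversed(list(zip(circuit[:-1], circuit[1:]))):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[hop], layer)
    return cell


def relay_peel(keys, relay, cell):
    """Relay side: strip exactly one layer with this relay's key. Returns the
    next hop and the still-opaque inner cell (the cleartext payload at the exit)."""
    layer = json.loads(toy_cipher(keys[relay], cell))
    return layer["next"], layer["data"]


def trace_circuit(keys, circuit, destination, payload):
    """Walk one cell through the circuit and record what each relay learns."""
    cell = build_onion(keys, circuit, destination, payload)
    learned = []
    for relay in circuit:
        next_hop, data = relay_peel(keys, relay, cell)
        learned.append((relay, next_hop))
        if relay != circuit[-1]:
            cell = bytes.fromhex(data)  # inner layers stay unreadable here
    return learned, data


# Constructed circuit with one random key per hop (Tor negotiates these).
CIRCUIT = ["guard", "middle", "exit"]
KEYS = {relay: os.urandom(32) for relay in CIRCUIT}

if __name__ == "__main__":
    learned, delivered = trace_circuit(KEYS, CIRCUIT, "www.example.org", "GET / HTTP/1.1")
    for relay, next_hop in learned:
        print(f"{relay:<6} learns next hop: {next_hop}")
    print("exit delivers:", delivered)
```

Running it prints three lines, one per relay: the guard learns only "middle", the middle only "exit", and the exit learns the destination and the payload. The guard's decrypted layer carries the inner cell as hex, so nothing about the destination is visible at the entry point, which is exactly why an observer at the client side cannot pair the source with the destination.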
TOR Artifacts Forensic Analysis
We can reach the TOR deep web/darknet network by installing the TOR Browser, which is a modified version of Firefox built to use the TOR service. A few experiments were conducted to analyse the artefacts created by TOR.
TEST CASES PERFORMED:
- Opened the website http://www.dropbox.com and closed the tab
- Signed into Gmail using a valid username and password and closed the tab
- Opened an image from a website and closed the tab
After all of these, an application-specific memory dump of the TOR browser process was exported.
- Analysis of the registry and state file: the state file (located at \Tor Browser\Browser\TorBrowser\Data\Tor) contains the date of the last TOR browser execution, and the same information was found in the registry.
- Opened places.sqlite (located at \Tor Browser\Browser\TorBrowser\Data\Browser\profile.default) using SQLite Database Recovery to view the data it contains, but no artefacts such as visited websites or keywords were found.
- Opened the memory dump in a hex editor and found information such as:
a. Visited website
b. Gmail sign in username
c. Gmail mail messages
d. Images opened
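The hex-editor search over the memory dump, as an added example that is not part of the original write-up. It does what an examiner does by hand with `strings` and a search box: pulls printable runs out of the dump in both ASCII and UTF-16LE (Windows processes hold a lot of text in the latter), then applies URL and e-mail patterns to the decoded runs and records the byte offset of each hit. The dump bytes are constructed inline, and the e-mail address in them is a placeholder, not a value from the page.

```python
import re
from typing import Iterator, NamedTuple


class StringHit(NamedTuple):
    offset: int     # byte offset of the run inside the dump
    encoding: str   # "ascii" or "utf-16le"
    text: str


# Runs of at least six printable characters, in the two encodings a Windows
# browser process commonly holds in memory.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Artefact patterns applied to the decoded runs (deliberately simple).
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/%?=&#]*)?")
EMAIL_RE = re.compile(r"[\w.+\-]+@[\w\-]+(?:\.[\w\-]+)+")


def extract_strings(dump: bytes) -> Iterator[StringHit]:
    """Equivalent of running `strings` in ASCII and UTF-16LE mode over the dump."""
    for m in ASCII_RUN.finditer(dump):
        yield StringHit(m.start(), "ascii", m.group().decode("ascii"))
    for m in UTF16_RUN.finditer(dump):
        yield StringHit(m.start(), "utf-16le", m.group().decode("utf-16-le"))


def carve_artifacts(dump: bytes) -> dict:
    """Map each URL / e-mail address found to the byte offset of its first hit."""
    found = {"urls": {}, "emails": {}}
    for hit in extract_strings(dump):
        width = 2 if hit.encoding == "utf-16le" else 1  # bytes per character
        for kind, pattern in (("urls", URL_RE), ("emails", EMAIL_RE)):
            for m in pattern.finditer(hit.text):
                found[kind].setdefault(m.group(), hit.offset + m.start() * width)
    return found


# Constructed stand-in for a process memory dump: binary noise around the kind
# of fragments the test above reports (a request line, a Gmail URL, a sign-in
# name stored as UTF-16LE). The e-mail address is a placeholder.
SAMPLE_DUMP = (
    b"\x00\x7f\x13" * 5
    + b"GET http://www.dropbox.com/ HTTP/1.1\r\nHost: www.dropbox.com\r\n"
    + b"\x00" * 16
    + b"https://mail.google.com/mail/u/0/#inbox\x00"
    + b"\x00" * 4
    + "forensics.test@example.com".encode("utf-16-le")
    + b"\x00\x00\x90\xcc\x01\xff\xfe\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for kind, hits in carve_artifacts(SAMPLE_DUMP).items():
        for value, offset in hits.items():
            print(f"{kind:<6} @0x{offset:08x}  {value}")
```

On a real dump, replace `SAMPLE_DUMP` with the file contents read in binary mode. The offsets matter in practice: they let you jump to the hit in the hex editor and read the surrounding context (an HTTP header block, a JavaScript heap string) to judge which component of the browser left the artefact behind.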
TOR BROWSER VS FIREFOX (PLACES.SQLITE)
Both Firefox and the TOR browser use places.sqlite, an SQLite database file, for storing browsing history, hostnames, bookmarks etc. Compared with Firefox, no such history artefacts can be found in the TOR browser's copy of the file. The bookmarks we created can be found in both browsers' database files.
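The comparison above, as an added example written for this page rather than taken from it: a reader of places.sqlite that lists visited places and bookmarks, run against two constructed in-memory databases that mirror the observed difference (the Tor Browser profile keeps the bookmark but records no visits; the Firefox profile records both). The schema is a minimal subset of the real Firefox/Tor Browser tables (`moz_places`, `moz_historyvisits`, `moz_bookmarks`) with only the columns the example reads; the sample URLs, titles and timestamps are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed subset of the places.sqlite schema shared by Firefox and Tor
# Browser: only the tables and columns this example reads. The real file has
# many more columns (guid, frecency, rev_host, ...).
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT,
    visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, visit_date INTEGER NOT NULL);
CREATE TABLE moz_bookmarks (
    id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER, title TEXT);
"""
BOOKMARK_TYPE = 1  # moz_bookmarks.type: 1 = bookmark, 2 = folder, 3 = separator


def prtime_to_iso(prtime):
    """Firefox stores dates as PRTime: microseconds since the Unix epoch, UTC."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def summarize_places(conn):
    """History = places with at least one recorded visit; bookmarks = rows of
    bookmark type joined to the URL they point at via moz_bookmarks.fk."""
    history = [
        (url, title, visit_count, prtime_to_iso(last_visit))
        for url, title, visit_count, last_visit in conn.execute(
            "SELECT url, title, visit_count, last_visit_date FROM moz_places "
            "WHERE id IN (SELECT place_id FROM moz_historyvisits) "
            "ORDER BY last_visit_date")
    ]
    bookmarks = conn.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b JOIN moz_places p ON p.id = b.fk "
        "WHERE b.type = ? ORDER BY b.id", (BOOKMARK_TYPE,)).fetchall()
    return {"history": history, "bookmarks": bookmarks}


def open_readonly(path):
    """Open a copied places.sqlite without modifying it (copy the -wal file too)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample(profile):
    """Constructed in-memory databases for the two browsers under comparison."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # The bookmark created in the test exists in both profiles.
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://www.torproject.org/', 'Tor Project', 0, NULL)")
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, ?, 1, 3, 'Tor Project')", (BOOKMARK_TYPE,))
    if profile == "firefox":
        t = 1_700_000_000_000_000  # constructed PRTime value
        conn.execute("INSERT INTO moz_places VALUES (2, 'http://www.dropbox.com/', 'Dropbox', 1, ?)", (t,))
        conn.execute("INSERT INTO moz_historyvisits VALUES (1, 2, ?)", (t,))
        conn.execute("INSERT INTO moz_places VALUES (3, 'https://mail.google.com/', 'Gmail', 1, ?)", (t + 60_000_000,))
        conn.execute("INSERT INTO moz_historyvisits VALUES (2, 3, ?)", (t + 60_000_000,))
    conn.commit()
    return conn


if __name__ == "__main__":
    for profile in ("firefox", "tor"):
        print(profile, summarize_places(build_sample(profile)))
```

Against a real profile, call `summarize_places(open_readonly("/path/to/copy/places.sqlite"))` on a copy of the file; copying the `places.sqlite-wal` file alongside it matters, because recent writes may still sit in the write-ahead log rather than the main file, and opening read-only avoids altering timestamps on the evidence copy.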
In conclusion, TOR is one of the Deep Web services that focuses mainly on user privacy over the network. It is one of the fastest and most secure networks and defeats the network surveillance programs that try to identify data and users. As stated in the TOR features, TOR clears the tracks of its artefacts: only the last execution time and location of TOR could be found in the registry and in the TOR browser file forensics analysis. The visited websites, usernames etc. could be found in the application-specific memory dump, but the password had been cleared from memory and could not be found there. Similar to TOR, deep web services such as I2P, HORNET and Freenet can also be used.
The complete R & D work of TOR Browser forensics has been carried out by the expert team of forensic researchers headed by Mr. Akhil and Mr. Gem George. The two brilliant minds have been the most active contributors to the Data Forensics platform.