TOR Browser Forensics – Introduction to Darknet

John Doe | Last Modified: June 30th, 2017 | Updates

A Deep Web/Darknet is a private network that is invisible or inaccessible to normal browsers and search engines. They are overlay network and need specially configured software or configuration for getting into it. Their main purpose is to defend against network analysis, network surveillance and to provide anonymity and privacy in the network.

TOR (The Onion Router) is a free software and a group of volunteer operated network containing more than six thousand relays which provides features of Deep Web. TOR select relays randomly to create virtual circuit. The similar services like TOR are I2P, HORNET, Freenet etc.

Working of TOR in Brief – TOR Browser Forensics

The TOR anonymous browsing network consists of thousands of relays. Each time when the connection is established, randomly three relays are selected from directory server where the list of TOR relays exist. These three relays are called Entry guard, Middle relay and Exit relay and these are then used for TOR traffic. TOR encryption is provided by application layer including destination address. Each relay during transmission decrypts only the outermost layer which reveals only the next relay address about the data to be transmitted. The exit node decrypts the innermost layer of the encryption and send it to the final destination. This fails the modus operandi of the network surveillance programs that depends on source and destination address.

tor browser deep web dark net


TOR Artifacts Forensic Analysis

We can access to TOR browser deep web dark net network by installing TOR Browser. TOR browser is a modified form of Firefox for implementing TOR service. Few experiments are conducted to analyze artifacts created by TOR.


  1. Opened website and closed the tab
  2. Signed into Gmail using valid username and password and closed the tab
  3. Opened an image from web site and closed the tab

After all these, exported application specific memory dump of TOR browser.


  • Analysis in registry and state file: State file (located at \Tor Browser\Browser \TorBrowser\Data\Tor) contains last TOR browser execution date and same thing found in registry also.

tor forensics



tor forensic artifacts


  • Opened places.sqlite (located at \Tor Browser\Browser\TorBrowser\Data\Browser \profile.default) using SQLite Database Recovery to view data contained in it. But no artifacts such as visited websites, keywords etc. did not find.

tor browser deep web dark net




  • Opened memory dump using hex editor and found information such as
    a. Visited website
    b. Gmail sign in username
    c. Gmail mail messages
    d. Images opened


tor browser forensics


tor forensics artifacts


gmail message content


 tor browser deep web dark net forensics



Places.sqlite is SQLite database file used by Firefox as well as TOR browser for storing search history, host names, bookmarks etc. There is no any artifacts that can be find in TOR browser when compared with Firefox. The bookmarks we created can be find in both browser’s database files.







TOR is one of the Deep Web service who mainly focuses on user privacy over network. It is the one of the fast and secure network which defeats network surveillance programs to identify data and user. As said in TOR features, it is found that TOR clears the tracks of Artifacts. Only TOR last executed time and location could find in registry and TOR browser file forensics analysis. The websites, usernames etc. were able to find in application specific memory dump. But it cleared the password from memory and it was not able to find from memory. Similar to TOR, we can also use deep web services from I2P, HORNET, Freenet etc.

The complete R & D work of TOR Browser forensics has been carried out by the expert team of forensic researchers headed by Mr. Akhil and Mr. Gem George. The two brilliant minds have been the most active contributors to the Data Forensics platform.