A machine learning‐based memory forensics methodology for TOR browser artifacts

Abstract

SummaryAt present, 96% of the resources available into the World‐Wide‐Web belongs to the Deep Web, which is composed of contents that are not indexed by search engines. The Dark Web is a subset of the Deep Web, which is currently the favorite place for hiding illegal markets and contents. The most important tool that can be used to access the Dark Web is the Tor Browser. In this article, we propose a bottom‐up formal investigation methodology for the Tor Browser's memory forensics. Based on a bottom‐up logical approach, our methodology enables us to obtain information according to a level of abstraction that is gradually higher, to characterize semantically relevant actions carried out by the Tor browser. Again, we show how the proposed three‐layer methodology can be realized through open‐source tools. Also, we show how the extracted information can be used as input to a novel Artificial Intelligence‐based architecture for mining effective signatures capable of representing malicious activities in the Tor network. Finally, to assess the effectiveness of the proposed methodology, we defined three test cases that simulate widespread real‐life scenarios and discuss the obtained results. To the best of our knowledge, this is the first work that deals with the forensic analysis of the Tor Browser in a live system, in a formal and structured way.