Tor forensics: Proposed workflow for client memory artefacts

Abstract

The Internet is now part of everyday life, and plays a significant role in communication, online shopping, online banking, etc. However, one of the current issues with using the Internet is lack of security since it is still possible for an eavesdropper to be able to intercept transferred data. As a result, the number of incidents has increased, posing a real threat to the user while people have become more conscious about how applications treat their personal data. Therefore, some users have shifted to using The Onion Router (Tor) as it claims to preserve user's anonymity and privacy. However, while using or investigating the use of Tor, the question of how the memory residue of the client leaks anonymity during Tor's interaction arises. This question is addressed in this paper as it investigates how the client's memory residue leaks anonymity before, during, and after Tor's interaction. While there has been significant research on the topic of Tor, there is a gap in the literature concerning Tor forensics. One of the leading concepts to identify artefacts in digital investigation is digital forensics. Thus, this paper will address the question by an experimental method that uses memory forensics tactics on Tor clients to find artefacts related to Tor usage. Subsequently, an analysis of the findings can stand against Tor's claims about the user's privacy and anonymity since the Tor browser keeps a plethora of details about client activities, which could be gained during or even after closing the client session. This paper provides a workflow and a python shell script for analyzing the Tor client's memory residue, which will serve as a workflow and act as a starting point for broadening studies in a similar area. It also introduces a positive impact on the investigators. It aims to make the process easier and contributes to society as users will be aware of how Tor treats their data.