TOR BROWSER FORENSICS ON WINDOWS OS
Mattia Epifani, Francesco Picasso, Marco Scarito, Claudia Meda
DFRWS 2015, Dublin, 24 March 2015

REAL CASE
- Management salaries of a private company were published on a blog
- Through an analysis of the internal network, we found a possible suspect because he accessed the Excel file containing the salaries the day before the publication
- The company asked us to analyze the employee's laptop
- We found evidence confirming that the Excel file was opened [LNK, Jumplist, ShellBags]
- But no traces of the publishing activity on the blog were found in the browsing history

PREVIOUS RESEARCH
- An interesting piece of research by Runa Sandvik is available: "Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows", https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
- We started from her work to find other interesting artifacts

TOR BROWSER ON MICROSOFT WINDOWS
- Version 4.0.2

TOR BROWSER FOLDER
- The most interesting folders are located under \Tor Browser\Browser\Tor Browser:
  - \Data\Tor
  - \Data\Browser\profile.default

FOLDER \DATA\TOR
- state: contains the last execution date
- torrc: contains the path from which the Tor Browser was launched, including the drive letter

FOLDER \DATA\BROWSER\PROFILE.DEFAULT
- The traditional Firefox folder containing the user profile, without usage traces
- The most interesting files are compatibility.ini and extensions.ini:
  - Content: browser execution path
  - Date Created: first execution
  - Date Modified: last execution
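The following is an added example, not code from the slides or from the Tor Project: it pulls the execution evidence the two slides above attribute to the Data\Tor and profile.default files (last execution date from state, launch path with drive letter from torrc, browser path from compatibility.ini) and correlates them. The three sample file bodies are constructed to mirror the real formats; the E: drive, the version string and the timestamps are made up.

```python
"""Added example, not part of the DFRWS 2015 slides: read the execution
evidence the slides attribute to the Tor Browser data files (state, torrc,
compatibility.ini). The sample file bodies below are constructed to mirror
the real formats; the E: drive, version and timestamps are made up."""
import configparser
import re
from datetime import datetime

# Constructed Data\Tor\state: Tor rewrites it on every run, so "LastWritten"
# is the last-execution date the slides refer to (UTC in the real file).
SAMPLE_STATE = """# Tor state file last generated on 2015-03-24 10:14:32 local time
# Other times below are in UTC
TorVersion Tor 0.2.5.10 (git-42b42605f8d8eac2)
LastWritten 2015-03-24 09:14:32
"""

# Constructed Data\Tor\torrc: DataDirectory carries the drive letter and the
# launch path, which is the artifact the slides describe.
SAMPLE_TORRC = r"""# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory E:\Tor Browser\Browser\TorBrowser\Data\Tor
GeoIPFile E:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip
GeoIPv6File E:\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6
"""

# Constructed profile.default\compatibility.ini (version string made up).
SAMPLE_COMPAT = r"""[Compatibility]
LastVersion=31.5.0_20150225143015/20150225143015
LastOSABI=WINNT_x86-msvc
LastPlatformDir=E:\Tor Browser\Browser
LastAppDir=E:\Tor Browser\Browser\browser
"""

STATE_RE = re.compile(r"^LastWritten (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$", re.M)
PATH_OPTIONS = ("DataDirectory", "GeoIPFile", "GeoIPv6File")


def parse_state(text):
    """Return the LastWritten timestamp as a naive datetime (UTC), or None."""
    m = STATE_RE.search(text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def parse_torrc(text):
    """Return {option: path} for the torrc options that hold filesystem paths."""
    paths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        if option in PATH_OPTIONS:
            paths[option] = value.strip()
    return paths


def parse_compatibility(text):
    """Return the [Compatibility] section as a dict, keys kept case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # do not lowercase LastPlatformDir etc.
    cp.read_string(text)
    return dict(cp["Compatibility"]) if cp.has_section("Compatibility") else {}


def launch_evidence(state_text, torrc_text, compat_text):
    """Correlate the three files into one record of where Tor Browser ran from
    and when it last wrote its state."""
    torrc = parse_torrc(torrc_text)
    compat = parse_compatibility(compat_text)
    data_dir = torrc.get("DataDirectory", "")
    platform_dir = compat.get("LastPlatformDir", "")
    return {
        "drive_letter": data_dir[:2] if re.match(r"^[A-Za-z]:", data_dir) else None,
        "data_directory": data_dir,
        "browser_directory": platform_dir,
        # Both files should point into the same install; a mismatch hints at a
        # bundle that was moved or copied (e.g. from a USB stick) since last run.
        "paths_consistent": bool(platform_dir)
        and data_dir.lower().startswith(platform_dir.lower()),
        "firefox_version": compat.get("LastVersion"),
        "last_written_utc": parse_state(state_text),
    }


if __name__ == "__main__":
    for key, value in launch_evidence(SAMPLE_STATE, SAMPLE_TORRC, SAMPLE_COMPAT).items():
        print(f"{key:18} {value}")
```

On a real case, read the three files from the suspect's volume and pass their contents to launch_evidence; the drive letter in torrc is the value to compare against the prefetch execution path, and the LastVersion field is the Firefox ESR version that the later slide on HTTP-memory-only-PB suggests comparing with any installed Firefox.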

OS ARTIFACTS ANALYSIS
Evidence of Tor usage can be found (mainly) in:
- Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf
- Prefetch file TOR.EXE-<PATH-HASH>.pf
- Prefetch file FIREFOX.EXE-<PATH-HASH>.pf
- Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old versions, < 4.0.2)
- NTUSER.DAT registry hive, UserAssist key
- Windows Search database
- Thumbnail cache

PREFETCH FILES
We can recover:
- First execution date
- Last execution date (in Windows 8/8.1, the last 8 executions)
- Number of executions
- Execution path
- Install date (from the Tor Browser Install prefetch file)
- Tor Browser version (from the Tor Browser Install prefetch file)
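As an added example (not from the slides and not a tool the authors describe), the parser below reads the header of an uncompressed Windows prefetch file and returns the fields the slide lists: executable name, the path hash that appears as <PATH-HASH> in the file name, the last run time (eight of them on Windows 8/8.1) and the run count. The offsets are those documented for the SCCA format versions 17 (XP), 23 (Vista/7) and 26 (8/8.1); Windows 10 prefetch files are additionally compressed and are outside the scope of the 2015 slides and of this example. The sample .pf images are built in code and their hash values are made up.

```python
"""Added example, not part of the DFRWS 2015 slides: parse the header of an
uncompressed Windows prefetch (.pf) file to recover executable name, path
hash, last run time(s) and run count. Offsets follow the documented SCCA
layouts for format versions 17 (XP), 23 (Vista/7) and 26 (8/8.1). The sample
.pf images are constructed here, not taken from a real system."""
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)

# version -> (offset of last-run FILETIME(s), slots stored, run-count offset, header size)
LAYOUT = {
    17: (0x78, 1, 0x90, 0x98),
    23: (0x80, 1, 0x98, 0xF0),
    26: (0x80, 8, 0xD0, 0x130),   # Windows 8/8.1 keeps the last 8 run times
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601      # integer arithmetic: floats lose precision here
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return a dict with version, exe name, path hash, run times and run count."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature (compressed Win10 file or not a .pf)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    run_off, slots, count_off, _ = LAYOUT[version]
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    run_times = []
    for i in range(slots):
        ft = struct.unpack_from("<Q", data, run_off + 8 * i)[0]
        if ft:                    # unused slots on Windows 8 are zero
            run_times.append(filetime_to_datetime(ft))
    return {
        "version": version,
        "exe_name": exe_name,
        "path_hash": path_hash,
        "file_name": f"{exe_name}-{path_hash:08X}.pf",
        "run_times": run_times,
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }


def build_sample_prefetch(version, exe_name, path_hash, run_times, run_count):
    """Construct a header-only .pf image for testing (not a real prefetch file)."""
    run_off, slots, count_off, header_size = LAYOUT[version]
    buf = bytearray(header_size)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 12, header_size)          # file size field
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, path_hash)
    for i, dt in enumerate(run_times[:slots]):
        struct.pack_into("<Q", buf, run_off + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed samples: a Windows 7 TOR.EXE file run once, and a Windows 8.1
# FIREFOX.EXE file with three stored run times. Hash values are made up.
SAMPLE_WIN7 = build_sample_prefetch(
    23, "TOR.EXE", 0x0A1B2C3D, [datetime(2015, 3, 23, 22, 11, 5)], 1)
SAMPLE_WIN8 = build_sample_prefetch(
    26, "FIREFOX.EXE", 0x7E5D3C1B,
    [datetime(2015, 3, 23, 22, 11, 9), datetime(2015, 3, 22, 8, 0, 0),
     datetime(2015, 3, 20, 19, 30, 0)], 3)

if __name__ == "__main__":
    for sample in (SAMPLE_WIN7, SAMPLE_WIN8):
        print(parse_prefetch(sample))
```

The first execution date the slide mentions is not stored inside the .pf file; it is the file's own creation timestamp in the NTFS $STANDARD_INFORMATION/$FILE_NAME attributes, so pair this parser with the file-system timestamps of the .pf file. The file_name field lets you check that the prefetch file was not renamed: it must match the name on disk.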

USER ASSIST
We can recover:
- Last execution date
- Number of executions
- Execution path
By analyzing the various NTUSER.DAT copies available from Volume Shadow Copies (VSS) we can identify the number and times of execution in a period of interest

OTHER ARTIFACTS ON THE HARD DRIVE
Other files noted:
- Thumbnail cache: contains the Tor Browser icon
- Windows Search database: paths of Tor Browser files and folders

BROWSING ACTIVITIES
Evidence of browsing activities can be found in:
- Bookmarks (places.sqlite database)
- Pagefile.sys
- Memory dump / Hiberfil.sys

BOOKMARKS
User saved bookmarks:

PAGEFILE.SYS
- Information about visited websites
- Search for the keyword HTTP-memory-only-PB

HTTP-MEMORY-ONLY-PB
- A string used by Mozilla Firefox for Private Browsing (cache data is not saved on the hard drive)
- Tor Browser uses the Private Browsing feature of Mozilla Firefox
- But Tor Browser typically uses an older Firefox version, based on Firefox ESR
- To distinguish whether the browsing activity was made with Mozilla Firefox or with Tor Browser:
  - Check if Firefox is installed
  - If it is installed, verify its actual version

PAGEFILE.SYS - EXAMPLE

ANALYSIS METHODOLOGY
- Prefetch files
  - Install date
  - First execution date
  - Last execution date(s)
  - Number of executions
  - Tor Browser version
- NTUSER.DAT, UserAssist key
  - Execution path
  - Last execution date
  - Total number of executions
  - Verify the history of execution through the Volume Shadow Copies
- Tor Browser files
  - state
  - torrc
  - compatibility.ini
  - extensions.ini
  - places.sqlite [bookmarks]
- Pagefile.sys (keyword search)
  - HTTP-memory-only-PB
  - Torproject
  - Tor
  - Torrc
  - Geoip
  - Torbutton
  - Tor-launcher
- Other possible artifacts
  - Thumbnail cache
  - Windows Search database
  - Hiberfil.sys: convert to a memory dump, analyze with Volatility, keyword search
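The added example below (not code from the slides) implements the keyword search step of the methodology and the HTTP-memory-only-PB carving described on the PAGEFILE.SYS slides: it searches a raw image (pagefile.sys, a memory dump, or hiberfil.sys once converted) for the listed keywords in both ASCII and UTF-16LE form, and for every HTTP-memory-only-PB hit extracts the URL that follows it. The sample blob is constructed; the cache-key layout around the marker is an assumption made for the sample, and the URL regex is deliberately generic so it does not depend on it.

```python
"""Added example, not part of the DFRWS 2015 slides: keyword search over a
raw image and carving of the URL that follows each HTTP-memory-only-PB hit.
Keywords are searched as ASCII and as UTF-16LE. The sample blob is
constructed; on a real case read pagefile.sys with open(path, "rb")."""
import re

# Keywords from the slides' methodology. "tor" on its own is very noisy
# (it matches "monitor", "director", ...), so it is listed last.
KEYWORDS = ["HTTP-memory-only-PB", "torproject", "torrc", "geoip",
            "torbutton", "tor-launcher", "tor"]
PB_MARKER = "HTTP-memory-only-PB"
URL_RE = re.compile(rb"https?://[!-~]{4,}")   # printable ASCII, stops at NUL/space


def keyword_patterns(word):
    """Compile case-insensitive patterns for the ASCII and UTF-16LE forms."""
    raw = word.encode("ascii")
    ascii_pat = re.compile(re.escape(raw), re.I)
    utf16_pat = re.compile(b"".join(re.escape(bytes([c])) + b"\x00" for c in raw), re.I)
    return ascii_pat, utf16_pat


def keyword_hits(data, keywords=KEYWORDS):
    """Return [(offset, keyword, encoding)] sorted by offset."""
    hits = []
    for word in keywords:
        ascii_pat, utf16_pat = keyword_patterns(word)
        hits += [(m.start(), word, "ascii") for m in ascii_pat.finditer(data)]
        hits += [(m.start(), word, "utf-16-le") for m in utf16_pat.finditer(data)]
    return sorted(hits)


def carve_private_browsing_urls(data, window=512):
    """For every HTTP-memory-only-PB marker, return (offset, url) for the first
    URL found within `window` bytes after it, in ASCII or UTF-16LE."""
    found = []
    ascii_pat, utf16_pat = keyword_patterns(PB_MARKER)
    for m in ascii_pat.finditer(data):
        u = URL_RE.search(data[m.end(): m.end() + window])
        if u:
            found.append((m.start(), u.group().decode("ascii")))
    for m in utf16_pat.finditer(data):
        chunk = data[m.end(): m.end() + window]
        text = chunk[: len(chunk) // 2 * 2].decode("utf-16-le", errors="replace")
        u = re.search(r"https?://[!-~]{4,}", text)   # U+FFFD / NUL end the match
        if u:
            found.append((m.start(), u.group()))
    return sorted(found)


# Constructed pagefile fragment: two ASCII cache keys, one UTF-16LE torrc
# path, one UTF-16LE cache key, separated by filler bytes.
SAMPLE_PAGEFILE = (
    b"\x00" * 40
    + b"a,:HTTP-memory-only-PB:http://www.blognameblabla.com/wp-admin/\x00"
    + b"\xff" * 24
    + "E:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\torrc".encode("utf-16-le")
    + b"\x00" * 16
    + b"a,:HTTP-memory-only-PB:https://www.torproject.org/download/\x00"
    + b"\x00" * 8
    + "a,:HTTP-MEMORY-ONLY-PB:http://www.blognameblabla.com/wp-login.php".encode("utf-16-le")
    + b"\x00" * 40
)

if __name__ == "__main__":
    for offset, url in carve_private_browsing_urls(SAMPLE_PAGEFILE):
        print(f"{offset:#010x} {url}")
    for offset, word, enc in keyword_hits(SAMPLE_PAGEFILE, ["torrc", "geoip", "torproject"]):
        print(f"{offset:#010x} {word} ({enc})")
```

For a multi-gigabyte pagefile, map the file with mmap rather than reading it into memory; the patterns work unchanged on a memoryview. Offsets matter: they let you go back to the surrounding bytes to judge whether a hit is a genuine cache key or an unrelated string, and they are what you cite in the report.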

REAL CASE
- We indexed the hard drive and searched for the blog URL
- We found some interesting URLs in the pagefile, indicating access to the blog admin page (http://www.blognameblabla.com/wp-admin/)

REAL CASE
- All the URLs were preceded by the string HTTP-MEMORY-ONLY-PB, and Firefox is not installed on the laptop
- We found that the Tor Browser was downloaded with Google Chrome on the night in which the file was published on the blog
- By analyzing the OS artifacts we found that it was installed and executed only once, 3 minutes before the publication date and time on the blog

ACTIVE RESEARCH
- Memory dump analysis with Volatility and Rekall
  - Can we find any temporal reference for browsing activities?
  - Can we correlate Tor Browser cache entries with files carved from pagefile/hiberfil/memory dump?
- Tor Browser on Mac OS X
- Tor Browser on Linux
- Orbot on Android

Q&A?
Mattia Epifani
Digital Forensics Analyst
CEO @ REALITY NET System Solutions
GCFA, GMOB, GNFA, GREM, CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
Mail: mattia.epifani@realitynet.it
Twitter: @mattiaep
LinkedIn: http://www.linkedin.com/in/mattiaepifani
Web: http://www.realitynet.it
Blog: http://blog.digital-forensics.it, http://mattiaep.blogspot.it