Tor Forensics: Client Memory Artefacts
Abstract
The Internet has become part of everyday life, used for communication, online shopping, online banking, and more. However, the Internet does not guarantee security, since an eavesdropper can intercept data in transit. As a result, the number of incidents has increased, posing a real threat to users, while people have become more conscious of how applications treat their personal data. Some users have therefore shifted to The Onion Router (Tor), as it claims to preserve the user's anonymity and privacy. However, when using Tor or investigating its use, the question arises of how the client's memory residue leaks anonymity during Tor interaction. This paper addresses that question by investigating how the client's memory residue leaks anonymity before, during, and after Tor interaction. While there has been significant research on Tor, there is a gap in the literature concerning Tor forensics. Digital forensics is one of the leading approaches for identifying artefacts in digital crime. Thus, this paper addresses the question with an experimental method that applies memory forensics tactics to Tor clients in order to find artefacts that will aid in criminal convictions. The analysis of the findings can challenge Tor's claims about user privacy and anonymity, since the Tor browser keeps a plethora of details about client activities, which could be obtained during or even after closing the client session. This dissertation provides a workflow and a Python shell script for analyzing the Tor client's memory residue, which serve both as a workflow and as a starting point for broader studies in similar areas. This will benefit investigators by making the process easier, and it will contribute to society, as users will be aware of how Tor treats their data.