During a Dark Web forensic investigation, it is common to find that the suspect has used Tor Browser. As we know, Tor Browser encrypts its traffic and gives its users complete anonymity: the multi-layer encryption hides the user's identity.
It is a common tool used by cyber-criminals for illegal activities, drug trafficking and illegal transactions, so it is important for digital forensic investigators to find traces of Tor Browser during an investigation.
This is a challenging task for forensic investigators, because the dark web is accessed through Tor Browser, which keeps the data private and the user anonymous.
Working of Tor Browser
Tor Browser is based on Mozilla's Firefox web browser. It uses the onion routing technique, which provides access to .onion websites on the dark web. The dark web is the deepest layer of the web: it is not reachable through regular search engines such as Google or Bing, because those engines do not index it.
Tor routes the user's traffic through three relays, encrypting it along the way:
- Entry Relay – the entry point, where the user's IP address is visible
- Middle Relay – passes the encrypted data on to the next hop
- Exit Relay – reaches the destination server and hides the original identity of the user.
Tor also has a hidden service protocol, which allows users to create websites anonymously, with .BIT domains, that can only be accessed from within the Tor network.
What are .BIT domains?
In the Tor network, these domains serve a similar purpose to domains on the regular web. They are not controlled by centralized authorities; they are managed through a decentralized system called Namecoin. This gives better privacy and makes them resistant to censorship.
When we try to access .bit domains through regular search engines, we get an error, as .bit is a blockchain top-level domain. Some of these domains can be accessed by using plugins in a regular browser.
Tor Bridge Nodes and Its Restrictions
Bridge nodes act as proxies into the Tor network. They can easily be switched for other nodes, which makes it difficult for governments to identify and block them. Relay nodes are listed on the internet, but bridge nodes are not published or listed in the public directory.
The use of bridge nodes makes it difficult for governments, organizations and ISPs to censor the use of the Tor network.
In many countries, the use of the Tor network is banned. In such cases, bridge nodes help users to get around the ban and access the Tor network.
Now let's dive into the investigation process.
To investigate the usage of Tor Browser on a Windows machine, the forensic investigator should collect RAM dumps from the suspect machine. By analysing the dumps, we can identify activities performed using Tor Browser, including websites visited, emails, and programs downloaded and uninstalled.
Finding Traces of Tor Browser Using Command Prompt
When Tor Browser is installed on a Windows machine, it uses ports 9150/9151 for establishing its connection through the nodes. Investigators can check the active network connections from a Command Prompt window.
To list the active connections, use the following command:
netstat -ano
To check a specific port, use the following command:
netstat -an | find "9150"
This filters the results to show only the connections associated with port 9150.
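Because the netstat check is usually repeated across many hosts and saved outputs, the script below turns it into a small triage step. It is an added Python example, not part of the original article: it parses saved "netstat -ano" output, identifies the process listening on the Tor ports on the loopback interface, the processes connecting to those ports (the browser side), and the non-loopback endpoints the Tor process itself is talking to. The port list extends the article's 9150/9151 with the 9050/9051 defaults of a standalone tor service; the port-to-role mapping is an assumption, since the ports can be changed in the Tor configuration. The netstat lines are constructed for the example.

```python
"""Flag Tor indicators in saved 'netstat -ano' output (added example)."""

LOOPBACK = {"127.0.0.1", "[::1]"}

# Ports named in the article (9150/9151) plus the defaults of a standalone
# tor service (9050/9051). The role labels are an assumption: all of these
# ports can be reconfigured in torrc.
TOR_PORTS = {
    9150: "Tor Browser SOCKS port",
    9151: "Tor Browser control port",
    9050: "tor service SOCKS port",
    9051: "tor service control port",
}


def split_endpoint(endpoint):
    """'127.0.0.1:9150' -> ('127.0.0.1', 9150); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse the rows of 'netstat -ano' into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a State column, UDP rows do not; PID is always last.
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "foreign": split_endpoint(parts[2]),
            "state": state,
            "pid": int(parts[-1]),
        })
    return rows


def find_tor_indicators(rows):
    """Return the PIDs owning a Tor port, the PIDs talking to one, and the
    non-loopback endpoints the Tor process itself is connected to."""
    tor_pids = {
        r["pid"] for r in rows
        if r["proto"] == "TCP" and r["state"] == "LISTENING"
        and r["local"][0] in LOOPBACK and r["local"][1] in TOR_PORTS
    }
    client_pids = {
        r["pid"] for r in rows
        if r["foreign"][0] in LOOPBACK and r["foreign"][1] in TOR_PORTS
        and r["pid"] not in tor_pids
    }
    # Outbound connections of the Tor process: the entry relay or bridge it is
    # currently using, which is lost once the process exits.
    remote_endpoints = sorted(
        f"{r['foreign'][0]}:{r['foreign'][1]}" for r in rows
        if r["pid"] in tor_pids and r["state"] == "ESTABLISHED"
        and r["foreign"][0] not in LOOPBACK
    )
    return {
        "tor_pids": tor_pids,
        "client_pids": client_pids,
        "tor_remote_endpoints": remote_endpoints,
    }


# Constructed sample output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:49722        127.0.0.1:9150         ESTABLISHED     5588
  TCP    127.0.0.1:9150         127.0.0.1:49722        ESTABLISHED     4120
  TCP    192.168.1.20:49730     203.0.113.45:443       ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1544
"""


def analyse_sample():
    return find_tor_indicators(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

A listening port is an indicator, not proof: confirm the process behind each flagged PID (for example with tasklist /FI "PID eq 4120") and record the remote endpoint of the Tor process before the machine is powered down, since that connection is not preserved by any disk artifact.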
Identifying through Windows Registry
In the Windows operating system, everything is recorded in the registry. When Tor Browser is installed, it leaves some traces in the Windows Registry. It is important to note that forensic analysis of the Windows Registry requires specialised tools and expertise.
Some of the common tools are:
- Registry Explorer
- ShellBags Explorer
Registry hives opened in Registry Explorer are shown below:
The path from which Tor Browser was executed is recorded in the following registry key:
HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher
To find the last execution date and time of Tor Browser, the investigator should analyse the 'State' file located in the Tor Browser folder.
Directory of the State file inside the Tor Browser installation:
\Tor Browser\Browser\TorBrowser\Data\Tor
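The State file is a plain text file of "Key value" lines, so the last-written time can be pulled out with a few lines of code. The following Python example is added here and is not the article's own tooling. It assumes the layout of a real State file: a header comment giving the generation time in local time, a LastWritten line in UTC, a TorVersion line, and one or more Guard lines made up of name=value pairs (which record the entry relays Tor has chosen and when they were first sampled). The sample text is constructed and the relay fingerprints are placeholders.

```python
"""Summarise the Tor 'State' file (added example; sample text is constructed)."""
from datetime import datetime, timezone

SAMPLE_STATE = """\
# Tor state file last generated on 2024-03-05 14:02:17 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.4.8.10 (git-0000000000000000)
LastWritten 2024-03-05 13:02:17
Guard in=default rsa_id=0000000000000000000000000000000000000000 nickname=ExampleGuard sampled_on=2024-02-20T09:14:33 sampled_idx=0 sampled_by=0.4.8.10 listed=1 confirmed_on=2024-02-20T09:15:01 confirmed_idx=0
Guard in=default rsa_id=1111111111111111111111111111111111111111 nickname=SecondGuard sampled_on=2024-02-21T18:40:02 sampled_idx=1 sampled_by=0.4.8.10 listed=1
TotalBuildTimes 42
CircuitBuildTimeBin 600 3
"""


def parse_state_file(text):
    """Return key -> list of values; repeated keys (Guard) are kept in order."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.setdefault(key, []).append(value.strip())
    return entries


def parse_guard(value):
    """Split 'in=default rsa_id=... nickname=...' into a dict."""
    return dict(pair.split("=", 1) for pair in value.split() if "=" in pair)


def summarise_state(text):
    entries = parse_state_file(text)
    last_written = None
    if "LastWritten" in entries:
        # 'YYYY-MM-DD HH:MM:SS', in UTC (assumed; the header comment is local time).
        last_written = datetime.strptime(
            entries["LastWritten"][0], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
    guards = [parse_guard(v) for v in entries.get("Guard", [])]
    return {
        "last_written_utc": last_written,
        "tor_version": entries.get("TorVersion", [None])[0],
        "guard_nicknames": [g.get("nickname") for g in guards],
        "guard_fingerprints": [g.get("rsa_id") for g in guards],
        # Earliest sampled_on gives a lower bound on how long Tor has been in use.
        "guards_first_sampled": min(
            (g["sampled_on"] for g in guards if "sampled_on" in g), default=None
        ),
    }


if __name__ == "__main__":
    for key, value in summarise_state(SAMPLE_STATE).items():
        print(f"{key}: {value}")
```

Note the one-hour difference between the header comment and LastWritten in the sample: the comment is written in the machine's local time and the LastWritten value in UTC, so record which one you are quoting when you compare it against other timestamps such as prefetch last-run times.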
Identifying through Prefetch Files
Prefetch files are temporary files which contain information about applications and how they are loaded. When an application is started, a prefetch file is created for it. Prefetch files also record the execution time, running time and the number of times the application was opened. They are stored with the .pf extension.
When Tor Browser has been uninstalled from a machine, it is difficult for forensic investigators to find artifacts related to the browser. With the help of prefetch files, investigators can still gather information regarding the browser. Some tools for analysing prefetch files are:
- WinPrefetchView
- PECmd
- FTK Imager
These tools extract metadata including the prefetch file's creation timestamp, the last run timestamps, the executable filename and the number of times the browser was executed. Prefetch files are located in C:\Windows\Prefetch.
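To show where those tools get the filename, last-run timestamps and run count from, here is an added Python example (not code from the article or from any of the tools it names) that reads them from the header of an uncompressed prefetch file. It relies on the documented layout of prefetch versions 26 (Windows 8.1) and 30 (Windows 10/11): the executable name as UTF-16 at offset 0x10, the prefetch hash at 0x4C, eight FILETIME last-run slots at 0x80 and the run count at 0xD0. Windows 10/11 writes .pf files compressed (the file starts with the bytes 4D 41 4D 04, "MAM" followed by 0x04); they must be decompressed before this header can be read, which the example deliberately refuses to do rather than misparse. The sample file is constructed in memory; the hypothetical helper build_sample_prefetch exists only to produce it.

```python
"""Read name, last-run times and run count from an uncompressed prefetch file
(added example; sample input is constructed)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 84-byte header followed by the 224-byte file information block of v26/v30.
HEADER_AND_INFO_SIZE = 0x54 + 224


def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 = empty slot."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed Windows 10/11 prefetch file: decompress it first")
    version, = struct.unpack_from("<I", data, 0)
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in (26, 30):
        raise ValueError(f"unsupported prefetch version {version}")
    if len(data) < HEADER_AND_INFO_SIZE:
        raise ValueError("truncated prefetch file")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 0x4C)
    run_times = struct.unpack_from("<8Q", data, 0x80)
    # Assumption: some Windows 10 builds keep the run count at 0xC8 instead of
    # 0xD0; this example handles the 0xD0 layout only.
    run_count, = struct.unpack_from("<I", data, 0xD0)
    last_runs = [ts for ts in map(filetime_to_datetime, run_times) if ts]
    return {
        "version": version,
        "executable": name,
        "hash": f"{prefetch_hash:08X}",
        "last_runs": last_runs,   # newest first, at most eight
        "run_count": run_count,
    }


def build_sample_prefetch(executable, last_runs, run_count):
    """Hypothetical helper: build a constructed v30 file with the layout above."""
    buf = bytearray(HEADER_AND_INFO_SIZE)
    struct.pack_into("<I4sII", buf, 0, 30, b"SCCA", 0, len(buf))
    buf[0x10:0x10 + 60] = executable.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0xABCD1234)
    slots = [datetime_to_filetime(dt) for dt in last_runs] + [0] * 8
    struct.pack_into("<8Q", buf, 0x80, *slots[:8])
    struct.pack_into("<I", buf, 0xD0, run_count)
    return bytes(buf)


SAMPLE_RUNS = [
    datetime(2024, 3, 5, 14, 2, 17, tzinfo=timezone.utc),
    datetime(2024, 3, 1, 9, 30, 0, tzinfo=timezone.utc),
    datetime(2024, 2, 20, 18, 45, 9, tzinfo=timezone.utc),
]
# Tor Browser's main process is firefox.exe, so its prefetch file is named
# FIREFOX.EXE-<hash>.pf; a regular Firefox install produces the same name,
# which is why the install path (and thus the hash) matters for attribution.
SAMPLE_PF = build_sample_prefetch("FIREFOX.EXE", SAMPLE_RUNS, 3)


def analyse_sample():
    return parse_prefetch(SAMPLE_PF)


if __name__ == "__main__":
    result = analyse_sample()
    print(result["executable"], result["hash"], result["run_count"])
    for ts in result["last_runs"]:
        print("  last run:", ts.isoformat())
```

The run count and the eight last-run slots are what let an investigator say how often and when the browser was launched even after the installation folder is gone; the timestamps are UTC, so convert them to the machine's time zone before lining them up with registry or State file evidence.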
Conclusion
In summary, investigating Tor Browser use on the Dark Web is a challenging task. Tor Browser hides users' identities and activities, making it tricky for investigators.
However, they can still uncover clues by looking at RAM dumps, checking network connections, exploring the Windows Registry and examining prefetch files. With these methods and tools, investigators can gather important information to fight cybercrime effectively.