Abstract:
The Internet, computers, and mobile phones, especially smartphones, have become a lifeline of
our society over the last decade, with plenty of applications in business, education, gaming,
and research. However, one of the major issues faced when using the Internet is its lack of privacy
and security, since it is still possible for eavesdroppers/attackers to intercept
communication between users. As a result, the number of cybercrime incidents, i.e.,
those exploiting confidentiality, has increased over time. Therefore, users have become more
anxious about the security of their communication. In this regard, some users have
preferred to use private browsers to safeguard their communication privacy. The Tor
privacy browser is one of the most famous and extensively used privacy browsers; it
is based on The Onion Router (Tor) network to sustain anonymity over the Internet.
However, the Tor browser remains a major obstacle in network-centric
cybercrime investigations due to the sophisticated level of anonymity provided over
a specialized overlay network. In this study, we investigated the Tor privacy
browser artifacts on Windows 10 and Android 10 devices and identified the potential
areas in an operating system where evidence can be found that will help
investigators in e-discovery. In this research, we investigated the artifacts left by the Tor
privacy browser in the Registry, Storage, and Memory of a Windows 10 device; and
similarly, we investigated the Memory, Storage, ADB logs, and Zram of an Android 10
device to find out how it left evidence in these areas of the operating system before, during,
and after usage. Analysis of our results runs counter to the claims of user privacy and
anonymity made by the Tor Project, because our investigation on both operating
systems uncovered a significant amount of evidence about user browsing activities while
the Tor browser was left open, in use, and even after the browser was closed. This study
proposes an investigative methodology to acquire and analyze the Tor browser artifacts
from different areas of the targeted operating system, which will serve as a foundation for
expanding this research to conduct forensic analysis of additional privacy browsers and
enhance the investigator's competency to achieve an easier application forensic
investigation process.