TOR BROWSER FORENSICS ON WINDOWS OS
MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA
DEFTCON 2015
ROME, 17 APRIL 2015
REAL CASE
• The management salaries of a private company were published on a blog
• By analyzing the internal network we identified a possible suspect: he had accessed the Excel file containing the salaries the day before the publication
• The company asked us to analyze the employee's laptop
• We found evidence confirming that the Excel file had been opened [LNK, Jump List, ShellBags]
• But no trace of the publishing activity on the blog was found in the browsing history…
PREVIOUS RESEARCH
• Interesting research by Runa Sandvik is available in
Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows
https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
• We started from her work to look for further artifacts
TOR BROWSER – MICROSOFT WINDOWS
Version analyzed: 4.0.2
TOR BROWSER FOLDER
• Tor Browser is a portable bundle (the installer is a self-extracting archive, by default extracted to the Desktop), so the folder is wherever the user chose to put it
• The most interesting folders are located under Tor Browser\Browser\TorBrowser\:
  • Data\Tor
  • Data\Browser\profile.default
FOLDER Data\Tor
• state: contains the date of the last execution (the LastWritten line, in UTC, rewritten on every run of tor)
• torrc: contains the path from which Tor Browser was launched, drive letter included (the DataDirectory and GeoIPFile directives are written as absolute paths)
FOLDER Data\Browser\profile.default
• The traditional Firefox profile folder, but without the usual usage traces (no history, no on-disk cache)
• The most interesting files are compatibility.ini and extensions.ini:
  • Browser execution path (compatibility.ini stores LastPlatformDir and LastAppDir as absolute paths)
  • Date Created → first execution
  • Date Modified → last execution
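The following is an added example, not code from the original slides or from the Tor Project: it extracts the facts listed above (last execution, install path and drive letter, Firefox ESR version) from the state, torrc and compatibility.ini files. The three file contents embedded in it are constructed for the example; the key names (LastWritten, DataDirectory/GeoIPFile, LastPlatformDir/LastAppDir/LastVersion) are the ones tor and Firefox wrote in the Tor Browser 4.x era and are assumed here, so verify them against the actual files in your image.

```python
import ntpath
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample contents, modelled on what Tor Browser 4.x wrote on Windows.
SAMPLE_STATE = """# Tor state file last generated on 2015-04-16 22:41:07 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.2.5.10
LastWritten 2015-04-16 20:41:07
"""

SAMPLE_TORRC = """# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory D:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor
GeoIPFile D:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip
GeoIPv6File D:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\geoip6
"""

SAMPLE_COMPATIBILITY_INI = """[Compatibility]
LastVersion=31.6.0_20150323222938/20150323222938
LastOSABI=WINNT_x86-msvc
LastPlatformDir=D:\\Tor Browser\\Browser
LastAppDir=D:\\Tor Browser\\Browser\\browser
"""

WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_state_last_written(text: str) -> Optional[datetime]:
    """'LastWritten' is stamped (in UTC) every time tor saves its state,
    i.e. on every run: it is the 'last execution date' of the slide."""
    m = re.search(r"^LastWritten (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$", text, re.M)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_torrc_paths(text: str) -> Dict[str, str]:
    """Return torrc directives whose value is an absolute Windows path
    (drive letter included): these show where the bundle was run from."""
    paths: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if WIN_ABS_PATH.match(value):
            paths[key] = value
    return paths


def parse_compatibility_ini(text: str) -> Dict[str, str]:
    """Plain key=value parser (configparser would lower-case the keys)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith(("[", "#", ";")):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def summarize(state: str, torrc: str, compat: str) -> Dict[str, object]:
    """Combine the three files into the facts an examiner wants to report."""
    torrc_paths = parse_torrc_paths(torrc)
    ini = parse_compatibility_ini(compat)
    all_paths = list(torrc_paths.values()) + [
        v for k, v in ini.items() if k in ("LastPlatformDir", "LastAppDir")
    ]
    platform_dir = ini.get("LastPlatformDir", "")
    return {
        "last_written_utc": parse_state_last_written(state),
        "firefox_version": ini.get("LastVersion", "").split("_", 1)[0],
        # LastPlatformDir is '<root>\Browser', so its parent is the bundle root
        "tor_browser_root": ntpath.dirname(platform_dir) if platform_dir else None,
        "drive_letters": {p[0].upper() for p in all_paths},
        "torrc_paths": torrc_paths,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATE, SAMPLE_TORRC, SAMPLE_COMPATIBILITY_INI).items():
        print(f"{key}: {value}")
```

A drive letter other than the system drive (as in the sample, D:) is worth reporting on its own: it means the bundle was run from removable or secondary storage that may not be in the image at all.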
OS ARTIFACTS ANALYSIS
• Evidence of Tor usage can be found (mainly) in:
  • Prefetch file TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf
  • Prefetch file TOR.EXE-<PATH-HASH>.pf
  • Prefetch file FIREFOX.EXE-<PATH-HASH>.pf
  • Prefetch file START TOR BROWSER.EXE-<PATH-HASH>.pf (old versions < 4.0.2)
  • NTUSER.DAT registry hive → UserAssist key
  • Windows Search database
  • Thumbnail cache
• <PATH-HASH> is computed from the full path of the executable, so a bundle that was moved or copied leaves a second prefetch file; prefetching can also be disabled (by policy or on some SSD systems), so check the EnablePrefetcher setting before drawing conclusions from its absence
PREFETCH FILES
• We can recover:
  • First execution date (creation time of the .pf file)
  • Last execution date
  • In Windows 8/8.1 → the last 8 execution dates
  • Number of executions
  • Execution path
  • Install date (from the Tor Browser installer prefetch file)
  • Tor Browser version (from the name of the Tor Browser installer prefetch file)
• The Prefetch folder holds at most 128 files on Windows 7 (1024 on Windows 8 and later), so older entries are evicted over time
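As an added example (not code from the original slides), here is a header-only parser for the two uncompressed prefetch formats the talk covers, Windows 7 (format version 23) and Windows 8/8.1 (version 26): it reads the executable name, the path hash that forms the file name, the run count, and the one (Windows 7) or up to eight (Windows 8) last-run timestamps. The field offsets are the documented ones for those versions; Windows 10 prefetch files are compressed (MAM header) and are rejected rather than mis-parsed. The sample files are built in code, so the values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SIGNATURE = b"SCCA"
# format version -> (offset of the last-run FILETIME(s), how many, offset of the run count)
LAYOUT = {
    23: (0x80, 1, 0x98),  # Windows 7
    26: (0x80, 8, 0xD0),  # Windows 8 / 8.1: the eight most recent runs, newest first
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data: bytes) -> Dict[str, object]:
    """Header-only parse: executable name, hash, run count and last run time(s)."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ prefetch files are compressed (MAM header): decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    ts_offset, ts_count, count_offset = LAYOUT[version]
    # 60-byte UTF-16LE field, NUL terminated
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_runs: List[datetime] = []
    for i in range(ts_count):
        ft = struct.unpack_from("<Q", data, ts_offset + 8 * i)[0]
        if ft:  # unused slots are zero
            last_runs.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, count_offset)[0]
    return {
        "version": version,
        "executable": name,
        "path_hash": path_hash,
        "expected_file_name": f"{name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_runs": last_runs,
    }


def build_sample(version: int, name: str, run_times: List[datetime],
                 run_count: int, path_hash: int) -> bytes:
    """Constructed sample: only the header fields this parser reads are filled in."""
    ts_offset, ts_count, count_offset = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    for i, dt in enumerate(run_times[:ts_count]):
        struct.pack_into("<Q", buf, ts_offset + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, count_offset, run_count)
    return bytes(buf)


RUN_TIMES = [  # constructed, newest first as Windows 8 stores them
    datetime(2015, 4, 16, 21, 17, 0, tzinfo=timezone.utc),
    datetime(2015, 4, 15, 9, 3, 30, tzinfo=timezone.utc),
    datetime(2015, 4, 12, 18, 45, 5, tzinfo=timezone.utc),
]
SAMPLE_WIN7 = build_sample(23, "TOR.EXE", RUN_TIMES, 3, 0x1A2B3C4D)
SAMPLE_WIN81 = build_sample(26, "TOR.EXE", RUN_TIMES, 3, 0x1A2B3C4D)

if __name__ == "__main__":
    for blob in (SAMPLE_WIN7, SAMPLE_WIN81):
        print(parse_prefetch(blob))
```

Compare the parsed executable name and hash with the actual file name on disk: a mismatch means the .pf file was renamed or copied, which is itself a finding. The execution path is not in the header; it comes from the volume and file-reference sections that follow it.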
USER ASSIST
• We can recover:
  • Last execution date
  • Number of executions
  • Execution path (the value names are ROT13-encoded)
• By analyzing the different copies of NTUSER.DAT available from the Volume Shadow Copies (VSS) we can reconstruct the number and the times of the executions within a period of interest
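The decoding described above, as an added example that is not part of the original slides: it de-obfuscates a UserAssist value name (ROT13, including the known-folder GUID that replaces the path prefix), parses the 72-byte Windows 7+ Count value (run count at offset 4, last-run FILETIME at offset 60), and diffs the same entry across successive NTUSER.DAT copies to count the runs in each interval. The registry value and the snapshot labels are constructed; reading the hive itself (for example with python-registry) is left out.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

USERASSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # subkey holding program executions
# KNOWNFOLDERID values that replace the path prefix inside value names
KNOWN_FOLDERS = {
    "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}": "%Desktop%",
    "{5E6C858F-0E22-4760-9AFE-EA3317B67173}": "%UserProfile%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%System32%",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%Windows%",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name: str) -> str:
    """Value names are ROT13-obfuscated, GUID included."""
    plain = codecs.decode(name, "rot_13")
    for guid, label in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return label + plain[len(guid):]
    return plain


def parse_count_value(data: bytes) -> Dict[str, object]:
    """Windows 7+ layout: 72 bytes, run count at +4, focus count at +8,
    focus time (ms) at +12, last-run FILETIME at +60."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)} (Windows 7+ uses 72)")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    ft = struct.unpack_from("<Q", data, 60)[0]
    last_run = FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_seconds": focus_ms / 1000, "last_run": last_run}


def parse_entry(value_name: str, data: bytes) -> Dict[str, object]:
    entry = parse_count_value(data)
    entry["path"] = decode_value_name(value_name)
    return entry


def runs_between_snapshots(snapshots: List[Tuple[str, Dict[str, object]]]) -> List[Tuple[str, str, int]]:
    """Same entry read from successive NTUSER.DAT copies (oldest first, e.g. VSS
    snapshots then the live hive): how many executions fall in each interval."""
    return [(older_label, newer_label, newer["run_count"] - older["run_count"])
            for (older_label, older), (newer_label, newer) in zip(snapshots, snapshots[1:])]


# --- constructed sample value, as it would be read from the hive ---
def build_count_value(run_count: int, focus_count: int, focus_ms: int,
                      last_run: Optional[datetime]) -> bytes:
    buf = bytearray(72)
    struct.pack_into("<4I", buf, 0, 0, run_count, focus_count, focus_ms)
    if last_run:
        d = last_run - FILETIME_EPOCH
        struct.pack_into("<Q", buf, 60, (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)
    return bytes(buf)


SAMPLE_NAME = codecs.encode(r"{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Tor Browser\Browser\firefox.exe", "rot_13")
SAMPLE_DATA = build_count_value(3, 3, 181_000, datetime(2015, 4, 16, 21, 14, 0, tzinfo=timezone.utc))
SNAPSHOTS = [
    ("VSS 2015-04-13", parse_entry(SAMPLE_NAME, build_count_value(
        1, 1, 40_000, datetime(2015, 4, 12, 18, 45, 5, tzinfo=timezone.utc)))),
    ("live NTUSER.DAT", parse_entry(SAMPLE_NAME, SAMPLE_DATA)),
]

if __name__ == "__main__":
    print(parse_entry(SAMPLE_NAME, SAMPLE_DATA))
    print(runs_between_snapshots(SNAPSHOTS))
```

The run count only increments for launches through Explorer (double-click, Start menu, shortcut); a process started from a command prompt or by another program leaves no UserAssist trace, which is one reason to cross-check it against the prefetch count.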
OTHER ARTIFACTS ON THE HARD DRIVE
Other files noted:
• Thumbnail cache: contains the Tor Browser icon
• Windows Search database: paths of the Tor Browser files and folders
BROWSING ACTIVITIES
Evidence of browsing activities can be found in:
• Bookmarks (places.sqlite database)
• pagefile.sys
• Memory dump / hiberfil.sys
BOOKMARKS
User-saved bookmarks (screenshot in the original slide): they are stored in places.sqlite, table moz_bookmarks joined to moz_places, and moz_bookmarks.dateAdded gives the time each one was saved (microseconds since the Unix epoch)
PAGEFILE.SYS
Information about visited websites: search for the keyword HTTP-memory-only-PB
HTTP-MEMORY-ONLY-PB
• The cache session name used by Mozilla Firefox for Private Browsing: cache entries are kept in memory only and never written to the on-disk cache, so they can be paged or hibernated to disk but not found in the cache folder
• Tor Browser uses the Private Browsing feature of Mozilla Firefox
• But Tor Browser typically uses an older Firefox version, based on Firefox ESR
• To determine whether the browsing activity was made with a plain Mozilla Firefox or with Tor Browser:
  • Check whether Firefox is installed
  • If it is installed, verify its actual version
PAGEFILE.SYS - EXAMPLE
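The keyword search described above, as an added example (not code from the original slides): it scans a pagefile, hiberfil or memory image for the Private Browsing cache-session marker in both ASCII and UTF-16LE, carves the URL that follows each hit, and keeps the offset so the hit can be located again in the image. The sample "pagefile" bytes are constructed for the example; the assumption that the URL follows the marker after a short separator matches what the slides report (URLs preceded by the string), but check a few hits by hand in a hex viewer before relying on the carved list.

```python
import re
from typing import Dict, List

# Firefox's cache-session name for Private Browsing entries; Tor Browser 4.x
# (Firefox ESR 31) keeps them in memory only, so they surface in pagefile.sys,
# hiberfil.sys and memory dumps rather than in the on-disk cache.
MARKER = "HTTP-memory-only-PB"
# skip a short separator (non-greedy), then take the printable run that is the URL
URL_AFTER_MARKER = re.compile(r".{0,16}?(https?://[\x21-\x7e]+)", re.S)


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def carve_private_browsing_urls(blob: bytes, window: int = 2048) -> List[Dict[str, object]]:
    """Every ASCII or UTF-16LE occurrence of the marker (case-insensitive,
    since some search tools upper-case their hits) and the URL that follows it."""
    hits: List[Dict[str, object]] = []
    for encoding, marker in (("ascii", MARKER.encode("ascii")), ("utf-16-le", _utf16(MARKER))):
        for m in re.finditer(re.escape(marker), blob, re.I):
            tail = blob[m.end():m.end() + window]
            if encoding == "ascii":
                text = tail.decode("latin-1")                 # byte-for-byte, never fails
            else:
                text = tail.decode("utf-16-le", errors="ignore")
            u = URL_AFTER_MARKER.match(text)
            if u:
                hits.append({"offset": m.start(), "encoding": encoding, "url": u.group(1)})
    return sorted(hits, key=lambda h: h["offset"])


def hits_for_host(hits: List[Dict[str, object]], host: str) -> List[Dict[str, object]]:
    """Narrow the carved list to the site under investigation."""
    return [h for h in hits if host.lower() in str(h["url"]).lower()]


# Constructed sample image: two ASCII hits, one UTF-16LE hit, one decoy that is a
# normal (non-Private-Browsing) cache key and must not be carved.
SAMPLE_PAGEFILE = (
    b"\x00" * 64
    + b"HTTP-memory-only-PB:http://www.blognameblabla.com/wp-admin/\x00\x00"
    + bytes(range(256))                                              # unrelated binary noise
    + b"HTTP:http://www.example.com/normal-cache-entry/\x00"         # on-disk cache key: ignored
    + _utf16("HTTP-memory-only-PB:http://www.blognameblabla.com/wp-admin/post.php?post=42&action=edit")
    + b"\x00\x00"
    + b"\xff" * 32
    + b"http-memory-only-pb:https://check.torproject.org/\x00"       # lower-cased copy of the marker
)

if __name__ == "__main__":
    for hit in carve_private_browsing_urls(SAMPLE_PAGEFILE):
        print(f"{hit['offset']:#010x} {hit['encoding']:9s} {hit['url']}")
```

Run it against the raw pagefile.sys or hiberfil.sys extracted from the image (they are locked on a live system), and against the memory dump; the marker alone proves Private Browsing use, and the installed-Firefox check from the slide decides whether that was Tor Browser.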
ANALYSIS METHODOLOGY
Prefetch files
• Install date
• First execution date
• Last execution date(s)
• Number of executions
• Tor Browser version
NTUSER.DAT → UserAssist key
• Execution path
• Last execution date
• Total number of executions
• Verify the history of executions through the Volume Shadow Copies
Other possible artifacts
• Thumbnail cache
• Windows Search database
Tor Browser files
• state
• torrc
• compatibility.ini
• extensions.ini
• places.sqlite [bookmarks]
pagefile.sys (keyword search)
• HTTP-memory-only-PB
• torproject
• tor
• torrc
• geoip
• torbutton
• tor-launcher
hiberfil.sys
• Convert to a memory dump (e.g. with the Volatility imagecopy plugin)
• Analyze with Volatility
• Keyword search
REAL CASE
• We indexed the hard drive and searched for the blog URL
• We found some interesting URLs in the pagefile indicating access to the blog admin page (http://www.blognameblabla.com/wp-admin/)
• All the URLs were preceded by the string HTTP-MEMORY-ONLY-PB, and Firefox is not installed on the laptop
• We found that Tor Browser had been downloaded with Google Chrome on the night the file was published on the blog
• By analyzing the OS artifacts we found that it was installed and executed only once, 3 minutes before the publication date and time on the blog
ACTIVE RESEARCH
• Memory dump analysis with Volatility and Rekall
  • Can we find any temporal reference for browsing activities?
  • Can we correlate Tor Browser cache entries with files carved from pagefile/hiberfil/memory dump?
• Tor Browser on Mac OS X
• Tor Browser on Linux
• Orbot on Android
Q&A?
Mattia Epifani
• Digital Forensics Analyst
• CEO @ REALITY NET – System Solutions
• GCFA, GMOB, GNFA, GREM
• CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
Mail mattia.epifani@realitynet.it
Twitter @mattiaep
Linkedin http://www.linkedin.com/in/mattiaepifani
Web http://www.realitynet.it
Blog http://blog.digital-forensics.it
http://mattiaep.blogspot.it

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (8)

Linux Fundamental
Linux FundamentalLinux Fundamental
Linux Fundamental
 
Android Presentation
Android Presentation Android Presentation
Android Presentation
 
Pentesting drivenbyfoca slides
Pentesting drivenbyfoca slidesPentesting drivenbyfoca slides
Pentesting drivenbyfoca slides
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Free Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFSFree Space Management, Efficiency & Performance, Recovery and NFS
Free Space Management, Efficiency & Performance, Recovery and NFS
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
 
Schizophrenic files
Schizophrenic filesSchizophrenic files
Schizophrenic files
 
Basics of-linux
Basics of-linuxBasics of-linux
Basics of-linux
 

Ähnlich wie deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Windows OS

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? panagenda
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsFrank Victory
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To UnixCTIN
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libinlibinp
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxalanfhall8953
 

Ähnlich wie deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Windows OS (20)

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year? BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
BP301: Q: What’s Your Second Most Valuable Asset and Nearly Doubles Every Year?
 
Linux
LinuxLinux
Linux
 
Kealy OWASP interactive_artifacts
Kealy OWASP interactive_artifactsKealy OWASP interactive_artifacts
Kealy OWASP interactive_artifacts
 
14(1) 005
14(1) 00514(1) 005
14(1) 005
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To Unix
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libin
 
Browsers
BrowsersBrowsers
Browsers
 
Browsers
BrowsersBrowsers
Browsers
 
Web Browsers
 Web Browsers Web Browsers
Web Browsers
 
What Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docxWhat Are You Looking ForThe variety of operating systems, appli.docx
What Are You Looking ForThe variety of operating systems, appli.docx
 

Mehr von Deft Association

deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...
deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...
deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...Deft Association
 
deftcon 2015 - Stefano Mele - La cyber-security nel 2020
deftcon 2015 - Stefano Mele - La cyber-security nel 2020deftcon 2015 - Stefano Mele - La cyber-security nel 2020
deftcon 2015 - Stefano Mele - La cyber-security nel 2020Deft Association
 
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...Deft Association
 
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoringdeftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic MonitoringDeft Association
 
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Tools
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Toolsdeftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Tools
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT ToolsDeft Association
 
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...Deft Association
 
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...Deft Association
 
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto Deft
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto DeftDeftcon 2014 - Stefano Fratepietro - Stato del Progetto Deft
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto DeftDeft Association
 
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin Skype
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin SkypeDeftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin Skype
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin SkypeDeft Association
 
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei Crimini
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei CriminiDeftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei Crimini
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei CriminiDeft Association
 
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2Deft Association
 
Deftcon 2012 - Meo Bogliolo - SQLite Forensics
Deftcon 2012 - Meo Bogliolo - SQLite ForensicsDeftcon 2012 - Meo Bogliolo - SQLite Forensics
Deftcon 2012 - Meo Bogliolo - SQLite ForensicsDeft Association
 
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT Linux
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT LinuxDeftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT Linux
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT LinuxDeft Association
 
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi Android
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi AndroidDeftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi Android
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi AndroidDeft Association
 
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 Manual
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 ManualPaolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 Manual
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 ManualDeft Association
 
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7Deft Association
 
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...Deft Association
 
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...Deft Association
 
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...Deft Association
 

Mehr von Deft Association (20)

Deft - Botconf 2017
Deft - Botconf 2017Deft - Botconf 2017
Deft - Botconf 2017
 
deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...
deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...
deftcon 2015 - Giuseppe Serafini - PCI - DSS Forensics - Soggetti, strumenti ...
 
deftcon 2015 - Stefano Mele - La cyber-security nel 2020
deftcon 2015 - Stefano Mele - La cyber-security nel 2020deftcon 2015 - Stefano Mele - La cyber-security nel 2020
deftcon 2015 - Stefano Mele - La cyber-security nel 2020
 
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...
deftcon 2015 - Paolo Dal Checco - Riciclaggio e Anti riciclaggio nell’era del...
 
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoringdeftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
 
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Tools
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Toolsdeftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Tools
deftcon 2015 - Nino Vincenzo Verde - European Antitrust Forensic IT Tools
 
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...
deftcon 2015 - Stefano Capaccioli - Riciclaggio e Antiriciclaggio nell’era de...
 
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...
deftcon 2014 - Pasquale Stirparo e Marco Carlo Spada - Electronic Evidence Gu...
 
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto Deft
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto DeftDeftcon 2014 - Stefano Fratepietro - Stato del Progetto Deft
Deftcon 2014 - Stefano Fratepietro - Stato del Progetto Deft
 
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin Skype
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin SkypeDeftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin Skype
Deftcon 2013 - Nicodemo Gawronski - iPBA 2.0 - Plugin Skype
 
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei Crimini
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei CriminiDeftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei Crimini
Deftcon 2013 - Giuseppe Vaciago - Osint e prevenzione dei Crimini
 
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2
Deftcon 2013 - Mario Piccinelli - iPBA 2 - iPhone Backup Analyzer 2
 
Deftcon 2012 - Meo Bogliolo - SQLite Forensics
Deftcon 2012 - Meo Bogliolo - SQLite ForensicsDeftcon 2012 - Meo Bogliolo - SQLite Forensics
Deftcon 2012 - Meo Bogliolo - SQLite Forensics
 
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT Linux
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT LinuxDeftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT Linux
Deftcon 2012 - Marco Giorgi - Acquisizione di memorie di massa con DEFT Linux
 
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi Android
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi AndroidDeftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi Android
Deftcon 2014 - Marco Giorgi - Metodologie di Acquisizione di Dispositivi Android
 
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 Manual
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 ManualPaolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 Manual
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - DEFT 7 Manual
 
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7
Paolo Dal Checco, Alessandro Rossetti, Stefano Fratepietro - Manuale DEFT 7
 
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...
Deftcon 2014 - Marco Albanese - Andlink: Un’applicazione a supporto per le at...
 
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...
deftcon 2014 - Federico Grattirio - TIMESHARK: Uno strumento per la visualizz...
 
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...
Deftcon 2014 - Stefano Zanero - Comprehensive Black-box Methodology for Testi...
 

Kürzlich hochgeladen

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Kürzlich hochgeladen (20)

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
deftcon 2015 - Epifani, Picasso, Scarito, Meda - Tor Browser forensics on Windows OS

PREFETCH FILES
• We can recover:
   • First execution date (the .pf file creation time)
   • Last execution date
   • In Windows 8/8.1 → the last 8 executions
   • Number of executions
   • Execution path
   • Install date (from the TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf prefetch file)
   • Tor Browser version (from the TORBROWSERINSTALL-<VERSION>-<PATH-HASH>.pf prefetch file)
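The fields listed above live at fixed offsets in the .pf header. The Python parser below is an added example, not code from the authors or from any prefetch tool: it reads the executable name, the path hash (which together give the TOR.EXE-<PATH-HASH>.pf file name), the run count and the run time(s) from Windows 7 (format version 23, one time) and Windows 8/8.1 (format version 26, eight times) files, and refuses the MAM-compressed Windows 10 variant. The sample file it parses is constructed in `build_sample_prefetch()` with invented dates and hash, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    if ft == 0:
        return None
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, integer arithmetic only (used to build the sample)."""
    delta = dt - _EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Absolute file offsets of the fields we care about, by prefetch format version.
# 23 = Windows Vista/7 (one last-run time), 26 = Windows 8/8.1 (eight last-run times,
# most recent first). Windows 10 (version 30) files are additionally MAM-compressed.
_LAYOUT = {
    23: {"run_times": 0x80, "n_times": 1, "run_count": 0x98},
    26: {"run_times": 0x80, "n_times": 8, "run_count": 0xD0},
}


def parse_prefetch(data: bytes) -> dict:
    """Extract executable name, path hash, run count and run times from a .pf file."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file: decompress (Xpress Huffman) first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = _LAYOUT[version]

    # Executable name: 60-byte UTF-16LE field at offset 16, NUL terminated.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]

    run_times = []
    for i in range(layout["n_times"]):
        ft = struct.unpack_from("<Q", data, layout["run_times"] + 8 * i)[0]
        dt = filetime_to_datetime(ft)
        if dt is not None:          # unused slots are zero-filled
            run_times.append(dt)
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]

    return {
        "version": version,
        "executable": exe_name,
        "path_hash": path_hash,
        # Name the file carries on disk, e.g. TOR.EXE-1A2B3C4D.pf
        "prefetch_name": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_run_times": run_times,   # index 0 is the most recent execution
    }


def build_sample_prefetch() -> bytes:
    """Constructed Windows 8.1 (version 26) prefetch header for TOR.EXE with three recorded runs.
    All values are invented for this example and are not taken from a real system."""
    buf = bytearray(0x134)  # header (84 bytes) + version-26 file-information block
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))
    name = "TOR.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)   # invented path hash
    runs = [
        datetime(2015, 4, 14, 21, 3, 0, tzinfo=timezone.utc),   # most recent
        datetime(2015, 4, 12, 19, 30, 15, tzinfo=timezone.utc),
        datetime(2015, 4, 10, 8, 45, 0, tzinfo=timezone.utc),
    ]
    for i, dt in enumerate(runs):
        struct.pack_into("<Q", buf, 0x80 + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, 0xD0, len(runs))
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

The first-execution date is not stored inside the file; take it from the .pf file's creation timestamp in the file system, and cross-check the run count against the UserAssist counter for the same executable.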
USER ASSIST
• We can recover:
   • Last execution date
   • Number of executions
   • Execution path
• By analyzing the various NTUSER.DAT copies kept in the Volume Shadow Copies (VSS) we can identify the number and time of executions in a period of interest
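The UserAssist values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count store the program path ROT13-encoded in the value name and the counters in a binary blob. The Python code below is an added example, not the authors' code: it decodes one value (Windows 7+ 72-byte layout, with the 16-byte Windows XP layout as a fallback) and then shows the VSS trick from the slide, diffing the run counter across snapshots of NTUSER.DAT to count executions per interval. The registry values and snapshot times are constructed in `sample_snapshots()` with invented data.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subkeys of ...\Explorer\UserAssist\<GUID>\Count on Windows 7 and later
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # programs run directly
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # programs run via .lnk


def filetime_to_datetime(ft: int):
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(value_name: str, value_data: bytes) -> dict:
    """Decode one UserAssist value: ROT13 name plus the binary run counter."""
    path = codecs.decode(value_name, "rot_13")
    if len(value_data) >= 72:
        # Windows 7+: session(4) run_count(4) focus_count(4) focus_time_ms(4)
        # ten floats(40) unknown(4) last_run FILETIME(8) unknown(4)
        run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
        last_run = filetime_to_datetime(struct.unpack_from("<Q", value_data, 60)[0])
    elif len(value_data) == 16:
        # Windows XP: session(4) run_count(4, stored with an offset of 5) last_run FILETIME(8)
        raw_count = struct.unpack_from("<I", value_data, 4)[0]
        run_count = max(raw_count - 5, 0)
        focus_count = focus_ms = None
        last_run = filetime_to_datetime(struct.unpack_from("<Q", value_data, 8)[0])
    else:
        raise ValueError(f"unexpected UserAssist value length {len(value_data)}")
    return {"path": path, "run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_run": last_run}


def executions_between_snapshots(snapshots):
    """snapshots: (snapshot_time, decoded_record) pairs for the same value, taken from
    successive NTUSER.DAT copies in the Volume Shadow Copies, oldest first.
    Returns how many runs happened in each interval and the last run time seen in it."""
    out = []
    for (t0, r0), (t1, r1) in zip(snapshots, snapshots[1:]):
        runs = r1["run_count"] - r0["run_count"]
        out.append({"from": t0, "to": t1, "runs": runs,
                    "last_run_in_interval": r1["last_run"] if runs > 0 else None})
    return out


def build_sample_value(path: str, run_count: int, last_run: datetime):
    """Constructed Windows 7+ UserAssist value (name, data) for the example; invented data."""
    name = codecs.encode(path, "rot_13")
    delta = last_run - _EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, run_count, run_count, 1500)
    struct.pack_into("<Q", data, 60, ft)
    return name, bytes(data)


def sample_snapshots():
    """Three constructed VSS snapshots of the same UserAssist value (invented dates)."""
    path = "D:\\Tor Browser\\Browser\\firefox.exe"
    utc = timezone.utc
    older = datetime(2015, 4, 9, 18, 12, tzinfo=utc)
    newer = datetime(2015, 4, 14, 21, 6, tzinfo=utc)
    return [
        (datetime(2015, 4, 10, 2, 0, tzinfo=utc), decode_userassist(*build_sample_value(path, 2, older))),
        (datetime(2015, 4, 13, 2, 0, tzinfo=utc), decode_userassist(*build_sample_value(path, 2, older))),
        (datetime(2015, 4, 16, 2, 0, tzinfo=utc), decode_userassist(*build_sample_value(path, 5, newer))),
    ]


if __name__ == "__main__":
    for interval in executions_between_snapshots(sample_snapshots()):
        print(interval)
```

Only the most recent run time survives in each snapshot, so the diff tells you how many executions fell in an interval but, beyond the last one, not when; pair it with the prefetch run times (up to eight on Windows 8/8.1) to place the others.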
OTHER ARTIFACTS ON THE HARD DRIVE
• Thumbnail Cache: it contains the Tor Browser icon
• Windows Search Database: Tor Browser file and folder paths
BROWSING ACTIVITIES
• Evidence of browsing activities can be found in:
   • Bookmarks (places.sqlite database)
   • Pagefile.sys
   • Memory dump / Hiberfil.sys
PAGEFILE.SYS
• Information about visited websites
• Search for the keyword HTTP-memory-only-PB
HTTP-MEMORY-ONLY-PB
• The name Mozilla Firefox gives to the in-memory cache session used in Private Browsing mode (cache data is kept in memory only and not written to the hard drive), so it tags the cache entries of private sessions
• Tor Browser uses the Private Browsing feature of Mozilla Firefox
• But Tor Browser typically uses an older Firefox version, based on Firefox ESR
• To distinguish whether the browsing activity was made with Mozilla Firefox or with Tor Browser:
   • Check if Firefox is installed
   • If it is installed, verify its actual version (Tor Browser ships its own, usually older, ESR build)
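The keyword search on pagefile.sys described above can be automated. The Python code below is an added example, not the authors' tooling: it locates every HTTP-memory-only-PB marker in a raw blob, carves URL strings found within a window around it in both ASCII and UTF-16LE (Firefox keeps many strings in both encodings), and separately reports offsets of the Tor-specific keywords listed on the methodology slide (Tor itself is omitted as too generic). The input is a constructed fragment built in `build_sample_pagefile()`, with an invented blog host, not a real pagefile.

```python
import re

MARKER = b"HTTP-memory-only-PB"
# Tor-specific keywords from the methodology slide, lower-cased for a case-insensitive scan
TOR_INDICATORS = [b"torproject", b"torrc", b"geoip", b"torbutton", b"tor-launcher"]

_URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
# Same pattern for UTF-16LE copies: every ASCII character is followed by a NUL byte
_URL_WIDE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def carve_private_browsing_urls(blob: bytes, window: int = 256):
    """For every HTTP-memory-only-PB marker, collect the URL strings found within
    `window` bytes of it, decoded from ASCII and from UTF-16LE."""
    hits = []
    for m in re.finditer(re.escape(MARKER), blob):
        lo, hi = max(0, m.start() - window), m.end() + window
        chunk = blob[lo:hi]
        urls = {u.decode("ascii") for u in _URL_ASCII.findall(chunk)}
        urls |= {u.decode("utf-16-le") for u in _URL_WIDE.findall(chunk)}
        hits.append({"offset": m.start(), "urls": sorted(urls)})
    return hits


def tor_indicator_offsets(blob: bytes):
    """Offsets of each Tor-specific keyword (case-insensitive, ASCII encoding only)."""
    lowered = blob.lower()
    return {kw.decode(): [m.start() for m in re.finditer(re.escape(kw), lowered)]
            for kw in TOR_INDICATORS}


def build_sample_pagefile() -> bytes:
    """Constructed pagefile fragment for the example: invented content, not a real dump.
    Filler is a byte ramp that contains no URL or keyword."""
    filler = bytes(range(256)) * 2
    wide_url = "https://blog.example.com/wp-admin/post.php?action=edit".encode("utf-16-le")
    return (
        filler
        + b"\x00" * 8 + MARKER + b"\x00" * 4 + b"http://blog.example.com/wp-admin/" + b"\x00" * 8
        + filler
        + MARKER + b"\x00" * 4 + wide_url + b"\x00" * 8
        + filler
        + b"C:\\Tor Browser\\Browser\\TorBrowser\\Data\\Tor\\torrc\x00" + b"TorButton\x00"
        + filler
    )


if __name__ == "__main__":
    sample = build_sample_pagefile()
    for hit in carve_private_browsing_urls(sample):
        print(hex(hit["offset"]), hit["urls"])
    print(tor_indicator_offsets(sample))
```

On a real image, run it over pagefile.sys, hiberfil.sys (after conversion) and the memory dump alike; a hit next to the marker proves a private-browsing fetch but carries no timestamp, which is why the slides fall back on prefetch and UserAssist for the timeline.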
ANALYSIS METHODOLOGY
• Prefetch files
   • Install date
   • First execution date
   • Last execution date(s)
   • Number of executions
   • Tor Browser version
• NTUSER.DAT → UserAssist key
   • Execution path
   • Last execution date
   • Total number of executions
   • Verify the history of execution through the Volume Shadow Copies
• Other possible artifacts
   • Thumbnail Cache
   • Windows Search Database
• Tor Browser files
   • state
   • torrc
   • compatibility.ini
   • extensions.ini
   • places.sqlite [Bookmarks]
• Pagefile.sys (keyword search)
   • HTTP-memory-only-PB
   • Torproject
   • Tor
   • Torrc
   • Geoip
   • Torbutton
   • Tor-launcher
• Hiberfil.sys
   • Convert to a memory dump
   • Analyze through Volatility
   • Keyword search
REAL CASE
• We indexed the hard drive and searched for the blog URL
• We found some interesting URLs in the pagefile, indicating access to the blog admin page (http://www.blognameblabla.com/wp-admin/)
REAL CASE
• All the URLs were preceded by the string HTTP-memory-only-PB, and Firefox is not installed on the laptop
• We found that Tor Browser was downloaded with Google Chrome on the night the file was published on the blog
• By analyzing the OS artifacts we found that it was installed and executed only once, 3 minutes before the publish date and time on the blog
ACTIVE RESEARCH
• Memory dump with Volatility and Rekall
   • Can we find any temporal reference for browsing activities?
   • Can we correlate Tor Browser cache entries to carved files from pagefile/hiberfil/memory dump?
• Tor Browser on Mac OS X
• Tor Browser on Linux
• Orbot on Android
Q&A?
Mattia Epifani
• Digital Forensics Analyst
• CEO @ REALITY NET – System Solutions
• GCFA, GMOB, GNFA, GREM
• CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
Mail: mattia.epifani@realitynet.it
Twitter: @mattiaep
LinkedIn: http://www.linkedin.com/in/mattiaepifani
Web: http://www.realitynet.it
Blog: http://blog.digital-forensics.it / http://mattiaep.blogspot.it