Browser Breadcrumbs: Private Browsing Footprints Tell Their Tales

Malik Girondin 10/01/2025

Digital forensics is a niche field within cybersecurity, and its subfield, “Browser Forensics,” is less known. Despite that, it is a crucial skill as it can provide abundant information to investigators.

Whether you are using a mobile or desktop device, accessing the Internet is a frequent activity, and the browser is the gateway to websites (e.g., Google Chrome, Edge, Internet Explorer, and Mozilla Firefox). Reviewing browser activity can reveal potential insider threats, employer policy breaches, or illegal activity. Knowing this, what if the user tries to “hide” their trail with private browsing? Can we still recover their activity?

The Privacy Illusion

“Privacy is an illusion if you're typing something into a computer connected to anything other than itself.” This was a comment I read a few days ago in a cybersecurity forum. The basis was that our online actions and the information we share on platforms can easily be tracked and compiled. Achieving true privacy is difficult because of companies' extensive data collection practices and the interconnected nature of the Internet. Whichever side of this argument you take, as investigators, we can use these breadcrumbs to build a tale for our case. Let’s talk about private browsing in the next section.

Private Browsing Artifacts: Firefox

Most Chromium-based browsers and Firefox have robust private browsing options. Focusing on Firefox (for the sake of the demo below), Private Browsing “does not save your browsing information, such as history and cookies, and leaves no trace after you end the session,” according to Mozilla’s Firefox Support article. In practice, this means there will be little to no private browsing artifacts on disk for these browsers (aside from the hiberfil.sys and pagefile.sys files). Instead, all artifacts are kept in memory, which will be your best bet for piecing private browsing sessions together.

  • Hiberfil.sys is located in the root folder of the drive where the operating system is installed (%SystemRoot% or C). When the system is put into hibernation, this file stores a snapshot of the system’s RAM: a complete copy matching the installed RAM size.
  • Pagefile.sys is located in the root folder of the drive where the operating system is installed (%SystemRoot% or C). When physical RAM fills up, this file serves as virtual memory for the excess. For example, if you have 1GB of RAM and want to use 2GB as your memory, Windows will create 1GB of virtual memory on your hard disk.

Pagefile.sys and Swapfile.sys on the C Drive

(My hiberfil.sys is not visible because this new VM has not hibernated. If you can’t view the other files, click “File,” then “Change folder and search options,” click “View,” then uncheck “Hide protected operating system files (Recommended).” If you still can’t view them, click the “View” tab and check “Hidden items.”)

Investigating Private Browsing: Tor

The Tor Browser is a modified version of Firefox. All browsing activity takes place in “Private Browsing” mode, leaving very limited disk-based remnants. Everything in this browser happens in memory, leaving investigators to focus on the core artifacts: RAM dumps, the pagefile, and the hibernation file.

In our demo below, we are going to prove Tor’s use on the suspect laptop and examine its memory. Let’s get started!

Extraction and Digital Triage

The computer in question is allegedly running Tor to visit illegal sites. I have captured not only the memory dump (~2GB) but also the KAPE output. Here is my previous blog on gathering those artifacts in detail: Forensics 101: Live Acquisition USB and Digital Triaging with Kape.

Triaged Artifacts from Suspect’s Computer

Now that we have the artifacts, let's analyze them.

Execution and Installation Analysis

Once we find Tor present and running on the system, we can then move to memory analysis for more artifacts. After parsing the $MFT and utilizing Timeline Explorer, I found this piece of evidence:

$MFT Output | Tor.exe

My blog, Time Travel with Timeline Explorer: Exposing Insider Threats, discusses this step in more detail. But as you see, there is proof of installation. Tor creates a self-contained folder structure that can be placed anywhere, in this case, here: .\Users\Test\Desktop\Tor Browser\Browser\TorBrowser\Tor. Let’s look at operating system artifacts like Prefetch:

$MFT Output | Tor Installation

As you can see, this artifact proves the execution of a program, often including run count and start time. The Tor installation program was run at 2025-01-08 18:51:22, and the actual program was launched two minutes later, at 2025-01-08 18:53:22. Let’s transition toward the resource stats for the Tor program.

Resource Usage Analysis

The System Resource Utilization Monitor (SRUM) is an operating system artifact that tracks application usage, network utilization, and system energy use. We already have enough information on Tor’s execution and installation, but let’s consider its resource utilization.

Tor’s Resource Utilization via SRUM

Lines 954, 956, and 957 are related to Tor. I am more focused on the latter two because the first one is the installer. You can see the two programs transferring a considerable number of bytes.

Tor’s Resource Utilization via SRUM Pt. 2

I noticed something while looking around Timeline Explorer: if you look at the Network Connections output, you will find two instances with the interface type IF_TYPE_PROP_VIRTUAL, which is associated with virtual private networks (VPNs).

Suspect Computer’s Network Connection via SRUM

After loading the clean SYSTEM and SOFTWARE hives into Registry Explorer, I found this under the NetworkSetup2 key: the use of Windscribe, a VPN software. It also has a type of 53, which, according to Microsoft, corresponds to a VPN adapter.

NetworkSetup2 Key via Registry Explorer

VPN Adapters Value | Microsoft Documentation

The NetworkList key provides another good view of this adapter. Judging from my findings, this VPN was run before Tor. Whether to do so is often debated among professionals: Tor with a VPN vs. Tor without a VPN. Let’s move on to the next section.

Known Networks Key via Registry Explorer

Memory Analysis

Memory analysis examines a computer’s RAM to extract information, in this case, browser activity. Let’s run the command python3 vol.py -f /mnt/c/Cases/memdump.raw windows.pslist. This lists the processes that were running on the computer at the time of acquisition.

Memory Process List via Volatility

So the user used the Microsoft Edge browser roughly thirty minutes before Tor. You also see many instances of “firefox.exe.” Remember: Tor is just a modified version of Firefox. Although it is out of scope, we can quickly examine the user’s activity in the Microsoft Edge browser using the tools Hindsight and EZViewer. Running the command C:\Tools\hindsight>python hindsight.py -i "F:\Targets\Private Browser\KAPE Collect\C\Users\Test\AppData\Local\Microsoft\Edge\User Data\Default" -o test_case against the user’s Edge data, I was presented with an output file (test_case.xlsx), which I will view in EZViewer.

Microsoft Edge Activity via Hindsight

As you can see, the user “Test” downloaded both Tor Browser and Windscribe via Edge, with many search queries covering VPNs and one on searching the dark web. Let’s get back to our memory analysis.

I ran the following command: python3 vol.py -f /mnt/c/Cases/memdump.raw windows.netscan. Forgive me for the cluttered output, but if you look closely at the active connections, you can spot Tor nodes (relays that anonymize web traffic):

  • Connected to 204[.]10[.]194[.]74:443 (ESTABLISHED)
  • Connected to 46[.]226[.]111[.]65:9001 (ESTABLISHED)

Tor.exe’s Active Network Connections via Volatility

A file was downloaded during the Tor browser activity. It has a Zone.Identifier value of 3, which means it was downloaded from the Internet… but via what browser? We checked Microsoft Edge’s downloads and did not spot the “Transaction_Log 098.pdf” file. Given the name, did the user make a purchase? At this point, we don’t know.

$MFT Output | Transaction_Log 098.pdf

Zone Identifier 3 for Transaction_Log 098.pdf
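The Zone.Identifier stream mentioned above is a small INI-style alternate data stream, and alongside ZoneId, browsers such as Edge, Chrome and Firefox commonly record ReferrerUrl and HostUrl in it. As an added example (not code from the original post), this parser maps ZoneId to its zone name and pulls out those URL fields, which can tie a download to a .onion host even when no browser history survives on disk. The ADS contents and the onion address are constructed samples, not values from the case.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# URLZONE ids written by the Attachment Execution Service (Mark-of-the-Web).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(ads_text: str) -> Dict[str, Optional[object]]:
    """Parse the INI-style text of a file's Zone.Identifier alternate data stream."""
    fields, section = {}, None
    for raw in ads_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_raw = fields.get("zoneid", "")
    zone_id = int(zone_raw) if zone_raw.isdigit() else None
    host_url = fields.get("hosturl")
    host = urlsplit(host_url).hostname if host_url else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": fields.get("referrerurl"),
        "host_url": host_url,
        # A .onion HostUrl ties the download to the Tor network even when no
        # browser history survives on disk.
        "downloaded_via_onion": bool(host and host.endswith(".onion")),
    }


# Constructed ADS contents (the onion address is a placeholder, not a real service).
ONION_HOST = "example" * 8 + ".onion"
TOR_DOWNLOAD_ADS = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    f"ReferrerUrl=http://{ONION_HOST}/forum/\r\n"
    f"HostUrl=http://{ONION_HOST}/dl/Transaction_Log%20098.pdf\r\n"
)
MINIMAL_ADS = "[ZoneTransfer]\r\nZoneId=3\r\n"  # browser recorded no URLs

if __name__ == "__main__":
    for ads in (TOR_DOWNLOAD_ADS, MINIMAL_ADS):
        print(parse_zone_identifier(ads))
```

On a live or mounted volume the stream is read as `path\file.pdf:Zone.Identifier` (in PowerShell, `Get-Content -Stream Zone.Identifier`), and its text can be passed straight to parse_zone_identifier.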

Let’s filter for “HTTP” and/or “.onion” in the output of the strings command run against the memory dump. The reasoning for the “.onion” filter is that this is the special top-level domain used for websites accessible only through the Tor network: any address that ends in “.onion” is a Tor site. With that said, I found this.

Strings on “.onion” via Linux CLI
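The strings-and-grep step above is easy to script, with one caveat a practitioner should know: plain strings only finds ASCII, while Windows browsers keep many of their strings in memory as UTF-16LE (the equivalent of also running strings -el). As an added example (not code from the original post), this carver scans a memory image for .onion URLs in both encodings, validates the v2/v3 onion address shape, and reports the byte offset of each hit. The sample dump and onion address are constructed, not from the case.

```python
import re
import sys
from typing import List, Tuple

# Onion hosts: v3 services use 56 base32 chars, the retired v2 form used 16.
# The lookbehind/lookahead keep us from matching a slice of a longer base32 blob.
ONION_RE = re.compile(
    rb"(?:https?://)?(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?![a-z0-9])"
)
# Best-effort URL tail (port, path, query) made of printable ASCII.
TAIL_RE = re.compile(rb"[:/][\x21-\x7e]*")


def _url_at(stream: bytes, m) -> str:
    tail = TAIL_RE.match(stream, m.end())
    return (m.group(0) + (tail.group(0) if tail else b"")).decode("ascii")


def carve_onion_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, encoding, url) hits for .onion URLs in a memory image."""
    hits = []
    for m in ONION_RE.finditer(data):  # ASCII / UTF-8 strings
        hits.append((m.start(), "ascii", _url_at(data, m)))
    # UTF-16LE: ASCII code points occupy every other byte with 0x00 in between,
    # so scan both de-interleaved byte streams and map offsets back to the image.
    for parity in (0, 1):
        stream = data[parity::2]
        for m in ONION_RE.finditer(stream):
            start, end = 2 * m.start() + parity, 2 * m.end() + parity
            if any(data[start + 1:end:2]):  # interleaved bytes must all be NUL
                continue
            hits.append((start, "utf-16le", _url_at(stream, m)))
    return sorted(hits)


# Constructed sample "dump" (placeholder onion address, not a real service).
ONION_V3 = "example" * 8 + ".onion"
SAMPLE_DUMP = (
    b"\xff\xfe\x00junk" + f"http://{ONION_V3}/forum/login.php".encode() + b"\x00"
    + b"https://www.mozilla.org/\x00 aaaaaaaaaaaaaaaa.onionx\x00!"
    + f"http://{ONION_V3}/dl/Transaction_Log%20098.pdf".encode("utf-16-le")
    + b"\x00\x00tail"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for offset, enc, url in carve_onion_urls(data):
        print(f"0x{offset:08x}  {enc:8}  {url}")
```

Run it with the path to memdump.raw as the only argument to carve the real image; without an argument it runs over the constructed sample.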

This validates that the file originated on the dark web. We now have evidence of Tor use and of access to a Tor site. Let’s examine the site to see if it's illegal; just because it's on Tor does not mean it's bad.

Examining the Suspicious Tor Site

If you want a course that explains the dark web and how you can safely access it, check out our FREE Introduction to Dark Web Operations course. Using the onion link from the memory dump, I was able to access the Tor site, which appears to be a “Dark Forum” site.

Dark Forum: Home Page via Tor Browser

Dark Forum: Login Page via Tor Browser

Logging into the site was rather difficult, but I managed to filter the memory for any strings related to logins and found this:

Strings Search for Logins via Linux CLI

Strings Search for Logins via Linux CLI Pt. 2

I decoded the Base64-encoded password using CyberChef and got this:

Base64 Decoded via CyberChef

I was able to log into the site, but the contents are too disturbing to share on this blog. That concludes our investigation. It was a wild run, from analyzing a user who used a browser to download the Tor browser, to that browser giving them access to a harmful site. The evidence presented is more than enough to confirm suspicious browsing activity, and with the help of memory forensics, we could dive deeper into the user’s activity on Tor. What a tale!

Introduction to Vulpine

To tackle a unique browser forensics case, look at our Blue Team Labs Online (BTLO) platform. We have a lab called Vulpine, an adjective meaning crafty or cunning. In this scenario, you are investigating an employee at the company Pawsome Pet Supplies Inc. The user has been flagged for erratic behavior and strange activity on Firefox, a browser the company does not use. Tools similar to those shown in this blog will be available in this lab, alongside BrowserHistoryView and DB Browser (SQLite).

About SBT

Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.

About Malik Girondin


Malik has experience in both technical and educational roles within cybersecurity, and is here to share his knowledge on both! The areas he writes on are career advice and mentorship.