Aveneu Park, Starling, Australia

The an investigation that may rely on

The research paper topic
I am pursuing is focused on the Tor browser. I will be conducting literary research
and analyze forensic techniques used to gather information from the browser. My
literary research will start with some real-world cases and events concerning
the Tor browser, one of which is the recent “Playpen” case. This will help shed
some light on current privacy issues as well as real world situations of how
Tor is being used. I will then switch over to vulnerabilities in the network,
and forensic artifacts that can be uncovered on the local machine. The main
goal for this paper is to shine some light on Tor’s real-world applications and
provide a pathway for others to follow when conducting an investigation that
may rely on the information that could be recovered from this program.


We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

            What is Tor? This is a question that many non-technical
users may ask when they first learn about the browser’s existence. The simple
answer is that Tor is a tool used to browse the internet without worry of being
tracked. A more technical answer is that Tor is an anonymizing browser that
sends your internet traffic through thousands of different relays from
volunteers around the world on an overlay network. This essentially makes it
impossible for anyone to track your location or internet usage, hiding things
such as your website visits, posts, or even communications.                                                                                                                                  Tor uses a
technique called Onion routing. This service originally began in the 1990s as a
military project funded by DARPA (Defense Advanced Research Projects Agency) at
the U.S. Naval Research Labs. The employees that developed the project included
David Goldschlag, Michael Reed, and Paul Syverson. Their goal was to create a
technique that could protect the United States’ intelligence communications.
The technique was patented in 1998, and in 2002, The most well-known
implementation of the technique, Tor, was created. It wasn’t until 2006 that
Tor became a non-profit organization. Onion routing is explained very well by
Wikipedia in the following quote,

            “Onion routing is implemented by encryption in the
application layer of a communication             protocol
stack, nested like the layers of an onion. Tor encrypts the data, including the
       next node destination IP address,
multiple times and sends it through a virtual circuit             comprising successive, random-selection Tor relays. Each
relay decrypts a layer of encryption to
reveal the next relay in the circuit to pass the remaining encrypted data on             to it. The final relay decrypts the
innermost layer of encryption and sends the original             data to its destination without revealing or knowing the
source IP address. Because the     routing
of the communication is partly concealed at every hop in the Tor circuit, this             method eliminates any single point
at which the communicating peers can be determined through network surveillance that relies upon knowing its source and

Figure 1

            Figure 1 above shows this process. We see how the Source
of the message sends the data to router A, which decrypts a layer with only
enough information to know where to send the message next, and where it came
from. The process continues with router B, and again with Router C, where the
last of the decryption is removed and sent to the actual destination. What
makes it so difficult to track, is the fact that you never know which chain in
the sequence of nodes a message is at. Router B knows that the message came
from the location of router A, and is going to the location of router C. Router
B does not, however, know whether the location at router C is the actual end
location, or if it is just another node in the sequence. The same can be said
for knowing whether router A is the origin of a message source in respect to
router B, or just another node. There are a few flaws and exploits to this
process that will be explainable further in the paper.

1 – Case Analysis

            After seeing how the Tor browser works, it is easy to see
why many criminals resort to it for their illegal actions. Using Tor does not make
it impossible for these criminals to be caught though, as was seen in a recent
case and investigation conducted by the FBI.                                  In
August of 2014, Steven Chase of Florida created ‘Playpen’, one of the largest
child pornography websites in the world. He created his website on the Tor
network, where thousands of members could post and view pictures and videos of
young children. The FBI could not do much at the time due to the nature of the
Tor network and how it worked. That was until December of 2014 when Steven
Chase accidentally revealed the IP address for Playpen. The FBI was made aware
of this slip-up and seized a copy of the website, used search warrants for
email accounts and eventually found out that Chase was the creator of the
website. Steven was sentenced to 30 years in prison, and two of the
administrators for the website were each given 20-year sentences. This only
marked the beginning of the FBI’s investigation into the website.

            After Chase was arrested, the FBI gained approval from a
federal court to use an NIT, otherwise known as a Network Investigative
Technique. The FBI essentially seized the server running Playpen in February of
2015 and allowed it to run from the period of February 20th to March
4th. While the website ran on the Tor network, The FBI was able to use
its NIT to infect computers accessing the site with Malware, which led to them
being able to gather 1300 IP addresses. The FBI then used these IP addresses to
identify members of the website, and subsequently charge them with various
crimes concerning child pornography. The chart below from the FBI’s website
shows just how broad the investigation was and how many people were affected.

Image source: https://www.fbi.gov/news/stories/playpen-creator-sentenced-to-30-years

            Not everyone was happy with the way the FBI handled this
case though. Many saw it as an extreme overreach by the government using
illegal surveillance practices. Jay Michaud was one of the many members who was
charged for accessing the website. He was arrested in July of 2015. His Lawyer
asked the judge in the case to have the DOJ release the exploit that was used
to identify his client as one of the perpetrators. The defendant is allowed
this right through the discovery process of a case. Mozilla also appeared in a
brief requesting the exploit as well, as it was their browser that Tor
optimizes for its services. The FBI claimed to have used a vulnerability in
Mozilla’s source code, so Mozilla believed they should have the right to know
what that vulnerability is and patch it. 

            The FBI and DOJ claimed there was a need to keep the
details of the tool secret, as the knowledge of it could jeopardize other cases
they may have been working on. The judge ultimately ruled that the government
had a right to keep the details of the tool secret, but in doing so, could not
use the evidence gathered with it to convict the defendant in trial. Without
the details of the tool, the defendant could not be shown to without a
reasonable doubt have committed the crime. The DOJ is now looking to have a
dismissal without prejudice, which would allow them to bring new charges against
Michaud if in they are in a position in the future to release the details of
the tool.

            This ruling not only jeopardizes the further use of this
tool to implicate other criminals for illegal actions, but also risks the
release of others charged in this case. The judge is creating a precedent for
other courts to look at when deciding what is required to convict an individual
that was caught using this exploit in the Tor browser. It is now a catch 22 in
which many criminals may walk free until the DOJ and FBI decides to release the
information requested of them. If the details of the NIT are as important to
current cases being investigated as they are made out to be, then it may be
many years before they are finally released.

            There are also many privacy concerns for law-abiding
citizens who volunteer nodes for Tor. On March 30th, 2016, the
Seattle police came to David Robinson’s home early in the morning. He allowed
them to come into his house and provided them with all the passwords to his
computers as they requested.

            David had been running a Tor exit relay out of his apartment
closet, which was the primary reason the police showed up in the first place.
Although this is not illegal, police had a good reason which allowed them to
procure a warrant to search his home and computers. Police had tracked a child
pornography image to David’s IP address, most likely unbeknownst to David
himself. In an article by Martin Kaste on NPR, David Explains that “Traffic
passes through my computers and I don’t know what it is, It’s much like the
post office or the telephone company. Anybody can use it. Bad guys can also use

            The warrant the police had would have allowed them to
seize all of David’s computers, but they instead offered to perform the
investigation at his home and allow him to keep all his devices if he provided
the passwords. After the police completed their search, they made good on their
word and left the computers there.

            Robinson felt as if the police had gone too far though,
as one of the detectives at the scene asked if he wanted to see the image, and
did not seem to understand how Tor worked. He explained that volunteers for the
Tor network can’t actually see the contents of what passes through their node.
Once the data leaves the exit node, no trace or piece is left behind. He felt
as if the police believed he was just as responsible for the image coming through
his node as the person who sent it.

            The spokesman for the Seattle police, Sean Whitcomb,
stated that the department understands how Tor works, and they understood that
David was hosting a node in his apartment. He states in the National Public
Radio article, “Knowing that, moving in, it doesn’t automatically preclude
the idea that the people running Tor are not also involved in child porn, it
does offer a plausible alibi, but it’s still something that we need to check

            One fact that goes against David is hosting the exit node
from his own house. Though there is no way for him to know what traffic is
running through his node, he still invites skepticism for simply having it so
close in proximity and maintaining immediate control of the relay. This leaves
a large gray area in deciding what the privacy expectations are and how the
police should handle investigations involving the Tor network.

             In this case, only
David’s node was investigated by the police. What happens if that one photo of
child pornography traveled through tens of hundreds of nodes? Many other
parcels of information do travel through as many. Do the police obtain warrants
for every single location that houses one of the many relays? Wouldn’t the
police need this information in building an actual path from the source of the
image to the destination? If even one link of the chain is missing, this could
lead to doubt in the courtroom and even losing a case due to reasonable doubt.

            The police give no information on how the image was
tracked to David’s address, or even if they knew for sure that David’s node was
the last in the chain. Many see this as an extreme overreach by the police, as
there was no real evidence to indicate that David had any part in the crime or
even that the image would still have data left on his node. Many may be afraid
to challenge this authority though, as fighting law enforcement on the
boundaries of legality often ends up being very costly and difficult to do.  

            In looking for better privacy protection and easier
methods for hosting a relay, some consider renting space from an internet
service company to avoid having personal traffic on their computers mixing with
that of Tor. This would serve as a form of protection against unwanted police
searches into Tor nodes that may not end anytime soon. David does not believe
he should have to conform to this costly method and does not agree with the
methods the police use in their investigations.

            The Seattle police department claim that they have no
issues with individuals that host the nodes for Tor. The network can certainly
create many barriers for investigators that run into it though. As frustrating
as it can be to try and work around those barriers, there is also something to
be said for the criminals that use it. Many trust the network so much, that
they can unknowingly fall into many sting operations conducted by law
enforcement and government organizations. This closely relates to the previous
case with the FBI utilizing exploits and vulnerabilities in the network to
locate hundreds of criminals that certainly thought they were safe on the
anonymizing browser.

2– Tor Forensics: Network

            There are two different forms of evidence that can be
gathered through the Tor network. While some artifacts can be located on the
network, others can be located locally on the machine that a user accesses the
Tor browser from. In this section, I will be discussing some of the
vulnerabilities and artifacts that can be located through the network. Two main
weaknesses that we will be looking at include timing analysis and exit node

            Tor is touted for its ability to completely anonymize
traffic and connections to other computers through its series of nodes. In
contrast, the system of ordinary connections to the internet that a user
without Tor would utilize is very easily trackable. Regular ISPs (Internet
Service Providers) are known to keep track of connections between computers and
keep them in a log. When a user first logs on to their computer and uses a
browser to open a website, they may notice the letters HTTPS preceding the
internet address they are accessing. The letters stand for Hyper Text Transfer
Protocol Secure. This is considered the “secure” version of HTTP, the protocol
in which data is transferred between the website you are accessing and your
internet browser. HTTPS secures this data by encrypting it, and ensuring that
personal data such as your usernames, passwords, or instant messages are unable
to be tracked or seen by individuals that may attempt to track your network
traffic. There is one tidbit of information that is kept in a record though,
and that is the connection to the website, the time that you were connected,
and the size of the data that was transferred between the website and browser.

            While Tor can obfuscate these records, and eliminate a
clear and direct connection between a single person and a website through their
use of nodes, they cannot hide the records of the connections between the nodes
themselves. This is where timeline analysis, sometimes known as traffic
analysis, comes into play. Vitaly Shmatikov and Ming-Hsiu Wang describe this
technique in their book, Timing Analysis
in Low-Latency Mix Networks: Attacks and Defenses, as the following.

            “Traffic analysis searches those records of connections
made by a potential originator and            tries
to match timing and data transfers to connections made to a potential
recipient. For           example, a person
may be seen to have transferred exactly 51 kilobytes of data to an   unknown computer just three seconds before a
different unknown computer transferred      exactly
51 kilobytes of data to a particular website.”

            Following this method of analysis, investigators could piece
together the individual node connections that the Tor browser uses in any
specific data transfer and create a timeline of events. This would provide a
map from the destination website where data was transferred, directly back to
the source. While this method may seem very straightforward, there are some
instances in which it would not be fruitful. A new form of onion routing called
garlic routing is beginning to take some of the spotlight. In this new
networking structure, garlic routing will encrypt multiple messages from
different senders together from node to node. This will make it almost
impossible to track a single file transfer back to a specific source.  

            A more promising method for cracking the Tor network’s
anonymity is through exit node vulnerability. This involves compromising an
exit node and using it to seize raw data that is being transferred through it.
The reason this works is because an exit node is the last link of the chain in
a message or piece of data’s path to its recipient. As stated earlier in this
paper, the exit nodes job is to decrypt the last layer of security from a
message before it delivers it to its destination. In doing this, the exit node
has direct control of a completely unencrypted message before it is delivered.
If the node is compromised, a skilled individual could seize the raw data that
was being transferred.

            Dan Egerstad, a Swedish security consultant, used this
method successfully and obtained at least 100 passwords and email addresses for
different foreign embassies. He claims to have come across this information
accidentally, which seems to make sense considering an exit node for any
individual transfer is chosen randomly by the Tor network. This would make it
very difficult to attempt to target a specific connection or source to steal
data from. If law enforcement agencies ran their own nodes and collected mass
amounts of data, it would be next to impossible to properly document every
transfer to locate criminals. It is certainly a method that should be considered
further though, as there may be different workarounds to creating a process
that only dumps information concerning certain keywords or imagery.

2– Tor Forensics: Local Computer

            In this section, the forensics done on the actual
computer using the Tor browser will be explored. While Tor is known for its
ability to hide the user’s information and location, there is still a useful
cache of information that can be located on the user’s computer. It may prove challenging
to locate at first, but knowing where to look and what tools to use can prove
fruitful in any investigation.

            The investigation I will use to talk about the different
attainable artifacts was conducted by John Doe on Dataforensics.org. The user
performed the following actions on a computer.

website http://www.dropbox.com
was opened and then closed.
user signed into Gmail and then closed the window.
User opened an image on a website and then closed it.

the user performed these actions, he created a memory dump specifically of the
Tor Browser. The last Tor execution date can be located in the registry as well
as the state file with the path Tor BrowserBrowser TorBrowserDataTor.

Image source: http://www.dataforensics.org/tor-browser-forensics/


            A hex editor was then used to open the memory dump and
look through the information

obtained. The screenshots
below show the information that could be located based on the previous actions
taken by the user.

Image source: http://www.dataforensics.org/tor-browser-forensics/

image above shows the website that the user visited in the Tor browser.

Image source: http://www.dataforensics.org/tor-browser-forensics/

This image shows the username used on
Gmail.com in the Tor browser.

Image source: http://www.dataforensics.org/tor-browser-forensics/

This image shows information
on the content of one of the Gmail messages.

Image source: http://www.dataforensics.org/tor-browser-forensics/

This is the image was
opened on a website through the Tor browser and could be extracted.

            The user concluded the investigation, noting that while
the Tor network focuses on its user’s privacy over the network, many artifacts
could still be located on the local machine using an application specific
memory dump. The only information that could not be obtained was the user’s
password for the Gmail account, which seemed to be cleared from memory.


is easy to see why so many law enforcement and government agencies are
interested in tor forensics. It is the cloak of countless criminals and
emboldens them to take risks they might not otherwise. As previous cases have
shown though, Tor is not impenetrable. Vulnerabilities inherent in the
network’s structure make it easy for an experienced and technically
knowledgeable individual to utilize.

            Along with the current methods for obtaining information
from Tor comes a plethora of advances designed to crack down on these
vulnerabilities. Timeline analysis is now being combated with Garlic routing,
and exit node vulnerability is becoming a thing of the past due to secure
end-to-end connections which include SSL and S-HTTP. If End-to-end encryption
is being used by the source and the destination, then no node in the chain has
the ability to view the contents of the message.

            If new advancements such as these continue to be
developed, the law enforcement community will have a great deal of trouble
figuring out new ways to collect evidence and catch criminals. Cyber-Security
and Digital Forensic experts both new and old will need an increased amount of
schooling and training to keep on top of new technologies and trends. Without
it, they may very well get left behind in this new age of cyberspace. 


I'm Simon!

Would you like to get a custom essay? How about receiving a customized one?

Check it out