I am working on a case involving Yahoo messenger. I received an IP login history for the account in question from Yahoo which shows the IP address for each time the person logged on. All seemed well as I confirmed the location of the IP addresses to be from the city the account holder lives in until the time frames in which the illegal activity was most active on the computer (CP).
During that time frame the IP addresses hop all over the world, Kuwait, Egypt, Germany, Venezuela, etc. Some multiple logins in one day would show vast differences in the IP locations. I used ARIN, APNIC, LACNIC, etc., to track these IP addresses.
A friend suggested that an onion router such as TOR was in use. I'd never heard of these so checked into it and it seems logical that this is the cause of the different IP addresses (besides the account holder having his account compromised and in use all over the world, unlikely).
So I tried looking for any programs or other artifacts that may indicate the use of something like TOR but am coming up empty. I was hoping to get some help here.
Background on me: a whopping 7 months' experience in the field. Been to BDRA and IDRA. I used EnCase primarily, but am starting FTK.
Your help is appreciated.
Greetings,
I've not investigated a system that might have used TOR but if I was presented with this situation, I'd build a VM using the same OS as the suspect's system, add some monitoring tools to it, and then use TOR to access some of the sites the suspect went to. You'd want to track registry, file system, and memory changes.
Now, take a snapshot of the system and see what artifacts appeared on the system.
-David
1. Identify OS partition
2. Locate program files folder
3. Look for tor programs
4. Check install date and prefetch data.
Build likely hypothesis.
You mention that you've looked for programs of interest, have you checked the registry and prefetch cache for remnants? Have you checked every EXE on the disk and done searches in unallocated for exes? (if you need a good keyword use "this program cannot be run in dos mode").
You might find fragments of certificates scattered around the disk as well. The last job I did with TOR had loads, and while I never made the link or mentioned them in my evidence, I was pretty sure that there was a causal link.
Check the internet history as well for proxies, for example hidemyass.com.
Thanks for the replies. I'll get to work on those soon. Checking each EXE seems simple enough. However, not knowing every possible file that belongs to a TOR type program will be a pitfall. I'm still learning about Prefetch data, so I have some research to do in this area, but from what little I have read, it sounds like a goldmine for good data.
Not sure if I have the tools to create a VM, but will have to look around. I have recently assumed control of a lab that was run by one guy for the last 10 years, so there's a lot of programs to go through. Doesn't EnCase do this internally?
Thanks for the tips. Keep 'em coming.
Connecting to Tor is one thing, but my understanding of it is that you still need to browse it as normal once you're connected. This is normally through a copy of Firefox Portable in my experience - which you can use to look for internet artefacts as normal.
Get yourself a copy of "Malware Analyst's CookBook". They have a great write up in this book in Chapter 1. It deals specifically with TOR.
Again, thanks for the tips. To try and help you help me, let me give a bit more info about my suspicions in this case. It's still an ongoing investigation so I don't know how much I should reveal. But I suspect this person was using Yahoo Messenger to trade CP images; part of my suspicion is based on the registry keys for his profile in Yahoo Messenger which point to the location for files to DL which contain all the CP (there is A LOT). Granted this location is rather generic, no other program I was able to find appeared to use this same path as a location for storing images. Additionally his avatar for Yahoo messenger was CP, and it appears the history for his avatar shows previous CP images as well.
This is what led me to getting his Yahoo messenger logon information (IP addresses), which led me to the TOR possibility.
Additionally in the few times I had to talk with him he claims to have given all his doper friends his profile password (for the computer) which makes it hard for me to say HE was the one who knowingly possessed the CP. I've verified other people used the computer under his account and there are even other profiles in Yahoo messenger under his computer profile to support this. So I feel much of my case hinges on being able to prove how the CP got there, which, as I stated, I believe was through his Yahoo messenger account (which he has not said he shared with anyone).
So how does TOR come into play (if at all)? If he was using TOR and then logging in to Yahoo Messenger I feel it shows that he was trying to prevent his IP from being traced back to him.
There's a bit more to it than that, so I hope this is not too fragmented to give you a better picture. Please let me know if I can provide any more info to help you see where I may start looking for more TOR artifacts… I will review the tips you have already given me.
If you have a list of IP addresses that were used from around the world and you want to prove Tor was in use, then maybe you can match the IP addresses against some public lists of known TOR addresses.
For example maybe this list?
http//
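One way to carry out the matching suggested above, as an added example that is not code from any poster in this thread. The login export and the relay list below are both constructed sample data; a real check would load the provider's IP history and an archived relay list for the same dates, because the relay population changes daily and a match against a list from the wrong month proves little. The script therefore matches by address and by date window, and flags logins that fall just outside a relay's observed window as "possible" rather than as a definite match.

```python
"""Match an IP login history against a dated list of known Tor relay addresses.

Added example for this thread, not any poster's code.  LOGIN_HISTORY and
KNOWN_TOR_RELAYS are constructed sample data (RFC 5737 documentation ranges)."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: (timestamp, ip) rows as a provider export might list them.
LOGIN_HISTORY = [
    ("2010-03-01 08:12:00", "198.51.100.23"),
    ("2010-03-05 21:40:00", "203.0.113.77"),
    ("2010-03-05 22:05:00", "192.0.2.10"),
    ("2010-03-06 01:15:00", "203.0.113.200"),
    ("2010-03-09 19:30:00", "198.51.100.23"),
]

# Constructed sample: relay IP with the first and last date it appeared in an
# archived relay list.  The third entry starts the day after the login that
# used it, which is the "list snapshot does not line up" case.
KNOWN_TOR_RELAYS = [
    ("203.0.113.77", "2010-03-01", "2010-03-31"),
    ("192.0.2.10", "2010-02-20", "2010-03-05"),
    ("203.0.113.200", "2010-03-07", "2010-03-20"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def build_relay_index(rows):
    """Map relay address -> list of (first_seen, last_seen_exclusive) windows.
    ipaddress normalises the text so IPv4 and IPv6 compare reliably."""
    index = {}
    for ip, first, last in rows:
        addr = ipaddress.ip_address(ip)
        index.setdefault(addr, []).append((_day(first), _day(last) + timedelta(days=1)))
    return index


def classify_login(ts, ip, index, slack=timedelta(days=2)):
    """'tor-relay' if the login falls inside a window in which the address was a
    known relay, 'possible-relay' if it falls within `slack` of such a window
    (relay lists are periodic snapshots), otherwise 'no-match'."""
    addr = ipaddress.ip_address(ip)
    verdict = "no-match"
    for first, last in index.get(addr, []):
        if first <= ts < last:
            return "tor-relay"
        if first - slack <= ts < last + slack:
            verdict = "possible-relay"
    return verdict


def classify_history(history, relays, slack=timedelta(days=2)):
    index = build_relay_index(relays)
    return [(ts, ip, classify_login(_ts(ts), ip, index, slack)) for ts, ip in history]


def summarize(results):
    """Count logins per verdict so the report can state how much of the
    history is explained by relay addresses."""
    counts = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = classify_history(LOGIN_HISTORY, KNOWN_TOR_RELAYS)
    for ts, ip, verdict in results:
        print(f"{ts}  {ip:15}  {verdict}")
    print(summarize(results))
```

A relay address that only ever acted as a middle node would not appear as the source of a Yahoo login, so the useful list is one of exit relays; the script does not distinguish the two because the constructed rows carry no relay flags.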
Have you considered connecting to these IP addresses, possibly with a Tor client and fingerprint them? (9001, 9030, 443, 80…) You may discover that Tor is still running, which would be a pretty strong evidence for your activity list.
Might be a bit late to help in your case, but following on from the suggestion of Kovar above we have done a tutorial on looking for Tor artifacts in Windows.
http//
Turns out that there are 3 components in Tor: Polipo, Vidalia and Tor itself. The act of installing and uninstalling them leaves a lot of registry and file system artifacts sitting around. Whole folders in /Program Files in fact.
Tor basically doesn't uninstall itself very cleanly. So unless the suspect made a special effort to manually clean things up, it should be fairly straightforward to detect that it was used on the machine.
Note however that there are other ways Tor can be used without installing it (e.g. from USB, or via a self booting solution). So consider those possibilities as well.
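The file-system side of the procedure given earlier in the thread (locate the Program Files folders, look for Tor programs, check install dates and Prefetch) and the component names just listed (Tor, Vidalia, Polipo) can be combined into a single scan of a mounted image. The script below is an added example, not code from any poster or from the Tor project. It walks the Program Files and Windows\Prefetch locations under an image root, matches component names as whole words so that folders like TortoiseSVN or a Prefetch entry for editor.exe are not reported, and records the timestamps the file system still carries. The image tree it scans is constructed in a temporary directory so the example runs offline; point scan_image at a real mount point instead.

```python
"""Scan a mounted Windows image for Tor-related program folders and Prefetch entries.

Added example for this thread, not any poster's or the Tor project's code.
build_sample_image() creates a constructed stand-in for a mounted image."""
import os
import re
import tempfile
from datetime import datetime

# Component names from the thread, matched as whole words: "TortoiseSVN" and
# "EDITOR.EXE" contain the letters "tor" but are not hits.
COMPONENT_RE = re.compile(r"\b(tor|vidalia|polipo)\b", re.IGNORECASE)
PROGRAM_DIRS = ("Program Files", "Program Files (x86)")
PREFETCH_DIR = os.path.join("Windows", "Prefetch")
# Prefetch names have the form EXENAME.EXE-XXXXXXXX.pf (8-hex-digit path hash).
PREFETCH_RE = re.compile(r"^(?P<exe>.+?)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def _components(name):
    return sorted({m.lower() for m in COMPONENT_RE.findall(name)})


def _mtime(path):
    return datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds")


def scan_program_folders(root):
    """Top-level folders under Program Files whose names reference a component.
    The folder's modification time is a starting point for the install date."""
    hits = []
    for pd in PROGRAM_DIRS:
        base = os.path.join(root, pd)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            path = os.path.join(base, entry)
            comps = _components(entry)
            if comps and os.path.isdir(path):
                hits.append({"folder": entry, "components": comps, "modified": _mtime(path)})
    return hits


def scan_prefetch(root):
    """Prefetch entries for component executables.  A .pf file shows the
    program was run, not merely installed.  The file's mtime is only a rough
    proxy for the last run; the precise last-run time is stored inside the .pf."""
    hits = []
    base = os.path.join(root, PREFETCH_DIR)
    if not os.path.isdir(base):
        return hits
    for entry in sorted(os.listdir(base)):
        m = PREFETCH_RE.match(entry)
        if not m:
            continue
        comps = _components(m.group("exe"))
        if comps:
            hits.append({"prefetch": entry, "executable": m.group("exe").upper(),
                         "components": comps, "modified": _mtime(os.path.join(base, entry))})
    return hits


def scan_image(root):
    return {"program_folders": scan_program_folders(root), "prefetch": scan_prefetch(root)}


def build_sample_image():
    """Constructed image tree with the components plus distractor names."""
    root = tempfile.mkdtemp(prefix="img_")
    for d in ("Program Files/Vidalia Bundle", "Program Files/Polipo",
              "Program Files/TortoiseSVN", "Program Files (x86)/Tor Browser",
              "Windows/Prefetch"):
        os.makedirs(os.path.join(root, *d.split("/")))
    for pf in ("TOR.EXE-0F1E2D3C.pf", "VIDALIA.EXE-AABBCCDD.pf",
               "EDITOR.EXE-12345678.pf", "NOTEPAD.EXE-ABCDEF01.pf"):
        with open(os.path.join(root, PREFETCH_DIR, pf), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder body; only the name is inspected
    return root


if __name__ == "__main__":
    image_root = build_sample_image()
    for kind, hits in scan_image(image_root).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

The scan covers only what the thread describes as file-system residue; registry remnants, certificate fragments in unallocated space, and the portable or USB-based usage mentioned above leave nothing under Program Files and need separate checks.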