
TOR Artifacts

17 Posts
11 Users
0 Reactions
2,378 Views
(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
 

Not sure if I have the tools to create a VM, but will have to look around. I have recently assumed control of a lab that was run by one guy for the last 10 years, so there's a lot of programs to go through. Doesn't EnCase do this internally?

Thanks for the tips. Keep em coming.

For your VM query…

Download and install LiveView 0.7b (http://liveview.sourceforge.net/), obtain VM Workstation (trialware will do for 30 days), then:

1. Try running LiveView 0.7b (on first install it will prompt you to install some added VM stuff and maybe .NET or Java updates; eventually LiveView will load and you are ready to rock n roll).
2. Close LiveView (now you know it works).
3. Mount the E01 image with FTK 3 as a physical device.
4. Open LiveView (again) and point it at the mounted physical drive and create the VM.
5. Once created you can run it in VMware (not too much success with Win7 as it tends to BSOD, anyone know of fixes?).

Now you can run the OS in GUI and do your searching/tests.


joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
 

mount the E01 image with FTK 3 as a physical device, open LiveView (again) and point it at the mounted physical drive and create the VM, once created you can run it in VMWare (not too much success with Win7 as tends to BSOD, anyone know of fixes?)

That is because of new security features introduced in NT 6.x. See my doc at VMTN for the VMware fix: http://communities.vmware.com/docs/DOC-10455
Of course don't use the original hack, for numerous reasons.


(@stegil)
New Member
Joined: 15 years ago
Posts: 2
 

Hi,

I have used TOR for just such a purpose in the course of an investigation.
Almost impossible to trace. And it doesn't have to be installed on a computer. I use the LiveCD and no traces can be had on the computer.

However, "Passmark" had a very good suggestion.

Posted: Wed Jul 27, 2011 7:23 am    Post subject: Re: TOR Artifacts
If you have a list of IP addresses that were used from around the world and you want to prove Tor was in use, then maybe you can match the IP addresses against some public lists of known TOR addresses,

For example maybe this list?
proxy.org/tor.shtml

To add to that, if you have access to the subject's firewall, check the logs to see if those IPs match the TOR list.

good luck
Stegil


Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Yet another thought. My 2nd one for today :-)

There are Windows event log entries when software is installed.

Application Log Events
#11707 - Product installed

It is unlikely these would have been cleaned up if Tor was installed then cleaned.


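One way to check the Application log for the install records Passmark describes, as an added example that is not code from the thread or from any of the tools mentioned in it: it reads the XML that Event Viewer writes with "Save All Events As... (XML)", keeps only MsiInstaller records with Event ID 11707 (the "Installation completed successfully" event named above) and its removal counterpart 11724 ("Removal completed successfully"), and reports products that were installed and later removed. The sample export, product names and timestamps below are constructed; only the XML elements the code reads are modelled.

```python
"""Pull MsiInstaller install/removal records out of an exported Windows
Application event log and list products that were installed, then removed.

Added example, not code from the thread. Assumptions:
- Input is Event Viewer's "Save All Events As... (XML)" output; only the
  elements read below are modelled, and SAMPLE_EXPORT is constructed.
- Event ID 11707 = MsiInstaller "Installation completed successfully" (as named
  in the post); 11724 = MsiInstaller "Removal completed successfully".
- Product names and timestamps are made up.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
INSTALLED, REMOVED = 11707, 11724
PRODUCT_RE = re.compile(r"Product: (.+?) -- ")

# Constructed sample export: three MsiInstaller records and one unrelated event.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>11707</EventID>
    <TimeCreated SystemTime="2011-01-05T09:12:40.000Z"/></System>
  <EventData><Data>Product: Placeholder Office Suite -- Installation completed successfully.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>11707</EventID>
    <TimeCreated SystemTime="2011-02-10T14:03:22.000Z"/></System>
  <EventData><Data>Product: Placeholder Anonymizer Bundle -- Installation completed successfully.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Application Error"/><EventID>1000</EventID>
    <TimeCreated SystemTime="2011-02-11T08:00:00.000Z"/></System>
  <EventData><Data>Faulting application placeholder.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID>11724</EventID>
    <TimeCreated SystemTime="2011-02-12T22:45:01.000Z"/></System>
  <EventData><Data>Product: Placeholder Anonymizer Bundle -- Removal completed successfully.</Data></EventData>
</Event>
</Events>"""


def parse_msi_events(xml_text):
    """Return (timestamp, event_id, product) for each MsiInstaller 11707/11724
    record, oldest first. Other providers and event IDs are skipped."""
    root = ET.fromstring(xml_text)
    found = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        provider = system.find(NS + "Provider").get("Name")
        event_id = int(system.findtext(NS + "EventID"))
        if provider != "MsiInstaller" or event_id not in (INSTALLED, REMOVED):
            continue
        stamp = system.find(NS + "TimeCreated").get("SystemTime")
        data = ev.findtext(NS + "EventData/" + NS + "Data") or ""
        m = PRODUCT_RE.match(data)
        # Fall back to the raw message if the "Product: X -- ..." shape is absent.
        found.append((stamp, event_id, m.group(1) if m else data))
    found.sort()  # ISO-8601 timestamps sort correctly as strings
    return found


def install_history(events):
    """Group records per product: {product: {"installed": [...], "removed": [...]}}."""
    history = {}
    for stamp, event_id, product in events:
        entry = history.setdefault(product, {"installed": [], "removed": []})
        entry["installed" if event_id == INSTALLED else "removed"].append(stamp)
    return history


def installed_then_removed(events):
    """Products whose earliest removal record follows their earliest install record."""
    return sorted(
        product
        for product, e in install_history(events).items()
        if e["installed"] and e["removed"] and min(e["removed"]) > min(e["installed"])
    )


if __name__ == "__main__":
    events = parse_msi_events(SAMPLE_EXPORT)
    for stamp, event_id, product in events:
        print(stamp, event_id, product)
    print("installed then removed:", installed_then_removed(events))
```

This only finds software that went through Windows Installer; a program run as a stand-alone executable or from a LiveCD, as later posts in this thread note for Tor, writes no 11707 record, so an empty result is not evidence of absence.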
(@gawlerj)
Active Member
Joined: 14 years ago
Posts: 13
Topic starter  

Again, thanks for all the replies. To try and bring some closure to anyone who may read this or is following this thread. I have done almost all the suggested tasks given, except for the VM and checking firewall logs. Searching the event logs did not result in finding a TOR install. I verified this on a machine I have TOR installed on, and it was not there either. TOR appears to run as a stand alone executable (at least it does now). Searching the known TOR IP list got some mixed results, but nothing absolute. I think my case is too old for the current IP list to give me accurate results. Anyone know of a historical IP list of TOR servers?

My problem is explaining these overseas IP addresses… if not TOR, then what created them. All Yahoo Messenger account activity stopped upon seizing the computer so a "hacker" having his account info does not make sense. Besides my bad guy stopping the use of this particular Yahoo Messenger account and creating another, which may explain why the activity stopped.

Additionally! Each overseas login was a double login (except two which only had one login), what I mean is there were only two logins from each IP address and they were seconds (if that) apart… Yahoo can not explain why this would occur. Seems like an automated process to me (a bot maybe?)


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If you are simply trying to confirm that Tor was used try the link below. It's an updated list of Tor exit nodes, you should find the IP addresses from Yahoo in the list.

https://www.dan.me.uk/torlist/

Maybe in this specific case an outdated list 😯 (like one from 2011 or so) would have been more useful. ;-)

jaclaz


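The IP-matching check that Passmark's quoted suggestion and jaclaz's post both describe, as an added example that is not from the thread and not from the linked list sites: it reads login records, matches each IP against the exit-node list snapshot captured closest to that login's date (jaclaz's point that a list from the period of the case is what matters), and separately flags the paired logins seconds apart that the topic starter reports. The login records, snapshot dates and addresses are all constructed here using documentation address ranges; the snapshot format assumed is one IP address per line, as the public lists linked in the thread are.

```python
"""Match login IP addresses against dated Tor exit-node list snapshots and
flag paired logins from the same address seconds apart.

Added example, not from the forum thread. Assumptions:
- LOGIN_RECORDS and EXIT_SNAPSHOTS_TEXT are constructed with documentation
  ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); they are not real
  Yahoo records or real Tor exit nodes.
- An exit-node list is one IP address per line; each snapshot is keyed by the
  date it was captured, and a login is checked against the nearest snapshot.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed login export: "timestamp,ip" per line.
LOGIN_RECORDS = """\
# timestamp,ip (constructed sample)
2011-03-14 02:11:07,203.0.113.17
2011-03-14 02:11:09,203.0.113.17
2011-03-15 23:40:51,198.51.100.9
2011-03-15 23:40:52,198.51.100.9
2011-04-02 10:05:33,192.0.2.44
2011-04-02 10:05:33,192.0.2.44
2011-04-09 18:00:00,192.0.2.200
"""

# Constructed exit-list snapshots, keyed by capture date. Note 192.0.2.200
# appears only in the recent list, not in any snapshot from the case period.
EXIT_SNAPSHOTS_TEXT = {
    "2011-03-01": "203.0.113.17\n198.51.100.9\n",
    "2011-04-01": "203.0.113.17\n192.0.2.44\n",
    "2024-01-01": "192.0.2.200\n",
}


def load_exit_list(text):
    """Parse a one-address-per-line list into a set of normalised IP strings."""
    return {
        str(ipaddress.ip_address(line.strip()))
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    }


EXIT_SNAPSHOTS = {date: load_exit_list(t) for date, t in EXIT_SNAPSHOTS_TEXT.items()}


def parse_logins(text):
    """Return [(datetime, ip)] from 'timestamp,ip' lines; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, ip = line.split(",", 1)
        records.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                        str(ipaddress.ip_address(ip.strip()))))
    return records


def nearest_snapshot(when, snapshots):
    """Date key of the snapshot captured closest in time to the login."""
    return min(snapshots, key=lambda d: abs(datetime.strptime(d, "%Y-%m-%d") - when))


def match_logins(records, snapshots):
    """For each login: which snapshot was consulted, whether the IP was an exit
    node in it, and (for comparison) whether any snapshot at all lists the IP."""
    results = []
    for when, ip in records:
        snap = nearest_snapshot(when, snapshots)
        results.append({
            "when": when, "ip": ip, "snapshot": snap,
            "tor_exit": ip in snapshots[snap],
            "in_any_list": any(ip in s for s in snapshots.values()),
        })
    return results


def find_double_logins(records, window_seconds=5):
    """(ip, first, second) for consecutive logins from one IP within the window."""
    by_ip = defaultdict(list)
    for when, ip in records:
        by_ip[ip].append(when)
    pairs = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for a, b in zip(stamps, stamps[1:]):
            if (b - a).total_seconds() <= window_seconds:
                pairs.append((ip, a, b))
    return pairs


if __name__ == "__main__":
    logins = parse_logins(LOGIN_RECORDS)
    for r in match_logins(logins, EXIT_SNAPSHOTS):
        print(r["when"], r["ip"], "snapshot", r["snapshot"],
              "exit" if r["tor_exit"] else "not-exit",
              "(listed in some snapshot)" if r["in_any_list"] else "")
    for ip, a, b in find_double_logins(logins):
        print("double login", ip, a, b)
```

In the constructed data the last login matches only the 2024 list, so the nearest-snapshot check reports it as not an exit node at the time of the login; that is the difference between "this address is a Tor exit today" and "it was one when the login happened", which is what jaclaz's remark about an outdated list points at. Exit lists also change hour by hour, so a match against a snapshot days away from the login is supporting evidence, not proof.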