Tor browser in linux
TBB is designed to 'avoid the disk' but I`ve read that this isn't always the case. If a suspect had downloaded TBB onto a Linux OS and ran it a few times, would it be possible to recover any helpful artefacts about their usage of TBB? Thanks
I would love to do the write up to answer your question, bit someone already beat me to it. Here's a very nice article covering Forensic examination of Tor on Linux. https://blog.torproject.org/forensic-analysis-tor-linux
Thanks Soviet. That work is interesting but from 6 years ago. The more recent papers I've read seem to say very little is written to disk although RAM can offer more of note. Do you have any hands on experience in relation to my query?