Silk Road forums

dont mean to sound ignorant, but are there instances when accessing Tor is illegal in and of itself?? or are the implications that one would not want to leave traces on a shared machine or for forensic analysis?

There are plenty of instances where it is illegal, in China, Iran, Syria. Even if no law exists on the books, they may arbitrarily imprison or torture you for using Tor. However, I've never heard of someone in a Western country being prosecuted for merely using Tor.

Yes, the threat model for us is to avoid leaving traces of Tor use that help to build a case against us.

Looks like I'm getting another hard drive tomorrow :/ My first Tor & SR usage was from a regular desktop when I was new and I still have that computer since I don't use SR through it for any orders etc. Guess it could do with a storage upgrade anyway.

You could save some money by DBANing it and reinstalling the OS.  http://dban.org

@partycat

It works.

PC yes. No encryption no. Sr bookmarks in Tor. Guilty. (FECK!)

If LE intercepted a package and did a controlled delivery, any plausible deniability you might have had would be destroyed when they found links to SR on your computer. Many small data points add up to a tell a story. Having a bookmark to SR alone doesn't prove anything. Lots of curious people visit the site without buying anything. But having a package of drugs with your name on it, AND links to SR, and AND a PGP key, all add up to tell a story: that you were buying drugs online.

Im not sure if my PGP private key is encrypted. No unencrypted messages stored.

Do you need a password to decrypt messages? Then your private key is encrypted.

Im thinking to set up all of this bizzo on a USB stick and have no trace on my PC, i have a laptop/pc and access to many computers so i want it to be flexible and portable with no trace left on the computers i use.

I just downloaded keypassx then and am gonna look at it.

Tails is for my USB stick yeh? Ill download that now too.

Thanks Astor true bro.

Those are good choices.

Yeah, this sucks. The forensic analysis will depend on your set up, as others have mentioned, but probably also the extent of the charges against you, your jurisdiction, the "level" of LE you're dealing with (local cops vs DEA), etc.

What sort of set up do you guys run ?

This would be a good opportunity for someone to give me a run down on an excellent security set up

Im using PC Win 7 ToR and PGP ... what else should i know?

Not hijacking or anything

Good: an encrypted thumb drive with the browser bundle and a portable PGP program like GPG4USB.

Great: Tails on a thumb drive with the persistent volume enabled.


Your setup: potentially very bad. I'm assuming that you're not using any type of encryption. Do you have bookmarks to SR and the forum in TorBrowser, or a text file? Do you have passwords saved anywhere? Your PGP private key is encrypted, but do you have encrypted messages stored on the hard drive? Do you have *unencrypted* messages stored on the hard drive? Even if the messages are encrypted, there's a saying that "metadata in aggregate is content". LE can find the key IDs in the encrypted PGP messages and match them up to key IDs of vendors on SR, thus proving evidence that you were communicating with them. There are ways to anonymize the recipients, but you'd have to convince the vendors to do. It's better to keep all that data on an encrypted volume than to rely on someone else doing the right thing for your security.

It's probably this issue:  http://dkn255hz262ypmii.onion/index.php?topic=161015.0

Just disable it.

The long-awaited part two is here!

======

Forensic Analysis of Tor on Windows

As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166), this part will cover Windows 7 (#6845), and part three will cover OS X 10.8 (#6846).

Process

I set up a virtual machine with a fresh install of Windows 7, logged in with the default admin account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the file, then started the Tor Browser Bundle by going into the Tor Browser folder and clicking on Start Tor Browser.exe.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Recycle Bin, right-clicking on it and choosing Empty Recycle Bin.

I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine. I also used Noriben, written by Brian Baskin, to create a report of everything the Tor Browser Bundle did while it was running.

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 256 files have hashes that do not match any of the hashes in the clean set. Additionally, the Noriben output shows the Tor Browser Bundle create, edit, and remove a bunch of files.

I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on. Windows 7 has built-in symbolic links designed for backward compatibility, which is why Noriben and hashdeep list the same files in different locations.

Prefetch

Windows keeps track of the way the system starts and which programs the user commonly opens. This information is saved as a number of small files in the prefetch folder:

    C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
    C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
    C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
    C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
    C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:

    C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    C:\Users\runa\AppData\Local\Microsoft\Windows\Caches{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
    C:\Windows\AppCompat\Programs\RecentFileCache.bcf

I have created #8916 for this issue.

SetupAPI

SetupAPI and the Plug and Play (PnP) manager write entries to SetupAPI.dev.log and SetupAPI.app.log about operations that install devices and drivers. The following files contain information about the attached external drive:

    C:\Windows\inf\setupapi.dev.log
    C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_ neutral_0725c2806a159a9d\usbstor.PNF

Thumbnail Cache

Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:

    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon. I have created #8921 for this issue.

Windows Defender

Windows Defender is the default anti-virus software on Windows 7. Windows Defender will write log files to the following location:

    C:\ProgramData\Microsoft\Windows Defender\Support\

The log files will contain traces of the Tor Browser Bundle if Windows Defender ever decides to flag it as malware. This is true for any anti-virus software.

Windows Error Reporting (WER)

Windows Error Reporting (WER) captures and logs information about software crashes and other issues. I found information about the attached external drive in the following file:

    C:\Users\runa\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_ 84cd279a5e83221bfa7edcb36665592c1974e4_cab_0b21673a/DMI671B.tmp.log.xml

The logs will probably contain traces of the Tor Browser Bundle if any part of the bundle, such as the Tor Browser or Vidalia, ever hangs or crashes.

Windows Event Log

The following two event logs contain information about the attached external drive:

    C:\Windows\System32\winevt\Logs\Application.evtx
    C:\Windows\System32\winevt\Logs\System.evtx

Windows Paging File

Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not currently fit into physical memory. The file C:\pagefile.sys contains information about the attached external drive, as well as the filename for the Tor Browser Bundle executable. I have created #8918 for this issue.

Windows Registry

The Windows Registry is a databse that stores various configuration settings and options for the operating system. HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user’s settings are stored in files called NTUSER.DAT and UsrClass.dat.

The path to the Tor Browser Bundle executable is listed in the following two files:

    C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
    C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1

I did not find traces of the Tor Browser Bundle in any of the NTUSER.DAT files. I have created #8919 for this issue.

Additionally, the output from Noriben indicates that the Tor Browser Bundle touches the registry by creating keys and setting values. The following value points to the Tor Browser Bundle executable on the attached external drive:

    [Set Value] Explorer.EXE:1196 > HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\E:\tor-browser-2.3.25-6_en-US.exe = 7z SFX

The output also makes it look like the Tor Browser Bundle adds the following keys and values:

    [Set Value] tbb-firefox.exe:1124 > HKCU\Software\Classes\Local Settings\MuiCache\11\52C64B7E\LanguageList = en-US, en
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

I found that these keys and values are present on a clean Windows 7 system where the Tor Browser Bundle has never been used. I also downloaded and tested the German version of the Tor Browser Bundle to make sure that the LanguageList value does not represent the language of the Tor Browser Bundle.

Windows Search

Windows Search, which is enabled by default, builds a full-text index of files on the computer. One component of Windows Search is the Indexer, which crawls the file system on initial setup, and then listens for file system notifications to index changed files. Windows Search writes a number of files to the following location:

    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\

I have not found a way to read the Windows Search database files, but I would say it is likely that Windows Search picked up the Tor Browser Bundle at some point. I have created #8920 for this issue.

======

As expected, it leaves a lot more traces on Windows.


References

http://blog.encrypted.cc/blog/2013/05/20/forensic-analysis-of-tor-on-windows/
https://trac.torproject.org/projects/tor/ticket/6845
https://trac.torproject.org/projects/tor/ticket/8916
https://trac.torproject.org/projects/tor/ticket/8921
https://trac.torproject.org/projects/tor/ticket/8918
https://trac.torproject.org/projects/tor/ticket/8919
https://trac.torproject.org/projects/tor/ticket/8920

I "cleaned" the files, rebooted and now there are more rootkits.

Anti-virus programs are fucking snake oil. It's a sham industry. If you got hit with this, format your hard drive and do a clean reinstall.

I'm deleting my VM now...

Then what I would do is create a new encrypted volume, copy the files you want to keep into it, and destroy the first encrypted volume by writing over the first few megabytes, destroying the decryption key. And from now on, use separate encrypted volumes for different things.

That's not a perfect solution, because the hard drive may have been defragmented, leaving other copies of the encrypted file in other locations, but I doubt LE is going to forensically analyze the free space of a small time drug user/dealer. That takes a lot of time and costs money. Bradley Manning, yes. A low level drug buyer, no.