Forensic Analysis of Tor on OS X As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166) and part two covered Windows 7 (#6845). This third, and final, part will cover OS X 10.8 (#6846). Process I set up a virtual machine with a fresh install of OS X 10.8, created a normal, non-admin user account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive. After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the archive, then started the Tor Browser Bundle by clicking on the TorBrowser_en-US app. Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Trash, clicking on it and choosing Empty Trash. I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine. Results Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 131 files had a hash that did not match any of the hashes in the clean set. I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on. Apple System Log (ASL) The following Apple System Log (ASL) files contain traces of the attached external drive and the Tor Browser Bundle:   /var/log/asl/2013.05.22.U0.G80.asl   /var/log/asl/2013.05.22.U501.asl I have created #8982 for this issue. I have been not been able to open the following two files, but they may contain traces of the attached drive and the bundle as well:   /var/log/asl/StoreData   /var/log/asl/SweepStore Crash Reporter and Diagnostic Messages The Tor Browser Bundle did not crash or hang, but I still found traces of the Tor Browser Bundle in the following files:   /Library/Application Support/CrashReporter/Intervals_00000000-0000-1000-8000-000C2976590B.plist   /var/log/DiagnosticMessages/2013.05.22.asl I have not been able to open the file StoreData, which can be found in the same DiagnosticMessages directory, but it may also contain traces of the bundle. I have created #8983 for this issue. FSEvents API The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:   /.fseventsd/0000000000172019 Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8984 for this issue. HFS+ HFS+ is the default filesystem on OS X; it supports journaling, quotas, Finder information in metadata, hard and symbolic links, aliases, etc. HFS+ also supports hot file clustering, which tracks read-only files that are frequently requested and then moves them into a hot zone. The hot file clustering scheme uses an on-disk B-Tree file for tracking. I have not been able to open /.hotfiles.btree and /.journal, but they might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8985 for this issue. Preferences OS X applications store preference settings in plist files, and the files below are related to system fonts, the file manager, recent items, and the Tor Browser Bundle. These files contain traces of the Tor Browser Bundle and the attached external drive. I have created #8986 for this issue.   /Users/runa/Library/Preferences/com.apple.ATS.plist   /Users/runa/Library/Preferences/com.apple.finder.plist   /Users/runa/Library/Preferences/com.apple.recentitems.plist   /Users/runa/Library/Preferences/org.mozilla.torbrowser.plist Saved Application State Resume is one of the new features in OS X 10.7 and 10.8. The feature allows applications to save their last known state when they are closed, and then return to this state when they are later reopened. While the Tor Browser does not use this feature, it does leak information in the files which are written to the /Users/runa/Library/Saved Application State/ directory:   /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/data.data   /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/window_3.data   /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/windows.plist The windows.plist file contains the HTML title tag of the last active tab in the Tor Browser (or currently active tab, if the browser is still open). If the last active tab was torproject.org, then the following string will be present in the file:   Tor Project: Anonymity Online I have created #8987 for this issue. Spotlight Spotlight, and the Metadata Server (mds), indexes all items and files on a system and allows the user to perform system-wide searches for all sorts of items; documents, pictures, applications, system preferences, etc. I have not been able to open the files in /.Spotlight-V100 and /var/db/mds/messages/, but I would say it is likely that Spotlight and mds picked up the Tor Browser Bundle and the attached external drive at some point. I have created #8988 for this issue. Swap OS X relies on swap files and paging for memory and cache management. I have not been able to open the swap file, but I would say it is likely that /var/vm/swapfile0 contains traces of the Tor Browser Bundle and/or the attached external drive. I have created #8989 for this issue. System Log The system log file, /var/log/system.log, contains traces of the attached drive. Temporary data OS X stores per-user temporary files and caches in /var/folders/. The following files contain the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:   /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.LaunchServices-036501.csstore   /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/index.sqlite   /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.LaunchServices-0360.csstore   /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/thumbnails.data These files also contain strings such as org.torproject.torbrowserbundle, org.mozilla.torbrowser, torbrowser_en-us.app, torbrowser.app, net.vidalia-project.vidalia, and vidalia.app. I have not been able to open the last file, thumbnails.data but it might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8990 for this issue. References http://encrypted.cc/post/51552592311/forensic-analysis-of-tor-on-os-x https://trac.torproject.org/projects/tor/ticket/8982 https://trac.torproject.org/projects/tor/ticket/8983 https://trac.torproject.org/projects/tor/ticket/8984 https://trac.torproject.org/projects/tor/ticket/8985 https://trac.torproject.org/projects/tor/ticket/8986 https://trac.torproject.org/projects/tor/ticket/8987 https://trac.torproject.org/projects/tor/ticket/8988 https://trac.torproject.org/projects/tor/ticket/8989