A few more string to add to the proverbial bow:This c/o the OS Forensics website:A detailed list of registry keys which can be examined on an unencrypted OS to show that the Tor Browser was present on the system even after uninstallation:http://www.osforensics.com/faqs-and-tutorials/identifying_uninstalled_software.htmlThis one care of Andrew Case of Digital Forensic Solutions who was investigating ways to de anonymise use of the TAILS Live CD:Memory analysis of Tor revealed that it makes minimal effort to securely erase memory after it has been used and this allows recovery of historical data such as HTTP headers and requests, downloaded files, visited URLs, and Tor-specific data such as the identity of other Tor network nodes. We also show that the research performed and tools developed during this project are applicable against a number of other live CD distributions and not just TAILS.Another extract:4 Memory Analysis of TorIn order to fully deconstruct the defensive systems of the TAILS distribution, we also chose to perform memory analysis of Tor. ...The combination of filesystem and Tor memory analysis attacks the two key components that TAILS and other live CD offer for anti-forensics. ...Before deep analysis of Tor was performed, the classic forensics technique of using strings and grep to find interesting information was performed on memory dumps of the Tor process to ensure that useful information is indeed not overwritten on deallocation. To test this we installed the privoxy proxy server, configured it to send requests through Tor, and then set the http_proxy environment variable to the address of the prixovy server. Once this was completed, we then used wget to recursively download information from a number of websites, all of which contained tens of web pages, downloads (doc, pdf, etc), and other information. To verify that this information was still in Tors memory after the requests were completed, we used Michal Zalewskis memfetch [11] utility todownload memory regions of the Tor process such as the heap, .data segment, and .bss segment. strings and grep were then run across the extracted memory regions and it was confirmed that information such as the HTTP headers,file and web pages contents, virtual hosts of requested pages, and more were contained in clear text in memory."(Source : http://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf) TLDR : Using a Live CD will not protect you from forensic analysis of your machine and it is inadvisable to store your private key anywhere except on a machine to which you have physical access - all of the above forensic analysis of Tor could not have been done on a system with an encrypted drive. While disk encryption is only a layer of defence and not 100% immune from attacks, as I've said already it's a vital one. At the very least you should have your Tor Browser and GPG keyring stored on an encrypted USB.V.