{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T18:33:03Z","timestamp":1770229983626,"version":"3.49.0"},"reference-count":37,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2024,8,19]],"date-time":"2024-08-19T00:00:00Z","timestamp":1724025600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The Tor browser is widely used for anonymity, providing layered encryption for enhanced privacy. Besides its positive uses, it is also popular among cybercriminals for illegal activities such as trafficking, smuggling, betting, and illicit trade. There is a need for Tor Browser forensics to identify its use in unlawful activities and explore its consequences. This research analyzes artifacts generated by Tor on Windows-based systems. The methodology integrates forensic techniques into incident responses per NIST SP (800-86), exploring areas such as registry, storage, network, and memory using tools like bulk-extractor, autopsy, and regshot. We propose an automated PowerShell script that detects Tor usage and retrieves artifacts with minimal user interaction. Finally, this research performs timeline analysis and artifact correlation for a contextual understanding of event sequences in memory and network domains, ultimately contributing to improved incident response and accountability.<\/jats:p>","DOI":"10.3390\/info15080495","type":"journal-article","created":{"date-parts":[[2024,8,19]],"date-time":"2024-08-19T10:11:28Z","timestamp":1724062288000},"page":"495","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems"],"prefix":"10.3390","volume":"15","author":[{"given":"Muhammad Shanawar","family":"Javed","sequence":"first","affiliation":[{"name":"Department of Cyber Security, Air University, Islamabad 44000, Pakistan"}]},{"given":"Syed Muhammad","family":"Sajjad","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Air University, Islamabad 44000, Pakistan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2511-6638","authenticated-orcid":false,"given":"Danish","family":"Mehmood","sequence":"additional","affiliation":[{"name":"Department of Computing, Shaheed Zulfiqar Ali Bhutto Institute Of Science and Technology, Islamabad 44000, Pakistan"}]},{"given":"Khawaja","family":"Mansoor","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Air University, Islamabad 44000, Pakistan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6937-4161","authenticated-orcid":false,"given":"Zafar","family":"Iqbal","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Air University, Islamabad 44000, Pakistan"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-8533-7183","authenticated-orcid":false,"given":"Muhammad","family":"Kazim","sequence":"additional","affiliation":[{"name":"Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9172-5212","authenticated-orcid":false,"given":"Zia","family":"Muhammad","sequence":"additional","affiliation":[{"name":"Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA"},{"name":"Department of Computer Science and Technology, University of Jamestown, Jamestown, ND 58405, USA"}]}],"member":"1968","published-online":{"date-parts":[[2024,8,19]]},"reference":[{"key":"ref_1","unstructured":"Schriner, J. (2017). Monitoring the Dark Web and Securing Onion Services, City University of New York."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Kumar, A., Sondarva, K., Gohil, B.N., Patel, S.J., Shah, R., Rajvansh, S., and Sanghvi, H. (2022, January 2\u20133). Forensics Analysis of TOR Browser. Proceedings of the International Conference on Information Security, Privacy and Digital Forensics, Goa, India.","DOI":"10.1007\/978-981-99-5091-1_24"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Angeli, V.M., Atamli, A., and Karafili, E. (2022, January 23\u201326). Forensic analysis of Tor in Windows environment: A case study. Proceedings of the 17th International Conference on Availability, Reliability and Security, Vienna, Austria.","DOI":"10.1145\/3538969.3543808"},{"key":"ref_4","first-page":"1","article-title":"A forensic examination of anonymous browsing activities","volume":"17","author":"Teng","year":"2018","journal-title":"Forensic Sci. J."},{"key":"ref_5","first-page":"776","article-title":"A review on classification of tor-nontor traffic and forensic analysis of tor browser","volume":"9","author":"Mehta","year":"2020","journal-title":"Int. J. Eng. Res. Technol. (IJERT)"},{"key":"ref_6","unstructured":"Huang, M.J.C., Wan, Y.L., Chiang, C.P., and Wang, S.J. (2018, January 7\u201310). Tor browser forensics in exploring invisible evidence. Proceedings of the 2018 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Miyazaki, Japan."},{"key":"ref_7","unstructured":"Warren, A. (2017). Tor browser Artifacts in Windows 10, SANS Information Security Reading Room."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1016\/j.forsciint.2019.03.030","article-title":"Forensic analysis of Tor browser: A case study for privacy and anonymity on the web","volume":"299","author":"Jadoon","year":"2019","journal-title":"Forensic Sci. Int."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"118","DOI":"10.1016\/j.diin.2019.03.009","article-title":"A forensic audit of the tor browser bundle","volume":"29","author":"Muir","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Fiaz, F., Sajjad, S.M., Iqbal, Z., Yousaf, M., and Muhammad, Z. (2024). MetaSSI: A Framework for Personal Data Protection, Enhanced Cybersecurity and Privacy in Metaverse Virtual Reality Platforms. Future Internet, 16.","DOI":"10.3390\/fi16050176"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Nelson, R., Shukla, A., and Smith, C. (2020). Web browser forensics in google chrome, mozilla firefox, and the tor browser bundle. Digital Forensic Education: An Experiential Learning Approach, Springer.","DOI":"10.1007\/978-3-030-23547-5_12"},{"key":"ref_12","first-page":"63","article-title":"Cloud computing in healthcare-investigation of threats, vulnerabilities, future challenges and counter measure","volume":"3","author":"Asif","year":"2022","journal-title":"LC Int. J. STEM"},{"key":"ref_13","unstructured":"Darcie, W., Boggs, R., Sammons, J., and Fenger, T. (2014). Online anonymity: Forensic analysis of the tor browser bundle. Forensic Sci. Int., Available online: https:\/\/www.marshall.edu\/forensics\/files\/WinklerDarcie_ResearchPaper_8-6-141.pdf."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Gunapriya, S., Vatsavayi, V.K., and Varma, K.S. (2021, January 13). Forensic Investigation of Tor Bundled Browser. Proceedings of the International Conference on Intelligent and Smart Computing in Data Analytics: ISCDA 2020, Guntur, India.","DOI":"10.1007\/978-981-33-6176-8_31"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"102311","DOI":"10.1016\/j.cose.2021.102311","article-title":"Tor forensics: Proposed workflow for client memory artefacts","volume":"106","author":"Alfosail","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Leng, T., and Yu, A. (2021, January 26\u201328). A framework of darknet forensics. Proceedings of the 3rd International Conference on Advanced Information Science and System, Sanya, China.","DOI":"10.1145\/3503047.3503082"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Rehman, F., Muhammad, Z., Asif, S., and Rahman, H. (2023, January 22\u201323). The next generation of cloud security through hypervisor-based virtual machine introspection. Proceedings of the 2023 3rd International Conference on Artificial Intelligence (ICAI), Islamabad, Pakistan.","DOI":"10.1109\/ICAI58407.2023.10136655"},{"key":"ref_18","unstructured":"Flanagan, J. (2015). Using Tor in Cybersecurity Investigations. [Master\u2019s Thesis, Utica College]."},{"key":"ref_19","first-page":"1326","article-title":"Exploring The Synergistic Effects of Blockchain Integration with IOT and AI for Enhanced Transparency and Security in Global Supply Chains","volume":"3","author":"Irfan","year":"2024","journal-title":"Int. J. Contemp. Issues Soc. Sci"},{"key":"ref_20","unstructured":"Akintaro, M., Pare, T., and Dissanayaka, A.M. (2019, January 5\u20136). Darknet and black market activities against the cybersecurity: A survey. Proceedings of the Midwest Instruction and Computing Symposium (MICS), North Dakota State University, Fargo, ND, USA."},{"key":"ref_21","first-page":"60","article-title":"Practical vulnerabilities of the tor anonymity network","volume":"60","author":"Syverson","year":"2013","journal-title":"Adv. Cyber Secur. Technol. Oper. Exp."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"482","DOI":"10.1109\/49.668972","article-title":"Anonymous connections and onion routing","volume":"16","author":"Reed","year":"1998","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Dingledine, R., Mathewson, N., and Syverson, P.F. (2004, January 9\u201313). Tor: The second-generation onion router. Proceedings of the USENIX Security Symposium, San Diego, CA, USA.","DOI":"10.21236\/ADA465464"},{"key":"ref_24","unstructured":"Aggarwal, G., Bursztein, E., Jackson, C., and Boneh, D. (2010, January 11\u201313). An analysis of private browsing modes in modern browsers. Proceedings of the 19th USENIX Security Symposium (USENIX Security 10), Washington, DC, USA."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Iesar, H., Iqbal, W., Abbas, Y., Umair, M.Y., Wakeel, A., Illahi, F., Saleem, B., and Muhammad, Z. (2024, January 19\u201320). Revolutionizing Data Center Networks: Dynamic Load Balancing via Floodlight in SDN Environment. Proceedings of the 2024 5th International Conference on Advancements in Computational Sciences (ICACS), Lahore, Pakistan.","DOI":"10.1109\/ICACS60934.2024.10473246"},{"key":"ref_26","first-page":"27","article-title":"Analysis of privacy of private browsing mode through memory forensics","volume":"132","author":"Ghafarian","year":"2015","journal-title":"Int. J. Comput. Appl."},{"key":"ref_27","first-page":"1251","article-title":"Windows 10\u2019s Browser Forensic Analysis for Tracing P2P Networks\u2019 Anonymous Attacks","volume":"72","author":"Kauser","year":"2022","journal-title":"Comput. Mater. Contin."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"S121","DOI":"10.1016\/j.diin.2009.06.003","article-title":"Extraction of forensically sensitive information from windows physical memory","volume":"6","author":"Hejazi","year":"2009","journal-title":"Digit. Investig."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"953","DOI":"10.1007\/978-981-15-5113-0_80","article-title":"Dark web Activity on Tor\u2014Investigation challenges and retrieval of memory artifacts","volume":"Volume 1","author":"Chetry","year":"2021","journal-title":"Proceedings of the International Conference on Innovative Computing and Communications: Proceedings of ICICC"},{"key":"ref_30","unstructured":"Goldschlag, D.M., Reed, M.G., and Syverson, P.F. (June, January 30). Hiding routing information. Proceedings of the International Workshop on Information Hiding, Cambridge, UK."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Rehman, A.U., Nadeem, A., and Malik, M.Z. (2022, January 9\u201313). Fair feature subset selection using multiobjective genetic algorithm. Proceedings of the Genetic and Evolutionary Computation Conference Companion, Boston, MA, USA.","DOI":"10.1145\/3520304.3529061"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"e701","DOI":"10.7717\/peerj-cs.701","article-title":"A survey on common criteria (CC) evaluating schemes for security assessment of IT products","volume":"7","author":"Fatima","year":"2021","journal-title":"PeerJ Comput. Sci."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"141273","DOI":"10.1109\/ACCESS.2021.3119724","article-title":"Forensic analysis of tor browser on windows 10 and android 10 operating systems","volume":"9","author":"Arshad","year":"2021","journal-title":"IEEE Access"},{"key":"ref_34","first-page":"5599","article-title":"Tor browser forensics","volume":"12","author":"Sajan","year":"2021","journal-title":"Turk. J. Comput. Math. Educ. (TURCOMAT)"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"e5935","DOI":"10.1002\/cpe.5935","article-title":"A machine learning-based memory forensics methodology for TOR browser artifacts","volume":"33","author":"Pizzolante","year":"2021","journal-title":"Concurr. Comput. Pract. Exp."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Kent, K., Chevalier, S., Grance, T., and Dang, H. (2006). Sp 800-86. Guide to Integrating Forensic Techniques into Incident Response.","DOI":"10.6028\/NIST.SP.800-86"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Hariyadi, D., Kusuma, M., Sholeh, A. (2021, January 27). Digital Forensics Investigation on Xiaomi Smart Router Using SNI ISO\/IEC 27037: 2014 and NIST SP 800-86 Framework. Proceedings of the International Conference on Science and Engineering (ICSE-UIN-SUKA 2021), Yogyakarta, Indonesia.","DOI":"10.2991\/aer.k.211222.023"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/15\/8\/495\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T15:39:04Z","timestamp":1760110744000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/15\/8\/495"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,8,19]]},"references-count":37,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2024,8]]}},"alternative-id":["info15080495"],"URL":"https:\/\/doi.org\/10.3390\/info15080495","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,8,19]]}}}