Forensic Analysis of current TBB on Debian Linux
Activity
Status?
- Author
I have everything set up and ready to go, so some progress has been made. I expect to have some partial results within the next couple of weeks.
Trac:
Keywords: N/A deleted, SponsorL added- Author
https://blog.torproject.org/blog/forensic-analysis-tor-linux
Trac:
Status: new to closed
Resolution: N/A to fixed Please publish reports as text files attached to the tickets, not as blog posts.
Trac:
Resolution: fixed to N/A
Status: closed to reopened- Author
The ticket for the report is #7032 (moved). The blog post is a summary of interesting issues, the final report will be more detailed.
- Author
There is a question about whether or not clicking on start-tor-browser (instead of running it using the terminal) will log anything. arma says it would be worth learning the answer.
- Author
Trac:
debian_changed_files.txt Just saying (I don't know your exact goals here), at least...
/home/runa/.local/share/gvfs-metadata/ /var/log/gdm3/ /var/lib/gdm3/ /home/runa/.gconf/are GNOME specific. The Debian default installer boot menu supports choosing at least KDE as alternative desktop environment. I am pretty confident, that traces will be desktop environment specific.
Trac:
Cc: runa to runa, adrelanos@riseup.net- Author
The use case I covered was the following:
- User boots Debian 6 (Squeeze)
- User logs in as a normal user (i.e. not admin)
- User attaches an external drive
- User copies the Tor Browser Bundle from the external drive to the home dir
- User extracts the Tor Browser Bundle with tar -zxvf
- User runs the Tor Browser Bundle with ./start-tor-browser
- User browses a few sites in the Tor Browser
- User closes the Tor Browser window and clicks the Exit-button in Vidalia
- User deletes the Tor Browser package and archive with rm -rf
- User shuts down Debian 6 (Squeeze)
I started with a fresh install of Debian 6 (Squeeze). The file debian_changed_files.txt contains a list of 68 files which were either created or modified between the time I booted Debian, used the Tor Browser Bundle, and shut the system down.
Most files are files you expect to see change when using Debian, and some of them are GNOME specific. However, there are a small number of files which also contain traces of the Tor Browser Bundle and/or show that an external device was attached.
/home/runa/.local/share/gvfs-metadata/home: Created by the system. This file contains the filename of the Tor Browser Bundle tarball: tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz. I have created #8695 (moved) for this issue.
/home/runa/.xsession-errors: Modified by the system. This file contains the following string: _Window manager warning: Buggy client sent a NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse). It is worth noting that a file named .xsession-errors.old could also exist. I have created #8696 (moved) for this issue.
/home/runa/.gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml: Created by the system. No trace found in the file, but the filename indicates that a device was mounted (in this case an external drive).
/home/runa/.bash_history: Created by the system. This file contains a record of commands typed into the terminal. I started the Tor Browser Bundle from the command line, so this file contains lines such as ./start-tor-browser. I have created #8697 (moved) for this issue.
/var/log/daemon.log, /var/log/syslog, /var/log/kern.log, /var/log/messages: contains information about attached devices. I had an external drive attached to the virtual machine, so these files contain lines such as Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS 3.1) and_Initializing USB Mass Storage driver…_.
- Author
I then covered a second use case:
- User boots Debian 6 (Squeeze)
- User logs in as a normal user (i.e. not admin)
- User attaches an external drive
- Using the GUI: user copies the Tor Browser Bundle from the external drive to the home dir
- Using the GUI: user extracts the Tor Browser Bundle
- Using the GUI: user runs the Tor Browser Bundle by clicking on the start-tor-browser file
- User browses a few sites in the Tor Browser
- User closes the Tor Browser window and clicks the Exit-button in Vidalia
- Using the GUI: user deletes the Tor Browser package and archive
- Using the GUI: user empties the trash can
- User shuts down Debian 6 (Squeeze)
I started with a fresh install of Debian 6 (Squeeze). The file debian_changed_files2.txt contains a list of 58 files which were either created or modified between the time I booted Debian, used the Tor Browser Bundle, and shut the system down.
Most files are files you expect to see change when using Debian. However, there are a small number of files which also contain traces of the Tor Browser Bundle and/or show that an external device was attached.
/home/runa/.recently-used.xbel: Created by the system. This file contains the filename of the Tor Browser Bundle tarball, tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz, as well as the time and date it was added, modified, and visited. I have created #8706 (moved) for this issue.
/home/runa/.xsession-errors: Modified by the system. This file contains the following string: _Window manager warning: Buggy client sent a NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse). It is worth noting that a file named .xsession-errors.old could also exist. I have created #8696 (moved) for this issue.
/home/runa/.local/share/gvfs-metadata/home-c0ca7993.log: Created by the system. This file contains lines indicating that the Tor Browser Bundle was deleted, such as /.local/share/Trash/expunged/3864782161/start-tor-browser and /.local/share/Trash/expunged/3864782161/App/tor. I have created #8707 (moved) for this issue.
/home/runa/.gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml: Created by the system. No trace found in the file, but the filename indicates that a device was mounted (in this case an external drive).
/var/log/daemon.log, /var/log/syslog, /var/log/kern.log, /var/log/messages: contains information about attached devices. I had an external drive attached to the virtual machine, so these files contain lines such as Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS 3.1) and Initializing USB Mass Storage driver….
- Author
- Author
Trac:
Owner: erinn to runa
Status: reopened to assigned - Author
Final report is available on https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
Trac:
Resolution: N/A to fixed
Status: assigned to closed - Trac closed
closed
- Runa Sandvik mentioned in issue #8706 (moved)
mentioned in issue #8706 (moved)
- Runa Sandvik mentioned in issue #8707 (moved)
mentioned in issue #8707 (moved)
- Trac mentioned in issue tpo/applications/tor-browser#8706 (closed)
mentioned in issue tpo/applications/tor-browser#8706 (closed)
- Trac mentioned in issue tpo/applications/tor-browser#8707 (closed)
mentioned in issue tpo/applications/tor-browser#8707 (closed)