Opened 5 years ago

Closed 4 years ago

#8166 closed task (fixed)

Forensic Analysis of current TBB on Debian Linux

Reported by: runa Owned by: runa
Priority: Medium Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords: SponsorJ, SponsorL
Cc: runa, adrelanos@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description


Child Tickets

Attachments (2)

debian_changed_files.txt (2.3 KB) - added by runa 5 years ago.
debian_changed_files2.txt (2.0 KB) - added by runa 5 years ago.


Change History (14)

comment:1 Changed 5 years ago by phobos

Status?

comment:2 Changed 5 years ago by runa

I have everything set up and ready to go, so some progress has been made. I expect to have some partial results within the next couple of weeks.

comment:3 Changed 5 years ago by phobos

Keywords: SponsorL added

comment:4 Changed 5 years ago by runa

Resolution: fixed
Status: new → closed

comment:5 Changed 5 years ago by phobos

Resolution: fixed
Status: closed → reopened

Please publish reports as text files attached to the tickets, not as blog posts.

comment:6 Changed 5 years ago by runa

The ticket for the report is #7032. The blog post is a summary of interesting issues, the final report will be more detailed.

comment:7 Changed 5 years ago by runa

There is a question about whether or not clicking on start-tor-browser (instead of running it using the terminal) will log anything. arma says it would be worth learning the answer.

Changed 5 years ago by runa

Attachment: debian_changed_files.txt added

comment:8 Changed 5 years ago by proper

Cc: adrelanos@… added

Just saying (I don't know your exact goals here), at least...

/home/runa/.local/share/gvfs-metadata/
/var/log/gdm3/
/var/lib/gdm3/
/home/runa/.gconf/

are GNOME specific. The Debian default installer boot menu supports choosing at least KDE as an alternative desktop environment. I am pretty confident that traces will be desktop environment specific.

comment:9 Changed 5 years ago by runa

The use case I covered was the following:

  • User boots Debian 6 (Squeeze)
  • User logs in as a normal user (i.e. not admin)
  • User attaches an external drive
  • User copies the Tor Browser Bundle from the external drive to the home dir
  • User extracts the Tor Browser Bundle with tar -zxvf
  • User runs the Tor Browser Bundle with ./start-tor-browser
  • User browses a few sites in the Tor Browser
  • User closes the Tor Browser window and clicks the Exit-button in Vidalia
  • User deletes the Tor Browser package and archive with rm -rf
  • User shuts down Debian 6 (Squeeze)

I started with a fresh install of Debian 6 (Squeeze). The file debian_changed_files.txt contains a list of 68 files which were either created or modified between the time I booted Debian, used the Tor Browser Bundle, and shut the system down.

Most files are files you expect to see change when using Debian, and some of them are GNOME specific. However, there are a small number of files which also contain traces of the Tor Browser Bundle and/or show that an external device was attached.

/home/runa/.local/share/gvfs-metadata/home: Created by the system. This file contains the filename of the Tor Browser Bundle tarball: tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz. I have created #8695 for this issue.

/home/runa/.xsession-errors: Modified by the system. This file contains the following string: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse). It is worth noting that a file named .xsession-errors.old could also exist. I have created #8696 for this issue.

/home/runa/.gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml: Created by the system. No trace found in the file, but the filename indicates that a device was mounted (in this case an external drive).

/home/runa/.bash_history: Created by the system. This file contains a record of commands typed into the terminal. I started the Tor Browser Bundle from the command line, so this file contains lines such as ./start-tor-browser. I have created #8697 for this issue.

/var/log/daemon.log, /var/log/syslog, /var/log/kern.log, /var/log/messages: contain information about attached devices. I had an external drive attached to the virtual machine, so these files contain lines such as Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS 3.1) and Initializing USB Mass Storage driver….
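The method described in comment:9 (list every file created or modified during the session, then look inside the changed files for strings tied to the bundle) can be reproduced on a constructed fixture. The Python below is an added example, not code from this ticket or from the Tor Project: the fixture files, the "boot" timestamp and the trace patterns are assumptions modelled on the paths and strings quoted above, and the changed-file check keys on mtime only because a test fixture cannot set ctime.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed trace markers, modelled on the strings reported in the ticket:
# the tarball name, the launcher name and the window-manager warning fragment.
TRACE_PATTERNS = [
    r"tor-browser-gnu-linux-x86_64-[\w.-]+\.tar\.gz",
    r"start-tor-browser",
    r"\(Tor Browse\)",
]


def changed_since(root, since_ts):
    """Return relative paths of regular files under root with mtime >= since_ts.

    This mirrors the 'files created or modified between boot and shutdown'
    listing. It uses mtime only (ctime cannot be set from user space in a
    fixture); unreadable entries are skipped instead of aborting the sweep.
    """
    root = Path(root)
    out = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            st = path.stat()
        except OSError:
            continue
        if st.st_mtime >= since_ts:
            out.append(str(path.relative_to(root)))
    return sorted(out)


def find_traces(root, rel_paths, patterns=TRACE_PATTERNS):
    """Search each changed file for the trace patterns; return {path: [matches]}.

    Files are read as bytes so binary stores such as gvfs-metadata are
    searched as well as plain-text logs and histories.
    """
    compiled = [re.compile(p.encode()) for p in patterns]
    hits = {}
    for rel in rel_paths:
        try:
            data = (Path(root) / rel).read_bytes()
        except OSError:
            continue
        found = sorted({m.group(0).decode("utf-8", "replace")
                        for rx in compiled for m in rx.finditer(data)})
        if found:
            hits[rel] = found
    return hits


def build_fixture():
    """Create a constructed home directory with files dated before and after 'boot'."""
    root = Path(tempfile.mkdtemp(prefix="tbb-fixture-"))
    boot_ts = 1_600_000_000  # arbitrary constructed 'boot' timestamp
    samples = {
        # untouched since before boot: must not be listed
        ".bashrc": (b"export PS1='$ '\n", boot_ts - 86400),
        # shell history written during the session
        ".bash_history": (b"tar -zxvf tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz\n"
                          b"./start-tor-browser\n"
                          b"rm -rf tor-browser_en-US\n", boot_ts + 600),
        # window-manager warning naming the browser window
        ".xsession-errors": (b"Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW "
                             b"message with a timestamp of 0 for 0x3800089 (Tor Browse)\n", boot_ts + 300),
        # binary metadata store embedding the tarball name
        ".local/share/gvfs-metadata/home": (
            b"\x00\x01tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz\x00", boot_ts + 120),
        # changed, but carries no trace string (only its path is telling)
        ".gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml": (
            b'<?xml version="1.0"?>\n<gconf/>\n', boot_ts + 100),
    }
    for rel, (content, mtime) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))
    return root, boot_ts


if __name__ == "__main__":
    root, boot_ts = build_fixture()
    changed = changed_since(root, boot_ts)
    print("changed files:", changed)
    for rel, found in find_traces(root, changed).items():
        print(rel, "->", found)
```

Note that the %gconf.xml entry shows up in the changed list but not in the trace hits, which is the point made above for that file: the information leak is in the path, not the content, so a content-only search would miss it.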

comment:10 Changed 5 years ago by runa

I then covered a second use case:

  • User boots Debian 6 (Squeeze)
  • User logs in as a normal user (i.e. not admin)
  • User attaches an external drive
  • Using the GUI: user copies the Tor Browser Bundle from the external drive to the home dir
  • Using the GUI: user extracts the Tor Browser Bundle
  • Using the GUI: user runs the Tor Browser Bundle by clicking on the start-tor-browser file
  • User browses a few sites in the Tor Browser
  • User closes the Tor Browser window and clicks the Exit-button in Vidalia
  • Using the GUI: user deletes the Tor Browser package and archive
  • Using the GUI: user empties the trash can
  • User shuts down Debian 6 (Squeeze)

I started with a fresh install of Debian 6 (Squeeze). The file debian_changed_files2.txt contains a list of 58 files which were either created or modified between the time I booted Debian, used the Tor Browser Bundle, and shut the system down.

Most files are files you expect to see change when using Debian. However, there are a small number of files which also contain traces of the Tor Browser Bundle and/or show that an external device was attached.

/home/runa/.recently-used.xbel: Created by the system. This file contains the filename of the Tor Browser Bundle tarball, tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz, as well as the time and date it was added, modified, and visited. I have created #8706 for this issue.

/home/runa/.xsession-errors: Modified by the system. This file contains the following string: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse). It is worth noting that a file named .xsession-errors.old could also exist. I have created #8696 for this issue.

/home/runa/.local/share/gvfs-metadata/home-c0ca7993.log: Created by the system. This file contains lines indicating that the Tor Browser Bundle was deleted, such as /.local/share/Trash/expunged/3864782161/start-tor-browser and /.local/share/Trash/expunged/3864782161/App/tor. I have created #8707 for this issue.

/home/runa/.gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml: Created by the system. No trace found in the file, but the filename indicates that a device was mounted (in this case an external drive).

/var/log/daemon.log, /var/log/syslog, /var/log/kern.log, /var/log/messages: contain information about attached devices. I had an external drive attached to the virtual machine, so these files contain lines such as Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS 3.1) and Initializing USB Mass Storage driver….
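The .recently-used.xbel trace from comment:10 records not just the tarball name but the added, modified and visited times and the application used to open it. The following Python is an added example, not code from this ticket or from the Tor Project; it parses a constructed XBEL document laid out the way GTK writes the recently-used list (the path, application names and timestamps in the sample are invented). The file lives at ~/.recently-used.xbel for GTK 2 as reported here; newer GTK versions keep it under ~/.local/share/, so a sweep should check both.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the GTK recently-used.xbel layout.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/runa/tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz"
            added="2013-04-01T10:00:00Z" modified="2013-04-01T10:05:00Z" visited="2013-04-01T10:05:00Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/x-compressed-tar"/>
        <bookmark:applications>
          <bookmark:application name="File Roller" exec="&apos;file-roller %u&apos;"
                                modified="2013-04-01T10:05:00Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/runa/Documents/notes.txt"
            added="2013-03-30T09:00:00Z" modified="2013-03-30T09:00:00Z" visited="2013-03-30T09:00:00Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;"
                                modified="2013-03-30T09:00:00Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""

NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}


def _ts(value):
    """Parse the ISO 8601 UTC timestamps ('...Z') GTK writes; None if absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_recently_used(xml_text):
    """Return one dict per <bookmark>: href, the three timestamps, MIME type, apps."""
    root = ET.fromstring(xml_text)
    entries = []
    for bm in root.findall("bookmark"):
        mime_el = bm.find("info/metadata/mime:mime-type", NS)
        apps = [a.get("name") for a in
                bm.findall("info/metadata/bookmark:applications/bookmark:application", NS)]
        entries.append({
            "href": bm.get("href"),
            "added": _ts(bm.get("added")),
            "modified": _ts(bm.get("modified")),
            "visited": _ts(bm.get("visited")),
            "mime": mime_el.get("type") if mime_el is not None else None,
            "apps": apps,
        })
    return entries


def entries_matching(entries, pattern):
    """Keep entries whose href matches the regex, e.g. the bundle tarball name."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e["href"] or "")]


if __name__ == "__main__":
    for e in entries_matching(parse_recently_used(SAMPLE_XBEL), r"tor-browser"):
        print(e["href"])
        print("  added   :", e["added"])
        print("  modified:", e["modified"])
        print("  visited :", e["visited"])
        print("  opened with:", ", ".join(e["apps"]))
```

The timestamps are what make this file more revealing than a bare filename: they date the session, and the application entry (the archive manager in the sample) shows the tarball was extracted through the GUI rather than merely copied.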

Changed 5 years ago by runa

Attachment: debian_changed_files2.txt added

comment:11 Changed 5 years ago by runa

Owner: changed from erinn to runa
Status: reopened → assigned

comment:12 Changed 4 years ago by runa

Resolution: fixed
Status: assigned → closed