OS X FSEvents API files contain traces of the Tor Browser Bundle
Reported by: runa
Owned by: tbb-team
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that FSEvents API files contain traces of the Tor Browser Bundle.
The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:
Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive.
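To check which paths a given `.fseventsd` log retains, the records can be parsed and filtered, as in this added example (not part of the original ticket). It assumes the layout described by public forensic tooling for this era of OS X: a gzip-compressed file of pages, each with a 12-byte header (`1SLD` magic, 4 unknown bytes, little-endian page size including the header) followed by records of NUL-terminated path, 8-byte event ID and 4-byte flags. The sample paths, event IDs, flag value and all function names are constructed for illustration.

```python
import gzip
import struct

# Constructed sample paths (not taken from the ticket).
SAMPLE_PATHS = [
    "Volumes/EXTERNAL/TorBrowser_en-US.app",
    "Users/alice/Desktop/TorBrowser_en-US.app",
    "Users/alice/.Trash/TorBrowser_en-US.app",
    "Users/alice/Documents/notes.txt",
]

def build_sample_log(paths, first_id=1000):
    """Build a synthetic gzip-compressed '1SLD' page (placeholder flag value)."""
    body = b"".join(
        p.encode() + b"\x00" + struct.pack("<QI", first_id + i, 0x01000000)
        for i, p in enumerate(paths)
    )
    header = b"1SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(body))
    return gzip.compress(header + body)

def parse_fsevents(blob):
    """Yield (path, event_id, flags) for every record in one log file."""
    data = gzip.decompress(blob)
    off = 0
    while off + 12 <= len(data):
        magic, _, size = struct.unpack_from("<4s4sI", data, off)
        if magic != b"1SLD" or size < 12:
            raise ValueError("unexpected page header at offset %d" % off)
        end = min(off + size, len(data))
        pos = off + 12
        while pos < end:
            nul = data.find(b"\x00", pos, end)
            if nul < 0 or nul + 13 > end:
                break  # truncated record: stop reading this page
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            yield data[pos:nul].decode("utf-8", "replace"), event_id, flags
            pos = nul + 13
        off = end

def find_traces(blob, needles):
    """Return (path, event_id) for records whose path contains any needle."""
    wanted = [n.lower() for n in needles]
    return [(path, eid) for path, eid, _ in parse_fsevents(blob)
            if any(n in path.lower() for n in wanted)]

if __name__ == "__main__":
    for path, eid in find_traces(build_sample_log(SAMPLE_PATHS), ["torbrowser"]):
        print(eid, path)
```

Running the same filter over each file in the `.fseventsd` directory, before and after a cleanup step, shows whether the recorded paths are still present.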