Skip to content
Snippets Groups Projects
New look
Closed (moved) OSX FSEvents API files contain traces of the Tor Browser Bundle
  • View options

    • OSX FSEvents API files contain traces of the Tor Browser Bundle

  • View options
    • Closed (moved) Issue created by Runa Sandvik

    A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that FSEvents API files contain traces of the Tor Browser Bundle.

    The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:

    • /.fseventsd/0000000000172019

    Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive.

    Linked items ... 0

    • Activity

    • All activity
    • Comments only
    • History only
    • Newest first
    • Oldest first
    Loading Loading Loading Loading Loading Loading Loading Loading Loading Loading