OS X HFS+ files may contain traces of the Tor Browser Bundle
Reported by: runa | Owned by: tbb-team
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 indicates that OS X HFS+ files may contain traces of the Tor Browser Bundle.
HFS+ is the default filesystem on OS X; it supports journaling, quotas, Finder information in metadata, hard and symbolic links, aliases, etc. HFS+ also supports hot file clustering, which tracks read-only files that are frequently requested and then moves them into a "hot zone". The hot file clustering scheme uses an on-disk B-Tree file for tracking.
I have not been able to open /.hotfiles.btree and /.journal, but they might contain traces of the Tor Browser Bundle and/or the attached external drive.
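An added example, not part of the original ticket: one way the hot file B-tree could be inspected offline once `/.hotfiles.btree` has been copied out of a disk image. The node and header layouts follow Apple's TN1150; the `HotFileKey` layout and lookup tag are assumed from XNU's `hfs_hotfiles.h`, and `parse_hotfiles`, `build_sample` and `SAMPLE` are hypothetical names working on constructed data.

```python
import struct

# Layouts per Apple TN1150 (HFS Plus Volume Format); all fields are big-endian.
NODE_DESC = struct.Struct(">IIbBHH")      # fLink, bLink, kind, height, numRecords, reserved
HEADER_REC = struct.Struct(">HIIIIHHII")  # treeDepth .. freeNodes (first 30 bytes of BTHeaderRec)
# Assumption: key layout and lookup tag as in XNU's hfs_hotfiles.h (HotFileKey, HFC_LOOKUPTAG).
HOT_KEY = struct.Struct(">HBBII")         # keyLength, forkType, pad, temperature, fileID
LOOKUP_TAG = 0xFFFFFFFF                   # "thread" records used for lookup by file ID
HEADER_NODE, LEAF_NODE = 1, -1

def record_offsets(node, count):
    """Record offsets are u16 values stored backwards from the end of the node."""
    return struct.unpack(">%dH" % count, node[len(node) - 2 * count:])[::-1]

def parse_hotfiles(data):
    """Return (header_dict, [(file_id, fork_type, temperature), ...])."""
    kind = NODE_DESC.unpack_from(data, 0)[2]
    if kind != HEADER_NODE:
        raise ValueError("node 0 is not a B-tree header node")
    names = ("depth", "root", "leaf_records", "first_leaf", "last_leaf",
             "node_size", "max_key", "total_nodes", "free_nodes")
    hdr = dict(zip(names, HEADER_REC.unpack_from(data, NODE_DESC.size)))
    size = hdr["node_size"]
    if size < 512 or size & (size - 1) or hdr["total_nodes"] * size > len(data):
        raise ValueError("implausible node size or truncated file")
    entries, seen, n = [], set(), hdr["first_leaf"]
    while 0 < n < hdr["total_nodes"] and n not in seen:  # follow fLink, guard against loops
        seen.add(n)
        node = data[n * size:(n + 1) * size]
        flink, _, kind, _, nrec, _ = NODE_DESC.unpack_from(node, 0)
        if kind != LEAF_NODE:
            raise ValueError("node %d in the leaf chain is not a leaf" % n)
        for start in record_offsets(node, nrec):
            _, fork, _, temp, file_id = HOT_KEY.unpack_from(node, start)
            if temp != LOOKUP_TAG:        # skip thread records, keep temperature-keyed ones
                entries.append((file_id, fork, temp))
        n = flink
    return hdr, entries

def build_sample(records, size=512):
    """Constructed two-node tree (header + one leaf), for demonstration only."""
    head = NODE_DESC.pack(0, 0, HEADER_NODE, 0, 3, 0) + HEADER_REC.pack(
        1, 1, len(records), 1, 1, size, 10, 2, 0)
    body = b"".join(HOT_KEY.pack(10, 0, 0, t, f) + struct.pack(">I", 0) for t, f in records)
    offs = [NODE_DESC.size + 16 * i for i in range(len(records))]
    leaf = NODE_DESC.pack(0, 0, LEAF_NODE, 1, len(records), 0) + body
    leaf = leaf.ljust(size - 2 * len(offs), b"\0") + struct.pack(">%dH" % len(offs), *offs[::-1])
    return head.ljust(size, b"\0") + leaf

SAMPLE = build_sample([(5, 1001), (40, 2002), (LOOKUP_TAG, 1001)])  # (temperature, fileID), constructed
```

The file IDs returned are catalog node IDs; mapping them to file names requires the volume's catalog file.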