At present, 96% of the resources available on the World-Wide-Web belong to the Deep Web, which is composed of contents that are not indexed by search engines. The Dark Web is a subset of the Deep Web, which is currently the favorite place for hiding illegal markets and contents. The most important tool that can be used to access the Dark Web is the Tor Browser. In this article, we propose a bottom-up formal investigation methodology for the Tor Browser's memory forensics. Based on a bottom-up logical approach, our methodology enables us to obtain information at a gradually higher level of abstraction, to characterize semantically relevant actions carried out by the Tor Browser. Furthermore, we show how the proposed three-layer methodology can be realized through open-source tools. Also, we show how the extracted information can be used as input to a novel Artificial Intelligence-based architecture for mining effective signatures capable of representing malicious activities in the Tor network. Finally, to assess the effectiveness of the proposed methodology, we defined three test cases that simulate widespread real-life scenarios and discuss the obtained results. To the best of our knowledge, this is the first work that deals with the forensic analysis of the Tor Browser in a live system, in a formal and structured way.

KEYWORDS
anonymity, private browsing, the onion router, TOR, Tor browser, Web browser forensics

INTRODUCTION
At present, millions of users browse the World-Wide-Web daily. In particular, most of these users browse easily accessible resources on the Web, such as search engines, social networks, academic-related sites, e-commerce platforms, and so on. However, while this amount of resources appears to be enormous, it represents only 4% of all the available ones, and it is referred to as the Surface Web. On the other hand, the remaining 96% is denoted as the Deep Web.

The Deep Web is composed of resources and contents that are not indexed by search engines, such as Google, Yahoo, and so on. Furthermore, there is a part of the Deep Web which is even more challenging to discover; it is referred to as the Dark Web. The Dark Web is populated by intentionally hidden pages and services, which can only be accessed through addresses that are impossible to remember. Although the Dark Web represents about 6% of the whole Web, it is the favorite hiding place for illegal markets (eg, black markets, etc.) and other illegal contents [1]. In detail, the Dark Web can only be accessed through the use of anonymizing networks, such as I2P, FreeNET, and especially the Tor (The Onion Router) overlay network. There are many tools to access this network, but the most convenient and widely used is the Tor Browser. The Tor Browser, which is available for different OSes including Microsoft Windows, Apple OS X/macOS, Linux, and Google Android, is a free and open-source browser that enables users to surf the Web using the Tor protocol. The features provided by this tool are many and mainly aim to preserve the anonymity of the