###
### Notes on traces left by Tor Browser Bundle
###
### Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>
###

Filesystem modifications
========================

To study what changes Firefox portable makes I started two instances
of Windows in VMWare, from the same base. In one I ran Tor Browser
Bundle and in the other I ran nothing. By comparing the filesystem
states I was able to find out which files changed.

33 files changed in each instance, 32 of which are common to both
runs.

When the Tor Browser Bundle was run this file was modified:
 
 WINDOWS/system32/wbem/Repository/FS/INDEX.BTR

When Tor Browser was not run this file was modified.

 WINDOWS/Prefetch/WUAUCLT.EXE ... .pf

The former is part of the Windows logging infrastructure, so needs to
be investigated as to whether there is any sensitive information
stored.

The latter file indicates that Windows update ran, which is probably
just a coincidence. Some more investigation to confirm this would be
advisable.

Also, the application was run from a USB drive. The situation could
also be different if the application was run from the hard drive.

Firefox 3 will create a Mozilla directory in the current user's Application
Data directory, which contains
"Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" and "Firefox\Crash Reports"

Prefetch
--------

If there are less than 128 entries in WINDOWS/Prefetch on reboot, and
sufficient time has passed since booting, the starting of any
executable will create a new file in that location. File names are of
the form <COMMAND>-<HASH>.pf.

There appears to be no difference when the bundle is run from
removable storage as opposed to the hard disk. 

Registry modifications
======================

The dumpreg.py in FindTraces will take a ProcessMonitor trace and dump the
contents of all registry keys opened or modified by Tor Browser Bundle. For each
of these keys, the state before and after Tor Browser Bundle is started can be
saved. Then, by comparing the two files it is possible to find registry keys
modified by Tor Browser Bundle.

On a Windows XP installation, with Firefox installed, only one registry key is
modified: HKLM\Software\Microsoft\Cryptography\RNG\Seed (by vidalia.exe,
tor.exe, FirefoxPortable.exe, firefox.exe)

Without Firefox installed, there appears to be no difference, although
it is difficult to be certain since Windows makes changes to a large
number of binary objects stored in the registry on each boot.

This key is also modifed by a large number of other applications (including
calc.exe, mspaint.exe, notpad.exe, etc...) Therefore the modification of this
does not indicate that Tor Browser Bundle was run.

Windows explorer also logs the ROT-13 encoded names of executables run in:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Further information can be found in this article:
 http://personal-computer-tutor.com/abc3/v29/vic29.htm

Firefox 3 changes the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings. This is a binary field and its purpose is unclear.

Other traces
============

If the Tor Browser Bundle is initially saved to the hard disk, then
deleted, the contents will likely be obtainable with a forensic disk
analysis tool or undeletion program. A safer option is to download and
install the bundle on a USB drive, and then take this away after using
the computer.

Future steps
============

These tests were run on a computer which already had Firefox
installed. It is possible that without Firefox the situation will be
different.
