Skip to content

Windows Prefetch records the Tor Browser Bundle

A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the Windows Prefetcher keeps records of the different Tor Browser Bundle applications:

  • C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
  • C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
  • C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
  • C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
  • C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:

  • C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • C:\Users\runa\AppData\Local\Microsoft\Windows\Caches{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
  • C:\Windows\AppCompat\Programs\RecentFileCache.bcf
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information