Tor Browser issueshttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues2022-10-26T13:13:48Zhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40868Remove the applied update list2022-10-26T13:13:48ZPier Angelo VendrameRemove the applied update listCurrently, Tor Browser lists the updates that a user applied.
We should get rid of that, because it can leak data about users' behavior.
![updates](/uploads/ac3c17d895f1ed13e13e147daf85d711/updates.png)Currently, Tor Browser lists the updates that a user applied.
We should get rid of that, because it can leak data about users' behavior.
![updates](/uploads/ac3c17d895f1ed13e13e147daf85d711/updates.png)Sponsor 131 - Phase 5 - Ongoing Maintenancehttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21830Copying large text from web console leaks to /tmp2022-09-22T10:12:07ZGeorg KoppenCopying large text from web console leaks to /tmpA user reported using the webconsole copying a large section of de-obfuscated html with torbrowser 6.5.1 resulted in those contents being available in /tmp.A user reported using the webconsole copying a large section of de-obfuscated html with torbrowser 6.5.1 resulted in those contents being available in /tmp.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19356TBB installer creates a folder with files in %temp% on Windows2022-07-12T20:42:23ZbugzillaTBB installer creates a folder with files in %temp% on WindowsInstaller prefers to unpack its temporary files (e.g. LangDLL.dll) to user's %temp% instead of its folder.Installer prefers to unpack its temporary files (e.g. LangDLL.dll) to user's %temp% instead of its folder.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16487Tor Browser has non private browsing mode related cache entries2022-07-09T22:13:07ZGeorg KoppenTor Browser has non private browsing mode related cache entriesAlthough using a Tor Browser in the default configuration there are cache entries visible that are not bound to the private browsing mode. We should investigate whether there are leaks somewhere and their i mpact.
What I am seeing on `a...Although using a Tor Browser in the default configuration there are cache entries visible that are not bound to the private browsing mode. We should investigate whether there are leaks somewhere and their i mpact.
What I am seeing on `about:cache` with `Private` unchecked is an entry of the blocklist extension (check).https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31505Remove "Show update history" button and contained history.2022-07-08T17:46:14ZTracRemove "Show update history" button and contained history.Options - "Keep Tor Browser up to date for the best performance, stability, and security."
Remove "Show update history" button and contained history.
What is the point if this browser keep update history?!
**Trac**:
**Username**: cyp...Options - "Keep Tor Browser up to date for the best performance, stability, and security."
Remove "Show update history" button and contained history.
What is the point if this browser keep update history?!
**Trac**:
**Username**: cyperpunkshttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/24866Tor Browser remembering history for certain URLs even after restart2022-06-25T17:06:21ZDavid Fifielddcf@torproject.orgTor Browser remembering history for certain URLs even after restartMy Tor Browser has two entries in the `moz_historyvisits` table in places.sqlite. The two URLs can come up during URL bar autocompletion, and also appear in the ctrl+H history window.
I noticed it just now when I saw URL bar autocomplet...My Tor Browser has two entries in the `moz_historyvisits` table in places.sqlite. The two URLs can come up during URL bar autocompletion, and also appear in the ctrl+H history window.
I noticed it just now when I saw URL bar autocompletions for URLs that were not bookmarks and were not open tabs. Here is a screenshot. The first three matches are bookmarks, as you can tell by the star icon. The accounts.google.com one is not a bookmark, but is for some reason being remembered across restarts.
![blog-autocomplete.png](uploads/blog-autocomplete.png)
The two URLs that are being remembered are:
* !https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D2266550428847361277%26postID%3D6186454555221678264%26blogspotRpcToken%3D3273703%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D2266550428847361277%26postID%3D6186454555221678264%26blogspotRpcToken%3D3273703%26bpli%3D1&passive=true&go=true#%7B%22color%22%3A%22rgb(110%2C%20110%2C%20110)%22%2C%22backgroundColor%22%3A%22rgb(204%2C%20204%2C%20204)%22%2C%22unvisitedLinkColor%22%3A%22rgb(0%2C%200%2C%200)%22%2C%22fontFamily%22%3A%22Verdana%2CGeneva%2Csans-serif%22%7D
* !https://id.rlcdn.com/463496.gif?credir=https%3A%2F%2Fsimage4.pubmatic.com%2FAdServer%2FSPug%3Fo%3D3%26u%3D1292AC75-4860-4D0E-8AC2-F720B90009E0%26vcode%3Dbz0yJnR5cGU9MSZjb2RlPTMzMzkmdGw9MTI5NjAw%26piggybackCookie%3D&redirect=1
The first one kind of makes sense. If I click on it, it takes me to a comment field for the [blog of BreakWa11](https://breakwa11.blogspot.com/), a circumvention developer whose blog I have visited in the past few months. It's not a top-level page though; seems like it belongs in an iframe. The other one looks like an advertising tracking pixel (hope it's nothing personal lol).
I found where the URLs are being stored: they are in the [places.sqlite](http://kb.mozillazine.org/Places.sqlite) database, in the `moz_places` table:
```
$ sqlite3 tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite
SQLite version 3.21.0 2017-10-24 18:55:49
Enter ".help" for usage hints.
sqlite> select * from moz_places;
[elided other entries which are my bookmarks]
68|https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D2266550428847361277%26postID%3D6186454555221678264%26blogspotRpcToken%3D3273703%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D2266550428847361277%26postID%3D6186454555221678264%26blogspotRpcToken%3D3273703%26bpli%3D1&passive=true&go=true#%7B%22color%22%3A%22rgb(110%2C%20110%2C%20110)%22%2C%22backgroundColor%22%3A%22rgb(204%2C%20204%2C%20204)%22%2C%22unvisitedLinkColor%22%3A%22rgb(0%2C%200%2C%200)%22%2C%22fontFamily%22%3A%22Verdana%2CGeneva%2Csans-serif%22%7D||moc.elgoog.stnuocca.|1|1|0||-1|1510963636686206|jljYEjVwHSTz|0|47357881751906
[elided]
71|https://id.rlcdn.com/463496.gif?credir=https%3A%2F%2Fsimage4.pubmatic.com%2FAdServer%2FSPug%3Fo%3D3%26u%3D1292AC75-4860-4D0E-8AC2-F720B90009E0%26vcode%3Dbz0yJnR5cGU9MSZjb2RlPTMzMzkmdGw9MTI5NjAw%26piggybackCookie%3D&redirect=1||moc.ndclr.di.|1|1|0||-1|1513646987292092|AG--rmyoEVB2|0|47360465205581
[elided]
```
These two entries with `id=68` and `id=71` are referenced in the `moz_historyvisits` table. Here is the whole table:
```
sqlite> select * from moz_historyvisits;
1|0|68|1510963636686206|6|0
2|0|71|1513646987292092|6|0
```
The fourth column looks like a microsecond timestamp, and the one for BreakWa11's blog matches the time frame during which I would have visited the site.
```
$ date -u -d @1510963636.686206
Sat Nov 18 00:07:16 UTC 2017
$ date -u -d @1513646987.292092
Tue Dec 19 01:29:47 UTC 2017
```
The `moz_historyvisits` table seems to underlie the ctrl+H history window. When I open it, there are two entries corresponding to the months of the timestamps. However it doesn't list any URLs: if I click the expander arrows, the arrows just disappear without expanding anything. But if I search for a string like "http", I can make the URLs appear.
![history-default.png](uploads/history-default.png) ![history-search.png](uploads/history-search.png)
Ticket legacy/trac#23704 is potentially related; it's about the browser remembering tabs after upgrading. comment:3:ticket:23704 says "TBB 7.0.5/6 has `places.history.enabled` set to `true` by default. And now TBB 7.5a5 has it set to `false` as a non-default value for unknown reason!" For what it's worth, my about:config looks like this:
|=Preference Name =|=Status =|=Type =|=Value =|
|------------------|---------|-------|--------|
|places.history.enabled |default |boolean |true |
|**places.history.expiration.transient_current_max_pages** |**user set** |**integer** |**122334** |
On another computer of mine, the `moz_historyvisits` table is empty and `moz_places` contains only bookmarks.
This is with Tor Browser 7.0.11 64-bit.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18589Tor browser writes SiteSecurityServiceState.txt with usage history2022-06-18T01:48:31ZcypherpunksTor browser writes SiteSecurityServiceState.txt with usage historyTor browser (hardened-6.0a4) writes a file called SiteSecurityServiceState.txt that has a list of sites I've visited. E.g. it has "en.wikipedia.org" and that definitely wasn't there after I first ran TB. It didn't appear right away when ...Tor browser (hardened-6.0a4) writes a file called SiteSecurityServiceState.txt that has a list of sites I've visited. E.g. it has "en.wikipedia.org" and that definitely wasn't there after I first ran TB. It didn't appear right away when I visited Wikipedia but eventually made it to disk (maybe it writes every few minutes or just at shutdown).
I have all history disabled in privacy prefs (except cookies but they're only till shutdown according to the dropdown). I expect TB will not write history without consent, and I did not approve or even get a warning about this file. I don't even see an obscure option (about:config) to disable it. I guess I'll try symlinking /dev/null, and otherwise write some $LD_PRELOAD to fail the open().
I understand there are security benefits but unless the user has enabled some form of history I don't think it's acceptable. You could ship a default file with popular sites preloaded.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17367Swap files can contain evidence of browsing history2022-03-21T20:14:30ZArthur EdelsteinSwap files can contain evidence of browsing historyTwo forensic reports describe extracting Tor Browser browsing history from a Windows pagefile.sys and hiberfil.sys:
See
http://computerforensicsblog.champlain.edu/wp-content/uploads/2014/06/One-User-Multiple-Devices-Cross-Platform-Recov...Two forensic reports describe extracting Tor Browser browsing history from a Windows pagefile.sys and hiberfil.sys:
See
http://computerforensicsblog.champlain.edu/wp-content/uploads/2014/06/One-User-Multiple-Devices-Cross-Platform-Recovery-and-Analysis...-Saliba-Landry-5-20-2014.pdf#33
and
https://web.archive.org/web/20160403075329/http://dfrws.org/2015eu/proceedings/DFRWS-EU-2015-short-presentation-1.pdf#16
Is there any way we can programmatically clean up the pagefile on New Identity and/or browser exit? What about OS X and Linux?https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17208New reported disk leaks in Tor Browser2022-03-21T20:14:30ZArthur EdelsteinNew reported disk leaks in Tor BrowserThis document is interesting:
http://www.dfrws.org/2015eu/proceedings/DFRWS-EU-2015-short-presentation-1.pdf
We should investigate if these disk leaks can be fixed.This document is interesting:
http://www.dfrws.org/2015eu/proceedings/DFRWS-EU-2015-short-presentation-1.pdf
We should investigate if these disk leaks can be fixed.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16743Reconsider "Add Start Menu & Desktop shortcuts" option (Windows)2022-03-21T20:14:30ZTracReconsider "Add Start Menu & Desktop shortcuts" option (Windows)One of Tor Browser's stated objetives is leaving not too much traces in the user's computer; in particular, after deleting it from the desktop, it should be mostly gone.
The desktop shortcut is mostly useless when installing to the desk...One of Tor Browser's stated objetives is leaving not too much traces in the user's computer; in particular, after deleting it from the desktop, it should be mostly gone.
The desktop shortcut is mostly useless when installing to the desktop, you have another shortcut right inside the "Tor Browser" folder, so it looks a bit silly.
The more "scary" one is the start menu one, which resides inside "$HOMEPATH$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs", and is more troubling. With no uninstaller, users have to remember to delete it manually and may miss it completely, specially on some newer versions of Windows where the list of programs is kind of hidden, and where deleting shortcuts is much more involved (can't right click -> delete directly).
So I think, at the very lest, the Start Menu shortcut shouldn't be created by default.
**Trac**:
**Username**: discerhttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15164"Print to file" saves filename and most recent printer in prefs2022-03-21T20:14:30ZMike Perry"Print to file" saves filename and most recent printer in prefsThe last file TBB prints is stored in the pref "print.print_to_filename", which persists until the next time you print to file.
The last actual printer you used is also written to the 'print_printer' pref.The last file TBB prints is stored in the pref "print.print_to_filename", which persists until the next time you print to file.
The last actual printer you used is also written to the 'print_printer' pref.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12814No space left in /var prevents Tor Browser from starting properly2022-03-21T20:14:30ZGeorg KoppenNo space left in /var prevents Tor Browser from starting properlyWhile testing 4.0-alpha I realized that Tor Browser is not starting properly on my machine. Extensions were missing and the following errors in the console showed up:
```
[13:29:23.748] ERROR addons.xpi-utils: SQL error 13: database or d...While testing 4.0-alpha I realized that Tor Browser is not starting properly on my machine. Extensions were missing and the following errors in the console showed up:
```
[13:29:23.748] ERROR addons.xpi-utils: SQL error 13: database or disk is full @ re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js:204](/gre/modules/XPIProviderUtils.js:204)
[13:29:23.753] ERROR addons.xpi: Failed to add add-on https-everywhere@eff.org in app-profile to database: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js](/gre/modules/XPIProviderUtils.js) :: XPIDB_rollbackTransaction :: line 457" data: no] @ re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js:457](/gre/modules/XPIProviderUtils.js:457)
[13:29:24.939] ERROR addons.xpi: Error during startup file checks, rolling back any database changes: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js](/gre/modules/XPIProviderUtils.js) :: XPIDB_commitTransaction :: line 442" data: no] @ re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js:442](/gre/modules/XPIProviderUtils.js:442)
[13:29:24.941] ERROR addons.manager: Exception calling provider startup: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js](/gre/modules/XPIProviderUtils.js) :: XPIDB_rollbackTransaction :: line 457" data: no] @ re[/gre/modules/XPIProvider.jsm](/gre/modules/XPIProvider.jsm) -> re[/gre/modules/XPIProviderUtils.js:457](/gre/modules/XPIProviderUtils.js:457)
```
The partition where Tor Browser got extracted had enough space left. The only one that was full was /var. Fixing that fixed the start issues as well. Not sure what exactly gets written to /var but it seems a disk leak to me we need to investigate.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9456Reset file attribute information after usage2022-03-21T20:13:30ZnaifReset file attribute information after usageTorBrowser bundle leak "local" information on when it was last used .
This is because the local filesystem keep MAC (modified, access, creation) time.
It means that from a forensic analyst perspective it will be always possible to iden...TorBrowser bundle leak "local" information on when it was last used .
This is because the local filesystem keep MAC (modified, access, creation) time.
It means that from a forensic analyst perspective it will be always possible to identify which is the last time the TorBrowser has been started (and probably when it has been closed) by carefully looking at the "atime" attribute of the filesystem in the directory where TBB is stored.
To fix this issue the TBB, on start and on close, should reset the "atime attribute" of all the files and directory where it is stored.
This can be done on all major filesystem with proper programming API (FAT32, NTFS, HFS, Ext4, etc) .https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8990OS X per-user temp files contain traces of the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikOS X per-user temp files contain traces of the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that per-user temp files contain traces of the Tor Browser Bundle.
OS X stores per-user temporary files and caches in /var/folders/. The follow...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that per-user temp files contain traces of the Tor Browser Bundle.
OS X stores per-user temporary files and caches in /var/folders/. The following files contain the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:
* /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.LaunchServices-036501.csstore
* /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/index.sqlite
* /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.LaunchServices-0360.csstore
* /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/thumbnails.data
These files also contain strings such as org.torproject.torbrowserbundle, org.mozilla.torbrowser, torbrowser_en-us.app, torbrowser.app, net.vidalia-project.vidalia, and vidalia.app. I have not been able to open the last file, thumbnails.data but it might contain traces of the Tor Browser Bundle and/or the attached external drive.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8989OS X swap file may contain traces of the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikOS X swap file may contain traces of the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the OS X swap file may contain traces of the Tor Browser Bundle.
OS X relies on swap files and paging for memory and cache management. I h...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the OS X swap file may contain traces of the Tor Browser Bundle.
OS X relies on swap files and paging for memory and cache management. I have not been able to open the swap file, but I would say it is likely that /var/vm/swapfile0 contains traces of the Tor Browser Bundle and/or the attached external drive.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8988Spotlight and mds may have indexed the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikSpotlight and mds may have indexed the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that Spotlight and mds may have indexed the Tor Browser Bundle.
Spotlight, and the Metadata Server (mds), indexes all items and files on a syst...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that Spotlight and mds may have indexed the Tor Browser Bundle.
Spotlight, and the Metadata Server (mds), indexes all items and files on a system and allows the user to perform system-wide searches for all sorts of items; documents, pictures, applications, system preferences, etc.
I have not been able to open the files in /.Spotlight-V100 and /var/db/mds/messages/, but I would say it is likely that Spotlight and mds picked up the Tor Browser Bundle and the attached external drive at some point.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8986OS X preference files contain traces of the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikOS X preference files contain traces of the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the preference files contain traces of the Tor Browser Bundle.
OS X applications store preference settings in plist files, and the files b...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the preference files contain traces of the Tor Browser Bundle.
OS X applications store preference settings in plist files, and the files below are related to system fonts, the file manager, recent items, and the Tor Browser Bundle. These files contain traces of the Tor Browser Bundle and the attached external drive.
* /Users/runa/Library/Preferences/com.apple.ATS.plist
* /Users/runa/Library/Preferences/com.apple.finder.plist
* /Users/runa/Library/Preferences/com.apple.recentitems.plist
* /Users/runa/Library/Preferences/org.mozilla.torbrowser.plisthttps://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8985OS X HFS+ files may contain traces of the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikOS X HFS+ files may contain traces of the Tor Browser Bundle
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 indicates that OS X HFS+ files may contain traces of the Tor Browser Bundle.
HFS+ is the default filesystem on OS X; it supports journaling, quotas, ...
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 indicates that OS X HFS+ files may contain traces of the Tor Browser Bundle.
HFS+ is the default filesystem on OS X; it supports journaling, quotas, Finder information in metadata, hard and symbolic links, aliases, etc. HFS+ also supports hot file clustering, which tracks read-only files that are frequently requested and then moves them into a "hot zone". The hot file clustering scheme uses an on-disk B-Tree file for tracking.
I have not been able to open /.hotfiles.btree and /.journal, but they might contain traces of the Tor Browser Bundle and/or the attached external drive.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8984OSX FSEvents API files contain traces of the Tor Browser Bundle2022-03-21T20:12:48ZRuna SandvikOSX FSEvents API files contain traces of the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that FSEvents API files contain traces of the Tor Browser Bundle.
The FSEvents API allows applications to register for notifications of changes...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that FSEvents API files contain traces of the Tor Browser Bundle.
The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:
* /.fseventsd/0000000000172019
Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive.https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8983OS X Crash Reporter and Diagnostic Messages contain traces of the Tor Browser...2022-03-21T20:12:48ZRuna SandvikOS X Crash Reporter and Diagnostic Messages contain traces of the Tor Browser BundleA forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the Crash Reporter and Diagnostic Messages contain traces of the Tor Browser Bundle, even though the bundle did not crash or hang while I u...A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that the Crash Reporter and Diagnostic Messages contain traces of the Tor Browser Bundle, even though the bundle did not crash or hang while I used it:
* /Library/Application Support/CrashReporter/Intervals_00000000-0000-1000-8000-000C2976590B.plist
* /var/log/DiagnosticMessages/2013.05.22.asl
I have not been able to open the file StoreData, which can be found in the same DiagnosticMessages directory, but it may also contain traces of the bundle.