[tbb-dev] TBB forensic analysis

jb jblm at gmx.com
Mon Mar 30 21:37:55 UTC 2015

> Sent: Friday, March 27, 2015 at 10:03 PM
> From: "Mike Perry" <mikeperry at torproject.org>
> To: "discussion regarding Tor Browser Bundle development" <tbb-dev at lists.torproject.org>
> Subject: Re: [tbb-dev] TBB forensic analysis
> jack bloom:
> > hi all,
> > 
> > I've read Runa's forensic analysis of the TBB
> > (https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf)
> > and I'm currently redoing the analysis of the current TBB. I'm more or less
> > following what runa did (plus ram dump/hibernation file), I was wondering if
> > you have any suggestions, ideas or any other kind of input on the subject.  I
> > asked on #tor and they suggested to say something here.
> Refreshing this study will be very useful.
> Three things come to mind immediately:
> 1. Please use Tor Browser 4.5a5, which should appear on the tor-qa list
> (https://lists.torproject.org/pipermail/tor-qa/) in the next day or two,
> and should be officially released on https://blog.torproject.org on
> Tuesday/Wednesday. Tor Browser 4.5-stable should be out in mid-April.

At the moment I was using TBB version 4.0.4 but I will replicate what I did
with the version you suggested. Actually using 4.5 makes much more sense, I didn't
think of that before.

> 2. With respect to new features in 4.5 that may change disk leaks: the
> new .desktop launcher for Linux
> (https://trac.torproject.org/projects/tor/ticket/13375), the optional
> Windows shortcuts
> (https://trac.torproject.org/projects/tor/ticket/14688), and the Windows
> authenticode signatures
> (https://trac.torproject.org/projects/tor/ticket/3861) all may change
> disk records kept by the OS.
> Since Runa did that report, we've also updated to a newer version of
> Firefox, which should have fixed several leaks in their Private Browsing
> Mode (which we use as a basis to prevent disk records of browsing
> activity). We've also added an updater, added Pluggable Transport
> support, removed Vidalia, and completely reorganized the bundles. Both
> Windows and Mac bundles were also changed to use NSIS and DMG packaging
> respectively, instead of zip files. There were quite a few more changes,
> as well.
> 3. You may want to have a look over
> https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed.
> Those are the disk leaks we know about, and some of them might actually
> no longer apply. Information about leaks that no longer happen will be
> especially useful to help us triage that list and focus on what still
> happens. Any new issues you find should also be tagged with the
> tbb-disk-leak keyword. The most serious issues are ones that cause
> information about websites that have been visited to be leaked to disk.

This is really helpful, thank you for your reply. I hope to get back in touch
with you soon, hopefully with some results.


More information about the tbb-dev mailing list