[tor-bugs] #8166 [Tor bundles/installation]: Forensic Analysis of current TBB on Debian Linux

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 15 23:06:21 UTC 2013


#8166: Forensic Analysis of current TBB on Debian Linux
-----------------------------------------+----------------------------------
    Reporter:  runa                      |       Owner:  erinn             
        Type:  task                      |      Status:  reopened          
    Priority:  normal                    |   Milestone:                    
   Component:  Tor bundles/installation  |     Version:                    
  Resolution:                            |    Keywords:  SponsorJ, SponsorL
      Parent:                            |      Points:                    
Actualpoints:                            |  
-----------------------------------------+----------------------------------

Comment(by runa):

 The use case I covered was the following:

  * User boots Debian 6 (Squeeze)
  * User logs in as a normal user (i.e. not admin)
  * User attaches an external drive
  * User copies the Tor Browser Bundle from the external drive to the home
 dir
  * User extracts the Tor Browser Bundle with ''tar -zxvf''
  * User runs the Tor Browser Bundle with ''./start-tor-browser''
  * User browses a few sites in the Tor Browser
  * User closes the Tor Browser window and clicks the ''Exit''-button in
 Vidalia
  * User deletes the Tor Browser package and archive with ''rm -rf''
  * User shuts down Debian 6 (Squeeze)

 I started with a fresh install of Debian 6 (Squeeze). The file
 ''debian_changed_files.txt'' contains a list of 68 files which were either
 created or modified between the time I booted Debian, used the Tor Browser
 Bundle, and shut the system down.

 Most files are files you expect to see change when using Debian, and some
 of them are GNOME specific. However, there are a small number of files
 which also contain traces of the Tor Browser Bundle and/or show that an
 external device was attached.

 '''/home/runa/.local/share/gvfs-metadata/home''': Created by the system.
 This file contains the filename of the Tor Browser Bundle tarball: ''tor-
 browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz''. I have created #8695
 for this issue.

 '''/home/runa/.xsession-errors''': Modified by the system. This file
 contains the following string: ''Window manager warning: Buggy client sent
 a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor
 Browse)''. It is worth noting that a file named ''.xsession-errors.old''
 could also exist. I have created #8696 for this issue.

 '''/home/runa/.gconf/apps/nautilus/desktop-
 metadata/THA@46@volume/%gconf.xml''': Created by the system. No trace
 found in the file, but the filename indicates that a device was mounted
 (in this case an external drive).

 '''/home/runa/.bash_history''': Created by the system. This file contains
 a record of commands typed into the terminal. I started the Tor Browser
 Bundle from the command line, so this file contains lines such as
 ''./start-tor-browser''. I have created #8697 for this issue.

 '''/var/log/daemon.log''', '''/var/log/syslog''', '''/var/log/kern.log''',
 '''/var/log/messages''': contain information about attached devices. I
 had an external drive attached to the virtual machine, so these files
 contain lines such as ''Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS
 3.1)'' and ''Initializing USB Mass Storage driver…''.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8166#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
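The artifacts listed in the comment above can be checked for mechanically. The following script is an added example, not part of the ticket or of any Tor Project tooling: it scans a home directory and a log directory for the specific traces the comment names (shell history, .xsession-errors, gvfs metadata, the nautilus desktop-metadata volume directory, and mount/USB lines in the system logs), and it builds a constructed sample tree in a temporary directory so it runs offline. The file contents, the hostname "debian", the PID and the "THA@46@volume" directory name are constructed for the demo, modelled on the strings quoted in the comment; the paths and patterns are assumptions about where such traces appear on a Debian 6 GNOME system and are not exhaustive.

```python
"""Check a Linux home directory and log directory for the residual traces
of Tor Browser Bundle use described in ticket #8166 (added example)."""
import os
import re
import tempfile

# Patterns drawn from the comment's findings. gvfs-metadata is a binary
# file, so every file is read as bytes and matched with bytes regexes.
HOME_INDICATORS = [
    (".bash_history", rb"start-tor-browser|tor-browser-[\w.-]+\.tar\.gz",
     "shell history records launching or extracting the bundle"),
    (".xsession-errors", rb"Tor Browse",
     "window manager warning names the Tor Browser window"),
    (".xsession-errors.old", rb"Tor Browse",
     "rotated X session log names the Tor Browser window"),
    (".local/share/gvfs-metadata/home", rb"tor-browser-[\w.-]+\.tar\.gz",
     "gvfs metadata remembers the tarball filename"),
]
LOG_FILES = ("syslog", "daemon.log", "kern.log", "messages")
LOG_PATTERN = rb"Mounted /dev/sd\w+|USB Mass Storage"
NAUTILUS_META = ".gconf/apps/nautilus/desktop-metadata"


def _grep(path, pattern):
    """Return the first match of pattern in the file at path, or None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:          # missing or unreadable file: no evidence
        return None
    m = re.search(pattern, data)
    return m.group(0).decode("utf-8", "replace") if m else None


def scan_home(home):
    """List (artifact, evidence, description) triples found under home."""
    findings = []
    for rel, pattern, why in HOME_INDICATORS:
        hit = _grep(os.path.join(home, rel), pattern)
        if hit:
            findings.append((rel, hit, why))
    # The nautilus metadata directory name alone shows a volume was mounted,
    # even though the %gconf.xml inside it carries no trace.
    meta = os.path.join(home, NAUTILUS_META)
    if os.path.isdir(meta):
        for name in sorted(os.listdir(meta)):
            if name.endswith("@volume"):
                findings.append((NAUTILUS_META + "/" + name, name,
                                 "nautilus metadata shows a volume was mounted"))
    return findings


def scan_logs(log_dir):
    """List (logfile, evidence, description) for mount/USB lines in logs."""
    findings = []
    for name in LOG_FILES:
        hit = _grep(os.path.join(log_dir, name), LOG_PATTERN)
        if hit:
            findings.append((name, hit, "system log records an attached device"))
    return findings


def build_sample_tree(root):
    """Write a constructed (not captured) sample tree under root."""
    home = os.path.join(root, "home", "user")
    logs = os.path.join(root, "var", "log")
    tarball = b"tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz"
    files = {
        os.path.join(home, ".bash_history"):
            b"ls\ntar -zxvf " + tarball + b"\ncd tor-browser_en-US\n"
            b"./start-tor-browser\n",
        os.path.join(home, ".xsession-errors"):
            b"Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW "
            b"message with a timestamp of 0 for 0x3800089 (Tor Browse)\n",
        os.path.join(home, ".local/share/gvfs-metadata/home"):
            b"\x00\x01\x02" + tarball + b"\x00",   # binary with embedded name
        os.path.join(home, NAUTILUS_META, "THA@46@volume", "%gconf.xml"):
            b'<?xml version="1.0"?>\n<gconf/>\n',
        os.path.join(logs, "syslog"):
            b"Apr 15 22:10:01 debian kernel: Initializing USB Mass Storage "
            b"driver...\n",
        os.path.join(logs, "kern.log"):
            b'Apr 15 22:10:03 debian ntfs-3g[1234]: Mounted /dev/sdb1 '
            b'(Read-Write, label "THA", NTFS 3.1)\n',
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return home, logs


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        home, logs = build_sample_tree(root)
        return scan_home(home), scan_logs(logs)


if __name__ == "__main__":
    for group in demo():
        for artifact, evidence, why in group:
            print(f"{artifact}: {why} ({evidence!r})")
```

Pointing `scan_home` and `scan_logs` at a real `/home/<user>` and `/var/log` (as root, for the logs) reproduces the check the comment performed by hand; on the constructed tree the script reports the history line, the X session warning, the tarball name in gvfs metadata, the `@volume` directory, and the USB and mount lines, while the absent `.xsession-errors.old`, `daemon.log` and `messages` produce no finding.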
