[tor-bugs] #8166 [Tor bundles/installation]: Forensic Analysis of current TBB on Debian Linux

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 15 23:26:37 UTC 2013


#8166: Forensic Analysis of current TBB on Debian Linux
-----------------------------------------+----------------------------------
    Reporter:  runa                      |       Owner:  erinn             
        Type:  task                      |      Status:  reopened          
    Priority:  normal                    |   Milestone:                    
   Component:  Tor bundles/installation  |     Version:                    
  Resolution:                            |    Keywords:  SponsorJ, SponsorL
      Parent:                            |      Points:                    
Actualpoints:                            |  
-----------------------------------------+----------------------------------

Comment(by runa):

 I then covered a second use case:

  * User boots Debian 6 (Squeeze)
  * User logs in as a normal user (i.e. not admin)
  * User attaches an external drive
  * Using the GUI: user copies the Tor Browser Bundle from the external
 drive to the home dir
  * Using the GUI: user extracts the Tor Browser Bundle
  * Using the GUI: user runs the Tor Browser Bundle by clicking on the
 ''start-tor-browser'' file
  * User browses a few sites in the Tor Browser
  * User closes the Tor Browser window and clicks the ''Exit''-button in
 Vidalia
  * Using the GUI: user deletes the Tor Browser package and archive
  * Using the GUI: user empties the trash can
  * User shuts down Debian 6 (Squeeze)

 I started with a fresh install of Debian 6 (Squeeze). The file
 ''debian_changed_files2.txt'' contains a list of 58 files which were
 either created or modified between the time I booted Debian, used the Tor
 Browser Bundle, and shut the system down.

 Most files are files you expect to see change when using Debian. However,
 there are a small number of files which also contain traces of the Tor
 Browser Bundle and/or show that an external device was attached.

 '''/home/runa/.recently-used.xbel''': Created by the system. This file
 contains the filename of the Tor Browser Bundle tarball,
 ''tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz'', as well as the
 time and date it was added, modified, and visited. I have created #8706 for
 this issue.

 '''/home/runa/.xsession-errors''': Modified by the system. This file
 contains the following string: ''Window manager warning: Buggy client sent
 a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor
 Browse)''. It is worth noting that a file named ''.xsession-errors.old''
 could also exist. I have created #8696 for this issue.

 '''/home/runa/.local/share/gvfs-metadata/home-c0ca7993.log''': Created by
 the system. This file contains lines indicating that the Tor Browser
 Bundle was deleted, such as
 ''/.local/share/Trash/expunged/3864782161/start-tor-browser'' and
 ''/.local/share/Trash/expunged/3864782161/App/tor''. I have created #8707
 for this issue.

 '''/home/runa/.gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml''':
 Created by the system. No trace found in the file, but the filename
 indicates that a device was mounted (in this case an external drive).

 '''/var/log/daemon.log''', '''/var/log/syslog''', '''/var/log/kern.log''',
 '''/var/log/messages''': contain information about attached devices. I
 had an external drive attached to the virtual machine, so these files
 contain lines such as ''Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS
 3.1)'' and ''Initializing USB Mass Storage driver…''.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8166#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
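As an added example (not part of the ticket and not Tor Project code), the following Python script checks a Debian home directory for the artifact locations listed in this comment and reports which of them still reference the bundle or a mounted volume. The sample files it builds in a temporary directory are constructed from the strings quoted above, so it runs offline; point `scan_home()` at a real home directory to use it as a post-deletion check.

```python
import os
import re
import tempfile
# Content patterns for the artifact files named in the comment; the nautilus
# gconf volume directory carries no content trace, so it is matched by name.
TARBALL = re.compile(r"tor-browser-gnu-linux-[\w.-]+\.tar\.gz")
WM_WARNING = re.compile(r"Tor Browse\w*")
EXPUNGED = re.compile(r"/\.local/share/Trash/expunged/\d+/(?:start-tor-browser|App/tor)")

def grep_file(path, pattern):
    """Distinct matches of pattern in path; a missing file yields an empty set."""
    try:
        with open(path, "rb") as fh:  # gvfs logs are binary, so decode leniently
            text = fh.read().decode("utf-8", "replace")
    except FileNotFoundError:
        return set()
    return {m.group(0) for m in pattern.finditer(text)}

def scan_home(home):
    """Map each artifact location under home that still references TBB to what was found."""
    checks = [(name, os.path.join(home, name), pat) for name, pat in
              ((".recently-used.xbel", TARBALL), (".xsession-errors", WM_WARNING),
               (".xsession-errors.old", WM_WARNING))]
    gvfs = os.path.join(home, ".local", "share", "gvfs-metadata")
    if os.path.isdir(gvfs):
        checks += [("gvfs-metadata/" + e, os.path.join(gvfs, e), EXPUNGED) for e in os.listdir(gvfs)]
    found = {label: hits for label, path, pat in checks if (hits := grep_file(path, pat))}
    volumes = os.path.join(home, ".gconf", "apps", "nautilus", "desktop-metadata")
    if os.path.isdir(volumes):
        names = {e for e in os.listdir(volumes) if e.endswith("@volume")}
        if names:
            found["nautilus-volumes"] = names
    return found

def demo():
    """Build a constructed home directory holding the traces from the comment and scan it."""
    home = tempfile.mkdtemp()
    samples = {  # constructed sample contents, modelled on the strings quoted in the ticket
        ".recently-used.xbel": '<bookmark href="file:///home/runa/tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz"/>',
        ".xsession-errors": "Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse)\n",
        ".local/share/gvfs-metadata/home-c0ca7993.log": "\x00/.local/share/Trash/expunged/3864782161/start-tor-browser\x00/.local/share/Trash/expunged/3864782161/App/tor\x00",
        ".gconf/apps/nautilus/desktop-metadata/THA@46@volume/%gconf.xml": "<gconf/>",
    }
    for rel, body in samples.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return scan_home(home)
```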

