Forensic Analysis of Tor Browser on Windows 10 and Android 10 Operating Systems

Smartphones and the Internet have become prevalent in our society with various applications in businesses, education, healthcare, gaming, and research. One of the major issues with the Internet today is its lack of security since an eavesdropper can potentially intercept the communication. This has contributed towards an increased number of cyber-crime incidents, resulting in an increase in users’ consciousness about the security and privacy of their communication. One example is the shift towards using private browsers such as Tor. Tor is a well-recognized and widely used privacy browser based on The Onion Router network that provisions anonymity over the insecure Internet. This functionality of Tor has been a major hurdle in cybercrime investigations due to the complex nature of its anonymity. This paper investigates artifacts from the Tor privacy browser on the latest Windows 10 and Android 10 devices to determine potential areas where evidence can be found. We examine the registry, storage, and memory of Windows 10 devices and the memory, storage, logs, and Zram of Android 10 devices for three possible scenarios i.e. before, during, and after use of the Tor browser. Our results do not support the claims made by the Tor Project regarding user privacy and anonymity. We find that it is possible to retrieve significant details about a user’s browsing activities while the Tor browser is in use as well as after it is closed (on both operating systems). This paper also provides an investigative methodology for the acquisition and analysis of Tor browser artifacts from different areas of the targeted operating systems. Therefore, it can serve as a base to expand research in the forensic analysis of other privacy browsers and improve the efficiency of cybercrime investigations.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Aniello Castiglione.
The prevalence of workstations, laptops, and smartphones is increasing on a daily basis. These devices have now become a lifeline of our society. Introduced back in 1994, the Simon Personal Communicator (SPC) created by IBM emerged as the first smartphone. Later, in 2007, Apple Inc. became the first modern smartphone manufacturer with their iPhone running a proprietary mobile operating system, iOS. These devices offered consumers the ability to browse the web just as they would do on a desktop computer. Android was the next mobile operating system to be officially introduced in 2008. It immediately became a popular platform in the smartphone market due to its open-source license and the availability of a wide range of applications. In the case of computers and laptops, Microsoft Windows became the first choice for the user because it came pre-loaded with necessary software(s), a feature-rich user-friendly graphical user interface, and provided a much wider driver and peripheral compatibility. As of the first quarter of 2020-21, Android shares 71.81% of the worldwide smartphone market and Windows shares 75.55% of the worldwide PC market. Laptops and smartphones have been purchased in an almost equal ratio in 2019, 2020, and 2021. On one hand, this widespread adoption of Android smartphones and laptops creates an opportunity for businesses and industries to expand their productivity and resources. But, on the other hand, it has created problems for law enforcement agencies and other Internet users because it has provided more mobility and agility to cybercriminals, enabling them to launch sophisticated cyber-attacks. One such problem is the anonymity that enables individuals to engage in illicit activities without revealing themselves and/or their actions to others because they are constantly able to cover their tracks [1]. They are also able to maintain anonymity over the public network owing to the use of VPNs and other privacy protection software.
The Tor privacy browser is one such privacy protection software that is widely used for anonymity by both ordinary users and cyber-criminals. For the common user, the aim is to provide privacy protection on the insecure Internet while cyber-criminals use it to cover their tracks while carrying out illegal activities. The Tor browser works by directing encrypted traffic via an overlay of layered networks [2]. The digital investigation of a Tor network is a complex and tedious task. However, things can be simplified by investigating a seized suspect device (mobile or PC) to look for traces of illicit online activities.
The evolution of operating systems and application development technologies has posed considerable challenges in conducting digital investigations which serves as the motivation for our work. Although several studies have been conducted on forensic analysis of the Tor privacy browser, they have focused on the older versions of Android and Windows platforms with limited browsing activities. These studies are also limited in their examination of storage, registry, and ADB logs. No single study analyzes the Tor privacy browser on both Windows and Android systems. In this study, we undertake the forensic analysis of the current version of the Tor privacy browser on the latest builds of two different operating systems. As per our knowledge, the targeted builds of the Tor privacy browser, Windows OS, and Android OS have not been explored yet.
In this research, we design and simulate a dark web cybercrime scenario and then acquire and analyze evidence of the Tor browser from both operating systems and try to identify the suspect's online activities. More specifically, we aim to better understand the following questions:
• What methods are used for the collection of evidence?
• What kind of challenges can be faced?
• What kind of evidence can be extracted?
The remainder of this paper is organized as follows. Section 2 contains the work related to the forensic investigation of the Tor browser. Section 3 outlines the methodology for this study and section 4 explains the evidence acquisition for Windows 10 and Android 10 OS. Section 5 provides the findings from both devices while section 6 provides a comparison with existing research. Section 7 highlights the recommendations for Tor project developers and Section 8 presents the conclusion and directions for future work.

II. RELATED WORK
In this section, we will discuss the related work. In [3], a study was conducted to examine Orweb (now called Tor browser for mobile) browsing sessions on Samsung Galaxy S2 running Android. The device was examined in both rooted and unrooted states for the Tor privacy browser. It was concluded that browsing sessions were recovered only on rooted devices. However, the selected version of Android (2.3.3) was too old compared to the latest Android 10. In [4], a similar study was conducted on Samsung Galaxy S2 running Android 4.1.1. It proposed that there is no need to root the device as evidence can also be obtained by flashing the custom recovery on the device and then acquiring an image of the device's flash memory. Although this method proves to be very useful from a forensic point of view, the custom recovery flashing method is different on the latest devices.
In [5], the researchers performed a thorough analysis of Orweb and Orfox (another version of Orweb with a bookmark feature; currently both versions are combined into a single version) on Samsung Galaxy S5 running Android version 5.0 and extracted the artifacts. However, no details about the employed tools and techniques were provided. Furthermore, the browsing history was not fully extracted in this research. Moreover, this research was also conducted on an old version of Android and Tor privacy browser that is not compatible with the recent version. In [6], researchers examined 6 different privacy browsers i.e. Epic Privacy Browser, Secure Browser, Comodo Dragon, SRWare Iron, Dooble, and Maxthon along with the Tor privacy browser on Windows OS. Evidence was captured using filesystem analysis, registry analysis, network packet captures, memory analysis, and unallocated space analysis. The techniques can be mapped to Android OS but the actual methodology would be different. Similarly, in [7], the authors developed a tool named AndroKit to conduct web browser forensics on rooted Android devices. The tool targets the four famous web browsers available on Android i.e. Chrome, Opera, Mozilla Firefox, and Dolphin. A comparative analysis of AndroKit with standard forensics toolkits was also presented. The tool can recover cookies, bookmarks, web history, visited URLs, stored sessions, and URL credentials from these browsers. This work also employed older versions of Android, Android emulators, and web browsers. AndroKit can be used to perform Tor browser forensics as it is based on the Mozilla Firefox web browser.
In [8], the researchers performed a forensic analysis of Tor browser version 5.0 on 64-bit Windows 10. They analyzed the registry settings before and after installation, other filesystem artifacts, and memory of the system to conclude that the Tor browser leaves minimal on-disk evidence. Further, in [9], the authors performed a forensic analysis of Tor privacy browser 7.02 (32-bit) on Windows 8.1 OS in which they analyzed Tor browser artifacts from registry, memory, and storage. However, they only covered normal surface-web based user browsing activities on the Tor privacy browser to uncover artifacts related to Tor. They considered only ''Browser open'' and ''Browser closed'' scenarios for memory and storage analysis aspects. Rebecca N et al. [10] recovered forensic artifacts from normal and private browsing modes of two famous browsers i.e. Google Chrome and Mozilla Firefox. The private browsing results were compared with the famous anonymous browser TOR v7.0.5 on Windows 7 (64-bit) using AccessData FTK as a primary tool. Their research predominantly uncovered artifacts from the storage of experimental VMs with the conclusion that the Tor browser reveals limited user browsing artifacts when compared to private browsing modes of Chrome and Firefox. Satrya and Kurniawan [11] proposed a novel Android internal memory forensic acquisition tool called fridump to aid in acquiring Android internal memory more effectively as compared to preceding proposed methodologies, tools, and techniques. They used GDrive as a case study to uncover artifacts from the victim and investigator's Android smartphones i.e. Samsung A7 and Oppo A37F. However, there are some limitations in the tool since it works only with running processes that need to be monitored. Similarly, other works [12]-[15] proposed a framework to recover artifacts of the Tor privacy browser from memory, but their investigation covers Windows 10 build 10586 only on memory to reveal user-related information. They have not explored any other areas of the operating system (i.e. registry, file system) for artifacts relevant to the Tor browser.
In the aforementioned related work, most of the techniques only consider the basic Tor browsing activity (i.e. open, close, normal website browsing) for investigation purposes. In addition, older versions of the Tor browser and operating system builds were employed for experiments, which are not useful on the latest versions of applications. For example, because applications and platforms evolve significantly and may update their internal structures, the results in these previous studies may no longer be repeatable or current for further forensic investigations. Therefore, there exists a dire need to explore the latest Tor browser version(s) on the latest OS builds that can help us to perform an evidence profiling of the Tor Browser application. In addition, this can aid investigators in conducting effective forensic investigations for Tor Browser.
To the best of our knowledge, the current version of the Tor browser has not been explored, and no recent study has simultaneously forensically analyzed the Tor browser on two different OS platforms. We forensically analyze the latest version of Tor privacy browser artifacts on the latest builds of Windows and Android OS after simulating a dark-web-based cyber-crime scenario.
This study aims to identify potential areas in Windows and Android devices where a forensic investigator can look for evidence related to the Tor privacy browser. Our findings will help the forensic practitioners to identify and analyze the artifacts of illicit activity conducted on seized Windows and Android-based devices which may contribute as digital evidence in the court of law.

III. PROPOSED METHODOLOGY
The objective of this research was to collect evidentiary artifacts related to the usage of the Tor privacy browser on a Windows 10 host machine and an Android 10 smartphone. We simulate dark-web browsing scenarios and analyze the registry, memory, and storage on Windows 10 while on Android 10, we analyze storage, zram (swap partition), and memory for potential artifacts. We then perform a cross-platform comparison of the results. This research methodology is primarily based on earlier work by A. Jadoon et al. [9] and R. Nelson et al. [10] with NIST SP 800-63 guidelines.

A. WINDOWS 10
Three different areas of the Windows 10 operating system are explored i.e. Registry, Memory, and Storage. Acquisition and analysis are aimed at collecting potential artifacts generated during the installation, execution (with or without any browsing), and uninstallation of the Tor privacy browser. We didn't cover uninstallation activity in storage analysis on Windows 10 because Tor uninstallation simply involves the deletion of an application folder.

B. ANDROID 10
For Android 10 devices, we explore four different areas for artifacts i.e. Storage, Zram, memory (RAM), and ADB (Android Device Bridge) Logs.
ADB is a command-line tool that allows us to communicate with the device [16] and fetch Android device logs using two important tools. The first is logcat [17] that outputs logs of system messages and the second is Dumpsys [18] that outputs information about system services.
In Linux-based OS such as Android, Zram is a compressed block device in RAM which 1) can be used as a swap space because it does not have an exclusive swap 2) helps to increase the memory available on Android by compressing the excessive storage resources to a dedicated space in RAM which can be later retrieved by operating system 3) mounts as a block device in Android and its acquisition can be easily achieved using a simple copy-paste operation via the ADB shell or a forensic tool.
The acquisition of RAM on Android requires installation of a specialized kernel module e.g. LiME, or execution of specialized binary e.g. Frida-server which may compromise device storage evidence. Even then, the acquired RAM is for a specific process when it is executing. Our aim is the acquisition of artifacts generated during the installation, execution (with or without any browsing activity), and un-installation of the Tor privacy browser. The exception is that we cover only execution activity (with and without any browsing) in memory acquisition and analysis due to the reason outlined in section IV(II).
In addition to the browsing activities, our experimentation also considers three different states for Android devices i.e. Unrooted Android device (without admin privileges) and Rooted Android device (with admin privileges) [19], and NANDroid Backup (with Custom Recovery software installed making a perfect mirror image of the device) [20].
To work in a clean environment, a fresh Windows 10 virtual machine was created to analyze the registry, memory, and storage artifacts. The tools used include: VMware
We simulate every possible activity (browsing or non-browsing) that a suspect may have performed using the Tor privacy browser as per the simulated scenario mentioned above. This includes visiting various kinds of scenario-specific websites including dark-web (.onion) websites. Websites included for suspicious browsing activities are as follows:
The details of all the browsing activities on Windows 10 and Android 10 devices are provided in Table 1 and Table 2 respectively.
After the acquisition, the Windows 10 virtual machine was returned to a clean state snapshot and the free space on the Android 10 file system was shredded. The flowcharts of our proposed digital investigation methodology (based on NIST Special Publication 800-86 [23]) and adopted for our targeted platforms are shown in Figures 1 & 2.

E. TARGETED TOR BROWSER ACTIVITIES FOR DIGITAL INVESTIGATION
We covered four different activities of the Tor privacy browser to acquire evidence(s) linked to the application lifecycle on Windows 10 and Android 10 operating systems and these are described below:
I. Installation - the Tor browser is installed but not executed.
II. Simple Execution - the Tor browser is executed. Browser is connected to the Tor network, but no browsing activity is performed during this time.
III. Browse - the browsing activities mentioned in Table 1 and 2 of section III(D) are performed in this activity.
IV. Un-installation - the Tor browser is uninstalled.

IV. EVIDENCE ACQUISITION
a) First, we tried to acquire as much evidence as possible from an unrooted Android device after installation, browsing, and uninstallation. Since we do not have a lot of access, we are only able to acquire ADB logs and other basic non-browsing evidence(s) from emulated storage using ADB platform tools and MOBILedit Forensic Express.
b) Next, we unlocked the bootloader of our targeted Android device [24] using ADB platform tools in Fastboot mode to install a custom recovery software i.e. TWRP [25] to acquire NANDroid backup of the device's filesystem. NANDroid backup is a physical backup of the Android device. It is occasionally performed by investigators to access the underlying restricted filesystem areas, most specifically the /data/data/ directory. We stored the NANDroid backup on SD Card for further analysis. Using TWRP, we are only able to acquire storage evidence for the ''Browser Closed'' state because NANDroid backup requires rebooting the device into recovery mode.
c) Finally, we rooted our device using Magisk [26] to gain unrestricted access to the underlying filesystem. In this way, we were able to acquire storage and Zram evidence for all the targeted activities mentioned in section III(E) using MOBILedit Forensic Express. However, we were only able to acquire memory evidence using the most efficient Android memory forensic tool developed by Satrya and Kurniawan [11] for Simple Execution and Browsing activity because the Fridump tool only lets us acquire memory evidence while the process is running.

Warning: Acquisition methodologies mentioned at Sr. No. 2 & 3 were only emulated here for experimentation. Use of these methodologies in real case scenarios without any authorization & precautions will be dangerous and can destroy your seized evidence. These evidence acquisition techniques are only recommended if the device already has an unlocked bootloader or is rooted which may vary.
To cover all the activities mentioned in section III(E) on both OS, we performed the evidence acquisition as per the matrix given in Table 3.
After completion of each phase, the system is reverted to a clean state and/or restarted to ensure that no artifacts from the previous acquisition phase remain on the system. Acquired images are dumped to the external storage and then to the forensic workstation to ensure host integrity.

A. WINDOWS 10
Forensics analysis on Windows 10 was done in three phases. In the first phase, registry snapshots were analyzed for all our targeted activities while memory and storage images were analyzed in the next two phases.

1) REGISTRY ANALYSIS
In Windows forensic investigations, the Registry is considered the heart of the Windows operating system and an important forensic resource that provides significant information about who, what, where, and when something took place on a system, which can directly link the suspect to the actions being taken i.e., users, the time when they last used the system or the application. Registry files normally store data (values) under unique values called ''Keys'', which requires investigators to acquire sufficient knowledge about Registry keys and the data stored under those Keys to conduct effective forensic analysis.
VOLUME 9, 2021
We used Regshot, RegScanner, Notepad++, and WinMerge tools to analyze our registry snapshots. Our analysis reveals that the Tor browser adds eight (08) registry keys after installation and three (03) other registry keys relevant to the Tor Browser installer file during installation. All these registry keys have varying values which are dependent on the opening and closing of the Tor browser. This will be very helpful in cases where an investigator is interested in knowing whether the user just installed the Tor browser or used it as well after installation, but unfortunately, they do not provide any information related to the user browsing activities. In addition to these keys, some keys will be helpful for investigators to check recent programs executed on the system.
All these keys persist in the registry after uninstallation as shown in Fig 3 and may help the investigator in building a hypothesis about the case. For further details regarding registry artifacts, refer to Table 4.
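The snapshot comparison described above can be reproduced on plain regedit text exports taken at each lifecycle stage. The Python code below is an added example, not the authors' tooling or Regshot's own logic; the key names, value names and data in the four sample snapshots are constructed placeholders and are not the keys listed in Table 4.

```python
import re

KEY_RX = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RX = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def logical_lines(text):
    """Join hex values that regedit wraps over several lines with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg(text):
    """Parse a regedit text export into {key path: {value name: raw data}}.

    Real exports are UTF-16; read them with open(path, encoding="utf-16").
    """
    snapshot, current = {}, None
    for line in logical_lines(text):
        if m := KEY_RX.match(line):
            current = snapshot.setdefault(m["key"], {})
        elif current is not None and (m := VAL_RX.match(line)):
            name = m["name"]
            current["@" if name == "@" else name[1:-1]] = m["data"]
    return snapshot


def diff(before, after):
    """Keys added/removed and (key, value name) pairs whose data differs."""
    return {
        "added_keys": sorted(after.keys() - before.keys()),
        "removed_keys": sorted(before.keys() - after.keys()),
        "changed_values": sorted(
            (key, name)
            for key in before.keys() & after.keys()
            for name in before[key].keys() | after[key].keys()
            if before[key].get(name) != after[key].get(name)
        ),
    }


def lifecycle_report(baseline, installed, executed, uninstalled):
    """Answer the three questions the registry phase asks of the snapshots."""
    added = diff(baseline, installed)["added_keys"]
    return {
        "added_by_install": added,
        "changed_by_execution": diff(installed, executed)["changed_values"],
        "persist_after_uninstall": [k for k in added if k in uninstalled],
    }


# Constructed snapshots (placeholder keys only).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Placeholder\Preexisting]
"Setting"="1"
"""
INSTALLED = BASELINE + r"""
[HKEY_CURRENT_USER\Software\Placeholder\InstalledAppEntry]
"Path"="C:\\Users\\analyst\\Desktop\\PlaceholderApp\\app.exe"
"RunCount"=dword:00000000
"Blob"=hex:01,02,\
  03,04
"""
EXECUTED = INSTALLED.replace("dword:00000000", "dword:00000001")
UNINSTALLED = EXECUTED  # constructed so that the added key survives uninstallation

if __name__ == "__main__":
    snaps = [parse_reg(t) for t in (BASELINE, INSTALLED, EXECUTED, UNINSTALLED)]
    for question, answer in lifecycle_report(*snaps).items():
        print(question, answer)
```

A value that changes between the installed and executed snapshots separates "installed only" from "installed and run", which is the distinction the paragraph above draws.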

2) MEMORY ANALYSIS
In Memory analysis, we first extract ''Tor browser only artifacts'' and then in the second phase we look for ''Browsing artifacts''.

a: TOR ONLY ARTIFACTS
In this phase, we only extract artifacts that are related to the Tor application. We extract artifacts left on the memory of the system after installation, first time and subsequent executions, and after uninstallation of the Tor browser. HxD and Belkasoft Evidence Center are used for forensics analysis of acquired memory images. A list of all recovered artifacts during this phase of memory analysis is given in Table 5.
Artifacts related to router information can also be helpful for law enforcement agencies in case of backtracking a Tor user for any illegal activity. This can be done by collecting artifacts from the relays with the aid of respective LEAs and ISPs. However, it was beyond our scope of digital investigation.

b: BROWSING ARTIFACTS
In this phase, we only looked for user browsing artifacts in the memory. As explained in the Data Acquisition section, two VMware snapshots were taken for ''Browser Open'' and ''Browser Closed'' scenarios. Memory images (.vmem files) of these two VMware snapshots were analyzed for browsing artifacts using HxD and Belkasoft Evidence Center.
We performed most of our analysis using string searches and found remnants of visited websites/URLs, search queries, credentials (emails, usernames, and passwords), emails sent/received, uploaded & downloaded files, and other artifacts. All emails in the Inbox of Gmail, Outlook, and Secmail accounts including unread emails are present in memory. The artifacts we found in the ''Browser Open'' memory image were almost identical to the ''Browser Closed'' memory image which implies that the Tor browser does not instantly clear the user browsing history from memory while closing the application. Screenshots of some of these artifacts are shown in Fig. 4. The summary of all the user browsing artifacts found in memory is listed in Table 6.
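The string-search approach described above, as an added Python example that is not the authors' tooling: it extracts ASCII and UTF-16LE strings from a raw memory image, classifies them, and reports which artifacts from a ''Browser Open'' image are still present in a ''Browser Closed'' image. The regexes, both sample images and every address in them are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

MIN_LEN = 6  # shortest printable run worth classifying

# Printable runs stored as single bytes (ASCII) and as UTF-16LE (character + 0x00).
RUNS = (
    ("ascii", 1, re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)),
    ("utf-16le", 2, re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)),
)

# Artifact classes from the memory findings; the patterns are this example's own.
PATTERNS = {
    "onion_v3": re.compile(r"\b[a-z2-7]{56}\.onion\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "search_query": re.compile(r"[?&]q=([^&\s\"'<>]+)"),
}


def find_artifacts(image):
    """Return {kind: {value: [(byte offset, encoding), ...]}} for a bytes-like image."""
    hits = {kind: {} for kind in PATTERNS}
    for enc, width, run_rx in RUNS:
        for run in run_rx.finditer(image):
            text = run.group().decode(enc)
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    value = m.group(1) if rx.groups else m.group(0)
                    if kind == "search_query":
                        value = unquote_plus(value)  # "a+b%20c" -> "a b c"
                    offset = run.start() + width * m.start()
                    hits[kind].setdefault(value, []).append((offset, enc))
    return hits


def persisting(open_hits, closed_hits):
    """Artifacts seen while the browser was open that remain after it is closed."""
    return {
        kind: sorted(set(open_hits[kind]) & set(closed_hits[kind]))
        for kind in PATTERNS
    }


# --- Constructed sample data (not taken from any real image) ---
FAKE_ONION = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"
PAD = bytes(range(1, 32)) * 4  # non-printable filler between strings


def build_image(ascii_strings, utf16_strings):
    """Assemble a small fake memory image with strings in both encodings."""
    parts = [PAD]
    for s in ascii_strings:
        parts += [s.encode("ascii"), PAD]
    for s in utf16_strings:
        parts += [s.encode("utf-16le"), PAD]
    return b"".join(parts)


OPEN_IMAGE = build_image(
    ["http://" + FAKE_ONION + "/market/item?id=7",
     "https://search.example/?q=constructed+query&ia=web",
     "suspect@mail.example"],
    ["https://mail.example/inbox"],
)
CLOSED_IMAGE = build_image(
    ["http://" + FAKE_ONION + "/market/item?id=7", "suspect@mail.example"],
    ["https://mail.example/inbox"],
)

if __name__ == "__main__":
    kept = persisting(find_artifacts(OPEN_IMAGE), find_artifacts(CLOSED_IMAGE))
    for kind, values in kept.items():
        print(f"{kind}: {len(values)} still present after close")
        for value in values:
            print("   ", value)
```

The recorded byte offsets let an examiner jump to each hit in a hex editor to inspect the surrounding context.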

3) STORAGE ANALYSIS
In this phase, we analyzed forensic images of the Tor Browser application. Three image files were analyzed which include one for ''Post-Installation'', second for ''Browser Open'' and third for ''Browser Closed'' scenario. Application-related configuration and database files were analyzed in this phase to look for timestamps, bookmarks, and traces of user browsing activity, but no browsing evidence was found on the filesystem. Uninstallation activity was not covered purposely because it just involves deleting the main application folder from the filesystem (https://tb-manual.torproject.org/uninstalling/). Only file carving and deleted data recovery can be performed which we have omitted from the scope of this research.

a: POST-INSTALLATION
In this stage, the artifacts produced after the Tor browser was installed on Windows 10 were analyzed. The browser was not executed at all. Only application-related configuration files along with installation timestamps were found at this stage.

b: BROWSING-BROWSER OPEN
Artifacts that are present in the hard disk when the browser is open were searched in this part of the analysis. The artifacts we found had all the downloaded data and bookmarks information and timestamps. No user browsing-related information was found in this stage. However, all registry artifacts were present.

c: BROWSING-BROWSER CLOSED
In this stage of analysis, all those artifacts were searched which are present on the filesystem after the browser was closed. All steps performed in the previous part of the storage analysis were also repeated in this stage. Artifacts similar to those found in the browser open stage were present in this stage. However, user browsing information was still not available. A summary of all the browsing artifacts retrieved from the Tor privacy browser on Windows 10 is provided in Table 7.

B. ANDROID 10
On Android, forensic analysis is done in three phases. In our first phase, filesystem and ADB logs were analyzed for artifacts on an un-rooted Android device, which is the normal state of an Android device we usually use in our daily life. In the second phase, we performed NANDroid backup of our device for storage artifacts, and in the third phase, the device was rooted and its storage including ADB logs, Zram and memory images were analyzed for artifacts.

1) UN-ROOTED DEVICE -STORAGE ANALYSIS
On an un-rooted device, analysis of storage (including ADB logs) does not yield any significant evidence of user browsing activities except downloaded files and application-related files. Analysis of ADB logs (Dumpsys and Logcat service logs) only shows underlying activities of the Tor application on the device including timestamps as shown in Fig 5.

2) NANDROID BACKUP -STORAGE ANALYSIS
We dumped the org.torproject.torbrowser directory from /data/data folder in user data archive available in the NANDroid backup we performed as shown in Fig 6 & 7. Analysis of the files using HxD, Notepad, and DB Browser for SQLite yields only Bookmarks, timestamps, and Tor circuit information from the NANDroid backup. No user browsing information was retrieved from the NANDroid backup except downloaded files. ADB Logs were not available in NANDroid backup.

3) ROOTED DEVICE -STORAGE ANALYSIS (INCLUDING ADB LOGS)
As in NANDroid backup, rooting the device allows us to access the Tor application root directory /data/data/org.torproject.torbrowser/ on the filesystem using the Root Browser application and MOBILedit Forensic Express. Analysis of the files using HxD, Notepad, and DB Browser for SQLite tools yields only bookmarks, timestamps, and Tor circuit information. No user browsing information was retrieved from the rooted Android device except downloaded files. Analysis of ADB logs only shows underlying activities of the Tor application on the device including timestamps.

4) ROOTED DEVICE -ZRAM ANALYSIS
As per our existing knowledge and research, this area of Android device is explored for the first time to retrieve browsing and other application-related evidence because private browsers do not offer 100% privacy in terms of user browsing history as they leave many artifacts in RAM/memory. As Zram is a part of our device's physical RAM, its analysis revealed potential evidence of illicit browsing activities from the forensic point of view.

a: TOR ONLY ARTIFACTS
During this stage, we analyzed the artifacts left on Zram during the Tor browser's installation and execution without any browsing and uninstallation. A summary of all the artifacts retrieved during these activities is listed in Table 8.
filename, URLs, and local paths; most of the search queries we performed, and clipboard content from Tor; traces of few email addresses, and usernames used for login and communication. No passwords and email content were found, but session information, timestamps of few visited websites, and bookmarked websites information were found. In application-related traces, we found application-related file paths, loaded application files, functions, resources, SQLite DB Tables and operations, Tor control port, routers info, circuit Info, public keys, router's nicknames, User-agent. Some of these artifacts are shown in Fig 8.

ii. Browser Closed
Analysis in this case only reveals traces of very few visited websites/URLs and domain names including few webpage components and redirected/visited URLs information; Downloaded files information contains only local path and filenames; No search queries and clipboard content was found. Very few traces of email addresses used for login and communication were found, but no password and email content were found. In application-related traces, a small number of file paths and only some loaded application files were found. Summary of all the Tor browsing artifacts retrieved from Android 10 Zram is listed in Table 9.

5) ROOTED DEVICE -MEMORY ANALYSIS
In this analysis, we only covered two types of activities because of our memory acquisition tool's limitation as mentioned in section IV(II). We analyzed the Tor-only artifacts and user browsing artifacts during the ''Browser Open'' scenario.

a: TOR ONLY ARTIFACTS
Unlike Zram, we only analyzed the artifacts left in memory while the Tor browser was open, either with or without any browsing activity performed. A summary of all the artifacts retrieved during these activities is listed in Table 10.

i. Browser Open
Analysis reveals significant information about user browsing activities including visited websites/URLs including webpage components and redirected/visited URLs information; Downloaded files information including filename, URL, timestamps, and local paths; Uploaded file information; all search queries performed & clipboard content from Tor; Traces of most email addresses & usernames used for login and communication, and few passwords were also found but no email content was found. In addition, session information and timestamps of few visited websites were also found. We also found bookmarked websites. In application-related traces, we found file paths, loaded application files, functions, resources, SQLite DB Tables and operations, tor control port, routers info, circuit Info, public keys, router's nicknames, User-agent info. Some of these artifacts we discovered are shown in Fig 9.

ii. Browser Closed
Analysis in this state is not possible due to our tool's limitation so it did not reveal anything. The summary of all the Tor browsing artifacts we retrieved from Android 10 RAM is listed in Table 11. All the browsing artifacts gathered from Android 10's experimental setup are listed in Table 12.

VI. COMPARISON WITH EXISTING RESEARCH
A vast amount of research has been conducted on the security and privacy of the Tor network, but limited research has been performed in the field of Tor forensics especially on the latest Windows and Android OS builds.
We only found three studies focused on forensics analysis of the Tor browser performed on different Windows OS version(s):
1) On Windows 10 version 1709 by Warren [8] - this study examined the registry, storage, and memory after normal websites e.g. google.com were visited. They discovered mostly application-related artifacts and were only able to retrieve bookmarks (browsing artifacts) from storage. They did not include any significant effort for discovering browsing artifacts from registry and memory.
2) On Windows 8.1 by Jadoon et al. [9] - this research examined the registry, storage, and memory and included a lot of effort into the exploration of user-browsing artifacts but lacked the exploration of Tor application-related artifacts.
3) On Windows 10 version 1703 by Muir et al. [12] - this study also examined the registry, storage, and memory for Tor browser artifacts and was able to uncover most of the application-related and browsing artifacts for normal websites. However, Tor-based websites and their related artifacts were missing. Also, this study was limited to Windows and did not cover Tor for Android.
In contrast to the above-mentioned research work, we have performed a forensic analysis of the latest Tor browser version on the latest Windows build i.e. version 20H2 (October 2020 build), and in various directions (i.e. registry, storage, memory). We also include normal and Tor-based websites and retrieve both browsing and application-related artifacts.
Similarly, for Android OS, previous research works have only examined storage and file systems for Tor browser artifacts and generally on rooted Android devices. The only exception is Al Barghouthy and Marrington [4] in which the NANDroid backup is also examined. In contrast, our research work explores four distinct areas of Android 10 OS (i.e. storage, ADB Logs, Zram, and memory) and three different device states (i.e. Un-rooted, Rooted, and NANDroid backup) for Tor browser application-related and browsing artifacts.
A detailed comparison of proposed and existing work can be seen in Table 13. We have made an effort to cover every possible scenario an investigator may face during the forensic analysis of Tor on both platforms with tools that are either open-source (due to limited budget) or recognized as an industry standard. This can help forensic investigators and developers reproduce our results.

VII. RECOMMENDATIONS FOR TOR PROJECT DEVELOPERS
Tor developers have implemented numerous decoy settings to provide fail-safe anonymity and privacy. However, several browser-related settings and timestamps are stored in plaintext files, which can forensically reveal usage patterns of the Tor browser. In this regard, the inclusion of a mechanism for the storage of browser-based settings in encrypted files is recommended. These files should only be decrypted by the browser binary while it is executing. Secondly, as we have shown, a significant amount of user browsing information can be retrieved from Zram (in Android only) and RAM (in Windows and Android). This can have a significant impact on a user's privacy and this issue should be addressed in upcoming releases. A memory encryption scheme that can encrypt and decrypt "Tor only" and "User browsing" artifacts from RAM is recommended.
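The sketch below shows why plaintext settings with timestamps matter to an examiner: a few lines of parsing turn them into a usage timeline. It is an added example, not code from the paper. It assumes the Firefox-style prefs.js format (`user_pref("name", value);`) used by Firefox-based browsers; the sample file contents and the helper names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Firefox-style prefs.js syntax. Names and values are
# illustrative only and were not taken from the paper's test devices.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1606816800);
user_pref("browser.startup.homepage_override.mstone", "78.5.0");
user_pref("toolkit.startup.last_success", 1606903200);
user_pref("places.database.lastMaintenance", 1606730400);
user_pref("browser.laterrun.bookkeeping.profileCreationTime", 1606644000);
user_pref("network.proxy.socks_port", 9150);
user_pref("example.ms.timestamp", "1606989600000");
'''

PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.+)\);\s*$')

# Plausibility window for epoch seconds: 2010-01-01 .. 2040-01-01 (UTC).
LO, HI = 1262304000, 2208988800

def as_epoch_seconds(raw):
    """Return epoch seconds if raw looks like a s or ms timestamp, else None."""
    text = raw.strip().strip('"')
    if not text.isdigit():
        return None
    n = int(text)
    if LO <= n <= HI:
        return n
    if LO * 1000 <= n <= HI * 1000:  # millisecond resolution
        return n // 1000
    return None

def usage_timeline(prefs_text):
    """List (UTC time, pref name) for every timestamp-like pref, oldest first."""
    events = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, malformed entries
        secs = as_epoch_seconds(m.group(2))
        if secs is not None:
            ts = datetime.fromtimestamp(secs, tz=timezone.utc)
            events.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), m.group(1)))
    return sorted(events)

if __name__ == "__main__":
    for when, name in usage_timeline(SAMPLE_PREFS):
        print(when, name)
```

Storing these values in a file that only the running browser can decrypt, as recommended above, would leave this parser with nothing to read from a seized disk image.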

VIII. CONCLUSION AND FUTURE WORK
This paper investigated artifacts from the Tor privacy browser on the latest Windows 10 and Android 10 devices to determine potential areas where evidence can be found. Our analysis suggests that the Tor browser leaves limited information about a user's browsing activity in the storage of both (Windows and Android) platforms. However, there is still ample evidence concerning the usage of the Tor browser in storage (including in ADB logs and registry). This work explored the Android swap file (Zram) (which has not been analyzed before) for evidence related to the Tor browser. A deeper analysis revealed that the knowledge and likelihood of extraction from Zram is approximately 60 percent. This percentage can be considered good for an anonymous browser, especially if there is not enough time and resources to explore the RAM.
Our results also show that the Tor browser leaves more artifacts in the RAM of Windows 10 OS than on the Android 10 platform. However, just like previous research, the probability of user attribution based on these artifacts is very low.
As part of our future work, we intend to carry out detailed network forensic analysis of the Tor circuit on Android 10 and Windows 10 platforms as limited research has been performed in this area. We also plan to perform a detailed forensic analysis of the Tor browser on iOS devices. Lastly, we would like to develop specialized cross-platform module(s) for MobilEdit and other forensic tools for the acquisition and analysis of evidence from the Tor privacy browser.
SANA QADIR received the bachelor's degree (Hons.) in IT from the University of Southern Queensland, Australia, and the M.Sc. and Ph.D. degrees from International Islamic University Malaysia, in 2010 and 2016, respectively. She is currently working as an Assistant Professor with the School of Electrical Engineering & Computer Science (SEECS), NUST. She also has more than three years' experience working as a Research and Development Software Engineer. Her research interests include network security and applied cryptography.