Host-Based Digital Forensics Analysis of Tor Browser Usage Artifacts on Linux Operating System

Authors

  • Rico Saputra Universitas Ma'arif Nahdlatul Ulama Kebumen
  • Ghufron Zaida Muflih Universitas Ma'arif Nahdlatul Ulama Kebumen

DOI:

https://doi.org/10.58466/e4aq5a03

Keywords:

Tor Browser, host-based digital forensics, Linux, digital artifacts, memory forensics, network forensics

Abstract

The use of Tor Browser as a digital anonymity platform continues to increase alongside the growing demand for internet privacy. Although Tor is designed to conceal user identities and activities through onion routing mechanisms, previous studies have shown that digital artifacts can still be recovered from the host system. This study aims to analyze the existence of digital artifacts generated by Tor Browser usage on the BackBox Linux operating system using a host-based digital forensics approach. The research employed an experimental method consisting of seven testing scenarios, namely behavioral forensic leakage, session persistence, cross-session correlation, host versus virtualization comparison, memory footprint analysis, network pattern consistency, and passive onion observation. Data acquisition and analysis were conducted using Autopsy, Hindsight, Plaso, LiME, Volatility, Bulk Extractor, and Wireshark. The results indicate that Tor Browser usage still leaves digital artifacts within storage media, volatile memory, and network traffic. This study concludes that the host-based digital forensics approach remains effective for identifying Tor Browser activities in Linux environments.

References

[1] H. F. Nugranto and M. Koprawi, “Investigasi Kejahatan Siber pada Surface Web dan Deep Web Menggunakan Metode NIST,” JATISI (Jurnal Tek. Inform. dan Sist. Informasi), vol. 11, No.1, no. https://jurnal.mdp.ac.id/index.php/jatisi/article/view/3245, pp. 1–5, Mar. 2024, doi: https://doi.org/10.35957/jatisi.v11i1.3245.

[2] G. Z. Muflih, I. Riadi, A. Yudhana, and H. I. Azmi, “Comparison of Forensic Tools on Social Media Services Using the Digital Forensic Research Workshop Method,” J. Inform. dan Komputer) Accredit. KEMENDIKBUD RISTEK, vol. 6, no. 1, 2023, doi: 10.33387/jiko.v6i1.5872.

[3] I. Sihaloho, A. Widjajarto, and M. T. Kurniawan, “Analisis Penilaian Metrik Anonymity dan Privacy pada Kodachi Linux,” JIPI (Jurnal Ilm. Penelit. dan Pembelajaran Inform., vol. 10, no. 3, pp. 2355–2365, Aug. 2025, doi: 10.29100/jipi.v10i3.6437.

[4] J. Saleem, R. Islam, and M. A. Kabir, “The Anonymity of the Dark Web: A Survey,” IEEE Access, vol. 10, pp. 33628–33660, 2022, doi: 10.1109/ACCESS.2022.3161547.

[5] H. Hariani, “Eksplorasi Web Browser Dalam Pencarian Bukti Digital Menggunakan Sqlite Hariani 1,” J. INSTEK (Informatika Sains Dan Teknol., vol. 6, no. https://journal.uin-alauddin.ac.id/index.php/instek/issue/view/1321, pp. 66–74, Jan. 2021, doi: https://doi.org/10.24252/instek.v6i1.18638.

[6] M. Syukri, I. Riadi, and T. Sutikno, “Validation and Evaluation of Browser Forensics Using Digital Forensic Approach Based on the National Institute of Standards and Technology (NIST) Framework,” J. Tek. Inform., vol. 6, no. 4, pp. 2516–2529, Sep. 2025, doi: 10.52436/1.jutif.2025.6.4.4977.

[7] H. Idhofi and G. Zaida Muflih, “Akuisisi Barang Bukti Digital pada Media Penyimpanan Flashdisk Menggunakan Framework National Institute of Justice (NIJ),” 2025.

[8] A. Tofik and G. Zaida Muflih, “Akuisisi Barang Bukti Digital pada Aplikasi Discord Menggunakan Metode ACPO,” 2024.

[9] W. Sanjaya, B. Sugiantoro, and Y. Prayudi, “A Metode Offline Forensik Untuk Analisis Digital Artefak Pada TOR Browser Di Sistem Operasi Linux,” JITU J. Inform. Technol. Commun., vol. 4, no. 2, pp. 41–51, Jun. 2020, doi: 10.36596/jitu.v4i2.345.

[10] A. Fitriani Shabira and F. Fachri, “Analisis Forensik Digital Pada File Steganografi Menggunakan Ftk Imager Dan Winhex Dalam Kasus Peredaran Narkoba Dengan Live Forensic,” Rabit J. Teknol. dan Sist. Inf. Univrab, vol. 10, no. 2, pp. 228–240, Jul. 2025, doi: 10.36341/rabit.v10i2.6020.

[11] D. D. Hutagalung, C. Hanifurohman, and D. R. Baskhara, “Analisa Forensik Memori pada Aplikasi E-Commerce Berbasis Web Menggunakan Metode National Institute of Justice (NIJ),” J. Teknol. Sist. Inf. dan Apl., vol. 6, no. 2, pp. 135–146, Apr. 2023, doi: https://doi.org/10.32493/jtsi.v6i2.31535.

[12] A. S. Rido and F. Fachri, “Identifikasi Bukti Digital Whatsapp pada Sistem Operasi Propietary Menggunakan Live Forensics,” JIPI (Jurnal Ilm. Penelit. dan Pembelajaran Inform., vol. 9, no. 2, pp. 1043–1051, Jun. 2024, doi: 10.29100/jipi.v9i2.5238.

[13] M. N. Bahreisy, R. Rahmadi, and Y. Prayudi, “Analisis Halaman Darkweb Untuk Mendukung Investigasi Kejahatan,” J. Inform. dan Komputer) Akreditasi KEMENRISTEKDIKTI, vol. 4, no. 1, pp. 2614–8897, 2021, doi: 10.33387/jiko.

[14] M. S. Javed et al., “Analyzing Tor Browser Artifacts for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems,” Inf., vol. 15, no. 8, Aug. 2024, doi: 10.3390/info15080495.

[15] R. R. Chand, N. A. Sharma, and M. A. Kabir, “Advancing Web Browser Forensics: Critical Evaluation of Emerging Tools and Techniques,” Oct. 2024, [Online]. Available: http://arxiv.org/abs/2410.12605

[16] F. G. P. Zamsari and T. Wahyono, “Forensic Investigation of Digital Evidence on Flash Disk with Forensic Process Method Based on NIST,” J. Ecotipe (Electronic, Control. Telecommun. Information, Power Eng., vol. 11, no. 1, pp. 88–96, Apr. 2024, doi: 10.33019/jurnalecotipe.v11i1.4489.

[17] A. R. Triyanto and F. Fachri, “Analisis Forensik Bukti Digital pada Kejahatan Pembunuhan Berencana Menggunakan Metode National Institute of Justice,” JIPI (Jurnal Ilm. Penelit. dan Pembelajaran Inform., vol. 9, no. 2, pp. 1031–1042, Jun. 2024, doi: 10.29100/jipi.v9i2.5558.

[18] N. Anwar, A. M. Widodo, B. A. Sekti, M. B. Ulum, M. Rahaman, and H. D. Ariessanti, “Comparative Analysis of NIJ and NIST Methods for MicroSD Investigations: A Technopreneur Approach,” APTISI Trans. Technopreneursh., vol. 6, no. 2, pp. 169–181, Jul. 2024, doi: 10.34306/att.v6i2.407.

[19] E. Daraghmi, Z. Qaroush, M. Hamdi, and O. Cheikhrouhou, “Forensic Operations for Recognizing SQLite Content (FORC): An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices,” Appl. Sci., vol. 13, no. 19, Oct. 2023, doi: 10.3390/app131910736.

[20] M. C. Ghanem, E. Almeida Palmieri, W. Sowinski-Mydlarz, S. Al-Sudani, and D. Dunsin, “Weaponized IoT: A Comprehensive Comparative Forensic Analysis of Hacker Raspberry Pi and PC Kali Linux Machine,” Internet of Things, vol. 6, no. 1, Mar. 2025, doi: 10.3390/iot6010018.

[21] G. Choi, J. Bang, S. Lee, and J. Park, “Chracer: Memory analysis of Chromium-based browsers,” Forensic Sci. Int. Digit. Investig., vol. 46, Oct. 2023, doi: 10.1016/j.fsidi.2023.301613.

[22] I. Hamid and M. M. H. Rahman, “A Comprehensive Literature Review on Volatile Memory Forensics,” Aug. 01, 2024, Multidisciplinary Digital Publishing Institute (MDPI). doi: 10.3390/electronics13153026.

[23] J. Bergman and O. B. Popov, “Recognition of tor malware and onion services,” J. Comput. Virol. Hacking Tech., vol. 20, no. 2, pp. 261–275, Jun. 2024, doi: 10.1007/s11416-023-00476-z.

[24] P. Choorod, T. J. Bauer, and A. Aßmuth, “Distinguishing Tor From Other Encrypted Network Traffic Through Character Analysis,” May 2024, [Online]. Available: http://arxiv.org/abs/2405.09412

Downloads

Published

2026-06-12

How to Cite

Host-Based Digital Forensics Analysis of Tor Browser Usage Artifacts on Linux Operating System. (2026). Applied Information Technology and Computer Science (AICOMS), 5(1), 230-243. https://doi.org/10.58466/e4aq5a03

Similar Articles

11-20 of 57

You may also start an advanced similarity search for this article.