Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Hiding Behind the Keyboard

In this excerpt from chapter 2 of Hiding Behind the Keyboard, authors Brett Shavers and John Bair discuss the Tor Browser.

The following is an excerpt from Hiding Behind the Keyboard by authors Brett Shavers and John Bair and published by Syngress. This section from chapter 2 explores the Tor Browser.

Few Internet technologies have had more of an impact on anonymous Internet use than The Onion Router browser, commonly known as "Tor," Tor is simply an Internet browser modified from the popular Firefox Internet browser. The browser modifications hide the user's originating Internet Protocol (IP) address when surfing websites or sending e-mail. By hiding the true IP address of the user, attempts to trace or identify the user are nearly impossible without the use of extraordinary methods.

Tor combines ease of use with effective anonymity in which practically anyone can use without technical instructions. The sheer ingenuity of the Tor browser combines ease of use without any requirement of how the software operates to operate effectively. Although there are other means of browsing the Internet anonymously, the Tor browser is by far one of the simplest to use and is freely downloaded. In theory, anyone with an Internet connection and the Tor browser can anonymously surf the Internet and communicate without being identified.


Tor's intention is to allow unfettered and anonymous communication over the Internet. Tor allows anyone to connect to websites that may be blocked by oppressive governments, allows whistleblowers to communicate with officials anonymously, and gives a means for legitimate communication between businesses and persons who desire to keep their private conversations private. However, much like a car that is used to take your kids to school can also be used as a bank robbery getaway car, the Tor browser can be used to either facilitate crimes or commit crimes.

Although Tor was initially developed by the US government in 2002, it is not presently controlled by the US government. In fact, Tor is practically not controlled by any one entity but rather open for improvements by virtually anyone with the technical ability to test and improve it. For that reason alone, Tor receives worldwide input from privacy motivated experts to ensure it remains relevant and effective. As a point of irony, the US government not only created Tor but is also researching methods to deanonymize users of it.

Two Ways of Looking at The Onion Router

Before you finish reading this chapter, you will invariably think back to every forensic analysis you have conducted and wonder if you missed a golden nugget of evidence. The Tor browser is not typical of any other Internet browser in purpose or design. The mere existence or Tor on electronic evidence should give you concern on the evidence you can easily overlook along with the evidence you know will not be found because of Tor use.

One perspective of looking at Tor is that of forensically examining devices that may have had Tor installed. From this perspective, the examination of the device for Tor artifacts is your target and not so much an ongoing use of Tor. The forensic analysis of Tor is detailed later in this chapter, but at this point, keep in mind that a forensic analysis of Tor artifacts is one way we will be looking at Tor. Tor can run on Windows, Linux, and Mac. In the section of forensic analysis, the focus will be on the Windows operating system as it is the most commonly used operating system.

Hiding Behind the Keyboard

Author: Brett Shavers and John Bair

Learn more about  Hiding Behind the Keyboard from publisher Syngress

At checkout, use discount code PBTY25 for 25% off this and other Elsevier titles

The other perspective of looking at Tor is that of it being currently used by your suspect. Without having the actual devices to examine, your investigation will have to depend solely on defeating Tor to either capture communications or identify your suspects who are using Tor. There are some aspects of Tor use that currently are unbreakable, at least to the nonintelligence agency investigator, and even then, Tor remains one of the most difficult systems to beat. Even with that, the last thing you should do is throw up your arms in defeat without trying. There are some methods that may work in your investigation now and others that may work later.


In the most basic explanation, Tor directs the route of a user's Internet traffic through random relays on the Internet. The data is first layered with elliptic curve cryptography, which is currently unbreakable with brute-force. As the encrypted data enters the first relay ("entry"), one layer of encryption is stripped and sent to the next relay ("middle"). The middle relay strips another layer of encryption and sends the encrypted data to the last relay ("exit"). The exit relay now connects to the user's desired target with an unencrypted connection.

The exit relay does not know anything of the traffic route other than the single previous relay. Making Tor traffic even more difficult, if not impossible, to track is that this random route chooses a different entry, middle, and exit relay every 10 minutes or so. Fig. 2.1 shows a graphic from Tor Project (n.d.) visualizing this concept of Tor.

An analogy of Tor would be mailing a letter that is received and forwarded by different people. Let's say Mary wants to mail Johnny a letter, but does not want Johnny to know where the letter originated. The steps Mary needs to take to remain anonymous would be as follows:

  1. Mary writes a letter and places it into an envelope addressed to Johnny in Boston.
  2. Mary places that envelope into another and addresses it to Susan in Seattle.
  3. Mary places that envelope into another and addresses it to Barry in Dallas.
  4. Mary places that envelope into another and addresses it to Bob in Denver.
  5. Mary places the letter in a mailbox from her home in San Francisco.

In this analogy, an envelope represents a layer of encryption. Using the rule that each person in this analogy can only unwrap the first envelope, the contents remain hidden (encrypted) in the most inner envelope.

Bob in Denver ("entry") receives the letter, removes the outer envelope, and places the letter in a mailbox to Barry. Bob never saw the contents of the letter and only knows it came from San Francisco and is going to Dallas.

Barry ("middle") receives the envelope, removes the outer envelope, and places the letter in a mailbox to Susan in Seattle. Barry never saw the contents and only knows that it originated in Denver.

Susan ("exit") receives the envelope, removes the outer envelope, and mails the letter to Johnny in Boston. Susan only knows that the letter came to her from Dallas. At this point, the contents can be read since the envelopes are removed. Susan does not know the letter originated in San Francisco.

Johnny receives the letter and contents, but only knows it came from Seattle. If Mary wants to mail another anonymous letter to Johnny, she will send through three different people with the same process. The main difference is that where regular mail will take days to arrive, Tor is instantaneous, yet virtually and completely anonymous.

As to the name "The Onion Router", you can see that sending data over Tor is like an onion, where a layer of encryption is peeled off as it goes through the Tor nodes to its final destination.


Sometimes the IP address you get is not the IP address you need.

In 2011, Immigration and Customs Enforcement (ICE) executed a search warrant on Nolan King's home and seized his computers because an ICE investigation found that child pornography was being distributed from his home IP address (Hoffman, 2011). No child porn was found because King was simply operating a Tor exit node

A Few Important Points About Tor

Before continuing, a few more explanations are needed to describe how Tor works along with the terminology used with Tor. As we continue, you will begin to understand why breaking Tor is practically impossible without extraordinary resources, but there are some aspects of Tor that may be compromised.

The Tor network of relays is run by volunteers. Anyone, including you, can configure a server to be one of the thousands of relays used by hundreds of thousands of Tor users. Being a volunteer means your server would simply "remove the outer envelope and forward the inner envelope" to the next destination. Keep this in mind when investigating IP addresses with any investigation

where Tor is involved. The IP address you believe may be your target just may be an innocent volunteer running a Tor relay.

Perhaps the most enlightening aspect of Tor is the amount of users since anonymity is strengthened with more users making it difficult to find one user among many. Fig. 2.2 is a graph of the number of worldwide, daily Tor users. According to the Tor Metric Portal (Tor Metrics, n.d.), there are over 750,000 users of Tor using over 6000 relays worldwide.

From Fig. 2.2, you can see where tracing Internet traffic on a Tor network can literally take you around the world, through the relays of innocent volunteers, and still not be closer to reaching the originating target. Additionally, even if the Tor circuit could be broken, gaining cooperation in foreign countries adds another layer of legal and diplomatic issues to identify the Tor users. In short, if a victim receives a harassing e-mail that appears to have originated in Italy do not assume that the suspect was physically in Italy.

A simple visual of a Tor circuit can be seen in Fig. 2.3. The entry relay, or node, is also the "guard." The Tor client chooses entry guards at random to be used only for the first encrypted hop. If an entry guard is suspected of being compromised, it is no longer used. A random middle node is chosen for the encrypted middle hop which then sends the encrypted data to the exit node. The exit node then sends unencrypted data to the target. Keep in mind that not only are there over 6000 nodes from which the Tor client will choose from but that after 10 minutes or so, the Tor circuit changes the nodes among the thousands to choose.

The middle node does not know the origin or the data nor the final destination, and by the same token, neither the origin nor destination will know the middle relay. This makes it safe as a volunteer of a middle node to avoid being wrongly suspected of criminal activity based on IP addresses.

Each of these relays is publicly posted on the Internet for use by Tor clients. However, there are "bridges" which are typically not posted publicly. Since Tor relays are public, Internet Service Providers, or governments, can block them. But bridges are not normally listed publicly which makes blocking bridge relays nearly impossible. In countries where Internet blocking occurs, Tor bridges are used more commonly. Tor directory servers maintain Tor router information that is publicly listed.

From a Tor User's Perspective

As mentioned, the Tor browser is simply a modified Firefox browser. Besides downloading the Tor browser, the only user technical skill required is that of entering URLs in the browser or entering terms in a search engine. Even the skill of installing a Tor is less than installing most programs. The Tor browser bundle is a portable application and only needs to be extracted, not installed, to run. The Tor browser file is self-executable to make the process even simpler for anyone to use. As the Tor browser is a portable application, it can be installed (extracted) to any location on a computer or external media device without any default paths.

From downloading to using the most anonymous browser in the world only requires about 10 mouse clicks and 10 minutes to download, extract, and configure. When accepting default settings, which fits the needs of most users, the Tor browser configuration step is completed in one click as seen in Figs. 2.5–2.7.

Most users do not need to configure Tor to use with a bridge or local proxy settings. However, if this is necessary, it only adds a few minutes of setup time and is not terribly difficult for most computer users. Generally, Tor is just as effective with or without bridges, except in countries where Internet censoring will require bridges for Tor to work with the Tor network.

At this point, Tor is ready to use similar to any web browser. As you can see, the simplicity of Tor coupled with the strong anonymity makes it a great choice for legitimate purposes as well as a prime choice for illicit use. It's free, fast to set up, easy to use, portable, and provides near breakable anonymity.

So What's the Big Deal?

Using Tor as an anonymous Internet browser is more than just surfing the web anonymously. Tor allows criminals and terrorists to communicate, share files, target, and attack with near absolute anonymity. For example, information transmitted using a webmail provider without Tor for criminal activity is easily discovered by law enforcement through search warrants and subpoenas once the e-mail address is known. The user's true IP address is also captured in e-mails and web browsing. Everything the user does online is potentially able to be captured, intercepted, and recovered down to the physical address of the computer system.

Read an excerpt

Download the PDF of chapter 2 in full to learn more!

However, with Tor, this is not completely possible. Using a webmail service with Tor provides that service provider with the random exit node IP addresses and not the true IP address. Even by knowing the e-mail address, obtaining the originating IP address is practically impossible. Servers logging visitors will also only be able to log the random exit node IP addresses as well. This allows criminals to communicate openly without being identified. By using encryption methods with the communications, not only are they anonymous online, but the contents may also be encrypted end-to-end. Tor works to protect innocent communications but also provides that same level of protection to criminal and terrorist communications.

From Your Perspective

Generally, as an investigator, you will be looking at Tor either through the device on which it was used or the Internet traffic that is using Tor. As a forensic analyst, you may see more use of examining the Tor artifacts rather than the use of Tor, but as an investigator, you may be tasked with harassing or threatening e-mails being sent anonymously through Tor. Either way, your task to unmask Tor is more than difficult, it is overwhelming.

One thing to keep in mind is that it is the manner of use that determines whether or not Tor is a tool for legitimate use or illicit use. Businesses use Tor to browse a competitor's website to avoid the competitor logging the traffic. Whistleblowers, government agents and informants, and tourists use the Tor browser to protect their communications from being disclosed for legitimate communications. Law enforcement should encourage the use of Tor in their investigations to avoid suspects being aware of government IP addresses looking at websites being investigated.


About the author: Brett Shavers is a Digital Forensics Practitioner, expert witness, and Adjunct Instructor, University of Washington Digital Forensics program. He is a former law enforcement officer of a municipal police department. Brett has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended more than 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department’s first digital forensics lab in a small, cluttered storage closet.

John Bair is currently employed as a detective with the Tacoma Police Department. He has been commissioned as a law enforcement officer since May 1989. During his assignment in the homicide unit he began specializing in Cell Phone Forensics. In 2006 John created the current forensic lab that focuses on mobile evidence related to violent crimes. His case experience shortly thereafter gained the attention of Mobile Forensics Incorporated (MFI) where he was hired and spent several years serving as a contract instructor. MFI soon merged with AccessData to become the only training vendor for their mobile forensics core. This relationship fostered direct contact with engineers who assist in criminal cases which need anomalies and exploits addressed within their forensics products. July 2013 he was hired as a contract instructor by Fox Valley Technical College to assist in training for the Department Of Justice - Amber Alert Program. His expertize with mobile forensics is being utilized to structure a digital evidence module for investigators responding to scenes where children had been abducted. The program promotes how to prevent mobile evidence contamination and how to triage live devices under exigent circumstances. Within in Pierce County, he began a mobile forensics training program for Superior Court Prosecutors and Judicial Officers which is currently in its fourth year. The program stresses the technical origins of the warrant language, what to check for, validation of evidence and how to present this dynamic content in court. In December 2013, Detective Bair gave a presentation to the University Of Washington Tacoma (UWT) Institute of Technology which provided an outline to merge digital solutions between the Tacoma Police Department and UWT. The relationship will focus on building a digital forensic lab that will be modeled after the Marshall University Forensic Science Center in West Virginia. The lab proposal also includes the ability to conduct advanced destructive forensics which will be a one of kind facility on the west coast. Based upon the proposal to create a combined lab, John created a mobile forensic course and began part time lecturing at UWT in April 2014. The course covers legal concepts, logical, physical searching methods and manual “carving”. John authored his own student and lab manuals for these courses. In March 2015, John started an intern program within the lab at the Tacoma Police which involved students from this program. In late August 2015, one of the interns was able to use advance python writing to assist with parsing over 3300 deleted messages in a homicide that took place earlier that year. John Bair has instructed at various federal labs within the United States (Secret Service, ICE). He has presented on mobile evidence as a guest speaker at Paraben’s Innovative Conference, Washington State Association of Prosecuting Attorney’s (WAPA) Summit, and the Computer Technology Investigations Network Digital Forensics Conference. Recently he spoke at the 16th Annual Conference on Information Technology Education / 4th Annual Research in IT Conference in Chicago Illinois. These conferences are sponsored by the ACM Special Interest Group for Information Technology Education (SIGITE). John and two other professors from the University Of Washington - Tacoma (UWT) recently co-authored a paper regarding the current Mobile Forensic Program. John has 26 certifications related to digital evidence. The following reflect the most significant related to mobile forensics: Mobile Forensics Certified Examiner (MFCE), Cellebrite Certified Physical Analyst (CCPA), AccessData Certified Examiner (ACE), Cellebrite Mobile Forensics Fundamentals (CMFF), AccessData Mobile Examiner (AME), and Cellebrite Certified Instructor (CCI).

This was last published in December 2016

Dig Deeper on Web browser security