
A machine learning‐based memory forensics methodology for TOR browser artifacts

Pizzolante, Raffaele; Castiglione, Arcangelo; Carpentieri, Bruno; D'Angelo, Gianni; Palmieri, Francesco
2020-01-01

Abstract

At present, 96% of the resources available on the World Wide Web belong to the Deep Web, which is composed of content that is not indexed by search engines. The Dark Web is a subset of the Deep Web and is currently the favorite place for hiding illegal markets and content. The most important tool for accessing the Dark Web is the Tor Browser. In this article, we propose a bottom-up formal investigation methodology for memory forensics of the Tor Browser. Starting from low-level memory artifacts, the methodology recovers information at progressively higher levels of abstraction, up to a semantic characterization of the actions carried out by the Tor Browser. We also show how the proposed three-layer methodology can be realized with open-source tools, and how the extracted information can be used as input to a novel Artificial Intelligence-based architecture for mining effective signatures that represent malicious activities in the Tor network. Finally, to assess the effectiveness of the proposed methodology, we define three test cases that simulate widespread real-life scenarios and discuss the results obtained. To the best of our knowledge, this is the first work that deals with the forensic analysis of the Tor Browser on a live system in a formal and structured way.
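The abstract describes the methodology only in outline: low-level memory artifacts are lifted, layer by layer, to higher-level descriptions of what the browser did. The page does not say what each of the paper's three layers actually extracts, so the following is an added illustration (not the authors' code or tooling) of what such a bottom-up pipeline can look like in practice. The layer contents here are my assumption: layer 1 carves printable strings from a memory image (what `strings` would yield), layer 2 promotes candidate `.onion` names to artifacts only if they decode as valid v3 onion addresses (the version byte and the SHA3-256 checksum defined in Tor's rend-spec-v3), and layer 3 collapses the hits into a per-hidden-service summary. The memory-image fragment is constructed inline and is not a real dump; the `.onion` address in it is generated from a dummy key so that the checksum check has something genuine to validate, next to a same-shaped string with a bad checksum that a plain regex would have accepted.

```python
"""Toy three-layer, bottom-up carve of Tor Browser artifacts from a memory image.

Added illustration, not code from the paper (Pizzolante et al.). The paper's own
layer contents are not described on this page; the layers used here
(raw strings -> validated .onion v3 addresses -> per-service summary) are an
assumption about what a bottom-up memory-forensics pipeline can look like.
"""
import base64
import hashlib
import re

# v3 onion name: 56 base32 chars (a-z, 2-7) followed by ".onion"
ONION_RE = re.compile(rb"\b([a-z2-7]{56})\.onion\b")


def carve_strings(image: bytes, min_len: int = 8):
    """Layer 1: printable ASCII runs of at least min_len bytes, like `strings`."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def is_valid_onion_v3(addr: str) -> bool:
    """Decode the 56-char base32 body and verify the version byte and checksum."""
    try:
        raw = base64.b32decode(addr.upper())
    except Exception:
        return False
    if len(raw) != 35:  # 32-byte ed25519 pubkey + 2-byte checksum + 1-byte version
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == onion_v3_checksum(pubkey, version)


def extract_onions(strings):
    """Layer 2: regex candidates from layer 1, kept only if the v3 checksum validates."""
    found = []
    for s in strings:
        for m in ONION_RE.finditer(s):
            addr = m.group(1).decode()
            if is_valid_onion_v3(addr):
                found.append(addr + ".onion")
    return found


def summarize(onions):
    """Layer 3: collapse validated artifacts into per-hidden-service hit counts."""
    summary = {}
    for o in onions:
        summary[o] = summary.get(o, 0) + 1
    return summary


def make_onion_v3(pubkey: bytes) -> str:
    """Build a checksum-valid v3 address from a 32-byte key (test fixture only)."""
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode().lower() + ".onion"


# Constructed memory-image fragment; not a real dump. GOOD has a valid checksum,
# BAD has the right shape but fails validation, so a bare regex would over-report.
GOOD = make_onion_v3(b"\x11" * 32)
BAD = "a" * 56 + ".onion"
IMAGE = (
    b"\x00\x00GET http://" + GOOD.encode() + b"/index HTTP/1.1\x00\xff\xfe"
    + b"url:" + BAD.encode() + b"\x00"
    + b"Referer: http://" + GOOD.encode() + b"/\x00short\x00"
)


def run(image: bytes = IMAGE):
    """Run the three layers bottom-up and return the layer-3 summary."""
    return summarize(extract_onions(carve_strings(image)))


if __name__ == "__main__":
    print(run())
```

The point of the checksum step is the one a forensic pipeline lives or dies on: a regex over a memory dump produces candidates, not artifacts, and only a check grounded in the data format turns a candidate into something an examiner can put in a report. The same shape applies to whatever the higher layers consume.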
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11386/4859731
Warning: the data displayed have not been validated by the university.

Citations
  • PubMed Central: not available
  • Scopus: 1
  • ISI (Web of Science): 1