Exploring the Forensic Artifacts of the Tor Browser


Tor Browser is designed to route traffic through Tor's anonymizing relay network and to leave no browsing history on the local device. The network anonymity works as designed. The local privacy is more nuanced — running Tor Browser on a standard Windows installation leaves traces that a forensic examiner can find after the fact.

Understanding which artifacts exist, and which don't, is useful if you're evaluating whether Tor Browser actually meets your operational security requirements.

What you need to know:

  • Tor Browser does not record browsing history in places.sqlite — the Firefox history database contains only Tor's default bookmarks, not visited sites or .onion addresses.
  • Presence and execution are logged. Tor Browser's installer only unpacks a folder, but running the browser leaves Windows registry traces (UserAssist, RecentDocs, shellbags) that record the executable's path, run count and last run time, and prefetch files record execution timestamps.
  • Tor's state file records when the client last ran, which guard relays it had selected and roughly when it picked them, and circuit-build timing statistics. It records that you used Tor and when, not where you went.
  • Memory dumps can contain session data including URLs and decrypted traffic if the system is examined while Tor is running or immediately after.
  • Running Tor Browser from a USB drive on a clean system keeps the profile, state file and places.sqlite off the host drive, but host-side execution artifacts (prefetch, UserAssist, shellbags) are still written for executables launched from removable media.
  • Tails writes nothing to the host's internal drive by design. If leaving no trace on the device is the requirement, Tails is the right tool.

I've examined Tor Browser forensic artifacts on Windows 10 and 11 using SQLite Database Browser, RegRipper, and standard disk imaging tools.


What Forensic Analysis Looks For

A forensic examiner on a Windows system that ran Tor Browser would typically examine:

  1. Browser history databases — Firefox-based browsers store history in places.sqlite
  2. Windows registry — installation entries, recent files, shell history
  3. Prefetch files — Windows logs recently executed applications
  4. Temp and cache directories — application data left in AppData
  5. Memory — running processes and recently freed memory pages
  6. Network capture — if a packet capture was running during use

What Tor Browser Leaves Behind

The places.sqlite Database

Tor Browser is based on Firefox and ships the same places.sqlite database that Firefox uses for browsing history and bookmarks (saved form inputs live in a separate file, formhistory.sqlite). Forensic examiners routinely examine this file.

In Tor Browser, places.sqlite exists, but contains only the default bookmarks (DuckDuckGo, Tor Project pages, and a few others): rows in moz_places and moz_bookmarks, with an empty moz_historyvisits table. Actual browsing history and visited .onion addresses do not appear, because Tor Browser runs in permanent private browsing mode and never writes session history to disk. One caveat for the examiner: that mode can be switched off in the browser's history settings, after which places.sqlite fills up like any Firefox profile, so check moz_historyvisits rather than assuming the file holds only bookmarks.
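Here is the check that distinction implies, as a worked example added to this article (not Tor Project code). It builds two small in-memory databases with the Firefox places schema, one shaped like a stock Tor Browser profile and one with recorded visits, and triages each by joining moz_historyvisits rather than trusting the presence of moz_places rows. The URLs, titles and timestamps are constructed.

```python
"""Triage a Firefox or Tor Browser places.sqlite: bookmarked URLs vs. real visits.

Example code added for this article, not Tor Project code. Column names follow
the Firefox places schema (moz_places, moz_bookmarks, moz_historyvisits). The
two databases below are constructed in memory to stand in for real profiles.
"""
import sqlite3
from datetime import datetime, timezone

# Minimal subset of the Firefox schema; real files carry many more columns.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, last_visit_date INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
    parent INTEGER, title TEXT, dateAdded INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""


def prtime_to_dt(us):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def triage_places(conn):
    """Return (visited, bookmarked_only) for an open places.sqlite connection.

    A moz_places row by itself is not evidence of a visit: bookmarking a URL
    creates one too. Browsing leaves rows in moz_historyvisits, so that table,
    not moz_places, answers "was anything visited?".
    """
    visited = [
        (url, prtime_to_dt(last))
        for url, last in conn.execute(
            "SELECT p.url, MAX(v.visit_date) FROM moz_places p "
            "JOIN moz_historyvisits v ON v.place_id = p.id "
            "GROUP BY p.url ORDER BY 2 DESC")
    ]
    # moz_bookmarks.type = 1 is a bookmark (2 = folder, 3 = separator)
    bookmarked_only = [
        url for (url,) in conn.execute(
            "SELECT DISTINCT p.url FROM moz_places p "
            "JOIN moz_bookmarks b ON b.fk = p.id AND b.type = 1 "
            "WHERE p.id NOT IN (SELECT place_id FROM moz_historyvisits) "
            "ORDER BY p.url")
    ]
    return visited, bookmarked_only


def _db(places, bookmarks, visits):
    """Build an in-memory places.sqlite from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places (id, url, title, visit_count) VALUES (?,?,?,?)", places)
    conn.executemany("INSERT INTO moz_bookmarks (type, fk, parent, title) VALUES (1,?,3,?)", bookmarks)
    conn.executemany("INSERT INTO moz_historyvisits (place_id, visit_date, visit_type) VALUES (?,?,1)", visits)
    conn.commit()
    return conn


def tor_browser_like_db():
    """Stock Tor Browser profile: bookmark rows, visit_count 0, no visits at all."""
    return _db(
        places=[(1, "https://duckduckgo.com/", "DuckDuckGo", 0),
                (2, "https://www.torproject.org/", "Tor Project", 0)],
        bookmarks=[(1, "DuckDuckGo"), (2, "Tor Project")],
        visits=[])


def firefox_like_db():
    """Same bookmarks plus recorded browsing, as after private mode is turned off.
    The .onion address is constructed and does not refer to a real service."""
    return _db(
        places=[(1, "https://duckduckgo.com/", "DuckDuckGo", 0),
                (2, "https://www.torproject.org/", "Tor Project", 0),
                (3, "http://constructed-example-only.onion/", "onion (constructed)", 2)],
        bookmarks=[(1, "DuckDuckGo"), (2, "Tor Project")],
        visits=[(3, 1_709_410_000_000_000), (3, 1_709_413_600_000_000)])


if __name__ == "__main__":
    for label, db in (("tor-browser", tor_browser_like_db()), ("firefox", firefox_like_db())):
        visited, bm_only = triage_places(db)
        print(f"{label}: {len(visited)} visited URL(s), {len(bm_only)} bookmark-only row(s)")
        for url, when in visited:
            print(f"  {when:%Y-%m-%d %H:%M:%S}Z  {url}")
```

Point the same two queries at a copied places.sqlite from an image (never the live file; copy it with its -wal and -shm companions, or the most recent visits may be missing) and the Tor Browser case comes back with an empty visited list and a handful of bookmark-only rows.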

Windows Registry Artifacts

Tor Browser's installer does not register the program in Programs and Features; it unpacks a self-contained folder (by default on the Desktop). Running it on an installed Windows system still leaves registry entries that record:

  • The executable path, run count and last run time in UserAssist (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count, with the path stored ROT13-encoded)
  • MRU (Most Recently Used) entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs for files opened from the browser, such as downloads
  • Shellbag entries if the Tor Browser folder was opened in Explorer

These entries establish that Tor Browser was present on the system and when it ran, not what sites were visited.
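UserAssist is the registry artifact that answers "when did it run", and decoding it by hand is straightforward. The following is example code added to this article, not RegRipper's plugin or any other tool's: it ROT13-decodes a value name and unpacks the 72-byte Windows 7+ record (run count at offset 4, last-run FILETIME at offset 60). The path, counts and timestamp are constructed with struct.pack so it runs offline; on a real image you would feed it the raw value bytes from the NTUSER.DAT hive.

```python
"""Decode a UserAssist registry value into program path, run count and last run time.

Example code added for this article, not taken from any forensic tool. The
72-byte record layout is the Windows 7+ UserAssist format; the value below is
constructed with struct.pack, ROT13-encoding a made-up Tor Browser path, so
the decoder runs offline. On a live system or hive the raw bytes come from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\<GUID>\\Count.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subkey GUID under which launched executables (as opposed to .lnk shortcuts) are counted
EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, data):
    """Return a dict for one Count value. Value names are ROT13-encoded paths;
    the run count sits at offset 4 and the last-run FILETIME at offset 60."""
    if len(data) < 68:
        raise ValueError(f"UserAssist record too short: {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means no launch time was recorded for this entry
        "last_run": filetime_to_dt(last_run_ft) if last_run_ft else None,
    }


def build_record(run_count, focus_count, focus_ms, last_run):
    """Assemble a constructed 72-byte Win7+ record for exercising the decoder."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)  # session id, counts, focus ms
            + b"\x00" * 44                                            # 10 floats + reserved (offsets 16..59)
            + struct.pack("<Q", dt_to_filetime(last_run))             # offset 60: last-run FILETIME
            + b"\x00" * 4)                                            # trailing reserved dword


# Constructed sample: a launch of firefox.exe from a Tor Browser folder on the Desktop.
# Real value names often replace the drive path with a known-folder GUID, e.g.
# {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} for the Desktop; ROT13 leaves those untouched.
SAMPLE_NAME = codecs.encode(r"C:\Users\alice\Desktop\Tor Browser\Browser\firefox.exe", "rot_13")
SAMPLE_LAST_RUN = datetime(2024, 3, 2, 20, 15, 9, tzinfo=timezone.utc)
SAMPLE_DATA = build_record(7, 12, 455_000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    rec = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{EXE_GUID}\\Count\\{SAMPLE_NAME}")
    print(f"  -> {rec['path']}")
    print(f"  runs={rec['run_count']} last_run={rec['last_run']:%Y-%m-%d %H:%M:%S} UTC focus={rec['focus_time']}")
```

The run count is cumulative for that path, so a copy launched from a different folder or drive letter shows up as a separate ROT13 value with its own count, exactly as prefetch does.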

Prefetch Files

Windows creates prefetch files for recently executed applications, stored in C:\Windows\Prefetch\ (the Prefetcher is enabled by default on client editions of Windows). The file is named after the executable plus a hash of its path, for example FIREFOX.EXE-XXXXXXXX.pf or TOR.EXE-XXXXXXXX.pf, and records:

  • That the application was executed
  • How many times it was run
  • The last 8 execution timestamps (Windows 8 and later; Windows 7 and earlier keep only the last one)
  • Which files and directories the application touched during the first seconds of startup

Prefetch files don't record network activity or browsing history. They establish execution history. Because the hash in the filename is derived from the executable's path, the same binary launched from a different folder or drive letter produces a separate .pf file with its own run count and timestamps.

Tor State Files

Tor Browser keeps everything inside its own folder rather than under %APPDATA%. The Tor client's data lives at <Tor Browser folder>\Browser\TorBrowser\Data\Tor\ (the browser profile sits beside it under Data\Browser\):

  • state: written by the tor daemon; records LastWritten (the last time tor saved the file, in UTC), TorVersion, the guard relays it sampled and confirmed with their timestamps, and circuit-build timing statistics
  • cached-certs, cached-microdesc-consensus, cached-microdescs: directory consensus data (public, the same for every client, doesn't identify you)

The LastWritten timestamp confirms Tor usage and approximately when it last ran, and the oldest guard sampled_on date gives a rough lower bound for when this installation was first used (Tor deliberately randomizes that date backwards, so treat it as approximate). The state file does not record individual circuits or destinations.
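The state file is plain text and easy to parse. The following parser is an example added to this article, not part of Tor; SAMPLE_STATE is constructed to follow the real file's layout (comment header, Guard lines of key=value fields, TorVersion, LastWritten, circuit-build histogram), and its fingerprints, nicknames and dates are made up. It pulls out the version, LastWritten and each guard's sampled_on/confirmed_on timestamps, then derives the rough usage window an examiner would report.

```python
"""Parse a Tor 'state' file for usage timestamps and guard history.

Example code added for this article, not part of Tor. SAMPLE_STATE is
constructed to mirror the real file's layout; the relay fingerprints,
nicknames and dates are made up.
"""
from datetime import datetime

SAMPLE_STATE = """\
# Tor state file last generated on 2024-03-02 21:14:07 local time
# Other times below are in UTC
# You *do not* need to edit this file.

Guard in=default rsa_id=0123456789ABCDEF0123456789ABCDEF01234567 nickname=constructedGuardA sampled_on=2024-01-18T09:41:12 sampled_by=0.4.8.10 listed=1 confirmed_on=2024-01-19T06:02:55 confirmed_idx=0 pb_use_attempts=40.000000 pb_use_successes=39.000000 pb_circ_attempts=88.000000 pb_circ_successes=86.000000 pb_successful_circuits_closed=85.000000
Guard in=default rsa_id=89ABCDEF0123456789ABCDEF0123456789ABCDEF nickname=constructedGuardB sampled_on=2024-02-11T17:20:03 sampled_by=0.4.8.10 listed=1
TorVersion Tor 0.4.8.10 (git-constructed)
LastWritten 2024-03-02 20:14:07
TotalBuildTimes 96
CircuitBuildTimeBin 425 4
CircuitBuildTimeBin 475 9
"""


def _iso(value):
    """Guard timestamps use ISO-8601 with a 'T'; LastWritten uses a space. Both are UTC."""
    return datetime.strptime(value.replace("T", " "), "%Y-%m-%d %H:%M:%S")


def parse_tor_state(text):
    """Parse the key/value lines of a Tor state file into a dict."""
    state = {"version": None, "last_written": None, "guards": [],
             "total_build_times": None, "build_time_bins": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "Guard":
            # Each Guard line is a run of key=value tokens; keep unknown ones as strings
            fields = dict(tok.partition("=")[::2] for tok in rest.split())
            for ts in ("sampled_on", "confirmed_on", "unlisted_since"):
                if ts in fields:
                    fields[ts] = _iso(fields[ts])
            state["guards"].append(fields)
        elif key == "TorVersion":
            state["version"] = rest.split()[1]          # "Tor 0.4.8.10 (...)" -> "0.4.8.10"
        elif key == "LastWritten":
            state["last_written"] = _iso(rest)
        elif key == "TotalBuildTimes":
            state["total_build_times"] = int(rest)
        elif key == "CircuitBuildTimeBin":
            ms, count = rest.split()                     # histogram bin (ms) and its count
            state["build_time_bins"][int(ms)] = int(count)
    return state


def usage_window(state):
    """Rough first-use lower bound and last-run time from a parsed state file.

    The earliest sampled_on is approximate: Tor randomizes it backwards when it
    samples a guard. LastWritten is the last time tor saved the file, which it
    does periodically while running, not only at connect time.
    """
    sampled = [g["sampled_on"] for g in state["guards"] if "sampled_on" in g]
    first = min(sampled) if sampled else None
    return first, state["last_written"]


if __name__ == "__main__":
    st = parse_tor_state(SAMPLE_STATE)
    first, last = usage_window(st)
    print(f"Tor {st['version']}, {len(st['guards'])} sampled guard(s)")
    print(f"first use (approx, UTC) >= {first:%Y-%m-%d}, last written {last:%Y-%m-%d %H:%M:%S} UTC")
    for g in st["guards"]:
        confirmed = g.get("confirmed_on", "never")
        print(f"  {g['nickname']:<20} {g['rsa_id'][:8]}...  sampled {g['sampled_on']:%Y-%m-%d}  confirmed {confirmed}")
```

Note that the header comment gives the local time of the last write while LastWritten is UTC; the offset between them is itself a small clue to the machine's configured time zone.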

Memory

If the system is examined while Tor Browser is running, or shortly after (before memory pages are overwritten), a forensic memory dump can contain:

  • URLs of recently visited pages (in process memory before cleanup)
  • Decrypted HTTP response bodies from HTTPS connections (in memory before they're discarded)
  • Tor circuit information

This is the most significant local artifact vector for active or recently active sessions. Memory forensics against a running or recently-powered-down system is a documented technique.


What Tor Browser Does NOT Record

  • Visited .onion addresses: not in places.sqlite
  • Form inputs after session close: cleared on exit
  • Cookies after session close: isolated per first-party site, cleared on exit
  • Download history: the browser's download list is not persisted because Tor Browser runs in private browsing mode; the downloaded files themselves stay wherever they were saved
  • Cache: Tor Browser's cache is in-memory only (the disk cache is disabled), cleared on exit

Reducing Local Artifacts

Running from a USB drive: Tor Browser is already a self-contained folder, so running it from removable media keeps the profile, places.sqlite and the Tor state file off the host drive. Host-side execution artifacts still appear: Windows creates prefetch files for executables launched from removable media, and UserAssist and shellbags record the launch and the folder. The artifacts that moved now live on the USB drive, which therefore needs its own protection (encryption, or a Tails stick instead).

Running from Tails OS: Tails is an amnesic operating system designed to leave no trace. It runs from RAM and writes nothing to the host's internal drive (its optional Persistent Storage is an encrypted volume on the Tails USB stick itself). The correct choice if leaving no local artifacts is the operational requirement.

Encrypted home directory or full-disk encryption: doesn't eliminate the artifacts but makes them unreadable without the key. It does not help if the device is seized while running or sleeping with the volume unlocked: the key is in RAM, where it can be read from the live system or recovered by a cold boot attack shortly after power loss. It also does not help if the key is known or compelled.

Memory cleanup: a clean shutdown followed by real power-off is what removes in-memory session data. DRAM contents decay within seconds to minutes at room temperature (longer if the chips are chilled, which is what cold boot attacks rely on), so the exposure window is short once power is cut. While the system is running there is no such decay: URLs and decrypted content remain in process memory until the browser exits and the freed pages are reused.


The Operational Security Implication

Tor Browser's anonymity guarantee is about network-level anonymity: your destination doesn't see your IP, and your ISP doesn't see your destination. That guarantee holds, and nothing stored on the local disk weakens it.

The local artifact question is separate: does using Tor Browser leave evidence on the device that you used it? On a standard Windows installation, yes. Registry entries, prefetch files, and state file timestamps establish that Tor Browser was present and run, and approximately when.

Whether that matters depends on your threat model. If you're using Tor for general privacy from network surveillance, local artifacts are unlikely to be relevant. If your threat model includes physical access to your device by an adversary who might examine it forensically, Tails or a portable installation from encrypted USB is the appropriate setup.

For the network-level threat model — combining VPN with Tor to address ISP-level timing analysis attacks — see Should You Use a VPN with Tor? and Onion Over VPN.
