What forensic artifacts on a device most often reveal user identity despite VPN or Tor use?
Executive summary
Forensic analysts most often identify a VPN or Tor user not by cracking the network encryption but by recovering host-based artifacts: volatile memory remnants, operating‑system traces (registry, recently run entries, installation files), browser state files and swap/paged storage that persist after the session [1] [2] [3]. Network analysis and exotic techniques like website‑fingerprinting can sometimes infer visited pages or that Tor was used, but they rarely reveal a definitive real‑world identity without correlating those findings with host artifacts or external logs [4] [3].
1. Volatile memory and swapped pages are the richest identity sources
Live RAM captures and paged memory often contain fragments of webpages, form data, cookies, and even unique identifiers or session tokens that tie browsing to a user; multiple forensic studies show that memory forensics can recover significant leakage from Tor Browser sessions and paged memory can retain artifacts even after the browser is closed [1] [4] [5]. The Tor Project itself warns that contents of deleted temporary files, swap and other non‑file artifacts may reveal not only that the Tor Browser ran but specifics about user activity when investigators have physical access to the machine [6].
2. OS artifacts: registry keys, recently‑run lists, and installation footprints
Windows registry entries, recently run program lists, and installation/uninstallation traces commonly survive and reconstruct a timeline for Tor or VPN use; an MDPI study recovered dozens of registry entries useful for establishing installation, configuration, and last‑run timestamps for Tor on Windows hosts [2]. Independent guides and forensic writeups likewise flag state files and Windows Registry entries as reliable indicators of Tor installation and use even when network IPs are obscured [3] [7].
3. Disk and browser state files: slow‑decaying breadcrumbs
Browser profile files, cached data, and on‑disk copies of state (including remnants in unallocated space) are repeatedly recovered in controlled experiments and case studies, allowing examiners to tie specific browsing sessions or files to the host machine; static analysis and file carving have been demonstrated to reveal Tor‑related artifacts long after a session ended [1] [4]. Studies using forensic suites (Autopsy, Volatility, FTK) routinely locate tor.exe, firefox.exe and installer artifacts in images, and Autopsy can flag these as evidence in “recently run” storage [2] [1].
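As an added example, not taken from any of the cited studies or forensic suites, the string-carving idea behind sections 2 and 3 in Python: it scans a raw disk or memory image for Tor indicators in both ASCII and UTF-16LE, the latter being how Windows stores registry values and many other OS artifacts, so an ASCII-only search misses them. The indicator list, the SAMPLE_IMAGE bytes and the 56-character "a" onion label are constructed placeholders.

```python
import re
from typing import Dict, List, Union

# Byte patterns so the scan runs over a raw disk or memory image without decoding
# it. The .onion regex accepts the 56-char v3 and the older 16-char v2 base32 label.
_ONION_ASCII = rb"(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?![a-z2-7])"
# Same indicator in UTF-16LE, the encoding of Windows registry values and many
# other OS artifacts; an ASCII-only search silently misses those copies.
_ONION_UTF16 = (rb"(?<![a-z2-7]\x00)(?:(?:[a-z2-7]\x00){56}|(?:[a-z2-7]\x00){16})"
                rb"\.\x00o\x00n\x00i\x00o\x00n\x00(?![a-z2-7]\x00)")
LITERALS = ["tor.exe", "torrc", "Tor Browser"]  # constructed indicator list

# (compiled regex, encoding label, codec used to decode the hit, indicator kind)
PATTERNS = [(re.compile(_ONION_ASCII, re.I), "ascii", "ascii", "onion"),
            (re.compile(_ONION_UTF16, re.I), "utf-16le", "utf-16-le", "onion")]
for _lit in LITERALS:
    for _label, _codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        PATTERNS.append((re.compile(re.escape(_lit.encode(_codec)), re.I),
                         _label, _codec, "literal"))


def carve_tor_indicators(image: bytes) -> List[Dict[str, Union[int, str]]]:
    """Return every Tor indicator in a raw image, with offset, encoding and value,
    sorted by offset so hits can be lined up with a timeline or partition map."""
    hits: List[Dict[str, Union[int, str]]] = []
    for regex, label, codec, kind in PATTERNS:
        for m in regex.finditer(image):
            hits.append({"offset": m.start(), "encoding": label, "kind": kind,
                         "value": m.group().decode(codec)})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample image: an install path, a UTF-16LE torrc path, an .onion
# URL with a placeholder label (not a real service) and a UTF-16LE product name.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"C:\\Users\\user\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe\x00"
    + b"\xff" * 8
    + "C:\\torrc".encode("utf-16-le") + b"\x00\x00"
    + b"http://" + b"a" * 56 + b".onion/index\x00"
    + "Tor Browser".encode("utf-16-le")
)

if __name__ == "__main__":
    for h in carve_tor_indicators(SAMPLE_IMAGE):
        print(f"{h['offset']:6d} {h['encoding']:8s} {h['kind']:7s} {h['value']}")
```

On a real image, run the same function over the unallocated space extracted by a carving tool and treat each hit as a lead to corroborate against registry timestamps, not as proof of identity on its own.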
4. Network and classification attacks: useful but indirect
Network captures are constrained: Tor’s onion routing obfuscates payload and endpoints, so raw packet traces rarely expose onion addresses or user identity, though traffic analysis, deep‑packet inspection and machine‑learning fingerprinting studies can sometimes classify Tor vs non‑Tor traffic or infer visited pages under lab conditions [3] [8] [9]. Website‑fingerprinting research can probabilistically identify pages visited over Tor, and machine‑learning classifiers have been proposed to detect Tor use, but these techniques typically require extensive baseline data and are not conclusive identifications on their own [4] [9].
5. Correlation, adversary access, and practical limits
The recurring theme across peer‑reviewed papers and Tor’s own commentary is that identity resolution usually relies on correlating multiple artifact classes and, crucially, external logs (VPN provider records, ISP logs, cloud provider metadata) or physical access to the device; a host‑level artifact showing Tor usage and timestamps has forensic value, but proving the human identity behind a session often needs additional authoritative sources that these technical papers do not themselves supply [1] [6]. Some community projects and repositories describe active deception or honeypot approaches to unmask IPs, but those are ad hoc, variably documented and not peer‑validated in the sources provided here [10].
6. Alternate viewpoints and implicit agendas in the literature
Forensic research samples and vendor blog posts emphasize recoverability to aid law enforcement and incident responders, which biases experiments toward demonstrating traceability; the Tor Project’s own posts counterbalance that by highlighting limits of user‑mode approaches and warning that physical compromise of the host undermines anonymity claims [6] [4]. Readers should note that academic studies tend to use controlled lab scenarios and virtualization that maximize artifact recovery, so practical results in the field can differ; the sources demonstrate likely indicators but do not promise a guaranteed path from artifact to legal identity without corroboration [1] [2].