What will a forensic computer audit reveal?

A third-party non-government company is requiring that I, as a former employee, submit to a forensic computer audit. Without going into the details of why or if enforceable, what will a computer audit find of my use of Tor? I use Tor for Proton email, this forum, and other searches possibly related to this topic or whistleblowing etc. I also may have used Tor for a LinkedIn profile unrelated to my main profile. I’ve tried not to download anything, save anything, and certainly not reveal my identity in anything in Tor.

Basically, what will that audit reveal and is there any way to see what the audit might reveal before they do it? (again, please let’s not discuss the why or related).


It will definitely show you as a Tor browser user and thus the flags will be raised.

OK, so remove the Tor folder, empty the bin, clean out the search and browsing history and cache of all other browsers, clean the temp folder (lots of stuff accumulates there). Then wipe the free space. Maybe I missed something. That last step, in itself, will also raise a flag: a computer without recoverable files or words in the free space. WOW all zeros. Like walking by a scanner and having no electronic signal.

Or maybe uninstall other browsers and re-install before the wipe. Also lots of stuff in the registry.

I assumed Windows. Leave them something. Leave them Edge and surf out of it for a while.

Never admit anything.


This is helpful, thank you. But my follow-up is what will the forensic audit reveal in addition to just use of Tor?

For example, let’s say Proton via Tor was used to email a reporter who published a story about bad things done at the Company. Those emails are E2E encrypted so the audit shouldn’t reveal contents but had to search via Tor for that reporter’s email - would the audit reveal that a computer on X date searched for the email of Y reporter? Also, there would be searches for definitions of misconduct, how serious this might be, etc. Also also :slight_smile: , this post and other posts on online legal forums asking for barrister’s help - would those searches and their respective results show up?

And this is a company, not law enforcement. So only repercussions are company suing - which is still bad. And even if the audit found a submitted whistleblower complaint (it won’t), the Company can’t sue for that; but they could sue for hypothetically revealing info to the press.

And my non-Tor use is clean and significant - they’ll have plenty to keep them busy :wink:

Those emails are E2E encrypted to another Proton user only. I’m assuming you used the web interface for Proton and not an Outlook-type application where you bring in the mail and reply from that application. Or did you use public key/private key type encryption?

From what I read, Tor does not use the disk for cache, it is all in memory, so there is no browser history, search history, or cache to look at. OK, so the search company would know but from where and by whom. Remember you are on Tor. The forums would have copies like this one I am looking at right now.

I also felt like giving a barrister comment. That person may advise about your rights like can they force you to submit to a search especially if it is your personal computer. But a lawyer being a lawyer (via email) may not have advised you about wiping the computer as this may be construed as destroying evidence and there may be a legal issue related to that profession. This is Tor dedicated to protecting privacy, protecting identity, and opposing censorship. I’m not bound by that.

If it is a company computer then everything on it is theirs and, by the same logic, if it is your computer then they, de facto, gave you permission to put company info on that computer so is it yours?

Now I do not know what type of forensic search they will do. Will they make a non-destructive copy of the drive and then search that? I would want to be there when they do and want to see them destroy the copy when they finish. At this point it sounds reasonable to have a solicitor advise you. :slightly_smiling_face: If it were law enforcement we would not be having this conversation. They would already have seized it.

In case you are interested in erasing, the site is: eraser dot heidi dot ie and you do not need the 35 pass option when erasing.

For anyone reading this who gets hired by a company where computer work is involved: let them supply one. Don’t use your own. Ditto for the phone.

