A machine learning-based memory forensics methodology for TOR browser artifacts
Concurrency and Computation: Practice and Experience (IF 1.5), Pub Date: 2020-07-21, DOI: 10.1002/cpe.5935
Raffaele Pizzolante, Arcangelo Castiglione, Bruno Carpentieri, Roberto Contaldo, Gianni D'Angelo, Francesco Palmieri

At present, 96% of the resources available on the World Wide Web belong to the Deep Web, which is composed of content that is not indexed by search engines. The Dark Web is a subset of the Deep Web and is currently the favorite place for hiding illegal markets and content. The most important tool for accessing the Dark Web is the Tor Browser. In this article, we propose a bottom-up formal investigation methodology for the memory forensics of the Tor Browser. Based on a bottom-up logical approach, our methodology obtains information at progressively higher levels of abstraction, in order to characterize semantically relevant actions carried out by the Tor Browser. We further show how the proposed three-layer methodology can be realized with open-source tools. We also show how the extracted information can be used as input to a novel Artificial Intelligence-based architecture for mining effective signatures that represent malicious activities in the Tor network. Finally, to assess the effectiveness of the proposed methodology, we define three test cases that simulate widespread real-life scenarios and discuss the obtained results. To the best of our knowledge, this is the first work that deals with the forensic analysis of the Tor Browser on a live system in a formal and structured way.

Updated: 2020-07-21