TOR Forensic Analysis reveals some files that CCleaner needs to delete


identifies some areas where CCleaner needs to look into. Some evidence of a TOR installation that was deleted before running CCleaner.

C:\Windows\Prefetch\START TOR





The thumbcaches identified in the article were all clear. I have not checked all of the files mentioned in the article.

I am using v4.00.4064

Hi jFlanigan, and welcome to the forum.

I would be happy for you to link to a legitimate website containing the article you mention, but we can't allow links to direct downloads for obvious reasons.

Especially from a non-regular member, and I don't mean that to be personal.

I've therefore removed the direct download link.

Hi Dennis.

No problem and I apologize for violating any forum rule on my first visit.

Why do you consider that site not to be legitimate? Its software provides secure and anonymous communication and is highly regarded. See Wikipedia for more information.

My objective was not to make it appear that you or Piriform endorsed the product. The document enlightened me to the fact that there is residual information in the pre-fetch directory that CCleaner should detect and remove.

Best Regards,


Yes, Prefetch contains entries for the TOR browser bundle, which is portable, and other portable programs as well as programs run under Sandboxie, for instance. I guess CC doesn't touch current entries as prefetch is a valid part of the operating system. CC will delete old entries (14 days plus), or if you're really worried you could switch off prefetch for user programs.

As has been said many times before, CC is not a forensic evidence cleaner.
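The following is an added example, not part of the original posts or of CCleaner: a small triage script showing which Prefetch entries for a watched program would remain after an age-based cleanup like the 14-day one described above. The sample listing, the hashes, the whole-word "TOR" match and the use of file modification time for the age check are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path

# Prefetch files are named <EXECUTABLE NAME>-<8 hex digit hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)
# Assumption: flag "TOR" only as a whole word so MONITOR.EXE does not match.
WATCH = re.compile(r"\bTOR\b", re.I)
# The cutoff mentioned in the thread; assumed here to be measured on mtime.
MAX_AGE = timedelta(days=14)


def triage(entries, now, watch=WATCH, max_age=MAX_AGE):
    """Return watched Prefetch entries and whether an age-based cleanup keeps them."""
    hits = []
    for name, mtime in entries:
        m = PF_NAME.match(name)
        if not m or not watch.search(m["exe"]):
            continue  # not a .pf file, or not a program we are looking for
        age = now - mtime
        hits.append({
            "exe": m["exe"].upper(),
            "hash": m["hash"].upper(),
            "age_days": age.days,
            "survives_age_cleanup": age < max_age,
        })
    return hits


def scan(directory):
    """Collect (name, mtime) pairs from a real Prefetch directory."""
    return [(p.name, datetime.fromtimestamp(p.stat().st_mtime))
            for p in Path(directory).glob("*.pf")]


# Constructed sample listing: names, hashes and times are made up.
NOW = datetime(2013, 7, 1, 12, 0)
SAMPLE = [
    ("START TOR BROWSER.EXE-1A2B3C4D.pf", NOW - timedelta(days=2)),
    ("TOR.EXE-0F0E0D0C.pf", NOW - timedelta(days=20)),
    ("MONITOR.EXE-DEADBEEF.pf", NOW - timedelta(days=1)),
    ("NOTEPAD.EXE-11223344.pf", NOW - timedelta(days=30)),
    ("Layout.ini", NOW),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE, NOW):
        print(hit)
```

On a live system, `triage(scan(r"C:\Windows\Prefetch"), datetime.now())` runs the same check against the real directory, which normally requires administrator rights to read.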

Hi Dennis.

Why do you consider that site not to be legitimate? Its software provides secure and anonymous communication and is highly regarded. See Wikipedia for more information.

Best Regards,


My apologies, you misunderstand my meaning John. I didn't open the PDF in your link, and there's nothing in your post to indicate which site the article came from.

I simply meant you can provide a link to any legitimate website in your post, and I've no reason to doubt that the one you refer to is a legitimate one.

We can get new members, and spammers sadly, who provide links to some unusual places, hence the need to mention "legitimate".

By all means, supply us with the link to the site containing the article, and I hope that clears up the misunderstanding.


Dennis and Augeas,

Here is the link we have been speaking of.

https: // research(dot)torproject(dot)org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Thanks for your good responses.

