Tor Browser investigations usually don't go beyond possible user saved bookmarks. Thanks to a find by Loicforensic@protonmail.com (no online presence) we can locate Tor Browser thumbnails of opened tabs in the following Android directories:
- /data/data/org.torproject.torbrowser/cache/mozac_browser_thumbnails/thumbnails
- /data/user/0/org.torproject.torbrowser/cache/mozac_browser_thumbnails/thumbnails
The thumbnail files are named in a GUID format with a .0 extension. For example: 8c7defaa-12b9-44f4-ae78-cc8850b92ab4.0
These thumbnails are in RIFF format contained in a WEBPVP8 container.
They can be easily viewed by opening them with Chrome browser. In order to facilitate review I have made an artifact for the Android Logs Events And Protobuf Parser (ALEAPP) framework. Using the PIL library in Python we can convert the file to PNG format for easy reporting.
Here is ALEAPP's TOR Thumbnails report. The report contains the modified time, converted to PNG thumbnail, filename, and file location path.
ALEAPP can be downloaded here: https://github.com/abrignoni/ALEAPP
Thanks to Josh Hickman (https://twitter.com/josh_hickman1) for his most excellent Android 12 test image which enabled the creation of this artifact. You can get his Android 12 test image here: https://thebinaryhick.blog/2021/12/17/android-12-image-now-available/
Any questions or any comments I can be reached on twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.