In CHFI v11, memory dump analysis focuses on identifying volatile artifacts , such as running processes, loaded modules, decrypted data, network connections, and application-specific memory remnants. The availability of Tor Browser artifacts in memory is highly dependent on the execution and installation state of the Tor Browser at the time of acquisition.
When the Tor Browser is opened , it generates the highest number of artifacts in memory. These include active Tor processes, circuit information, encryption keys, temporary buffers, and cached session data. Even when the Tor Browser is closed but still installed , some residual artifacts may remain in memory or be partially recoverable due to delayed memory reuse, along with indirect indicators such as prefetch references and previously allocated memory pages.
However, when the Tor Browser is uninstalled , there are no active Tor-related processes or associated memory segments loaded into RAM. As explicitly covered in the CHFI v11 blueprint under Tor Browser Forensics and Forensic Analysis: Tor Browser Uninstalled , uninstalling Tor significantly reduces both volatile and non-volatile artifacts. Consequently, memory dumps acquired after uninstallation contain the least possible number of recoverable Tor artifacts , often limited to overwritten or non-attributable memory fragments.
Therefore, based strictly on CHFI v11 objectives and forensic principles, Tor browser uninstalled (Option B) is the correct answer.
