According to the CHFI v11 Dark Web and Tor Browser Forensics objectives, the Tor network anonymizes user traffic by routing it through a series of relays: Entry (Guard) Relay → Middle Relay → Exit Relay. Each relay plays a distinct role in preserving anonymity, but only one relay is directly visible to the destination server.
The Exit Relay is the final node in the Tor circuit and is responsible for forwarding decrypted traffic from the Tor network to the target destination on the regular internet. As a result, destination servers see the IP address of the exit relay, not the original attacker. This makes exit relays highly visible and frequently misattributed as the source of malicious activity such as hacking attempts, scanning, spam, or data exfiltration.
CHFI v11 explicitly notes that exit relays commonly face legal complaints, abuse reports, and law enforcement scrutiny, even though they do not originate the traffic. Investigators must understand this distinction to avoid false attribution during dark web investigations. Entry relays see the client IP but not the destination, and middle relays see neither source nor destination. “Transfer relay” is not a valid Tor relay type.
From a forensic and legal perspective, recognizing the role of exit relays is critical when analyzing Tor-related incidents, as they represent the point of exposure to external networks.
Therefore, the Tor relay most likely to face legal scrutiny due to its visibility to destination servers, fully aligned with CHFI v11, is the Exit Relay, making Option A the correct answer.
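To make the false-attribution point concrete, the following is an added example, not part of the original page or of CHFI material: it labels the source IPs in a server log by whether they were listed as Tor exit addresses around the time of the event. The exit list (modelled on the ExitNode/ExitAddress layout of published Tor exit lists), the log lines, the 24-hour window, and the function names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the ExitNode/ExitAddress layout; timestamps assumed UTC.
# Fingerprints and documentation-range IPs are made up for illustration.
EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2024-03-01 02:10:00
LastStatus 2024-03-01 09:00:00
ExitAddress 203.0.113.7 2024-03-01 09:14:22
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2024-02-20 11:00:00
LastStatus 2024-02-20 12:00:00
ExitAddress 198.51.100.23 2024-02-20 12:05:10
"""

# Constructed web-server log lines (combined log format, trimmed).
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:02:11 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [01/Mar/2024:10:03:40 +0000] "GET /admin HTTP/1.1" 403 199
192.0.2.50 - - [01/Mar/2024:10:05:02 +0000] "GET / HTTP/1.1" 200 1043
"""

def parse_exit_list(text):
    """Map each exit IP to the times it was observed as an exit address."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            when = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
            seen.setdefault(parts[1], []).append(when)
    return seen

def classify(log_text, exits, window=timedelta(hours=24)):
    """Label each log source IP; a listing only matters near the event time."""
    results = []
    for m in re.finditer(r"^(\S+) \S+ \S+ \[([^\]]+)\]", log_text, re.M):
        ip = m.group(1)
        event = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        event = event.astimezone(timezone.utc).replace(tzinfo=None)
        times = exits.get(ip, [])
        if any(abs(event - t) <= window for t in times):
            label = "tor-exit"        # IP belongs to a relay, not the originator
        elif times:
            label = "tor-exit-stale"  # listed, but not around the event time
        else:
            label = "not-listed"
        results.append((ip, label))
    return results
```

A `tor-exit` label means the logged address identifies the relay operator only; `tor-exit-stale` shows why the listing must be checked against the incident timestamp before drawing that conclusion.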