by wulczer 4574 days ago
Logs subpoenaed from your ISP show that you were using Tor between 3:10 and 5:23 PM on 02/05/2012.

Logs from forensic analysis of a break-in to EvilCorp show that the attacker came in from Tor and was downloading secret data from 3:10 to 5:23 PM on the same day.

Not enough to prove anything, but there's definitely some circumstantial evidence there.

But if you use Tor for all of your day-to-day browsing, in strict contrast with the OP's recommendation, then there's not such a glaring correlation.
You've still got the spike in network activity, and if you're running a relay, you've still got the spike in outgoing activity minus incoming activity.
Yes, but the local and remote activity can't be connected. Were somebody to connect and disconnect from Tor in the time surrounding an attack, you could; but you couldn't say that a Tor user is a culprit of an attack that went over the Tor network because they were using the Internet at the time. Perhaps they're just using Facebook or HN as they do many times each day.
Um, yes it can be connected. You have a graph that looks like /\_/-\_ of bandwidth differential on one machine and you have the graph that looks like /\_/-\_ of bandwidth used on the targeted machine. Case closed. The occasional connection to Facebook isn't going to obfuscate that.