
Insider Threat Matrix™
  • ID: PR003
  • Created: 25th May 2024
  • Updated: 28th October 2025
  • MITRE ATT&CK®: T1592.002
  • Contributor: The ITM Team

Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

Subsections (12)

PR003.012 Installation of Dark Web-Capable Browsers

The subject installs a browser capable of accessing anonymity networks, such as the Tor Browser (used for .onion sites), I2P Router Console, or Freenet, as part of preparation for covert research, anonymous communication, or unmonitored data exchange. This behavior may support future infringement by enabling non-attributable activity outside sanctioned IT controls.

Installation of the Tor Browser Bundle typically involves downloading a signed installer or compressed package from https://www.torproject.org, unpacking a portable browser (a hardened Firefox ESR variant) into a self-contained directory, and launching it via the Start Tor Browser shortcut (start-tor-browser on Linux), which spawns both the Tor daemon (tor.exe) and the browser instance (firefox.exe). The bundled configuration file torrc (under TorBrowser\Data\Tor inside the installation directory) may be modified to enable bridges and pluggable transports (e.g., obfs4, meek, Snowflake) designed to evade deep packet inspection (DPI) or proxy enforcement.

In environments with proxy filtering, the subject may attempt to reach the Tor network through bridge relays or an existing VPN, route other applications through the local SOCKS5 listener that Tor exposes (port 9150 for Tor Browser, 9050 for a standalone tor service), or execute the browser from non-standard locations (e.g., cloud-sync folders, external volumes) that software inventories may not cover. Some subjects bypass endpoint controls entirely by booting a live operating system such as Tails, or by running the Whonix Gateway/Workstation virtual machines; both route all traffic through Tor by default, and a live OS in particular leaves minimal forensic artifacts on host storage.

This installation is rarely accidental and often coincides with other policy evasions or drift indicators. The presence of anonymizing tools—even in dormant form—warrants scrutiny as a preparatory indicator linked to potential data exfiltration, credential harvesting, or external coordination.
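The artifacts described above (tor.exe, a Tor-bundled firefox.exe, a torrc with bridge or pluggable-transport directives, and execution from cloud-sync folders or external volumes) are what a hunt query would key on. The following is an added example written for this entry, not code from the Insider Threat Matrix or the Tor Project: it runs a few such rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation) and over a constructed torrc. The sanctioned install roots, cloud-sync folder names, user names and paths are assumptions to be tuned for a real estate.

```python
"""Hunt for Tor Browser install and launch artifacts in endpoint telemetry.

Added example for this ITM entry, not code from the Insider Threat Matrix.
Event fields follow the Sysmon layout (Event ID 1 = process creation,
Event ID 11 = file creation), but every event below is a constructed
sample. The sanctioned install roots and cloud-sync folder names are
assumptions to tune for a given estate.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed "where software is allowed to live"; adjust per environment.
SANCTIONED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
CLOUD_SYNC_MARKERS = ("\\onedrive\\", "\\dropbox\\", "\\google drive\\", "\\box\\")

# Real torrc directives that enable bridges and pluggable transports
# (obfs4, meek, snowflake), i.e. the DPI/proxy-evasion settings the text describes.
TORRC_EVASION = re.compile(r"^\s*(UseBridges|Bridge|ClientTransportPlugin)\b", re.I | re.M)


def path_indicators(path: str) -> list[str]:
    """Flag the locations the text calls out: removable volumes and cloud-sync folders."""
    low = path.lower()
    hits = []
    drive = PureWindowsPath(path).drive.lower()
    if drive and drive != "c:":
        hits.append("external_or_removable_volume")
    if any(marker in low for marker in CLOUD_SYNC_MARKERS):
        hits.append("cloud_sync_folder")
    return hits


def event_indicators(ev: dict) -> list[str]:
    """Map one telemetry event to the named indicators it triggers."""
    hits = []
    if ev.get("EventID") == 1:                       # process creation
        image = ev.get("Image", "")
        low = image.lower()
        name = PureWindowsPath(image).name.lower()
        if name == "tor.exe":
            hits.append("tor_daemon_started")
        if name == "firefox.exe":
            # Tor Browser is a Firefox variant; the default folder names give it away...
            if "\\tor browser\\" in low or "\\torbrowser\\" in low:
                hits.append("tor_browser_launched")
            # ...but a renamed copy still runs from outside the sanctioned roots.
            if not low.startswith(SANCTIONED_ROOTS):
                hits.append("browser_outside_sanctioned_paths")
        if "torrc" in ev.get("CommandLine", "").lower():
            hits.append("tor_config_referenced")
        hits += path_indicators(image)
    elif ev.get("EventID") == 11:                    # file creation
        target = ev.get("TargetFilename", "")
        if PureWindowsPath(target).name.lower() == "torrc":
            hits.append("torrc_written")              # catches a dormant, never-launched install
        hits += path_indicators(target)
    return hits


def summarize(events: list[dict]) -> dict[str, list[str]]:
    """Per-user, de-duplicated and sorted indicator list."""
    per_user: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        per_user[ev["User"]].update(event_indicators(ev))
    return {user: sorted(hits) for user, hits in per_user.items()}


def torrc_indicators(torrc_text: str) -> list[str]:
    """Directive names (lower-cased, first-seen order) that enable bridges/transports."""
    return list(dict.fromkeys(m.lower() for m in TORRC_EVASION.findall(torrc_text)))


TB = "C:\\Users\\jdoe\\OneDrive\\Documents\\tb\\Browser"   # relocated, renamed install (constructed)
SAMPLE_EVENTS = [   # constructed sample telemetry, not real data
    {"EventID": 11, "User": "CORP\\jdoe",
     "TargetFilename": TB + "\\TorBrowser\\Data\\Tor\\torrc"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": TB + "\\firefox.exe",
     "CommandLine": '"' + TB + '\\firefox.exe"', "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": TB + "\\TorBrowser\\Tor\\tor.exe",
     "CommandLine": '"' + TB + '\\TorBrowser\\Tor\\tor.exe" -f "' + TB + '\\TorBrowser\\Data\\Tor\\torrc"',
     "ParentImage": TB + "\\firefox.exe"},
    {"EventID": 1, "User": "CORP\\bnguyen", "Image": "E:\\Tor Browser\\Browser\\firefox.exe",
     "CommandLine": '"E:\\Tor Browser\\Browser\\firefox.exe"', "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "User": "CORP\\asmith", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"', "ParentImage": "C:\\Windows\\explorer.exe"},
]

SAMPLE_TORRC = """\
# constructed sample torrc (values are placeholders, not a working bridge line)
UseBridges 1
ClientTransportPlugin obfs4 exec TorBrowser\\Tor\\PluggableTransports\\lyrebird.exe
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0
"""

if __name__ == "__main__":
    for user, hits in summarize(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(hits) or 'no indicators'}")
    print("torrc evasion directives:", torrc_indicators(SAMPLE_TORRC))
```

The rules deliberately do not stop at the literal "Tor Browser" folder name: a copy renamed and dropped into a OneDrive folder still trips the sanctioned-path and cloud-sync checks, and the torrc file-creation rule fires even if the browser is never launched, which matches the point above that a dormant install is still a preparatory indicator. The sanctioned user running stock Firefox from Program Files produces nothing, which is the false-positive check to keep when tuning the path lists.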

PR003.004 Installing Browser Extensions

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

PR003.003 Installing Browsers

A subject can install an unapproved browser with features that frustrate or defeat preventive and detective controls, such as a built-in VPN, Tor access, or automatic destruction of browser artifacts.

PR003.005 Installing Cloud Storage Applications

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

PR003.009 Installing FTP Clients

A subject installs a File Transfer Protocol (FTP) client, which can be used to access FTP servers across a network.

PR003.007 Installing Messenger Applications

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

PR003.006 Installing Note-Taking Applications

A subject installs an unapproved note-taking application with the ability to sync notes across the Internet.

PR003.010 Installing RDP Clients

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

PR003.011 Installing Screen Sharing Software

A subject installs screen sharing software which can be used to capture images or other information from a target system.

PR003.008 Installing SSH Clients

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

PR003.001 Installing Virtual Machines

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

PR003.002 Installing VPN Applications

A subject installs a VPN application that allows them to tunnel their traffic.