Matt Nelson
Artifact or Program Version
Vidalia Bundle
Artifact Description
This artifact contains information pertinent to a “default” Tor Vidalia Bundle install. The Vidalia Bundle contains Tor, Vidalia, Polipo, and Torbutton. No browser (such as Firefox) is included.

Obviously, these artifacts are based on a default full install of the Vidalia Bundle; the user could choose to change some features of the install (such as not starting Vidalia at startup, skipping the Start Menu entries, or skipping individual install components), which would change the artifacts left behind.

Specific Files:
Tor.exe – executable that handles creating the “circuit” to the Tor onion network. (vers.
Vidalia – GUI controller for Tor. Aids in the configuration of Tor without editing config files manually. vers. 0.2.19
Polipo – a tiny caching web proxy. Allows applications that are not SOCKS-capable to be sent through Tor.
Torbutton – a Firefox extension that allows quick switching to Tor browsing. (Firefox must be enabled; Torbutton has since been rolled into the TorBrowser)
Additionally, the user can make configuration changes to Tor by making it a Relay, an Exit Relay, or a Bridge. The user can also serve up a Tor Hidden Service that is only reachable on the Tor network.
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\DisplayName: “Polipo”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\DisplayName: “Tor”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\DisplayName: “Vidalia 0.2.19”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoRepair: 0x00000001
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\[username]\Desktop\vidalia-bundle- “Vidalia Bundle”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe: “Vidalia”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Vidalia: “”C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe””
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Polipo\Install_Dir: “C:\Program Files\Vidalia Bundle”
File Locations
Default install location:
C:\Program Files\Vidalia Bundle
Default Tor location:
C:\Program Files\Vidalia Bundle\Tor\tor.exe
Default location of the Tor configuration file:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia\torrc < (contains the Tor configuration details)
Default Polipo location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.exe
Default Polipo config file location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.conf < (contains the Polipo configuration details)
Other Key dirs/files:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia
  vidalia.pid
C:\Documents and Settings\[username]\Local Settings\Application Data\Tor
  geoip
C:\Program Files\Vidalia Bundle\Vidalia\
Research Links
Forensic Programs of Use
RegShot, WireShark, ProcessHacker
Any Other Information
Network Indicators (local):
polipo.exe – port 8118/TCP, Listening (Polipo proxy port)
tor.exe – port 9050/TCP, Listening (Tor SOCKS port)
tor.exe – localhost, port 9051/TCP, Listening (Tor control port)
If Tor has completed a “circuit” to the Tor network, you will see established connections to various hosts:
tor.exe – local port 1144, remote [IP], port 9001/TCP, Established < remote IP can vary
tor.exe – local port 1144, remote [hostname], port 9001/TCP, Established < remote hostname can vary
As circuits drop and new ones are established, these connections will disappear and new ones will appear.
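As an added example (not part of the original artifact page), a Python triage helper that matches `netstat -ano` style output against the local network indicators listed above: the listening ports for Polipo and Tor, and established tor.exe connections to remote port 9001. The netstat lines and the PID-to-process map are constructed samples.

```python
# Added example: classify Windows "netstat -ano" output against the Vidalia
# Bundle network indicators (8118 Polipo proxy, 9050 Tor SOCKS, 9051 Tor
# control port, outbound 9001 circuit connections). Sample data is constructed.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "process local_port remote port state label")

# Listening indicators from the artifact listing (default ports assumed).
LISTEN_INDICATORS = {
    ("polipo.exe", 8118): "Polipo proxy port",
    ("tor.exe", 9050): "Tor SOCKS listener",
    ("tor.exe", 9051): "Tor control port",
}
TOR_ORPORT = 9001  # remote port seen on established circuit connections

# Matches one TCP line of netstat -ano: local, remote, state, owning PID.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def classify(netstat_lines, pid_to_name):
    """Return a Finding for every line that matches a Vidalia Bundle indicator."""
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # skip headers, UDP lines and anything malformed
        _laddr, lport, raddr, rport, state, pid = m.groups()
        name = pid_to_name.get(int(pid), "").lower()
        lport, rport = int(lport), int(rport)
        if state == "LISTENING" and (name, lport) in LISTEN_INDICATORS:
            findings.append(Finding(name, lport, raddr, 0, state,
                                    LISTEN_INDICATORS[(name, lport)]))
        elif state == "ESTABLISHED" and name == "tor.exe" and rport == TOR_ORPORT:
            findings.append(Finding(name, lport, raddr, rport, state,
                                    "Tor circuit to relay (IP varies)"))
    return findings

# Constructed sample of what a host running the bundle might show.
SAMPLE_NETSTAT = [
    "  TCP    127.0.0.1:8118   0.0.0.0:0         LISTENING    1504",
    "  TCP    127.0.0.1:9050   0.0.0.0:0         LISTENING    1620",
    "  TCP    127.0.0.1:9051   0.0.0.0:0         LISTENING    1620",
    "  TCP    192.0.2.10:1144  198.51.100.7:9001 ESTABLISHED  1620",
    "  TCP    192.0.2.10:1150  203.0.113.4:443   ESTABLISHED  2200",
]
SAMPLE_PIDS = {1504: "polipo.exe", 1620: "tor.exe", 2200: "firefox.exe"}

if __name__ == "__main__":
    for f in classify(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"{f.process:<11} {f.local_port:>5} -> {f.remote}:{f.port or '-'}  {f.state:<11} {f.label}")
```

On a live system, feed it the output of `netstat -ano` and a PID map built from `tasklist`; the unrelated firefox.exe connection in the sample is deliberately left unflagged.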

