Article

Windows 7 registry forensic evidence created by three popular BitTorrent clients

April 2011
Digital Investigation 7(3-4):127-134

DOI:10.1016/j.diin.2010.10.002

Source
DBLP

Authors:

Harjinder Singh Lallie

University of Warwick

Philip James Briggs

Internet file sharing via the use of peer-to-peer networks is an activity that has been growing steadily for several years. It has rapidly become the most widespread method for the exchange of digital material and as a result raises much controversy. The current, most popular protocol in this field is BitTorrent. Although it is relatively simple in most cases to link particular file sharing activities to an IP address, this does little to prove that a particular user was responsible for using the connection. This study explores three popular BitTorrent client applications, BitComet, Vuze and μTorrent and outlines the registry artefacts that are produced by the installation and use of these programs on a Windows 7 client. These artefacts are examined in detail to establish what useful evidence, if any, can be recovered from them. Relevant information is highlighted for each application.

Effect of Live Evidence Acquisition Process on the Change of Windows XP SP2 Registry

Article

Full-text available

Dec 2012

In the paper, we discuss the impact of performing live registry response on the target windows system during loading memory acquisition tools. Every running tool on an investigated system leaves artifacts and changes the system state. Therefore, we should verify the registry evidences in court exacted from memory invalid or not. Firstly, we measure the memory uncertainty in a natural running state (without any other extra tasks) and calculate the blurriness both during loading acquisition tools for live forensics. Then, we employ the MemoryAnalyzer which is developed by ourselves to extract the registry from the acquired memory. Finally, we analyze and compare keys, subkeys and values of the extracted registry hive fives with the original one using Windows Registry File Viewer. Experiments on Windows XP Service Pack 2 under VMware(R) Workstation show that, the memory state are mainly changed by the loading acquisition tool although it is also influenced by its natural running. And what's interesting is that the novel extracted registry subkeys and values can not be deleted by the live memory acquisition tool, just added some keys and values related with acquisition tools in the SYSTEM hive file, and modified key values (usually represent visited or running time) in the SOFTWRE and NTUSER.DAT hive files. Therefore, the registry is trustable even that it is extracted from acquired memory. (C) 2011 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Harbin University of Science and Technology

Digital Forensic Readiness Framework for Ransomware Investigation: 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, September 10–12, 2018, Proceedings

Chapter

Full-text available

Jan 2019

Over the years there has been a significant increase in the exploitation of the security vulnerabilities of Windows operating systems, the most severe threat being malicious software (malware). Ransomware, a variant of malware which encrypts files and retains the decryption key for ransom, has recently proven to become a global digital epidemic. The current method of mitigation and propagation of malware and its variants, such as anti-viruses, have proven ineffective against most Ransomware attacks. Theoretically, Ransomware retains footprints of the attack process in the Windows Registry and the volatile memory of the infected machine. Digital Forensic Readiness (DFR) processes provide mechanisms for the pro-active collection of digital footprints. This study proposed the integration of DFR mechanisms as a process to mitigate Ransomware attacks. A detailed process model of the proposed DFR mechanism was evaluated in compliance with the ISO/IEC 27043 standard. The evaluation revealed that the proposed mechanism has the potential to harness system information prior to, and during a Ransomware attack. This information can then be used to potentially decrypt the encrypted machine. The implementation of the proposed mechanism can potentially be a major breakthrough in mitigating this global digital endemic that has plagued various organizations. Furthermore, the implementation of the DFR mechanism implies that useful decryption processes can be performed to prevent ransom payment.

Windows registry harnesser for incident response and digital forensic analysis

Article

Dec 2018

The extraction of digital evidence from storage media is a growing concern in digital forensics, due to the time and space complexity in acquiring, preserving and analysing digital evidence. Microsoft Windows Registry is an example of a potential source of digital evidence that contains a database of evidential information about both the system and users. However, due to the vastness of the Registry, it is difficult to manually sift through this database to extract potential evidence. Furthermore, manually sifting provides room for human error, which could invalidate the entire forensic investigation. This time-consuming and error-prone process can cause several delays in processing and presenting criminal cases during litigation. The need for an automated extraction and analysis process of digital evidence is therefore inherently needed. The aim of this research is to develop an automated forensically sound process for Windows Registry investigation. This entails setting up strict and reliable measures for an investigator to follow whilst minimizing human interaction through automation. To achieve this, an acquisition and analysis tool was developed. A comparative analysis of the developed tool to existing tools showed increased performance with respect to time and forensic soundness.

IJCSDF-Vol. 3, No. 4 (2014)

Article

Full-text available

Dec 2014

The advancement of smartphone technology has attracted many companies in developing mobile operating system (OS). Mozilla Corporation recently released Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, concentrations and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and newly introduced WebAPI. However, the used of JavaScript in HTML5 applications and solely no OS restriction might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper will present an overview and methodology of mobile forensic procedures in forensically sound manner for Firefox OS

A Methodology and Tool for Investigation of Artifacts Left by the BitTorrent Client

Article

Full-text available

May 2016

The BitTorrent client application is a popular utility for sharing large files over the Internet. Sometimes, this powerful utility is used to commit cybercrimes, like sharing of illegal material or illegal sharing of legal material. In order to help forensics investigators to fight against these cybercrimes, we carried out an investigation of the artifacts left by the BitTorrent client. We proposed a methodology to locate the artifacts that indicate the BitTorrent client activity performed. Additionally, we designed and implemented a tool that searches for the evidence left by the BitTorrent client application in a local computer running Windows. The tool looks for the four files holding the evidence. The files are as follows: *.torrent, dht.dat, resume.dat, and settings.dat. The tool decodes the files, extracts important information for the forensic investigator and converts it into XML format. The results are combined into a single result file.

Investigation of Artefacts Left by BitTorrent Client in Windows 8 Registry

Article

Jan 2015

BitTorrent client application is a popular tool to download large files from Internet, but this application is quite frequently used for illegal purposes that are one of the types of cybercrimes. If order to fight against this type of cybercrime we carried out the research, during which we investigated the evidences left by BitTorrent client application in registry under Windows 8 operating system. The experiment was carried out in three steps: installation, download, and uninstallation. The snapshots of registry were taken and compared prior and after each step. Changes in Windows registry were collected and joined into tables. The experiment revealed that BitTorrent client application creates Windows registry artefacts that can contain information which might be used as evidence during an investigation. The evidence remains in the registry even after the removal of the application, although it can really prove the fact of usage of the application only. The investigation of file system can reveal the purpose and the contents of the BitTorrent client session.

Investigation of Artifacts Left by BitTorrent Client on the Local Computer Operating under Windows 8.1

Article

Full-text available

Dec 2015

The BitTorrent client application is a popular tool to distribute the large files over the Internet. However, the utility can be used for the illegal distribution of some files. Such an activity is considered as a cybercrime. In order to aid the forensics investigator to fight against the cybercrimes we carried out the research, during which we investigated the evidences left by BitTorrent client application in the local computer operating under Windows 8.1. During the experiment, we studied the evidences left by the BitTorrent client in the Windows registry and in the BitTorrent client configuration files. We investigated as well the possibilities to remove the evidences of the use of the BitTorrent application in order to conceal such a fact. The experiment revealed that the evidences are left either in the Windows registry or in the BitTorrent configuration files or both depending on the removal mode of the BitTorrent client application. The BitTorrent configuration files can reveal only whether the cybercrime was committed. © 2015, Kauno Technologijos Universitetas. All rights reserved.

Vulnerability of the Process Communication Model in Bittorrent Protocol

Article

Full-text available

Apr 2015

Ahmed Elshafee

BitTorrent is the most extensively used protocol in peer-to-peer systems. Its clients are widely spread worldwide and account for a large fraction of today’s Internet traffic. This paper will discuss potential attack that exploits a certain vulnerability of BitTorrent based systems. Code injection refers to force a code – which may be malicious - to run inside another benign code, by inserting it into known process name or process ID. Operating systems supply API functions that can be used by third party to inject a few lines of malicious code inside the original running process, which can effectively damage or harm user resources. Ethernet is the most common internetwork layer for Local Area Networks; the shared medium of LAN enables all users on the same broadcasting domain to listen to all exchanged packets through the network (promiscuous mode), so any adversary can easily perform a simple packet sniffing process on the medium access layer of the network. By capturing and analyzing the sent packets from the P2P application, an adversary can use the revealed process ID by BitTorrent protocol to start the code injection action. So the adversary will be able to seize more machines from the network. Controlled machines can be used to perform many attacks. The study revealed that any adversary can exploit the vulnerability of the process communication model used in P2P by injecting any malicious process inside the BitTorrent application itself exposed by sniffing the exchanged BitTorrent packets through LAN.

Windows registry analysis for forensic investigation

Conference Paper

Full-text available

May 2013

Cyber attack comes in various approach and forms, either internally or externally. Remote access and spyware are forms of cyber attack leaving an organization to be susceptible to vulnerability. This paper investigates illegal activities and potential evidence of cyber attack through studying the registry on the Windows 7 Home Premium (32 bit) Operating System in using the application Virtual Network Computing (VNC) and keylogger application. The aim is to trace the registry artifacts left by the attacker which connected using Virtual Network Computing (VNC) protocol within Windows 7 Operating System (OS). The analysis of the registry focused on detecting unwanted applications or unauthorized access to the machine with regard to the user activity via the VNC connection for the potential evidence of illegal activities by investigating the Registration Entries file and image file using the Forensic Toolkit (FTK) Imager. The outcome of this study is the findings on the artifacts which correlate to the user activity.

Methodology and implementation for tracking the file sharers using BitTorrent

Article

Full-text available

Jan 2013

Sharing copyright protected content without the copyright holder’s permission is illegal in many countries. Regardless, the number of illegal file sharing using BitTorrent continues to grow and most of file sharers and downloader are unconcerned legal action to transfer copywrite-protected files. However, it is difficult to gather enough probative evidence to prosecute illegal file sharers in criminal court and/or sued for damages in civil court. Further, there is a lack of research on investigation techniques to reveal illegal BitTorrent sharers. This is because the role of the server in BitTorrent networks has been changed compared to servers in conventional P2P networks. As a result, it is difficult to apply previous investigation processes for investigation of conventional P2P networks to the investigation of suspected illegal file sharing using BitTorrent. This paper proposes a methodology for the investigation of illegal file sharers using BitTorrent networks through the use of a P2P digital investigation process.

IF-DSS: A forensic investigation framework for decentralized storage services

Article

Oct 2023

Forensic Evidence Collection From Windows Host Using Python Based Tool

Conference Paper

Full-text available

Oct 2022

Microsoft Word Forensic Artifacts in Windows 10 Registry

Conference Paper

Aug 2019

Methodology for digital investigation of illegal sharing using BitTorrent

Article

Apr 2013

Sharing copyrighted files without copyright holder`s permission is illegal. But, a number of illegal file sharers using BitTorrent increase. However, it is difficult to find appropriate digital evidences and legal basis to punish them. And, there are no framework for digital investigation of illegal sharing using BitTorrent. Additionally, role of server in BitTorrent had been reduced than server in conventional P2P. So, It is difficult to apply investigation framework for illegal sharing using conventional P2P to investigation process of illegal sharing using BitTorrent. This paper proposes the methodology about punishing illegal sharer using BitTorrent by suggesting the digital investigation framework.

CuFA: A more formal definition for digital forensic artifacts

Article

Full-text available

Aug 2016
DIGIT INVEST

The term “artifact” currently does not have a formal definition within the domain of cyber/digital forensics, resulting in a lack of standardized reporting, linguistic understanding between professionals, and efficiency. In this paper we propose a new definition based on a survey we conducted, literature usage, prior definitions of the word itself, and similarities with archival science. This definition includes required fields that all artifacts must have and encompasses the notion of curation. Thus, we propose using a new term – curated forensic artifact (CuFA) – to address items which have been cleared for entry into a CuFA database (one implementation, the Artifact Genome Project, abbreviated as AGP, is under development and briefly outlined). An ontological model encapsulates these required fields while utilizing a lower-level taxonomic schema. We use the Cyber Observable eXpression (CybOX) project due to its rising popularity and rigorous classifications of forensic objects. Additionally, we suggest some improvements on its integration into our model and identify higher-level location categories to illustrate tracing an object from creation through investigative leads. Finally, a step-wise procedure for researching and logging CuFAs is devised to accompany the model.

Forensic Artifacts of the flareGet Download Manager

Conference Paper

Dec 2014

There is an increasing interest in finding artifacts (digital evidence) created by various software tools. flareGet is an advanced multi-threaded and multi-segment download manager for Linux. This is the only download manager for Linux that integrates with almost all the browsers. In this paper, we examine (from a digital forensics angle) the artifacts created by flareGet for Linux, specifically on Ubuntu 12.04 distribution. The flareGet artifacts include download path, URL address, settings of flareGet, date and time of the activity performed, the encryption technique used by flareGet, etc. This is useful for the digital forensic investigator to search and interpret the artifacts created or left in the process of using flareGet. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2014.

Methodology for Digital Investigation of Illegal Sharing Using BitTorrent

Chapter

Jan 2012

In these days, a number of illegal file sharers using BitTorrent increase. Sharing copyrighted files without copyright holder’s permission is illegal, so they must be punished. However, it is difficult to find appropriate digital evidences and legal basis to punish them. This paper proposes the methodology about punishing illegal sharer using BitTorrent by suggesting the digital investigation framework. This framework consists of two parts. The first part is acquisition of data on network. In process of network analysis, the methodology to acquire and classify information about peers by analyzing packets is suggested. The second part is acquisition and analysis of data from suspect’s PC. In process of suspects’ PC analysis, the methodology to acquire meaningful evidences by finding traces of file sharing on suspects’ PC is suggested.

Trust analysis for the live registry evidence during memory acquisition process

Article

Nov 2012

Live Physical memory contains a lot of useful evidence information, such as registry in the windows operation system. However, some important information would be covered by the covered or altered during the loading and running forensics acquired tool on an investigated system. To improve the validness of the Live Physical Memory of Windows, we first measure and calculate the blurriness of memory content, then investigate the impact of live registry response on the target windows system during loading memory acquisition tools for live forensics. Firstly, we measure the memory uncertainty under a natural running state(as the result of its own running environment) to further determine the changeable proportion of the acquired memory in total. Then, the memory analysis tool is employed o extract the registry evidence information from the acquired live memory. Finally, we analyze and compare registry keys, its corresponding subkeys and corresponding values from the extracted hive fives with the original hive files from copy of the harddisk. Experiments on Windows system under VMware® Workstation Platform show that, the memory content are mainly altered by the loading and running acquisition tool although it is also influenced by its natural running. And the novel extracted registry subkeys and values can't be deleted by the live memory acquisition tool, just added some keys and values related with acquisition tools in the hive files.

Recent Trends in Collection of Software Forensics Artifacts: Issues and Challenges

Conference Paper

Aug 2013

Digital forensics helps an investigator to find traces of any malicious activity of user, done by using a particular piece of software. In recent years, analysis of computer software products has been done for collection of forensics artifacts, using traditional digital forensic approach. But as the traditional forensics has now been established as a standard, more people are familiar with the forensic processes. They know where traces can be left behind and how to get rid of them so as to eliminate possible evidence. Thus anti forensic techniques are imposing as disruptive challenge for investigators. In this paper we discuss recent trends in the field of artifacts collection and highlight some challenges that have made finding and collecting forensics artifacts a very hard job. We examine whether it is possible for a forensics investigator to rely on old traditional approach or not. Furthermore in conclusion we suggest possible solutions and new areas where we can find evidences.

File Marshal: Automatic extraction of peer-to-peer data

Article

Full-text available

Sep 2007
DIGIT INVEST

a b s t r a c t Digital forensic investigators often find peer-to-peer, or file sharing, software present on the computers, or the images of the disks, that they examine. Investigators must first determine what P2P software is present and where the associated information is stored, retrieve the information from the appropriate directories, and then analyze the results. File Marshal is a tool that will automatically detect and analyze peer-to-peer client use on a disk. The tool automates what is currently a manual and labor intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a foren-sically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation). This paper describes the general design and features of File Marshal, its current status, and the plans for continued development and release. When complete, File Marshal, a National Institute of Justice funded effort, will be disseminated to law enforcement at no cost.

Limewire examinations

Article

Full-text available

Sep 2008
DIGIT INVEST

In the world of information sharing Limewire is one of the more popular means for exchanging illicit material and therefore often features in child pornography (CP) cases. In this paper we look at evidence that examiners have available to them, the artifacts left behind by installation and use of the Limewire client that will tell them what the user did and their intent behind that use. We will also look at tips and techniques for finding and extracting evidence from unallocated space, slack space and other corners of the digital evidence. Lastly we introduce a tool AScan that will allow the investigator to extract all the evidence and expand the investigation into the child pornography networks the suspect was a member of. (c) 2008 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.

Open Source: Technology and Policy

Article

Jan 2007

The open source movement is a worldwide effort to promote an open style of software development more aligned with the accepted intellectual style of science than the proprietary modes of invention that have been characteristic of modern business. The idea is to keep the scientific advances created by software development openly available for everyone to use, understand, and improve. The very process of open source creation is highly transparent. This book addresses prominent projects in the open source movement, along with its enabling technologies, social characteristics, legal issues, business venues, and public and educational roles. © Fadi P. Deek and James A. M. McHugh 2008 and Cambridge University Press, 2010.

PHAT: A p2p history analysis tool

Article

May 2009

Peer-to-peer file sharing applications are used by many Internet users to quickly and efficiently copy files around the world. Many different tools provide the user with the ability to search for files based on keywords or file type and download files. Because files can be copied easily and efficiently by the general public, crimes that rely on the transfer of large amounts of data are becoming much more common. For example, music and movie piracy has greatly increased over the last several years. Currently, digital investigators follow a time-consuming manual process to analyze a suspect's hard drive for evidence of crimes committed via file sharing applications. Popular file sharing applications, such as LimeWire, were analyzed to determine the type and location of evidence that can be retrieved from the application's data files. A tool was developed to automatically extract this evidence and present it to the user in a form that is easily understood by digital investigators, attorneys, and jury members.

New Perspectives in Computer Concepts-Comprehensive Edition

Article

The Windows Registry as a forensic artefact: Illustrating evidence collection for Internet usage

Article

Sep 2006
DIGIT INVEST

In this paper we examine the use of the Windows Registry as a source of forensic evidence in digital investigations, especially related to Internet usage. We identify the sources of the information, along with the methods used and toolsets available for such examinations, and illustrate their use for recovering evidence. We highlight issues of the forensic practise related to Registry inspections and propose ideas for further improvements of the process and the tools involved. (c) 2006 Elsevier Ltd. All rights reserved.

Identifying an existing file via KaZaA artefacts

Article

Sep 2006
DIGIT INVEST

Paul Sanderson

This child exploitation case study details two newly developed techniques for investigating illegal activity on peer-to-peer networks (names have been changed as the case is ongoing). The defendant in this case is accused of taking three indecent digital video clips of a minor, and sharing these on the KaZaA peer-to-peer file sharing network. The first search method focuses on post-mortem analysis of a forensic duplicate of the defendant's hard drive. The second method employs techniques for live searching of the peer-to-peer network. Tools used to automate these searches are presented. Although the tools and techniques developed for this investigation did not locate additional evidence, they are valid and may be useful in future investigations.

Etude-P2P-2009-Ipoque Digital forensic analysis of peer-to-peer networking. In: International workshop on logistics and manufacturing networks, 22e24 Feb

Jan 2006
2010

P Sanderson
J Sung
E Baek
K Byun
S Lee
Lim

Sanderson P. Identifying an existing file via KaZaA artefacts. Digital Investigation 2006;3(3):174e80. Schulze H, Mochalski K. Internet study 2008/2009 [Online]. Available at, http://www.scribd.com/doc/13516439/Etude-P2P-2009-Ipoque; 2009 [Accessed 15.02.2010]. Sourceforge. Regshot [Online]. Available at, http://sourceforge. net/projects/regshot/; 2008 [Accessed 1502.2010]. Sung J, Baek E, Byun K, Lee S, Lim J. Digital forensic analysis of peer-to-peer networking. In: International workshop on logistics and manufacturing networks, 22e24 Feb 2007. Seoul: Korea University; 2007. Ultima. BEncode editor [Online]. Available at, http://sites.google. com/site/ultimasites/bencode-editor; 2010 [Accessed 18.03. 2010].

Open source: technology and policy Digital Detective Group. Free tool e Dcode

Jan 2008
2010

Cannatella J Geoghegan
Sj Phat57e
Fp Deek
Mchugh
Ja

Cannatella J, Geoghegan SJ. PHAT: a p2p history analysis tool. Journal of Computing Sciences in Colleges 2009;24(5):57e64. Deek FP, Mchugh JA. Open source: technology and policy. Cambridge: Cambridge University Press; 2008. Digital Detective Group. Free tool e Dcode [Online]. Available at, http://www.digital-detective.co.uk/freetools/decode.asp; 2010 [Accessed 30.03.2010]. ej-technologies. install4j [Online]. Available at, http://www.ej-technologies.com/products/install4j/overview.html; 2010 [Accessed 04.042010].

Available at60popular-torrent-clients-for-windows-linux-ubuntu-and-mac

Jan 2008

Linux Raju

Raju. 60þ popular torrent clients for Windows, Linux and Mac [Online]. Available at, http://techpp.com/2008/11/14/60popular-torrent-clients-for-windows-linux-ubuntu-and-mac/; 2008 [Accessed 12.04.2010].

Internet study Available at

Jan 2008

H Schulze
K Mochalski

Schulze H, Mochalski K. Internet study 2008/2009 [Online]. Available at, http://www.scribd.com/doc/13516439/Etude-P2P- 2009-Ipoque; 2009 [Accessed 15.02.2010].

Digital forensic analysis of peer-to-peer networking

J Sung
E Baek
K Byun
S Lee
J Lim

Sung J, Baek E, Byun K, Lee S, Lim J. Digital forensic analysis of peer-to-peer networking. In: International workshop on logistics and manufacturing networks, 22e24 Feb 2007. Seoul: Korea University; 2007.

What is BitComet? [Online] Available at

Jan 2010

Bitcomet

BitComet. What is BitComet? [Online]. Available at, http://www. bitcomet.com/; 2010b [Accessed 14.03.2010].

Mastering Windows network forensics and investigation

Jan 2007

S Bunting

Bunting S, Anson S. Mastering Windows network forensics and investigation. Indianapolis: Wiley; 2007.

Available at, http://wiki. bitcomet.com/Inside_BitComet

Jan 2010

Inside Bitcomet
Bitcomet

BitComet. Inside BitComet [Online]. Available at, http://wiki. bitcomet.com/Inside_BitComet; 2010a [Accessed 16.01.2010].

What is mTorrent [Online] Available at, http:// www.%CE%BCTorrent.com/what-is-%CE%BCTorrent

Jan 2010

Bittorrent Inc

BitTorrent Inc.. What is mTorrent [Online]. Available at, http:// www.%CE%BCTorrent.com/what-is-%CE%BCTorrent; 2010 [Accessed 20.04.2010].

Windows 7 registry forensic evidence created by three popular BitTorrent clients

Abstract

No full-text available

Recommended publications

Determination of model reliability in 3-D resistivity and I.P. Inversion

A Forensic Audit of the Tor Browser Bundle

Validity of Router Responses for IP Aliases Resolution

Optimum Efficient Mobility Management Scheme for IPv6