Article

Forensics of BitTorrent


Abstract

The aim of this study was to identify forensic artefacts produced by BitTorrent file sharing, and specifically, to establish if the artefacts could lead to identification of the files downloaded or the files shared. A further objective was to identify any artefacts that could determine IP addresses of remote computers from which data was downloaded, or shared, during the test phase. The final aim was to test whether automated erasing software would delete the BitTorrent artefacts identified. The BitTorrent clients BitComet, uTorrent, Azureus, ABC, and BitTornado were chosen to test as these were determined to be the most "popular" at the time of this study. Each client was analysed with forensic software on generated image files and also in situ. The analysis demonstrated that it was possible to identify files that were currently being downloaded and files currently being shared. It was also possible to identify the amount of data that had been exchanged, i.e. uploaded or downloaded, for specific files. Some clients produced artefacts that revealed a complete record of the torrent files that had been downloaded and shared. Analysis also revealed that some clients stored the Internet Protocol (IP) addresses of remote computers with which they had connected when downloading or sharing specific files. The detail and forensic quality of the information identified varied between the clients tested. Finally, the CyberScrub Privacy Suite software (version 4.5) was found to successfully delete (beyond recovery) most of the BitTorrent artefacts identified. The program is designed to specifically delete "sensitive" information produced by the clients BitComet, uTorrent and Azureus.
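The artefact classes the abstract names (names of files being transferred, bytes uploaded and downloaded, and the IP addresses of remote peers) are typically recovered by parsing a client's on-disk state. BitTorrent metainfo (.torrent) files, and the state files of several clients, use the bencode encoding, so a bencode decoder is the first tool an examiner needs. The following is an added example written for this page, not code from the study or from any client: it decodes a bencoded blob and extracts those artefact classes. The blob `SAMPLE_STATE`, its key names (`torrents`, `name`, `downloaded`, `uploaded`, `peers`) and its values are constructed for illustration and do not reproduce the real file layout of any client; the peer list is assumed to be stored in the BEP 23 compact form (4-byte IPv4 address followed by a 2-byte big-endian port).

```python
# Added example, not code from the study: decode a bencoded BitTorrent state
# blob and pull out the artefact classes the abstract describes.
import ipaddress
import struct


def bdecode(data: bytes):
    """Decode one bencoded value (the encoding used by .torrent files) into
    Python objects: int, bytes, list, or dict with bytes keys."""

    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":  # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":  # list: l<item>...e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":  # dict: d<key><value>...e
            i += 1
            entries = {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                if not isinstance(key, bytes):
                    raise ValueError(f"non-string dict key before offset {i}")
                entries[key], i = parse(i)
            return entries, i + 1
        if c.isdigit():  # byte string: <length>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError(f"truncated string at offset {i}")
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode token at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def decode_compact_peers(blob: bytes):
    """Split a BEP 23 compact peer list (assumed storage form) into
    (ip, port) tuples: 4 bytes IPv4 + 2 bytes big-endian port per peer."""
    if len(blob) % 6:
        raise ValueError("compact peer list length is not a multiple of 6")
    peers = []
    for off in range(0, len(blob), 6):
        ip = str(ipaddress.IPv4Address(blob[off:off + 4]))
        (port,) = struct.unpack("!H", blob[off + 4:off + 6])
        peers.append((ip, port))
    return peers


def extract_artefacts(state: bytes):
    """Return one record per torrent with the artefacts an examiner wants:
    file name, bytes transferred in each direction, and remote peer IPs."""
    root = bdecode(state)
    records = []
    for t in root.get(b"torrents", []):
        records.append({
            "name": t[b"name"].decode("utf-8", "replace"),
            "downloaded_bytes": t.get(b"downloaded", 0),
            "uploaded_bytes": t.get(b"uploaded", 0),
            "peers": decode_compact_peers(t.get(b"peers", b"")),
        })
    return records


# Constructed sample state (hypothetical layout, not any client's real file):
# one torrent, 700 MiB downloaded, 100 MiB uploaded, two compact-form peers
# 10.0.0.5:6881 and 192.168.1.20:50000.
PEER_BLOB = bytes([10, 0, 0, 5, 0x1A, 0xE1, 192, 168, 1, 20, 0xC3, 0x50])
SAMPLE_STATE = (
    b"d8:torrentsl"
    + b"d10:downloadedi734003200e4:name11:example.iso5:peers12:" + PEER_BLOB
    + b"8:uploadedi104857600ee"
    + b"ee"
)

if __name__ == "__main__":
    for rec in extract_artefacts(SAMPLE_STATE):
        print(rec["name"], rec["downloaded_bytes"], rec["uploaded_bytes"])
        for ip, port in rec["peers"]:
            print("  peer", ip, port)
```

The decoder is strict about trailing bytes and truncated strings so that a partially overwritten or wiped file fails loudly rather than yielding a silently incomplete record; against a real client state file the key names would have to be read from that client's documentation or determined empirically, as the study did.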


... Human goal and usage diversity with partial investigative opacity are central to the modus operandi of the DW. From a theoretical perspective, Gambetta [2] has previously explored various ways in which mimicry, deception and identity verification operate within criminal gangs such as the Mafia. His perspective is sociological rather than linguistic, informally presented rather than rigorous [2]. ...
... From a theoretical perspective, Gambetta [2] has previously explored various ways in which mimicry, deception and identity verification operate within criminal gangs such as the Mafia. His perspective is sociological rather than linguistic, informally presented rather than rigorous [2]. Criminals typically seek to communicate in ways designed to obfuscate their "true" identities. ...
Conference Paper
We offer a partial articulation of the threats and opportunities posed by the so-called Dark Web (DW). We go on to propose a novel DW attack detection and prediction model. Signalling aspects are considered wherein the DW is seen to comprise a low cost signaling environment. This holds inherent dangers as well as rewards for investigators as well as those with criminal intent. Suspected DW perpetrators typically act entirely in their own self-interest (e.g. illicit financial gain, terrorism, propagation of extremist views, extreme forms of racism, pornography, and politics; so-called 'radicalisation'). DW investigators therefore need to be suitably risk aware such that the construction of a credible, legally admissible, robust evidence trail does not expose investigators to undue operational or legal risk.
... The skeleton can cleverly emphasize the best procedure subject to the center of the examination bringing about an altogether assisted proof get-together process. Acorn Jamie; in his research entitled "Crime scene investigation of BitTorrent", [8] recognized scientific relics delivered by BitTorrent file offering, and particularly, to create if the remaining could prompt the IDs of the records downloaded or the files shared. The dissection showed that it was conceivable to distinguish files that were at present being downloaded and records presently being shared. ...
Article
Full-text available
BitTorrent is the most extensively used protocol in peer-to-peer systems. Its clients are widely spread worldwide and account for a large fraction of today's Internet traffic. This paper will discuss a potential attack that exploits a certain vulnerability of BitTorrent based systems. Code injection refers to forcing code, which may be malicious, to run inside another benign code, by inserting it into a known process name or process ID. Operating systems supply API functions that can be used by a third party to inject a few lines of malicious code inside the original running process, which can effectively damage or harm user resources. Ethernet is the most common internetwork layer for Local Area Networks; the shared medium of a LAN enables all users on the same broadcasting domain to listen to all exchanged packets through the network (promiscuous mode), so any adversary can easily perform a simple packet sniffing process on the medium access layer of the network. By capturing and analyzing the sent packets from the P2P application, an adversary can use the process ID revealed by the BitTorrent protocol to start the code injection action. So the adversary will be able to seize more machines from the network. Controlled machines can be used to perform many attacks. The study revealed that any adversary can exploit the vulnerability of the process communication model used in P2P by injecting any malicious process inside the BitTorrent application itself, exposed by sniffing the exchanged BitTorrent packets through the LAN.
Chapter
Our submission offers a partial articulation of the threats and opportunities posed by the so-called “Dark Web” (DW); namely, the nature of risk(s) posed by criminal DW usage to a civil-society. We propose a DW Forensic route-map wherein there is a need to differentiate as early as possible in the investigative process between those suspected offences that are deemed not to be in the public-interest to pursue, from those suspected of involvement in “serious” crimes. Our model is designed to offer support in those cases wherein a criminal conviction is deemed to be in the public interest; namely to establish beyond any reasonable doubt the guilt or innocence of the accused. We therefore propose that any credible route-map should be both RIPA (2000) and PACE (1984) compliant. The suspected perpetrators typically act entirely in their own self-interest (e.g. illicit financial gain, terrorism, propagation of extremist views, extreme forms of racism, pornography, and politics; so-called ‘radicalisation’). DW investigators need to be suitably risk aware such that the construction of a credible (i.e. legally admissible), robust evidence trail, often comprising the key part of any criminal case, does not expose investigators to undue operational or legal risk.
Article
Full-text available
Abstract: Recent developments have seen the closure of P2P sites such as Kazaa and Napster due to legal action, and a subsequent rise in the use of alternative file-sharing software, namely BitTorrent. This research in progress aims to evaluate the effectiveness of commercial programs to erase traces of the use of such software. The erasure programs Privacy Suite, Window Washer and R-Clean and Wipe were used on a machine that had used the BitTorrent client Azureus to download two torrent files. The drive was imaged and examined forensically with Autopsy, and the registry was also examined on the source machine. The program R-Clean and Wipe left evidence in both the registry and the image of the name and type of files that had been downloaded with this software. Of greater concern was that the software Window Washer and Privacy Suite claimed to erase evidence of P2P activity, but it did not remove evidence of torrent activity. Current erasure tools do not appear to be effective at removing traces of BitTorrent activity. Keywords: P2P, BitTorrent, file sharing, erasure software