P-2-P forensics


Disklabs
10-01-2007, 01:32 PM
Is there anyone out there who has a deep knowledge of Peer 2 Peer and the science behind it? If so, please post some of your knowledge here.

Simon

redlennox
04-06-2007, 09:26 AM
Might as well create a list of p2p/download programs:

BitTorrent clients
Limewire
Kazaa
eMule
WinMX
IRC
Newsgroup clients
Picture sharing sites/software
Shareaza
Gnutella

If people add what they know below I will update this list and add in information relating to each one.

kern
04-06-2007, 11:17 AM
Nice idea red,

Add to the list:
Shareaza
gtk-gnutella

I'm more familiar with Linux-based apps, and have a good working knowledge of Gnutella from the client perspective.

redlennox
04-06-2007, 11:42 AM
Thanks kern. I suppose the next step is start thinking about how to recover artifacts for each of the programs.

kern
04-06-2007, 12:07 PM
Yes, agreed.

One particular scenario that concerns me is that it's too easy to be looking for stuff on P2P and d/l some image with an innocuous name only to stumble upon private illicit content.

Then there's the potential that remote control has been enabled, or that your client is being used as a node.

Without thorough working knowledge of each individual client, the entire P2P forensic game is holier than a box of Swiss cheese housing a mischief of mice.

kern

redlennox
05-06-2007, 07:45 AM
This is not a definitive guide, but I'm quite sure that most, if not all, torrent clients hold upload and download information relating to torrent files.

This information will be held in a log file, normally in the Docs & Settings / Users area, and will be in the following format:

downloaded 1024
uploaded 1024

The numbers present are the number of bytes. I think this information may be lost when the torrent file is removed from the client, but some searches in unallocated may provide something useful.

kern
05-06-2007, 08:16 AM
Yes, there's quite a lot of data stored in torrent clients too.

Torrents tend to be major films/media etc., and IIRC you can't search torrents directly. You need another source, such as a website, to describe the torrent download you seek.

In P2P you just enter a search term.
There's a wealth of information stored in P2P log files: keyword search data, SHA1/MD5 sums,
IP locations kept for partial files, servers used, etc. Depends what you're trying to find.

Many other applications used indirectly with P2P programs will also yield corroborative evidence.

This is where you hit gold. The miscreant may only try to remove direct content in an attempt to evade detection. Whatever else he used to aid the process also keeps traces.

Again, thorough working knowledge pays dividends. Software can only go so far in detection.
Human engineering goes hand in hand with software eng.

kern
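
The two posts above describe the kind of artifacts a P2P client leaves behind: per-torrent downloaded/uploaded byte counts, SHA1/MD5 sums of shared files, search terms, and peer IP addresses. The following script is an added example (not code from this thread or from any client) that pulls those artifacts out of log text and matches the recovered hashes against a known-file hash set. The log lines and the hash set are constructed here in a generic key/value style; every real client uses its own layout, so the regular expressions are illustrative and would need adjusting per client.

```python
"""Extract forensic artifacts from P2P client log text (added example).

The sample log and the known-hash set below are constructed for this
demonstration; they do not come from any real client or hash list.
"""
import re

# Constructed sample log text in a generic key/value style.
SAMPLE_LOG = """\
2007-06-04 10:01:22 search query="holiday photos"
2007-06-04 10:01:30 result name="holiday.zip" sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709 size=204800
2007-06-04 10:02:05 peer 192.168.1.23:6346 connected
2007-06-04 10:02:07 peer 10.0.0.5:4662 connected
2007-06-04 10:45:00 torrent "movie.iso" downloaded 1048576 uploaded 3145728
2007-06-04 10:46:11 partial holiday.zip md5=d41d8cd98f00b204e9800998ecf8427e source=10.0.0.5
"""

# Constructed known-file hash set (stands in for a real hash list).
KNOWN_HASHES = {"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"}

SHA1_RE = re.compile(r"\bsha1=([0-9a-fA-F]{40})\b")
MD5_RE = re.compile(r"\bmd5=([0-9a-fA-F]{32})\b")
# IPv4 address with an optional :port suffix.
IP_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
SEARCH_RE = re.compile(r'search query="([^"]*)"')
TRANSFER_RE = re.compile(r'torrent "([^"]+)" downloaded (\d+) uploaded (\d+)')


def extract_artifacts(log_text):
    """Return search terms, file hashes, peers and transfer totals found in the log."""
    arts = {"searches": [], "hashes": [], "peers": set(), "transfers": []}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            arts["searches"].append(m.group(1))
        for m in SHA1_RE.finditer(line):
            arts["hashes"].append(("sha1", m.group(1).lower()))
        for m in MD5_RE.finditer(line):
            arts["hashes"].append(("md5", m.group(1).lower()))
        for ip, port in IP_RE.findall(line):
            arts["peers"].add((ip, int(port) if port else None))
        m = TRANSFER_RE.search(line)
        if m:
            name, down, up = m.group(1), int(m.group(2)), int(m.group(3))
            arts["transfers"].append({
                "name": name,
                "downloaded": down,
                "uploaded": up,
                # Upload/download ratio shows whether the client served others.
                "ratio": up / down if down else None,
            })
    return arts


def match_known_hashes(artifacts, known):
    """Return the extracted hashes that also appear in a known-file hash set."""
    known_lower = {h.lower() for h in known}
    return [(algo, h) for algo, h in artifacts["hashes"] if h in known_lower]


if __name__ == "__main__":
    found = extract_artifacts(SAMPLE_LOG)
    for key in ("searches", "hashes", "peers", "transfers"):
        print(key, found[key])
    print("known-hash matches:", match_known_hashes(found, KNOWN_HASHES))
```

The upload/download ratio per torrent is worth recording alongside the raw counts: a ratio well above 1 shows the machine was serving the content to other peers, which speaks to kern's point about a client being used as a node rather than merely fetching a file.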

redlennox
05-06-2007, 08:23 AM
Yes, quite true kern. MD5/SHA1 hashes are held, as are names of files. This is great information to have. The BitTorrent clients generally do need to be used in conjunction with torrent websites - look for search terms on these too.

Next up, ermm, Kazaa or eMule:)

kern
05-06-2007, 08:54 AM
There's probably a quick "Help" file associated with each of the progs that would give file storage locations.

But to use each and every client sufficiently, and on different OSes, to make any sort of working practice for them would take more time than I can properly spare.

Maybe useful to keep this thread open for specific questions though, for those who have used certain packages or networks, to respond.

Kern

schris.dk
28-03-2008, 09:01 PM
Hi!!

I've created a forum for LAE regarding filesharing and forensic examination of these programs.

Find it at http://www.fileshareforensics.org

Register at the site using your official LAE e-mail

Regards

Soren Christensen
Denmark

PS: Hope it's ok that I've posted this advertisement here :o

kern
29-03-2008, 08:23 PM
Hi schris,

Not sure really what to say. If you are targeting LEA only as members, then it may be outside the realm of many on this forum.

Having visited your site, I realise I can proceed no further.

I for one am very interested in, and have analysed the workings of, p2p fileshare programs.
Unfortunately, I am not a Law Enforcement Agent, although I have worked privately for customers seeking to "find out" about certain activity on their PCs.

My background is mainly Linux oriented these days, but I am more than willing to contribute in the arena of p2p/filesharing to help to bring miscreants to justice even if in an indirect way by means of shared knowledge.

Kern

Esqulax
11-07-2008, 12:22 PM
Indirectly related, but it may be worth having a P2P application as part of your software arsenal.
I read in a book (I'll get a ref when I remember it) that a company wanted to find out why its internal network was lightning fast, but their internet connection was like walking through syrup.
The security analyst scanned the ports from inside the network looking for traffic, and found that ports 6346/7 (LimeWire, BearShare, and a few others) were taking most of the connection; after scanning the data, the fragments were sound files and, shall we say, videos showing a bit more than needed...
Instead of blocking the port she launched LimeWire and did a search for users this side of the firewall and found something like 150 odd clients running.
Obviously she gave the internal IPs to the bosses, who I imagine weren't best pleased (although it wouldn't surprise me if they were using it..)
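
The account above is essentially a detection exercise: find which internal hosts are talking on the Gnutella default ports (6346/6347) and how much bandwidth they account for. The script below is an added example (not from the book Esqulax mentions or from this thread) that runs that logic over constructed firewall-style connection log lines. It separates outbound connections (an internal host reaching an external peer on a P2P port) from inbound ones (an external host connecting to a P2P port on an internal machine, which means the internal client is accepting connections and acting as a node, the situation kern raised earlier). The log format, the internal address ranges and the port-to-network table are assumptions for this demonstration; the table only contains the two ports the post names and can be extended.

```python
"""Find internal hosts carrying P2P traffic in connection logs (added example).

The log lines, the log format and the internal ranges below are
constructed for this demonstration, not taken from a real firewall.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges (RFC 1918) for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Only the ports named in the thread; extend per the networks you care about.
P2P_PORTS = {6346: "Gnutella", 6347: "Gnutella"}

# Constructed firewall-style log: time proto src:port -> dst:port bytes=N
SAMPLE_FLOWS = """\
10:00:01 TCP 192.168.1.23:51000 -> 203.0.113.9:6346 bytes=40960
10:00:02 TCP 192.168.1.23:51001 -> 198.51.100.4:6347 bytes=81920
10:00:03 TCP 192.168.1.40:51020 -> 203.0.113.7:443 bytes=2048
10:00:04 TCP 192.168.1.55:51100 -> 203.0.113.12:6346 bytes=512000
10:00:05 TCP 203.0.113.30:40211 -> 192.168.1.23:6346 bytes=1024000
10:00:06 TCP 198.51.100.9:40300 -> 192.168.1.23:6346 bytes=2048000
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+bytes=(\d+)$")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_p2p_hosts(log_text, ports=P2P_PORTS):
    """Aggregate P2P-port connections per internal host.

    Outbound: internal source -> external destination on a P2P port.
    Inbound:  external source -> internal destination on a P2P port,
              i.e. the internal machine is accepting peers (acting as a node).
    Flows where both ends are internal, and return traffic, are ignored.
    """
    hosts = defaultdict(lambda: {"outbound": 0, "inbound": 0, "bytes": 0, "networks": set()})
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, _, src, _sport, dst, dport, nbytes = m.groups()
        dport, nbytes = int(dport), int(nbytes)
        if dport not in ports:
            continue
        if is_internal(src) and not is_internal(dst):
            entry, direction = hosts[src], "outbound"
        elif is_internal(dst) and not is_internal(src):
            entry, direction = hosts[dst], "inbound"
        else:
            continue
        entry[direction] += 1
        entry["bytes"] += nbytes
        entry["networks"].add(ports[dport])
    return dict(hosts)


def likely_nodes(hosts):
    """Internal hosts that accepted at least one inbound P2P connection."""
    return sorted(h for h, e in hosts.items() if e["inbound"] > 0)


def rank_by_bytes(hosts):
    """(host, bytes) pairs, heaviest talkers first, for the bandwidth report."""
    return sorted(((h, e["bytes"]) for h, e in hosts.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    found = find_p2p_hosts(SAMPLE_FLOWS)
    for host, total in rank_by_bytes(found):
        e = found[host]
        print(f"{host}: {total} bytes, out={e['outbound']} in={e['inbound']} {sorted(e['networks'])}")
    print("accepting inbound peers:", likely_nodes(found))
```

Port-based matching is only a first pass: clients can be configured to use other ports, so in practice the port table is a starting point and the byte ranking is what tells you where the link capacity is going.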