Inproceedings

BitTorrent Sync: Network Investigation Methodology

Mark Scanlon; Jason Farina; M-Tahar Kechadi

September 2014, Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES 2014)

Contribution Summary

This paper outlines a network investigation methodology for BitTorrent Sync, a decentralized file replication utility that lets users synchronize files between machines without relying on cloud storage. The authors propose a framework for digital investigators to retrieve digital evidence from the network, including a step-by-step guide for investigating scenarios in which BitTorrent Sync may be used for illicit activity. The paper also documents the packets observed being sent and received during regular operation of BitTorrent Sync and presents the results of a proof-of-concept digital forensic investigation. The methodology and results are aimed at digital investigators and researchers working in digital forensics.

Keywords: BitTorrent Sync; Decentralized file replication; Digital forensics; Network investigation; Digital evidence; Cybercrime; File synchronization; Peer-to-Peer (P2P) protocol

Abstract

The volume of personal information and data most Internet users find themselves amassing is ever increasing, and the fast pace of the modern world results in most requiring instant access to their files. Millions of these users turn to cloud-based file synchronisation services, such as Dropbox, Microsoft Skydrive, Apple iCloud and Google Drive, to enable “always-on” access to their most up-to-date data from any computer or mobile device with an Internet connection. The prevalence of recent articles in the media covering various invasion-of-privacy issues and data protection breaches has caused many to review their online security practices with their personal information. To provide an alternative to cloud-based file backup and synchronisation, BitTorrent Inc. released a cloudless file backup and synchronisation service, named BitTorrent Sync, to alpha testers in April 2013. BitTorrent Sync's popularity rose dramatically throughout 2013, reaching over two million active users by the end of the year. This paper outlines a number of scenarios where the network investigation of the service may prove invaluable as part of a digital forensic investigation. An investigation methodology is proposed outlining the required steps involved in retrieving digital evidence from the network, and the results from a proof-of-concept investigation are presented.

BibTeX

@inproceedings{scanlon2014btsyncmethodology,
  author    = {Scanlon, Mark and Farina, Jason and Kechadi, M-Tahar},
  title     = {{BitTorrent Sync: Network Investigation Methodology}},
  booktitle = {{Proceedings of 9th International Conference on Availability, Reliability and Security (ARES 2014)}},
  year      = {2014},
  month     = sep,
  pages     = {21--29},
  address   = {Fribourg, Switzerland},
  publisher = {IEEE},
  doi       = {10.1109/ARES.2014.11},
  abstract  = {The volume of personal information and data most Internet users find themselves amassing is ever increasing, and the fast pace of the modern world results in most requiring instant access to their files. Millions of these users turn to cloud-based file synchronisation services, such as Dropbox, Microsoft Skydrive, Apple iCloud and Google Drive, to enable ``always-on'' access to their most up-to-date data from any computer or mobile device with an Internet connection. The prevalence of recent articles in the media covering various invasion-of-privacy issues and data protection breaches has caused many to review their online security practices with their personal information. To provide an alternative to cloud-based file backup and synchronisation, BitTorrent Inc. released a cloudless file backup and synchronisation service, named BitTorrent Sync, to alpha testers in April 2013. BitTorrent Sync's popularity rose dramatically throughout 2013, reaching over two million active users by the end of the year. This paper outlines a number of scenarios where the network investigation of the service may prove invaluable as part of a digital forensic investigation. An investigation methodology is proposed outlining the required steps involved in retrieving digital evidence from the network, and the results from a proof-of-concept investigation are presented.},
}