Article

Network Investigation Methodology for BitTorrent Sync: A Peer-to-Peer Based File Synchronisation Service

Mark Scanlon; Jason Farina; M-Tahar Kechadi

October 2015 Computers & Security

Contribution Summary

This paper presents a network investigation methodology for BitTorrent Sync, a peer-to-peer file synchronization service, to aid in the control of data flow across security perimeters. The authors propose a suggested methodology for the investigation of BitTorrent Sync, including recommendations for the analysis of network traffic and the development of feature-based detection rules for Network Intrusion Detection Systems (NIDS) or firewall appliances. The methodology is designed to facilitate both post-mortem traffic analysis and the detection of potential security threats. The paper also documents the observed packets sent and received during regular operation of BitTorrent Sync and presents results from two digital forensic investigations of the service. The authors' aim is to provide a reference for digital investigators and security personnel to detect and control the use of BitTorrent Sync within their perimeter.

Keywords: BitTorrent Sync; Distributed Storage; Peer-to-Peer; Network Traffic Analysis; Remote Evidence Acquisition; Digital Forensics; Cybersecurity; Network Investigation

Abstract

High availability is no longer just a business continuity concern. Users are increasingly dependent on devices that consume and produce data in ever increasing volumes. A popular solution is to have a central repository which each device accesses after centrally managed authentication. This model of use is facilitated by cloud-based file synchronisation services such as Dropbox, OneDrive, Google Drive and Apple iCloud. Cloud architecture allows the provisioning of storage space with “always-on” access. Recent concerns over unauthorised access to third party systems and large scale exposure of private data have made an alternative solution desirable. These events have caused users to assess their own security practices and the level of trust placed in third party storage services. One option is BitTorrent Sync, a cloudless synchronisation utility that provides data availability and redundancy. This utility replicates files stored in shares to remote peers, with access controlled by keys and permissions. While lacking the economies brought about by scale, complete control over data access has made this a popular solution. The ability to replicate data without oversight introduces risk of abuse by users as well as difficulties for forensic investigators. This paper suggests a methodology for investigation and analysis of the protocol to assist in the control of data flow across security perimeters.

BibTeX

@article{scanlon2015network,
title = "Network Investigation Methodology for BitTorrent Sync: A Peer-to-Peer Based File Synchronisation Service",
journal = "Computers \& Security",
volume = "54",
pages = "27--43",
year = 2015,
month = 10,
issn = "0167-4048",
doi = "10.1016/j.cose.2015.05.003",
url = "http://www.sciencedirect.com/science/article/pii/S016740481500067X",
author = "Mark Scanlon and Jason Farina and M-Tahar Kechadi",
keywords = "BitTorrent Sync, Distributed Storage, Peer-to-Peer, Network Traffic Analysis, Remote Evidence Acquisition",
abstract = "High availability is no longer just a business continuity concern. Users are increasingly dependent on devices that consume and produce data in ever increasing volumes. A popular solution is to have a central repository which each device accesses after centrally managed authentication. This model of use is facilitated by cloud-based file synchronisation services such as Dropbox, OneDrive, Google Drive and Apple iCloud. Cloud architecture allows the provisioning of storage space with ``always-on'' access. Recent concerns over unauthorised access to third party systems and large scale exposure of private data have made an alternative solution desirable. These events have caused users to assess their own security practices and the level of trust placed in third party storage services. One option is BitTorrent Sync, a cloudless synchronisation utility that provides data availability and redundancy. This utility replicates files stored in shares to remote peers, with access controlled by keys and permissions. While lacking the economies brought about by scale, complete control over data access has made this a popular solution. The ability to replicate data without oversight introduces risk of abuse by users as well as difficulties for forensic investigators. This paper suggests a methodology for investigation and analysis of the protocol to assist in the control of data flow across security perimeters."
}