Forensic Studies in BitTorrent: Optimising file downloads is a dream for some; for others it raises challenging piracy issues

BY JAMIE ACORN AND JOHN AUSTIN

Produced by the Information Security Group at Royal Holloway, University of London in conjunction with TechTarget. Copyright © 2008 TechTarget. All rights reserved.

Royal Holloway series

Jamie Acorn, Information Security Group, Royal Holloway, University of London, Egham, Surrey, U.K.
John Austin, Information Security Group, Royal Holloway, University of London, Egham, Surrey, U.K.

This article was prepared by students and staff involved with the award-winning M.Sc. in Information Security offered by the Information Security Group at Royal Holloway, University of London. The student was judged to have produced an outstanding M.Sc. thesis on a business-related topic. The full thesis is available as a technical report on the Royal Holloway website http://www.ma.rhul.ac.uk/tech. For more information about the Information Security Group at Royal Holloway or on the M.Sc. in Information Security, please visit http://www.isg.rhul.ac.uk.

INTRODUCTION

Given the volumes of recorded and transmitted data in today’s computerised environment, the collection and processing of digital evidence is an even more delicate and complex business than in years past. Bram Cohen’s creation of BitTorrent in 2001 enables and optimises the downloading of files, any size and any type, to remote computers. Now available for all common operating systems, its popularity is soaring and it is available in many browsers including Mozilla Firefox. For some it is a dream; for others, including those trying to combat the unauthorised downloading or ‘pirating’ of copyright material, it poses yet another significant problem.

Forensic Studies in BitTorrent

Given the ever-growing use of BitTorrent as a means of file sharing, and the associated costs to media-based industries and legal issues, the need for a forensic understanding of this system of file sharing is becoming increasingly important. To date, there are no (known) published studies investigating the forensic aspects of BitTorrent. This study is a preliminary investigation into the forensic artefacts created by BitTorrent use.

‘BitTorrent’ is a peer-to-peer application that uses metadata files known as torrents. The metadata provides instructions to a BitTorrent client, facilitating the connection to remote computers and the downloading of files (of any size and type).

The diagrams shown (next page) are taken from and depict how the BitTorrent protocol works. Firstly, an individual creates a torrent using either a BitTorrent client or torrent-making application, and publishes it on a website or forum. This individual is known as the ‘initial seeder’. Figure 1 shows the ‘initial seeder’ distributing fragments of a file to different machines connected using a BitTorrent client. It is usual for the shared file to be virtually split into many smaller chunks of data of equal size to aid file transfer (it is not always possible to divide the file equally and therefore the last chunk may be truncated). The connected individuals are collectively known as a ‘swarm’. Figures 2 and 3 show the swarm sharing data chunks between each other as well as the ‘initial seeder’. Figure 4 shows the point where the ‘initial seeder’ has shared all the small data chunks and now no longer needs to seed these files. The individuals that form the swarm now possess the sum of all parts of the file being shared. The swarm will continue to share data with each other and any newly connected individuals.

[Figures 1 – 4: The BitTorrent file sharing process. SOURCE: Wikimedia Foundation, Inc. (September, 2007): BitTorrent, http://en.wikipedia.org/wiki/BitTorrent]

The beauty of this protocol is that an ‘initial seeder’ only needs to share each data chunk once in order for the file to be shared with many individuals and this means the initial seeder’s bandwidth is not being constantly depleted by the people they are sharing files with.

The instruction information contained in torrent files is essentially: the name of the file to be shared, the size of each piece and the number of pieces that make up the file, and the Uniform Resource Locator (URL) of a tracker. A ‘tracker’ is a dedicated server that links all the peers (remotely connected computers) associated with a particular torrent file. Remote individuals download the torrent from the website. When the .torrent file is opened within a BitTorrent client, it points the client to the ‘initial seeder’ using the tracker URL.

The effectiveness of the protocol relies on every individual sharing pieces of the file they are downloading; hence, while an individual is downloading pieces of the file, they are also uploading or seeding the pieces of the file they already have. It is possible to prevent seeding by changing preferences within the BitTorrent client but trackers and individuals will ban these users or limit their download speed. Thus, it is the general rule that, by using BitTorrent to download files, the user is also sharing files.

The specific aims of the study were as follows:

1. To identify forensic artefacts produced by BitTorrent file sharing, and to establish whether the artefacts lead to identification of the downloaded or shared files.
2. To identify any settings within client configuration files which may be useful to aid forensic examination.
3. To identify any artefacts that determine IP addresses of remote computers from which data was downloaded, or shared, during the test phase.
4. To identify whether any of the torrents had been created and seeded by the user.

Five BitTorrent clients (ABC, Azureus, BitComet, BitTornado, and uTorrent) were selected for testing as these were determined to be the most ‘popular’ at the time of this study. A number of torrents were selected for download and then different scenarios created to emulate normal usage, such as stopping a torrent during the download, removing a torrent from the client during download, completing a full download and letting the torrent seed. Torrent files were also created by each client (except BitTornado), linked to a public tracker and left to seed until the files seeded were completely uploaded. Each client was then analysed using forensic software on generated image files and also in situ.

All the clients tested have a ‘settings or preferences’ function where the user can tweak operation configurations. Analysis of the clients showed that they vary in complexity and operability and thus varied in the amount of useful forensic information stored in the settings. However, investigating the settings of a client is key to understanding how it has been used, as the settings can determine information such as:

• where downloads will be stored,
• if default settings have been altered,
• where torrents will be stored, deletion settings,
• if logging is enabled,
• if a password has been set,
• the version of the client used,
• the ports used,
• the last time the client was used,
• the seeding settings etc.

Thus analysis of the various settings can be used to form a profile of a user and to distinguish a zealous user from a recreational user.

TORRENT FILES

Torrent files are a fundamental component of the BitTorrent file sharing procedure. They are, in effect, pointers to the target files that are to be shared, meaning that there is no difference between a torrent file that is used to share or download a file. The only way to determine what a torrent file has been used for (i.e. to download or share a file) is to investigate artefacts produced by the BitTorrent client used.

There are different ways that torrent files may arrive on a computer. A user can create a torrent, and save it anywhere on the system. A user can open a torrent from a website; this causes the torrent file to be saved in the ‘Temporary Internet File’ folder (if Internet Explorer is used as a web browser). It is also possible a user might save a torrent from a website, email, IRC, external storage device, to any location on the system.

With the exception of BitTornado, all clients analysed create a backup of torrent files (these are stored in application-specific directories) when they are opened. The backups are direct copies of the torrent files opened. Azureus, uTorrent and ABC store all backup torrent files within their designated directories where they remain stored even after torrents are removed from the GUI. The backup torrent files for these clients can be deleted by the user using the GUI, but not by using the main removal tab. The BitComet client does not continue storing the torrent backups once they are removed from the GUI; hence only backup torrent files currently loaded in the GUI are stored.

Torrent files contain information such as the names and sizes of files that are downloaded or shared. This information can be used as a guide to determine which files may have been downloaded or shared but the presence of a torrent file alone is not evidence of file downloading/sharing; further evidence would have to be gathered show-

downloaded/seeding, or stopped)

These ‘cache’ files, thus, provide evidence for the downloading or seeding of specific files.
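The torrent-file metadata described above (tracker URL, file names and sizes, piece size and number of pieces) can be read directly from a recovered .torrent file, which is a bencoded dictionary. The Python below is an added example, not part of the original article or the study's tooling; the function names, the sample torrent bytes and the tracker hostname are constructed for illustration.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("truncated bencode data")
            item, i = bdecode(data, i)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated bencode data")
        return data[colon + 1:end], end
    raise ValueError(f"invalid bencode at offset {i}")

def raw_info(data):
    """Return the exact bytes of the top-level 'info' dictionary."""
    i = 1                                          # skip the opening 'd'
    while data[i:i + 1] != b"e":
        key, start = bdecode(data, i)
        _, i = bdecode(data, start)
        if key == b"info":
            return data[start:i]
    raise ValueError("no info dictionary")

def summarise(data):
    """Extract the fields an examiner would record from a .torrent file."""
    meta = bdecode(data)[0]
    info = meta[b"info"]
    text = lambda b: b.decode("utf-8", "replace")
    files = [(text(b"/".join(f[b"path"])), f[b"length"]) for f in info.get(b"files", [])]
    files = files or [(text(info[b"name"]), info[b"length"])]   # single-file layout
    return {"tracker": text(meta.get(b"announce", b"")),
            "name": text(info[b"name"]), "files": files,
            "piece_length": info[b"piece length"],
            "piece_count": len(info[b"pieces"]) // 20,   # one 20-byte SHA-1 per piece
            "info_hash": hashlib.sha1(raw_info(data)).hexdigest()}

# Constructed sample, not from the study: one 40000-byte file in 16384-byte pieces.
SAMPLE = (b"d8:announce31:http://tracker.example/announce4:infod6:lengthi40000e"
          b"4:name10:sample.iso12:piece lengthi16384e6:pieces60:" + bytes(60) + b"ee")
```

The info_hash is the SHA-1 of the bencoded info dictionary, which is how a torrent is identified to a tracker, so two .torrent files with the same info_hash describe the same content even if their tracker URLs differ. In the sample the third piece is shorter than the other two, matching the truncated last chunk the article describes.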
