Learn about P2P investigation, including the overview of P2P, direct vs hearsay evidence, investigation steps, and analysis of the Gnutella protocol.
P2P Investigation
Pedro Gallegos
Topics
• Overview of P2P
• Direct vs Hearsay
• Investigation Steps
• Analysis Gnutella Protocol
• RoundUp
Overview of P2P
• P2P stands for Peer-to-Peer
• Way to distribute files
• Gnutella
  • Supports queries
  • Peers inform each other of files
• BitTorrent
  • Uses torrent files
  • Trackers inform client of peers
Direct vs Hearsay
• Direct
  • When an investigator has a direct connection, that is, a TCP connection to a process on a remote computer, and receives information about that specific computer, that information is direct
• Hearsay
  • When a process on one remote machine relays information for or about another, different machine, that information is hearsay
Investigation Steps
• Determine Files of Interest (FOIs)
• Use P2P to find candidates
• Narrow down the candidates
• Attempt to verify possession or distribution
Investigation Steps Cont.
• A subpoena to the ISP is obtained
• On the basis of the evidence, obtain a search warrant
• Perform the search
Analysis Gnutella Protocol Overview
• Before a warrant is obtained, gather only data that is already publicly available, obtained through:
  • Queries
  • Swarming Information
  • Browsing Host
  • File download
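As an added example (not from these slides and not part of the RoundUp tool), the following Python parses a Gnutella 0.4 QueryHit descriptor and applies the direct-vs-hearsay distinction from the earlier slide: a hit counts as direct only when it arrived with hop count zero over a TCP connection to the very host it describes, and as hearsay otherwise. The message layout follows the Gnutella 0.4 specification; the sample message, GUIDs and addresses are all constructed.

```python
import struct
from dataclasses import dataclass

@dataclass
class QueryHit:
    hops: int            # times this descriptor was forwarded (0 = from originator)
    advertised_ip: str   # IP the responding servent claims for itself
    port: int
    servent_guid: bytes  # 16-byte servent identifier
    files: list          # (file_index, file_size, file_name) per hit

def parse_query_hit(msg: bytes) -> QueryHit:
    """Parse a Gnutella 0.4 descriptor (23-byte header) carrying a QueryHit (0x81)."""
    _guid, ptype, _ttl, hops, plen = struct.unpack_from("<16sBBBI", msg, 0)
    if ptype != 0x81:
        raise ValueError("not a QueryHit descriptor")
    payload = msg[23:23 + plen]
    nhits, port = struct.unpack_from("<BH", payload, 0)
    ip = ".".join(str(b) for b in payload[3:7])     # IP is in network byte order
    off, files = 11, []                              # skip the 4-byte speed field
    for _ in range(nhits):
        idx, size = struct.unpack_from("<II", payload, off)
        end = payload.index(b"\x00", off + 8)        # file name is NUL-terminated
        files.append((idx, size, payload[off + 8:end].decode("utf-8", "replace")))
        off = payload.index(b"\x00", end + 1) + 1    # skip optional extension block
    return QueryHit(hops, ip, port, payload[-16:], files)

def classify_evidence(hit: QueryHit, tcp_peer_ip: str) -> str:
    """Direct: received over our own TCP connection from the host it describes.
    Hearsay: relayed by another servent, or describes a host other than the peer.
    Field values are self-reported, so the peer-address match is the real check."""
    if hit.hops == 0 and hit.advertised_ip == tcp_peer_ip:
        return "direct"
    return "hearsay"

def build_query_hit(hops: int, ip: str, port: int, files) -> bytes:
    """Build a constructed QueryHit for testing (not captured traffic)."""
    body = struct.pack("<BH", len(files), port)
    body += bytes(int(o) for o in ip.split(".")) + struct.pack("<I", 1000)  # speed
    for idx, size, name in files:
        body += struct.pack("<II", idx, size) + name.encode() + b"\x00\x00"
    body += b"\x22" * 16                                  # servent GUID (constructed)
    header = b"\x11" * 16 + struct.pack("<BBBI", 0x81, 7, hops, len(body))
    return header + body

# Constructed sample: hit from our direct neighbour 192.0.2.10, describing itself
SAMPLE = build_query_hit(0, "192.0.2.10", 6346, [(1, 4096, "example.txt")])
```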
RoundUp
• RoundUp is a tool for forensically valid investigations of the Gnutella network
Sources:
• Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. Forensic Investigation of Peer-to-Peer File Sharing Network. http://www.dfrws.org/2010/proceedings/2010-311.pdf