P2P Investigation
PEDRO GALLEGOS
Topics
- Overview of P2P
- Direct vs Hearsay
- Investigation Steps
- Analysis Gnutella Protocol
- RoundUp
Overview of P2P
- P2P stands for Peer-to-Peer
- A way to distribute files
- Gnutella
  - Supports queries
  - Peers inform each other of files
- BitTorrent
  - Uses torrent files
  - Trackers inform the client of peers
Direct VS Hearsay
Direct
When an investigator has a direct connection, that is, a TCP connection to a process on a remote computer, and receives information about that specific computer, that information is direct.
Hearsay
When a process on one remote machine relays information for or about another, different machine, that information is hearsay.
Investigation Steps
- Determine Files of Interest (FOIs)
- Use P2P to find candidates
- Narrow down the candidates
- Attempt to verify possession or distribution
Investigation Steps Cont.
- A subpoena to the ISP is obtained
- On the basis of evidence, obtain a search warrant
- Perform the search
Analysis Gnutella Protocol Overview
Before a warrant is obtained, it is important to only gather data that is in the public domain, through:
- Queries
- Swarming information
- Browsing a host
- File download
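The direct vs hearsay distinction and the "verify possession" step above can be applied mechanically to what the investigator's own client logs. The following is an added example, not code from the slides or from RoundUp; the Observation record format, the IP addresses and the file bytes are constructed for illustration. An observation is direct only when the TCP peer is the machine the information is about (a Browse Host listing or a download from that machine), and possession counts as verified only when a direct download hashes to the FOI.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Observation:
    """One record logged by the investigator's own client (constructed format)."""
    peer_ip: str            # remote end of the investigator's TCP connection
    subject_ip: str         # machine the information is about
    method: str             # "query_hit", "browse_host" or "download"
    sha1: str               # file hash as reported by the peer
    content: bytes = b""    # file bytes, present only for "download"
def classify(obs):
    """Direct when the TCP peer is the machine the information concerns; else hearsay."""
    return "direct" if obs.peer_ip == obs.subject_ip else "hearsay"

def summarize(observations, fois):
    """Per subject IP: count direct/hearsay sightings of files of interest and
    record which FOIs were verified by a direct download whose bytes hash to the FOI."""
    report = {}
    for obs in observations:
        if obs.sha1 not in fois:
            continue                      # not a file of interest, ignore
        entry = report.setdefault(obs.subject_ip,
                                  {"direct": 0, "hearsay": 0, "verified": set()})
        kind = classify(obs)
        entry[kind] += 1
        if kind == "direct" and obs.method == "download":
            # possession is only verified if the downloaded bytes match the FOI hash
            if hashlib.sha1(obs.content).hexdigest() == obs.sha1:
                entry["verified"].add(obs.sha1)
    return report

# Constructed sample data: one FOI, one ultrapeer (10.0.0.1) relaying query hits.
FOI_BYTES = b"constructed file of interest"
FOI_SHA1 = hashlib.sha1(FOI_BYTES).hexdigest()
SAMPLE = [
    Observation("10.0.0.1", "10.0.0.2", "query_hit", FOI_SHA1),           # relayed: hearsay
    Observation("10.0.0.2", "10.0.0.2", "browse_host", FOI_SHA1),         # direct listing
    Observation("10.0.0.2", "10.0.0.2", "download", FOI_SHA1, FOI_BYTES), # direct, verified
    Observation("10.0.0.1", "10.0.0.3", "query_hit", "00" * 20),          # not an FOI
    Observation("10.0.0.4", "10.0.0.4", "download", FOI_SHA1, b"wrong"),  # claimed, not verified
]

def sample_report():
    return summarize(SAMPLE, {FOI_SHA1})

if __name__ == "__main__":
    for ip, e in sample_report().items():
        print(ip, e["direct"], "direct,", e["hearsay"], "hearsay, verified:", sorted(e["verified"]))
```

Note that a query hit relayed by an ultrapeer only ever yields hearsay about the leaf, so it narrows the candidate list but does not by itself verify possession.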
RoundUp
RoundUp is a tool for forensically valid investigations of the Gnutella network.
Questions?
Sources:
Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http://www.dfrws.org/2010/proceedings/2010-311.pdf