Digital Evidence Analysis: Peer-to-Peer Analysis

What Is a Peer-to-Peer (P2P) Network?

A P2P network allows individual computers to communicate and share files directly with other computers. There is no need for any intermediate servers or network hosts. Every computer on a P2P network both supplies and consumes files or other resources. Files stored on an individual's computer can be directly downloaded by any other peer on the network. There is no central storage for all of the files.

P2P file sharing is faster than other forms of transmission and can decrease the cost of storing, maintaining and retrieving files. Peers on this type of network can share a wide variety of files, including text documents, images, audio and video files and software programs.

How Do Criminals Use Peer-to-Peer Networks?

Although P2P file sharing itself is not illegal, criminals take advantage of its speedier transmission and direct communication to:

  • Share pornographic materials (it is a federal offense to knowingly transmit child pornography, and many state laws forbid distribution of adult pornography to minors).
  • Share copyrighted material such as songs and movies.
  • Commit identity theft.
  • Commit credit card fraud.
  • Access private data stored on computers.

Tools for Finding Evidence of Illegal P2P File Sharing

When a target computer is seized, a digital forensic examiner needs to rapidly identify the kind and number of files that have been shared through P2P technology. Manually searching computer hard drives for evidence of P2P file sharing could take many hours, perhaps days, often creating a backlog. An NIJ-supported tool, P2P Marshal, automates the process of P2P network evidence collection, substantially reducing the amount of time and training required of investigators. The tool was developed by ATC-NY, a subsidiary of Architecture Technology Corporation.

P2P Marshal discovers peer-to-peer (file sharing) programs that are installed on a target computer and then, for each discovered client, presents information, such as downloaded files, shared files and peer servers that were contacted. P2P Marshal can help an investigator prove links between individuals, allowing departments to expand investigations.

P2P Marshal is available at no cost to law enforcement professionals. There are two versions of P2P Marshal: the forensic edition automatically analyzes P2P usage on disk images, while the field edition detects P2P usage on live systems.

P2P Marshal performs all actions in a forensically sound manner, maintaining a detailed log file of all activities it performs. The tool, which runs on Windows-based operating systems, has extensive search capabilities and produces reports in CSV, HTML, PDF and RTF formats.
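To make the two preceding paragraphs concrete, the following is an added illustration of the kind of automated P2P artifact triage they describe: discovering an installed client from the files it leaves behind, collecting its shared files, downloaded files and contacted peers, writing a CSV report, and keeping an audit log that hashes every artifact read so the findings can be re-verified. This is example code written for this page, not P2P Marshal's code or its methods; the client name "ExampleP2P", its artifact paths, the JSON and log formats, and the sample data are all constructed for the example and do not describe any real P2P client.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed artifacts standing in for files recovered from a disk image.
# Paths, file names and the JSON/line formats are assumptions for this
# example; they are not the layout of any real P2P client.
ARTIFACTS = {
    "Users/alice/AppData/Roaming/ExampleP2P/shares.json": json.dumps([
        {"path": "C:/Shared/holiday.mp4", "size": 734003200, "sha1": "ab" * 20},
        {"path": "C:/Shared/readme.txt", "size": 1024, "sha1": "cd" * 20},
    ]),
    "Users/alice/AppData/Roaming/ExampleP2P/downloads.json": json.dumps([
        {"path": "C:/Downloads/song.mp3", "size": 5242880,
         "completed": "2010-10-30T21:14:05Z"},
    ]),
    "Users/alice/AppData/Roaming/ExampleP2P/peers.log": (
        "2010-10-30T21:10:02Z CONNECT 203.0.113.7:6346\n"
        "2010-10-30T21:12:40Z CONNECT 198.51.100.22:6346\n"
        "2010-10-30T21:13:11Z DISCONNECT 203.0.113.7:6346\n"
        "2010-10-30T21:14:05Z CONNECT 203.0.113.7:6346\n"
    ),
}

# Hypothetical client signature: a client counts as installed when every one
# of its artifact files is present somewhere under a user profile.
CLIENT_SIGNATURES = {
    "ExampleP2P": {
        "shares": "AppData/Roaming/ExampleP2P/shares.json",
        "downloads": "AppData/Roaming/ExampleP2P/downloads.json",
        "peers": "AppData/Roaming/ExampleP2P/peers.log",
    },
}


class AuditLog:
    """Records every artifact read, with its SHA-256, so the report can be re-verified."""

    def __init__(self):
        self.entries = []

    def record(self, action, path, data):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "path": path,
            "sha256": hashlib.sha256(data.encode()).hexdigest(),
        })


def discover_clients(files, signatures=CLIENT_SIGNATURES):
    """Return {client: {role: full_path}} for each client whose artifacts all exist."""
    found = {}
    for client, roles in signatures.items():
        located = {}
        for role, suffix in roles.items():
            matches = [p for p in files if p.endswith(suffix)]
            if matches:
                located[role] = matches[0]
        if len(located) == len(roles):
            found[client] = located
    return found


def parse_peers(text):
    """Parse 'timestamp ACTION ip:port' lines into peers with first/last contact and count."""
    peers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "CONNECT":
            continue  # ignore malformed lines and disconnects
        ts, _, endpoint = parts
        entry = peers.setdefault(endpoint, {"first": ts, "last": ts, "connections": 0})
        entry["last"] = max(entry["last"], ts)  # ISO-8601 UTC strings sort chronologically
        entry["connections"] += 1
    return peers


def analyze_client(client, located, files, audit):
    """Collect one client's shared files, downloads and peers, logging every read."""
    def read(role):
        data = files[located[role]]
        audit.record("read", located[role], data)
        return data
    return {
        "client": client,
        "shared": json.loads(read("shares")),
        "downloaded": json.loads(read("downloads")),
        "peers": parse_peers(read("peers")),
    }


def analyze_image(files, audit):
    """Run discovery and collection over every file in the (in-memory) image."""
    return [analyze_client(c, loc, files, audit) for c, loc in discover_clients(files).items()]


def csv_report(results):
    """Flatten the findings into one CSV table: client, category, item, detail."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["client", "category", "item", "detail"])
    for r in results:
        for f in r["shared"]:
            w.writerow([r["client"], "shared", f["path"], f"size={f['size']} sha1={f['sha1']}"])
        for f in r["downloaded"]:
            w.writerow([r["client"], "downloaded", f["path"], f"completed={f['completed']}"])
        for ep, info in sorted(r["peers"].items()):
            w.writerow([r["client"], "peer", ep,
                        f"connections={info['connections']} first={info['first']} last={info['last']}"])
    return out.getvalue()


if __name__ == "__main__":
    log = AuditLog()
    print(csv_report(analyze_image(ARTIFACTS, log)))
    for e in log.entries:
        print(e)
```

On a real image the `ARTIFACTS` dictionary would be replaced by reads from a mounted, write-blocked copy, and the signature table would hold the artifact locations of the clients of interest; the audit log is what lets a second examiner confirm that the report was produced from exactly the bytes recorded.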

ATC-NY is currently preparing a new version of P2P Marshal, which is expected to launch as early as 2011.

Date Created: November 5, 2010