Abstract
BitTorrent is a peer to peer file sharing protocol used to exchange files over the internet, and is used for both legal and illegal activity. Newer BitTorrent client programs are using proprietary UDP based protocols as well as TCP to transmit traffic, and also have the option of encrypting the traffic. This network forensic research examined a number of packet analysis programs to determine whether they could detect such traffic from a packet captures of a complete file transmitted using one of four protocol options. The four states examined were: TCP without encryption, TCP with encryption, μTP without encryption and μTP with encryption, and the six programs investigated were: Network Miner, Tcpxtract, Honeysnap, OpenDPI, Netwitness Investigator and SPID. Of the six programs investigated, none of them were fully able to fully reconstruct a file, with most not even able to detect that the traffic related to BitTorrent usage. The Netwitness Investigator program was able to extract the announce and scrape files. The signature based SPID was able to partly match TCP based torrent traffic, but could not identify μTP traffic. The conclusion is that until new tools are developed, forensic investigators must continue to rely on artifacts created by the BitTorrent clients themselves in order to locate evidence in the event that a crime has been alleged.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
