The use of BitTorrent technology to exchange illegal files over the internet is of concern, especially given the large volume of data exchanged. Law enforcement need solid evidence, as well as investigative intelligence if they are to reduce this trade in illegal material. This paper builds on previous work in this area and used Windows 7 as a base to examine four of the most popular BitTorrent clients to determine what information they write to a hard drive that is of use to a forensic investigator. The analysis was limited to that which could be determined using topical analysis, and examined the registry and other user areas within Windows, such as the local data area. The clients examined were BitComet, BitTornado, Vuze, and μTorrent. It was found that all clients produced forensic data which could be located with a topical search. It was also found that all clients provided the same data as a function of their operation. This data could be used by a forensic investigator to locate information about a downloaded file where the file had been erased, or stored in a remote location.
[1]
Sean J. Geoghegan,et al.
PHAT: a P2P history analysis tool
,
2009
.
[2]
Andrew Woodward.
The effectiveness of commercial erasure programs on BitTorrent activity
,
2005,
Australian Computer, Network & Information Forensics Conference.
[3]
Paul Turner,et al.
Computer Incident Investigations: e-forensic Insights on Evidence Acquisition
,
2004
.
[4]
R. Bolla,et al.
Characterizing the network behavior of P2P traffic
,
2008,
2008 4th International Telecommunication Networking Workshop on QoS in Multiservice IP Networks.
[5]
Andrew Woodward.
What Artifacts do Current BitTorrent Clients Leave Behind?
,
2008,
Security and Management.