Can current packet analysis software detect BitTorrent activity or extract files from BTP and μTP traffic streams?
Document Type
Conference Proceeding
Publisher
Secau
Editor(s)
Dr Andrew Woodward and Professor Craig Valli
Faculty
Faculty of Computing, Health and Science
School
School of Computer and Security Science / Security Research Centre (secAU)
RAS ID
13311
Abstract
BitTorrent is a peer-to-peer file sharing protocol used to exchange files over the internet, and is used for both legal and illegal activity. Newer BitTorrent client programs use proprietary UDP-based protocols as well as TCP to transmit traffic, and also have the option of encrypting the traffic. This network forensic research examined a number of packet analysis programs to determine whether they could detect such traffic from packet captures of a complete file transmitted using one of four protocol options. The four states examined were: TCP without encryption, TCP with encryption, μTP without encryption and μTP with encryption, and the six programs investigated were: Network Miner, Tcpxtract, Honeysnap, OpenDPI, Netwitness Investigator and SPID. None of the six programs was able to fully reconstruct a file, and most were not even able to detect that the traffic related to BitTorrent usage. The Netwitness Investigator program was able to extract the announce and scrape files. The signature-based SPID was able to partly match TCP-based torrent traffic, but could not identify μTP traffic. The conclusion is that until new tools are developed, forensic investigators must continue to rely on artifacts created by the BitTorrent clients themselves in order to locate evidence in the event that a crime has been alleged.
DOI
10.4225/75/57b2c14440cf0
Access Rights
free_to_read
Comments
Pung, W., & Woodward, A. J. (2011). Can Current Packet Analysis Software Detect BitTorrent Activity or Extract Files From BTP and uTP Traffic Streams? Paper presented at The 9th Australian Digital Forensics Conference, Citigate Hotel, Perth, Western Australia.