Introduction
You’re probably aware by now that peer-to-peer (P2P) networks are a pretty successful and popular method of distributing data over the internet. It’s easy to see why: the client software that the end user installs can be very small, simple to use, and more often than not works like a charm. It’ll usually download a file from multiple locations, ensuring high download speeds; will immediately make the file available for upload to others; will deal with missing chunks of data and dropped connections; and when it’s finished downloading every piece of the file it’ll assemble a contiguous usable file from all the data chunks, all without any centralised management system. Brilliant. Which makes me wonder why P2P appears to be used almost exclusively to distribute contraband material and hardly ever as a way to distribute legitimate files.
Due to the way they work, P2P clients by necessity create a lot of information about what they’ve been requested to download, where the download originated from and when. It’s a goldmine for forensic investigators and bad news for the subject of the investigation, as in most jurisdictions distribution of contraband material is punished more severely than mere possession.
Findings
With the above in mind, Alexander Kuiper, through his company Kuiper Forensics, developed an application that quickly scans for P2P applications, web disks and UseNet clients and, once the presence of such applications is detected, evaluates the databases of the following:
· eMule (known.met)
· Kazaa (data256.dbb, data1024.dbb)
· Google Hello (*.chatlog, *.filmstrip)
· BitTorrent (*.torrent)
· LimeWire (library.dat, library5.dat, fileurns.cache)
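The review gives no detail of how PeerLab's own scan works, so as an added example (not PeerLab's code) here is a small Python triage scanner that walks a directory tree for the artifact filenames listed above, records each hit's size and SHA-256, and reports which clients appear to have been present. The sample tree it builds is constructed for the demonstration; the filename patterns are the ones the review lists.

```python
"""Triage scan for P2P client artifact files.

Added example for this review; it is not PeerLab's code and it does not
parse the database formats themselves. It walks a directory tree looking
for the artifact filenames the review lists, so an examiner can confirm
which clients were present before any deeper analysis. The sample tree
used for the demo is constructed in a temporary directory.
"""
import fnmatch
import hashlib
import os
import tempfile

# Artifact filename patterns per client, taken from the review's list.
P2P_ARTIFACTS = {
    "eMule": ["known.met"],
    "Kazaa": ["data256.dbb", "data1024.dbb"],
    "Google Hello": ["*.chatlog", "*.filmstrip"],
    "BitTorrent": ["*.torrent"],
    "LimeWire": ["library.dat", "library5.dat", "fileurns.cache"],
}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large database files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(filename):
    """Return the client whose pattern matches the filename, or None.

    Matching is case-insensitive because Windows filesystems are.
    """
    name = filename.lower()
    for client, patterns in P2P_ARTIFACTS.items():
        if any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns):
            return client
    return None


def scan_tree(root):
    """Walk root and return a list of hits (client, path, size, sha256), sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            client = classify(fn)
            if client is None:
                continue
            full = os.path.join(dirpath, fn)
            hits.append({
                "client": client,
                "path": os.path.relpath(full, root),
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
            })
    hits.sort(key=lambda h: h["path"])
    return hits


def clients_present(hits):
    """Distinct clients seen in the scan results."""
    return sorted({h["client"] for h in hits})


def build_sample_tree():
    """Constructed sample: a throwaway tree with a few artifact files and a decoy."""
    root = tempfile.mkdtemp(prefix="p2p_triage_demo_")
    files = {
        "Users/alice/AppData/Local/eMule/config/known.met": b"\x0e",
        "Users/alice/Downloads/movie.TORRENT": b"d8:announce0:e",
        "Users/bob/kazaa/db/data1024.dbb": b"\x00" * 32,
        "Users/bob/notes.txt": b"nothing to see",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    results = scan_tree(demo_root)
    for hit in results:
        print(f"{hit['client']:<12} {hit['size']:>6}  {hit['sha256'][:16]}  {hit['path']}")
    print("clients present:", clients_present(results))
```

Pointing `scan_tree` at a mounted image's filesystem root (read-only) gives a quick list of which clients' databases exist and where; the hashes let the hits be tied back to the image later. Parsing the individual formats is the part a tool like PeerLab does and this example deliberately leaves alone.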
Being a little old-fashioned in some respects, I enjoyed receiving this product in a physical format through the post. Probably done out of necessity, as the software requires the presence of a USB dongle, it was still nice to get a disc with the software on it in a DVD case. The case design is quite plain and could be charitably described as minimalist, while the Kuiper Forensics company logo is that old computer forensic favourite: a magnifying glass over a fingerprint and binary code.
Although I’m no fan of USB dongles - USB ports are limited, and it can be awkward to keep taking dongles out and putting them back in again - the dongle supplied with PeerLab is of the Human Interface Device (HID) variety, and so needs no installation routine or specialist drivers. Nice and easy.
With the USB dongle in place, I inserted the CD and nothing happened: there is no auto-start routine, which I think may suit some people. Clicking on the executable on the CD, I began the install process. The install process is very basic and quick: choose install location, start install, close install. PeerLab is a 32-bit program and its installed size is an impressively tiny 718KB. No option is provided to install a desktop shortcut, or to open the program, the read-me or the manual, which I think the application could benefit from and the developer should consider including in future releases. It didn't appear in my Windows 7 Start menu or in the 'All Programs' list, so I needed to visit C:/Program Files (x86)/PeerLab/ to find the PeerLab executable and create a shortcut to it on my desktop. I noted that there is no uninstaller: PeerLab does not appear as an item in the Windows 7 'Uninstall or change a program' list and there is no separate uninstall program either. I imagine writing an uninstall routine is the least glamorous part of making software, and the developer wouldn’t really want people to be removing their program, but still, it’s a necessary item that all applications should incorporate.
Next, the PeerLab license agreement. Not something worth covering in a review, you say? Think again. Apart from being unnecessarily written in all capitals, this particular license agreement was actually short enough to read in a minute or so, which makes a pleasant change; after all, how many of us can hand-on-heart say we read the whole licensing agreement of EnCase or FTK before we dive in? Having said this, forensic investigators really should be familiar with the licensing agreements of the tools they use. I especially liked the last line of this license agreement: 'Never forget - PeerLab is a tool to assist you in your daily work. You are the professional!' A great reminder.
The next screen is the configuration screen which is quite self-explanatory:
Figure 1: the PeerLab configuration screen
All straightforward so far. At this point I should mention that the PDF manual supplied on the CD is detailed, helpful and very clearly written, and serves as an excellent complement to the program. As you can see from the screenshots, the application is laid out very well and it doesn’t take long at all for the user to become familiar with it without needing to consult the manual. Next, let’s create a case:
Figure 2: creating and opening a new case
And then fill in the case details:
Figure 3: changing the case properties