Hi, I am carrying out a requirements elicitation for my project. The project is to carry out a forensically sound investigation on the BitTorrent client uTorrent.
I am looking for requirements a forensic investigator would need when carrying out this type of investigation.
So my questions are:
What would a Forensic investigator want to know about the BitTorrent client uTorrent?
In what locations would the artefacts be created when downloading files using a torrent in uTorrent?
Any answers would be much appreciated and would help me move forward in my project for my computer forensics course.
Thank you.
What are your own thoughts on the first question? What research have you done to answer the second?
In what locations would the artefacts be created when downloading files using a torrent in uTorrent?
That's one of the basic questions an FE would like to have answered, yes. It's a question that needs to be answered completely, though, taking product releases, user configuration and perhaps even platform localization into account. (You, on the other hand, may need to consider only one platform or a small subset of releases to keep the work from ballooning out of control.)
But I would expect you to fill in many of the missing questions yourself, as they are more or less standard questions for just about any software product:
Is there or has there been a uTorrent client installed or otherwise present on the equipment examined? (i.e. what unique footprint does the software leave?)
When was it installed/downloaded/etc?
When was it used? By whom?
How was it used – downloads as well as uploads? Or perhaps neither?
What transactions (downloads/uploads/other) can be traced? Can any transferred data be identified? Where are/were the files stored?
Are there any secondary footprints that appear during use, and may be left after removal? (In this area is client-specific malware – are there any particular vulnerabilities associated with uTorrent clients? Are there any known exploits? Can successful exploits be identified? While interesting, it's not of primary importance, though)
(You may also want to cast an eye at uTorrent servers for the same platform, so as to ensure that you don't mistakenly identify a uTorrent server installation as a client.)
Some of those questions may be best answered by non-uTorrent artifacts – prefetch records, etc. Those would probably be of secondary interest for your work.
There also may be additional uTorrent-specific questions that are of forensic interest, of course.
Thanks for the reply.
I did some user stories to identify what a user goes through to download and upload torrent files and I discovered some requirements, however I wanted the opinions of other people and forensic specialists to widen the range of my experiments.
Also, thanks to the post by athulin, I will look into a more specific approach to uTorrent, such as the dates and times of installation and any artifacts that indicate if the program was uninstalled after use.