Hi!
We have a user who previously have used BitTorrent to download copyrighted material to our company’s computer.
He got a warning in November. Our logs show new downloads during January and there are .torrent-files created in January on the computer.
The user denies having downloaded anything since the warning. He says “maybe I started the downloads before and they restarted when I connected the computer to internet”. What I understand the .torrent-file is the first thing downloaded. Doesn’t the January dates indicate that the user initiated the downloads after he received the warning?
Is there any other possible explanation?
Thanks in advance!
What I understand the .torrent-file is the first thing downloaded.
Your question suggests that you haven't used torrent clients very much, or that you may not have much experience with them. If that's a correct guess, try it out - and in particular the client this user was using (BitTorrent?). Different clients behave in different ways.
Doesn’t the January dates indicate that the user initiated the downloads after he received the warning?
It's a possibility, of course.
I often find .torrent files in my Downloads that I have not wittingly downloaded. They seem to come from web links to torrent files, which my web browser will download when I follow them … but as I don't have any torrent automation active, i.e. my browser does not know what to do with .torrent file, they're just downloaded. (I find that happens a lot when a new Ubuntu or Centos release has been published … I follow the download link, but it takes me to a torrent, not the HTTP/FTP download that I want.)
If My Downloads (or any other such directory) is used for other clients, then download through those is a possibility. So you need to figure out if anything else uses that target directory for downloads. And figure out how those clients download stuff.
Downloaded files often, but not always, have an ADS called 'Zone.Identifier'. (See https://
Torrent clients may separate not-yet-fully-downloaded files with completed-downloads, and keep one in one directory and when the download is finished, move them elsewhere, including the .torrent file. That has the technical possibility of changing timestamps. So you need to know how this particular client was configured, and exactly what happens when a download was completed. (Which basically means you need to try it out … unless you can find authoritative information about its behaviour by other means.)
(However, the proposed explanation also requires the torrent client to be rpesent and running on the users computer. you should be able to figure out if it was. If it was uninstalled … some other explanation is needed. So … timeline time. What actually happened on this computer during the relevant time?)
Is there any other possible explanation?
Almost certainly. But 'possible' branches out very quickly, and just about anything is generally possible.
Are there other ways of answering your question? Again, almost certainly. What happened in this particular case? Do you have a timeline of activity on the computer? Can you see the download in browser history? Or see browser activity at the time it is suspected of being downloaded? Was the computer even turned on at the time? (If not, something else or something more happened.)
What info does the bittorrent client give any relevant logs of downloads? Any information about when it was started and stopped? Or does it run as a service/daemon so that it's always on? And you may want to ensure that you are looking at a BitTorrent client, and not also a torrent server.
Thank you for a very informative reply! I got some leads to follow up.
Note that using torrents is perfectly safe if you share only non-copyrighted material. Remember, using BitTorrent or other torrent application doesn't grant you anonymity. Unless you use VPN your IP-address remains visible and you can easily be tracked by copyright watchdogs.