Hello everyone,
I am working on a case where the computer is a Mac. He has been accused of distributing CP and voyeurism via tumblr.
Upon verification, we ended up on torrent files and a lot of them seem to be hinting that the contents are CP.
I'm looking at the Application Support folder of uTorrent for the targeted user.
I extracted all the data that was in it so I could fiddle manually with the config files like the resume.dat, the settings.dat, etc.
My understanding of the resume.dat is that
seedtime = time the torrent has been seeded
uploaded = amount of bytes that have been uploaded
However, when I look at some files, I see that the seedtime = 0, but the uploaded = 10000+.
How is this possible? I am not sure how to explain this. Was the file distributed or was it not?
What am I missing?
Also, on a similar subject, I know we have some free tools for analysis of p2p programs like emule, frostwire, limewire, etc.
We don't seem to have any tools for torrent config file analysis (which contain similar data in the settings / resume files). I was wondering if there was any program that could help me intelligently interpret and parse out the data for report creation (I used BEncode but it's not very… report-friendly or court-friendly).
ALSO, would there be any of these programs that would work in the Mac environment? (Not for a Mac forensic computer, but for an analysis on a Mac.) Belkasoft can do Windows P2P, but not Mac P2P (aside from actual torrent files).
Thank you very much guys =)
———–
Short and sweet version
1) Difference between seedtime and uploaded? (I have files that have 0 seedtime, but 10000+ uploaded.)
2) Forensic programs for uTorrent activity analysis (parse out resume / settings etc., like LimeWire Investigator)
3) Any forensic programs like those stated in #2, but that work for suspect computers that run the Mac environment?
Don't take this as gospel, but when you are downloading a torrent people can still get bits from you, so what I would guess is that at the completion of the download the suspect was deleting the torrent or stopped it from seeding. Thus you would have some uploading while having no seedtime (I'm under the impression that seedtime does not begin until the file is completed).
I wrote up a Python script that parses the resume.dat and outputs it to the screen separated by commas. I've never looked at the settings.dat, but I suspect I could figure something out for it. With a little work I could probably create a GUI and output to CSV if that's something people would find useful. I wrote it for our Cyber Detectives and they seem to like it. The script runs anywhere that has Python3 + the modules required.
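An added example of the kind of parser described above (my code, not the poster's script and not a uTorrent tool): a minimal bencode decoder that pulls the two resume.dat fields the thread discusses into CSV rows and annotates the seedtime = 0 / uploaded > 0 pattern for follow-up. The sample bytes are constructed, and the key names `seedtime` and `uploaded` are taken from the thread, not from any published uTorrent format specification.

```python
import csv
import io

def bdecode(data: bytes):
    """Decode a bencoded byte string into ints, bytes, lists and dicts."""
    def parse(pos):
        c = data[pos:pos + 1]
        if c == b"i":                          # integer: i<digits>e
            end = data.index(b"e", pos)
            return int(data[pos + 1:end]), end + 1
        if c in (b"l", b"d"):                  # list or dict, closed by 'e'
            items, pos = [], pos + 1
            while data[pos:pos + 1] != b"e":
                item, pos = parse(pos)
                items.append(item)
            if c == b"l":
                return items, pos + 1
            return dict(zip(items[0::2], items[1::2])), pos + 1
        if c.isdigit():                        # byte string: <len>:<bytes>
            colon = data.index(b":", pos)
            start, length = colon + 1, int(data[pos:colon])
            return data[start:start + length], start + length
        raise ValueError(f"malformed bencode at offset {pos}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value

def resume_rows(resume_dat: bytes):
    """One row per torrent entry: (name, seedtime, uploaded, note)."""
    rows = []
    for key, entry in bdecode(resume_dat).items():
        if not isinstance(entry, dict):
            continue  # skip non-torrent top-level values
        seedtime = entry.get(b"seedtime", 0)   # key names as used in the thread
        uploaded = entry.get(b"uploaded", 0)
        note = "seedtime=0 but uploaded>0: confirm field semantics" if seedtime == 0 and uploaded > 0 else ""
        rows.append((key.decode("utf-8", "replace"), seedtime, uploaded, note))
    return rows

def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["torrent", "seedtime", "uploaded", "note"])
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample resume.dat (not from any case) showing the pattern asked about.
SAMPLE = (b"d15:sample1.torrentd8:seedtimei0e8:uploadedi12345ee"
          b"15:sample2.torrentd8:seedtimei3600e8:uploadedi0eee")
```

Run `to_csv(resume_rows(data))` on the raw bytes of an extracted resume.dat; the note column only marks rows for manual review and does not by itself establish that anything was distributed.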
However, when I look at some files, I see that the seedtime = 0, but the uploaded = 10000+.
How is this possible? I am not sure how to explain this. Was the file distributed or was it not?
What am I missing?
Exact information on what seedtime really is. Don't assume you can deduce it from its name.
Is it a timestamp or a period of time? If it's a timestamp, is it the first or the last? Is it reset on disabling seeding? If a period of time, is it cumulative, or is it reset when seeding is re-enabled? Is it seeding in any context, or only general seeding? And even … is it while the client is seeding or when it is being seeded? (The 'cheat sheet' from Robert Pearson is useful only if you trust his research to apply to your situation. I wouldn't, myself.)
Uploaded – similar questions. But if you play around with some torrent clients you'll probably see that some peers connect to your torrent client but don't really download anything. Or some peers don't seem to get a solid connection, but try and try again and just fail after a few seconds (possibly being capped at the peer end). The administrative information sent to them still seems to count as uploaded information. (I suspect some may be investigative clients trying to see if I made any known copyright-infringing torrents available … - ) Does this happen also for uTorrent? All versions? (I can easily think of a way to test this, involving writing my own torrent client that does no downloads at all, but just handshakes and asks for administrative information. Then see if uploaded changes as I run it.)
Unfortunately, uTorrent is closed source, so it's a question of testing to find the answers. Unless you happen to find someone who has made an analysis … however, for that the actual client release is necessary – you need to stay fairly close in terms of release numbers. You also need to ensure that the configuration you are investigating conforms to any version tested by someone else. If the difference is too great, the risk that things have changed is correspondingly greater. And torrent clients tend to allow for some very detailed settings, that may affect interpretation.
It is not so complicated as it sounds and it has nothing to do with the torrent client being closed source or not.
Analyze the local temporary files (probably deleted or rotated) and the cache files. File system level analysis will lead you to the right information.