Evidence Collection for Forensic Investigation in Peer to Peer Systems

Date
2011-01-01
Authors
Myneedu, Sai Giri Teja
Major Professor
Advisor
Yong Guan
Department
Computer Science
Abstract

Peer to Peer (P2P) file sharing networks are amongst the best free sources of information on the internet. Voluntary participation and lack of control make them a very attractive option to share data anonymously. However, a small group of people take advantage of the freedom provided by these networks and share content that is prohibited by law. Apart from copyrighted content, there are cases where people share files related to Child Pornography, which is a criminal offense. Law enforcement attempts to track down these offenders by obtaining a court order for search and seizure of computers at a suspect location. These seized computers are forensically examined using storage and memory-forensics tools. However, before the search warrant is issued, strong evidence must be presented to provide a reason for suspicion. Deficient investigation in the initial stages might lead to mis-identification of the source and steer the investigation in a wrong direction.

Initial evidence collection on peer to peer file sharing networks is a challenge due to the lack of a central point of control and the highly dynamic nature of the networks. The goal of this work is to create a working prototype of an initial evidence collection tool for forensics in P2P networks. The prototype is based on the idea that P2P networks could be monitored by introducing modified peer nodes onto the network for a certain time period and recording relevant information about nodes that possess criminally offensive content. Logging information sent by a suspicious node along with timestamps and unique identification information would provide strong, verifiable initial evidence. This work presents one such working prototype in alignment with the goals stated above.

Copyright
Sat Jan 01 00:00:00 UTC 2011