Beruflich Dokumente
Kultur Dokumente
Digital Investigation
journal homepage: www.elsevier.com/locate/diin
a b s t r a c t
Keywords: With professional and home Internet users becoming increasingly concerned with data
BitTorrent protection and privacy, the privacy afforded by popular cloud le synchronisation services,
Sync such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A
Peer-to-Peer
number of these services have recently been reported as sharing information with
Synchronisation
governmental security agencies without warrants. BitTorrent Sync is seen as an alternative
Privacy
Digital forensics by many and has gathered over two million users by December 2013 (doubling since the
previous month). The service is completely decentralised, offers much of the same syn-
chronisation functionality of cloud powered services and utilises encryption for data
transmission (and optionally for remote storage). The importance of understanding Bit-
Torrent Sync and its resulting digital investigative implications for law enforcement and
forensic investigators will be paramount to future investigations. This paper outlines the
client application, its detected network trafc and identies artefacts that may be of value
as evidence for future digital investigations.
2014 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access
article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
http://dx.doi.org/10.1016/j.diin.2014.03.010
1742-2876/ 2014 The Authors. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license (http://
creativecommons.org/licenses/by-nc-nd/3.0/).
S78 J. Farina et al. / Digital Investigation 11 (2014) S77S86
governmental agencies without the need of a warrant or infringement, sharing of child exploitation material, mali-
even just cause. As a result, BitTorrent Sync (also referred to cious software distribution, etc.
as BTSync, BitSync or BSync), which provides much of the
same functionality without the cloud storage aspect is seen Contribution of this work
by many as a real alternative. The service has numerous
desirable attributes for any Internet user (BitTorrent Inc, The contribution of this work includes a forensic anal-
2013a): ysis of the BTSync client application, its behaviour, artefacts
created during installation and use, and remnants left
Compatibility and Availability Clients are built for behind after uninstallation. An analysis of the sequence of
most common desktop and mobile operating systems, network trafc and le I/O interactions used as part of the
e.g., Windows, Mac OS, Linux, BSD, Android and iOS. synchronisation process are also provided. This informa-
Synchronisation Options Users can choose whether to tion should prove useful to digital forensic investigators
sync their content over a local network or over the when BTSync is found to be installed on a machine under
Internet to remote machines. investigation. Gaining an understanding of how BTSync
No Limitations or Cost Most cloud synchronisation operates could aid in directing the focus of a digital inves-
services provide a free tier offering a small amount of tigation to additional remote machines where any perti-
storage and subsequently charge when the user out- nent data is replicated. Depending on the crime under
grows the available space. BTSync eliminates these investigation, these remote machines may be owned and
limitations and costs. The only limitation to the volume operated by a single suspect or by a group sharing a com-
of storage and speed of the service is down to the lim- mon goal. While an initial analysis of the network protocol
itations of the synchronised users machines. and its operation is included below, comprehensive
Automated Backup Like most competing products, network analysis is beyond the scope of this paper.
once the initial install and conguration is complete, the
data contained within specied folders is automatically Background
synchronised between machines.
Decentralised Technology All data transmission and In order to understand how BTSync operates, its
synchronisation takes place solely in a Peer-to-Peer important to rst understand the technologies its based
(P2P) fashion, based on the BitTorrent le sharing upon and how a number of similar technologies operate.
protocol. This section provides some of the required background
Encrypted Data Transmission While synchronising information.
data between computers on different LANs (the option
exists to apply encryption for internal LAN trans- BitTorrent le sharing protocol
mission), the data is encrypted using RSA encryption.
Under the BTSync API (BitTorrent Inc, 2013b), de- The BitTorrent protocol was designed with the aim of
velopers can also enable remote le storage encryption. facilitating one-to-many and many-to-many le transfers
This could result in users storing their data on untrusted as efciently as possible. The protocol is described in Bit-
remote locations for the purposes of redundancy and Torrent Enhancement Proposal (BEP) No. 3 (Cohen,
secure remote backup. February 2014). The main strength of the protocol is the
Proprietary Technology The precise protocol and usage of le parts, each of which can be manipulated and
operation of the technology is not openly documented managed separately. While one part of a le downloads,
by the developer resulting in an element of perceived another, already downloaded part can be uploaded to a
security through obscurity. Of course, this requires a different peer. In this way, peers can start trading parts
signicant degree trust on behalf of users that the de- even before they have downloaded the entire le them-
velopers security has been implemented and tested selves. This has the benet of not only speeding up distri-
correctly. bution as each peer can nd useful information on a broad
range of potential peers but it also helps alleviate the issues
As a result of the above, the BTSync application has of churn (Stutzbach and Rejaie, 2006) Data Leeching
become a very popular choice for le replication and syn- and free riding (Karakaya et al., 2009) experienced with
chronisation. The technology had grown to over one older protocols such as Gnutella and eDonkey. Data leech-
million users by November 2013 and doubled to over two ing is where a user downloads an entire le in one go and
million users by December 2013 (BitTorrent Inc, 2013c). The then removes the share to avoid uploading. Data churn is
service will be of interest to both law enforcement and the natural expansion and retraction of the network hori-
digital forensics investigators in future investigations. Like zon as peers leave and join the swarm freely resulting in a
any other le distribution technology, this interest may be large variance in the availability of full versions of a le
centred around recovering evidence of the data itself, of the being available from individual sources.
modication of the data or of where the data is synchron- The overall BitTorrent network can be seen as being sub-
ised to. While the legitimate usage of the system, e.g., divided into BitTorrent swarms. Each swarm consists of a
backup and synchronisation, teamwork, data transfer be- collection of peers involved in the sharing of the same le.
tween systems, etc., may be of interest to an investigation, The central commonality of a swarm is a unique identier
the technology may also be a desirable one for a number of created from a SHA-1 hash of the le(s) references in the
potential crimes including industrial espionage, copyright metadata. A peer can be a member of multiple swarms as
J. Farina et al. / Digital Investigation 11 (2014) S77S86 S79
Table 2 there are three main distinct settings determining the re-
BitTorrent sync default application les. sources used for peer discovery and the paths available for
File Purpose trafc transmission. BTSync uses similar peer discovery
$Volume$\Program Files\BitTorrent Main Executable methods to the regular BitTorrent protocol. These methods
Sync\BTSync.exe are outlined below:
$Volume$\Documents and Private Key
Settings\[User]\Application
Data\Microsoft\Crypto\<user SID>
1. LAN Discovery If the option Search LAN is
$Volume$\Documents and Application folder enabled the client application will start sending peer
Settings\[User]\Application discovery packets across the LAN utilising the multicast
Data\Bittorrent Sync address IP 239.192.0.0 Port: 3838. These packets,
$Volume$\Documents and Conguration Settings
as displayed in Fig. 3, are sent at a frequency of one every
Settings\[User]\Application
Data\Bittorrent Sync\settings.dat 10 seconds for each share utilising this method.
$Volume$\Documents and Log of Synchronisation
Settings\[User]\Application Activity The local peer discovery packet has a BSYNC header and
Data\Bittorrent Sync\sync.log
a message type of ping and includes the sending hosts IP
$Volume$\Documents and Language File
Settings\[User]\Application address, port and the 20 byte ShareID of the share being
Data\Bittorrent Sync\sync.lng advertised. Hosts on the LAN receiving the packet will drop
$Volume$\Documents and Settings\All Application Shortcut it if the ShareID is not of interest to them. Any host that has
Users\Desktop\BitTorrent Sync.lnk an interest will respond with a UDP packet to the port
$Volume$\Documents and Settings\All Application Shortcut
Users\Start Menu\BitTorrent
advertised. The response does not have a BSYNC header
Sync.lnk present and the data eld only contains the PeerID of the
$Volume$\Documents and Settings\All Application Shortcut responding peer. This discovery is restricted to Path A in
Users\Quick Start\BitTorrent Fig. 2.
Sync.lnk
any peer will register its details in the form of SHA- Fig. 5. BTSync tracker response packet.
Table 3
Component elds for request packet.
Key Explanation
d: [The Entire Dictionary]
la: [IP:Port in Network-Byte Order]
m: [Message Type Header, e.g., get_peers]
peer: [Local Peer ID]
share: [Local Share ID]
e: [End]
Fig. 6. BTSync relay request packet.
J. Farina et al. / Digital Investigation 11 (2014) S77S86 S83
Table 4 Table 6
Sample contents of BitSync log le. Created BTSync registry keys during installation.
[2013-12-01 12:41:33] Loading cong le version 1.1.82 HKCR \Applications BTSync.exe \shell \open \command
[2013-12-01 12:41:33] Loaded folder \\?\wUser\BTSync HKCU \Software \Classes \Applications \BTSync.exe \shell \open
[2013-12-01 12:41:33] Loaded folder \\?\wUser\Desktop\sharefolder \command
[2013-12-01 12:41:33] Loaded folder \\?\wUser\Desktop\sf2 HKCU \Software Microsoft \Windows \CurrentVersion \Run
[2013-12-01 12:43:44] Got ping (broadcast: 1) from peer HKCU \Software \Microsoft Windows \ShellNoRoam \MUICache
192.168.0.11:27900 HKLM \SOFTWARE \Microsoft \ESENT \Process \BTSync \DEBUG
(00DC0AC2F0F91921AE29FC5E8F2273828BBAC747) for share <if debug log enabled
35F762999B1275C0F894F3D5FBAC7059F76783ED HKLM SOFTWARE \Microsoft \Windows \CurrentVersion \Uninstall
[2013-12-01 12:43:44] Found peer for folder BitTorrent Sync
\\?\wUser\Desktop\sharefolder HKLM \SYSTEM \ControlSet001 Services \SharedAccess \Parameters
00DC0AC2F0F91921AE29FC5E8F2273828BBAC747 \FirewallPolicy \StandardProle \AuthorizedApplications \List
192.168.0.11:27900 direct:1 value: (C: \Program Files \BitTorrent Sync
[2013-12-01 12:43:45] Sending broadcast ping for share \BTSync.exe:*:Enabled:BitTorrent Sync)
55045F90CA4C1A42DDB78DCD132F3ACC33E946EC HKU S-1-5-21.-1003 \Software Classes \Applications \BTSync.exe
[2013-12-01 12:43:45] Requesting peers from server HKU \S-1-5-21.-1003 \Software \Classes \Applications \BTSync.exe
[2013-12-01 12:43:45] Sending broadcast ping for share shell \open \command
35F762999B1275C0F894F3D5FBAC7059F76783ED HKU \S-1-5-21.-1003 \Software \Microsoft Windows \Current
Version \Run
HKU \S-1-5-21.-1003 \Software \Microsoft \Windows \ShellNo
Roam \MUICache
.SyncID le.The database les are created in the User HKU \S-1-5-21.-1003_Classes \Applications \BTSync.exe \shell \
application data folder. The lenames used for these data- open \command
C: \Program Files \BitTorrent Sync \BTSync.exe
base les are the same as the ShareID stored in the C: \Documents and Settings \All Users \Desktop \BTSync.lnk
.SyncID le. .SyncIgnore is created in the share folder
and 822bytes are written to it. The data written are the
explanation of the les purpose and usage as well as a completely. While the le had been removed completely
short list of les usually generated by an Operating System. from the original host, on the local host it was instead
Next the synchronization process starts with the crea- moved from the main folder to a hidden subfolder
tion of sync.dat.new which will be renamed to (.SyncArchive) and not moved to the recycle bin. It is
sync.dat and eventually sync.dat.old as subsequent unknown at this time if there is any trigger or ag set that
synchronisations take place. The <ShareID>.db-wal le would result in this hidden le being deleted completely off
is created to act as a holding area for data to be written to the system. If not, then a remote host could theoretically
the SQLite database le of the same name. Next the data is constantly add and remove les to a synchronisation folder
received and written to a synchronisation delta le in in order to deliberately occupy space on the local host with
preparation for merging into a fully synchronized text le. hidden les and so perform a form of low-tech denial of
File data waiting merger can be identied by the extension service attack by lling local storage.
!sync and !sync(X). BTSync does not come with any uninstaller of its own
The registry keys outlined in Table 6 were found after and must be removed from the Control panel. After unin-
installation. stall the system was rebooted to ensure that the service had
Next a le was deleted from the remote host and 10 min stopped running and any post uninstall clean-up had been
were given to ensure the local host had synchronised performed, le locks cleared etc. A number of associated
registry keys were still present, as outlined in Table 7.
In addition to this, all shared le folders used in syn-
Table 5
Example le I/O during the Clients synchronisation procedure. chronisations were still present as well as the default
BTSync share created at install. The application folder was
Action File I/o Path
also still present in the $Volume$\Documents and Set-
Create .SyncID 20B Share tings\[User]\Application Data folder but the syn-
Create <ShareID>.db AppData
Create <ShareID>.db-journal AppData
c.log le had been emptied.
Write <ShareID>.db-journal 512B AppData As well as registry keys BTSync creates several other
Write <ShareID>.db 3KB AppData les that may be of interest to the forensic investigator.
Delete <ShareID>.db-journal AppData These les are located in the directory $Volume$\Docu-
Create .SyncIgnore 822B Share
ments and Settings\[User]\Application Data\-
Create sync.dat.new 822B AppData
Rename sync.dat to 450B AppData Bittorrent Sync\. The contents of each le is outlined
sync.dat.old below:
Rename sync.dat.new to 822B AppData
sync.dat
<40 character share ID number>[.db, .db-shm,
Create <ShareID>.db-wal AppData
Create sample3.txt.!sinc 33B Share .db-wal] These les contribute to a SQLite3 data-
Rename sample3.txt.!sinc to 33B Share base. The database describes the contents of the share
sample3.txt.!sinc. directory corresponding to the share ID. It contains l-
Write sample3.txt.sync.sync1 33B Share enames, transfer piece registers and hash values for
Rename sample3.txt.sync.sync1 Share
to:sample3.txt
each individual le and its constituent pieces. While the
.db le stores information on the schema of the database
J. Farina et al. / Digital Investigation 11 (2014) S77S86 S85
merely requires any user wishing to join a particular being recoverable from other remote hosts. Due to Bit-
synchronised folder to have the key, an investigator could Torrents reliance on regular hashing for le distribu-
also join the shared folder to download the data having tion, the resultant hashes of remotely gathered les may
recovered the corresponding les through hard drive be resolvable to the suspects machine.
analysis. Subsequent monitoring of the network commu-
nications using common tools, e.g., WireShark, tcpdump or
References
libpcap, can aid in the identication of other nodes syncing
the same content. In a number of investigative scenarios, BitTorrent Inc. BitTorrent Sync User Manual [Online; accessed February
this may focus the investigation in a benecial direction 2014], http://www.bittorrent.com/help/manual/; 2013a.
resulting in the discovery of additional pertinent evidence BitTorrent Inc. BitTorrent Sync Developer API [Online; accessed February
2014], http://www.bittorrent.com/sync/developers/api; 2013b.
or additional suspects. BitTorrent Inc. BitTorrent Sync Article [Online; accessed February 2014],
http://blog.bittorrent.com/2013/12/05/bittorrent-sync-hits-2-
Future work million-user-mark/; 2013c.
Chung H, Park J, Lee S, Kang C. Digital forensic investigation of cloud
storage services. Digit Investig 2012;9(2):8195.
From this initial analysis of the BTSync system, much Cohen B. Incentives build robustness in bittorrent. In Proceedings of the
further work needs to be done. The following list amounts Workshop on Economics of Peer-to-Peer systems, Vol. 6; 2003.
pp. 6872.
to the list of areas for future investigation:
Cohen B. The BitTorrent Protocol Specication and Enhancement Pro-
posals [Online; accessed February 2014], http://www.bittorrent.org/
Network Analysis Identication of BTSync trafc and beps/bep_0000.html; 2014.
Drago I, Mellia M, Munafo MM, Sperotto A, Sadre R, Pras A. Inside
subsequent analysis to determine differentiation from
dropbox: understanding personal cloud storage services. In: Pro-
standard BitTorrent trafc. ceedings of the 2012 ACM Conference on Internet Measurement
Investigation Utility A standalone application to Conference. IMC 12. New York, NY, USA: ACM; 2012, ISBN 978-1-
4503-1705-4. pp. 48194.
extract relevant information from a suspect live or
Karakaya M, Korpeoglu I, Ulusoy O. Free riding in peer-to-peer networks.
imaged machine running BTSync. Internet Comput IEEE 2009;13(2):928. http://dx.doi.org/10.1109/
Automated Share Detection Identifying BTSync shares MIC.2009.33.
advertised by BTSync clients and detecting network Quick D, Choo KKR. Forensic collection of cloud storage data: does the act
of collection result in changes to the data or its metadata? Digital
activity to or from known locations. Investigation 2013a;10(3):26677.
Crawling To systematically follow connections to or Quick D, Choo KKR. Google drive: forensic analysis of data remnants.
from a share and identify new connections as they are Journal of Network and Computer Applications 2013b;40:17993.
Quick D, Choo KKR. Digital Droplets: microsoft SkyDrive forensic data
discovered. remnants. Future Generation Computer Systems 2013c;29(6):1378
Enumeration Identifying individual shares and all 94.
active swarm members by the participating IP addresses Reddit. BTSecrets [Online; accessed February 2014], http://www.reddit.
com/r/btsecrets; 2013.
and peer identiers. Scanlon M, Kechadi MT. Digital evidence bag selection for P2P network
Geolocation Geolocating identied IP addresses may investigation. In: Future information technology. Springer; 2014.
prove pertinent to recovering additional evidence pp. 30714.
Scanlon M, Hannaway A, Kechadi MT. A week in the life of the Most
regarding the suspect or may aid in the identication of Popular BitTorrent Swarms. In: 5th Annual Symposium on Informa-
others involved. tion Assurance (ASIA10); 2010.
API Analysis Testing the provisioned API to determine Stutzbach D, Rejaie R. Understanding churn in peer-to-peer networks. In:
Proceedings of the 6th ACM SIGCOMM Conference on Internet
what features can be leveraged to assist in forensic
Measurement. IMC 06. New York, NY, USA: ACM; 2006, ISBN 1-
investigations. 59593-561-4. pp. 189202. http://dx.doi.org/10.1145/1177080.
Recovery of Deleted Shares In the scenario where a 1177105.
suspect has securely deleted any incriminating evidence Wang H, Shea R, Wang F, Liu J. On the impact of virtualization on
dropbox-like cloud le storage/synchronization services. In: Pro-
from the local machine, the identication of trace in- ceedings of the 2012 IEEE 20th international workshop on quality of
formation on the machine may result in the evidence service, vol. 11. IEEE Press; 2012. pp. 19.