Investigating Window Bittorrent
21/03/2023 Monday
BitTorrent is a peer-to-peer file sharing software that allows users to share large files such as movies, music and so on over the internet. It works by breaking down large files into smaller pieces and distributing them across a network of users, known as a swarm. When a user wants to download a file, they connect to the swarm and start downloading and uploading pieces of the file to and from other users. This means that as more users join the swarm, the download speed can increase making it a faster and more efficient way of sharing large files compared to traditional methods.
Digital Forensics Value of Bittorrent
BitTorrent can be useful in digital forensics investigations related to intellectual property theft, cybercrime, data leakage, and network intrusion. Tracing the sources and destinations of files and examining the metadata can help in providing evidence and identifying individuals or groups involved in illegal activity.
Location of Bittorrent Artifacts
Bittorrent artifacts are found in the following location:
%systempartititon%\%username%\AppData\Roaming\BitTorrent
Analyzing Bittorrent with ArtiFast
This section will discuss how to use ArtiFast to extract Bittorrent from Windows and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Bittorrent artifacts.
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Window Bittorrent artifacts in ArtiFast.
BitTorrent Added Torrents Artifact
- Date - The date and time when the torrent was added.
- Runtime - The ID of the user.
- Completed on - The date and time the download was completed on.
- Download Path - The path where the files were downloaded.
- Peers - The list of IPs and ports of the peers.
- Trackers - The list of trackers in the torrent.
- Was Moved - Indicates whether the torrent file was moved.
- Last Update Time - The date and time the torrent was last updated.
- Torrent File Name - The name of the torrent file.
- Downloaded Size - The size of the download.
- Caption - The title of the torrent.
BitTorrent Torrent Files Artifact
- Date - The date and time when the file was created.
- Files - The list of files on the torrent.
- Total Size - The total size of the torrent.
- Name - The name of the torrent.
BitTorrent Connections Information Artifact
- Peers IP - The list of IPs of the peers.
- User IP - The IP of the user.
BitTorrent Added Torrents Backup Artifact
- Date - The date and time when the torrent was added.
- Runtime - The ID of the user.
- Completed on - The date and time the download was completed on.
- Download Path - The path where the files were downloaded.
- Peers - The list of IPs and ports of the peers.
- Trackers - The list of trackers in the torrent.
- Was Moved - Indicates whether the torrent file was moved.
- Last Update Time - The date and time the torrent was last updated.
- Torrent File Name - The name of the torrent file.
- Downloaded Size - The size of the download.
- Caption - The title of the torrent.
For more information or suggestions please contact: amro.alshadfan@forensafe.com
