Robert Erdely Pennsylvania State Police (Retired) Indiana County Detectives Bureau Ares - aresgalaxy.sourceforge.net/ Bittorrent - www.bittorrent.com/ eMule Freenet – www.freenetproject.org/ Gigatribe - www.gigatribe.com Gnutella - www.shareaza.com/ Gnutella2 - www.shareaza.com/ IRC – www.mirc.com Peer to peer (P2P) file sharing networks, are frequently used to obtain and trade digital files of child pornography. These files include both image and movie files. These files range from commercially produced to homemade. Easy to identify Computers sharing files These investigation often lead to the identification of offenders actively abusing children………. P2P File Sharing Programs What is Peer to Peer file sharing?? Peer to Peer (P2P) file sharing programs are a standard way to transfer files from one computer system to another while connected to a network, usually the Internet. Many P2P file sharing programs are Open Source. Peer-to-Peer file sharing programs allow groups of computers using the same file sharing network (i.e. Ares, Bittorrent, etc.) and protocols to connect directly to each other to share files. Why P2P file sharing networks are so “efficient”: •Fault Tolerance is built in… If the connection with one source fails, you will be connected to another •Load Balancing If a source becomes too busy you will be connected to another one •Redundancy There is more then one source for the same file P2P File Sharing Programs •File Swarming • You get a file from multiple sources and you will continually try to find more sources for that file •IP addresses • Identifies the computers that have the files and the ones that want the files •File Hashing • SHA-1 / MD4 hash uniquely identifies the target file, the exact file that one is looking for 1) P2P Clients are Geographically Indiscriminate – they gather candidates and files throughout the world ◦ Regionalize investigations with Maxmind/Icaccops website 2) File names may be misleading or inaccurate ◦ Uses hash values to identify prosecutable files 3) Files transferred from multiple sources ◦ RoundUp Investigative Tools are restricted to single source downloads 4) Ip addresses/Hash values not displayed in the typical clients ◦ Roundup Tools displays important information in the user interface A hash function, also known as a message digest, digital fingerprint, or compression function, is a mathematical function that takes a variable-length input string and converts it into a fixed-length value. A hash function is designed in such a way that it is impossible to reverse the process, that is, to find a string that hashes to a given value. MD4 (Message Digest) hash takes up 16 bytes, which is 128 bits, and can be expressed as 32 hexadecimal characters SHA1 (Secure Hash Algorithm) hash takes up 20 bytes, which is 160 bits, and can be expressed as 40 hexadecimal characters or as 32 characters (Base32). http://www.itl.nist.gov/fipspubs/fip180-1.htm to learn more about the Secure Hash Standard. MD5 ◦ 4928F86198AAE657859CFA7DF73A588F Sha1 ◦ LV4UPCZLORG5TWROSRWDIZNIW7SS2345 ◦ 5D79478B2B744DD9DA268BA5119EC3465A8B MD4 ◦ 16DEB62F7D9D711321A40DF0233DC96A (all of the above are taken from the same file) What are the Odds? Method Odds of a Match DNA (RFLP analysis) One in 100 billion1 100,000,000,000 MD5 (128 bit) One in 340 undecillion 340,282,366,920,938,000,000,000,000,000,000,000, 000 SHA1 (160 bit) One in a quindecillion 1,461,501,637,330,900,000,000,000,000,000,000,00 0,000,000,000,000 1 Excluding monozygotic (fraternal) twins, which are 0.2% of the human population 2 hours of activity 2 hours of activity 2 hours of activity 2 hours of activity 2 hours of activity 2 hours of activity 2 hours of activity 2 hours of activity Training Availability Each P2P File sharing network has a Law Enforcement investigative tool available. Training is required to use the investigative tool. The National Criminal Justice Training Center delivers training throughout the United States and can provide training on these tools as well as many other investigative areas www.ncjtc.org. Law Enforcement can request an account at: www.icaccops.com/users Robert Erdely robert.erdely@ic.fbi.gov +1 (484) 727-8283 Thank you Thomas Kerle kerlet@fvtc.edu