P2P File Sharing Programs

advertisement
Robert Erdely
Pennsylvania State Police (Retired)
Indiana County Detectives Bureau
Ares - aresgalaxy.sourceforge.net/
Bittorrent - www.bittorrent.com/
eMule
Freenet – www.freenetproject.org/
Gigatribe - www.gigatribe.com
Gnutella - www.shareaza.com/
Gnutella2 - www.shareaza.com/
IRC – www.mirc.com

Peer to peer (P2P) file sharing networks, are
frequently used to obtain and trade digital files
of child pornography.

These files include both image and movie files.
These files range from commercially produced to
homemade.



Easy to identify Computers sharing files
These investigation often lead to the identification
of offenders actively abusing children……….
P2P File
Sharing Programs
What is Peer to Peer file sharing??
Peer to Peer (P2P) file sharing programs are
a standard way to transfer files from one
computer system to another while connected
to a network, usually the Internet.
Many P2P file sharing programs are Open
Source.
Peer-to-Peer file sharing programs allow groups of
computers using the same file sharing network (i.e. Ares,
Bittorrent, etc.) and protocols to connect directly to each
other to share files.

Why P2P file sharing networks are so “efficient”:
•Fault Tolerance is built in…
 If the connection with one source fails, you will be connected to
another
•Load Balancing
 If a source becomes too busy you will be connected to another
one
•Redundancy
 There is more then one source for the same file
P2P File
Sharing Programs
•File Swarming
• You get a file from multiple sources and you will
continually try to find more sources for that file
•IP addresses
• Identifies the computers that have the files and the
ones that want the files
•File Hashing
• SHA-1 / MD4 hash uniquely identifies the target file,
the exact file that one is looking for

1) P2P Clients are Geographically Indiscriminate – they gather
candidates and files throughout the world
◦ Regionalize investigations with Maxmind/Icaccops website

2) File names may be misleading or inaccurate
◦ Uses hash values to identify prosecutable files

3) Files transferred from multiple sources
◦ RoundUp Investigative Tools are restricted to single source downloads

4) Ip addresses/Hash values not displayed in the typical clients
◦ Roundup Tools displays important information in the user interface


A hash function, also known as a message
digest, digital fingerprint, or compression
function, is a mathematical function that
takes a variable-length input string and
converts it into a fixed-length value.
A hash function is designed in such a way that
it is impossible to reverse the process, that is,
to find a string that hashes to a given value.



MD4 (Message Digest) hash takes up 16 bytes,
which is 128 bits, and can be expressed as 32
hexadecimal characters
SHA1 (Secure Hash Algorithm) hash takes up 20
bytes, which is 160 bits, and can be expressed as
40 hexadecimal characters or as 32 characters
(Base32).
http://www.itl.nist.gov/fipspubs/fip180-1.htm to learn
more about the Secure Hash Standard.

MD5
◦ 4928F86198AAE657859CFA7DF73A588F

Sha1
◦ LV4UPCZLORG5TWROSRWDIZNIW7SS2345
◦ 5D79478B2B744DD9DA268BA5119EC3465A8B

MD4
◦ 16DEB62F7D9D711321A40DF0233DC96A
(all of the above are taken from the same file)
What are the Odds?
Method
Odds of a Match
DNA (RFLP analysis)
One in 100 billion1
100,000,000,000
MD5 (128 bit)
One in 340 undecillion
340,282,366,920,938,000,000,000,000,000,000,000,
000
SHA1 (160 bit)
One in a quindecillion
1,461,501,637,330,900,000,000,000,000,000,000,00
0,000,000,000,000
1 Excluding monozygotic (fraternal) twins, which are 0.2%
of the human population
2 hours of activity
2 hours of activity
2 hours of activity
2 hours of activity
2 hours of activity
2 hours of activity
2 hours of activity
2 hours of activity
Training Availability
Each P2P File sharing network has a Law
Enforcement investigative tool available.
Training is required to use the investigative tool.
The National Criminal Justice Training Center
delivers training throughout the United States and
can provide training on these tools as well as
many other investigative areas

www.ncjtc.org.
Law Enforcement can request an account at:
www.icaccops.com/users
Robert Erdely
robert.erdely@ic.fbi.gov
+1 (484) 727-8283
Thank you
Thomas Kerle
kerlet@fvtc.edu
Download