ICAC Peer-to-Peer Training
Understanding the Gnutella (P2P) Network
DAY ONE

Training Objectives
• IP Addresses, Ports, Netstat, & IPConfig (Overview)
• Provide a general understanding of Gnutella and other Peer to Peer (P2P) file sharing networks and clients;
• Provide a general understanding of the RoundUp tool and techniques used by ICAC to investigate P2P file sharing networks; and
• Some of the technical implications associated with P2P file sharing.

Internet Protocol (IP) Addresses – What Are They?
• IP addresses are unique identifiers for every device connected to the internet
– Similar to a Phone Number
• A typical IP address looks like this: 68.112.233.208

Connecting to the Internet
[Diagram: a computer at 67.45.23.35 exchanges packets across the Internet with its ISP’s Dynamic Host Configuration Protocol (DHCP) Server at 65.12.25.1. Outbound packets carry Source: 67.45.23.35, Destination: 65.12.25.1; replies carry Source: 65.12.25.1, Destination: 67.45.23.35.]

Special/Private IP Addresses
• Not globally routable.
• Cannot connect directly to the Internet with them.
• Cannot address information to a private IP address and send it across the Internet.
• Private Addresses
– 10.0.0.0 through 10.255.255.255
– 172.16.0.0 through 172.31.255.255
– 192.168.0.0 through 192.168.255.255
– 127.0.0.1 (Loopback)

Connecting to the Internet Behind a Router
[Diagram: internal hosts 192.168.1.100, 192.168.1.101 and 192.168.1.102 sit behind the router’s Internal Interface (192.168.1.1, addressed by MAC on the LAN); the router’s External Interface carries the IP address assigned by the ISP (67.45.23.35). A packet from 192.168.1.101 leaves the router as Source: 67.45.23.35, Destination: 65.12.25.1 (Network Address Translation, NAT); the reply (Source: 65.12.25.1, Destination: 67.45.23.35) is translated back to Destination: 192.168.1.101. The router hands out the internal addresses by DHCP and receives its own external address from the ISP’s DHCP.]

Ports
• Data is transferred through the Internet in Packets
• Packets contain:
– Source and destination IP addresses
– Source and destination port numbers
• Because of this, you can have packets that are destined for the same computer but for completely different applications
• Like doors to a business

Ports
• Common Ports:
– Port 21 ------- FTP
– Port 23 ------- Telnet
– Port 25 ------- SMTP
– Port 53 ------- Name Server
– Port 80 ------- HTTP/WEB
– 65,536 available port numbers
– More info on Ports: www.iana.org/assignments/port-numbers

IP Addresses & Ports
• Gnutella Network also uses IP Addresses & Ports to communicate
• IP & Port P2P Syntax: 74.234.21.132:6346
• Port Numbers are not always the same or static
• Dependent on the Gnutella Client
• Can change automatically or manually
• Gnutella Client may use more than one port

Using Ports to communicate with P2P File Sharing Program
[Diagram: two hosts, IP 132.177.48.63 listening on Port 6346 and IP 216.109.118.76 listening on Port 15324.]
• Packet(s) – File Request: Source IP 132.177.48.63, Source Port 6346; Destination IP 216.109.118.76, Destination Port 15324
• Packet(s) – File Transfer: Source IP 216.109.118.76, Source Port 15324; Destination IP 132.177.48.63, Destination Port 6346

Netstat (Overview)
• Netstat is an internal Windows program that displays the current network connections
– Click the “Start” Button
– Click “Run” (Windows XP only.
Vista/Win7 just type in the “Search programs and files” box)
– Type: cmd
– Type: netstat -n
• Gives us the ability to show that the suspect computer was directly connected to our computer

Ipconfig (Overview)
• Ipconfig is an internal Windows program that displays the assigned IP address for your computer
– Click the “Start” Button
– Click “Run” (Windows XP only. Vista/Win7 just type in the “Search programs and files” box)
– Type: cmd
– Type: ipconfig (ipconfig /all)
• May show a public or private IP address assigned by a router

Any Questions?
• IP Addresses?
• Ports?
• Netstat?
• Ipconfig?

P2P File Sharing Programs
What is Peer to Peer file sharing?
Peer to Peer (P2P) file sharing programs are a standard way to transfer files from one computer system to another while connected to a network, usually the Internet.
What is the Gnutella Network?
An Open Source file sharing network.

Why Investigate P2P?
• Peer to peer (P2P) file sharing networks, including the Gnutella network, are frequently used to obtain and trade digital files of child pornography.
• These files include both image and movie files.
• These files range from commercially produced to homemade.
• Easy to identify Computers sharing these files

Operation RoundUp
• Investigative effort into the dissemination of child pornography by the Gnutella file sharing network.
• This operation has led to the issuance and execution of search warrants resulting in numerous arrests & convictions for possession and distribution of child pornography.
• Additionally, numerous contact offenders & live victims have been located and identified.
• RoundUp – PA/MA State Police & UMass/Georgetown

RoundUp Investigative Tool
• Enhanced from publicly available Gnutella Client (Phex)
• Open access to download and candidate details including Hash value, IP address, & GUID
• Integrated Geo Location & Files of Interest
• Support for high number of Ultra-Peers – Increases search results
• Allows separation of downloads / uploads
• Multiple, Single Source, or Never Ending Downloads
• Collaborative Effort!!!!

With RoundUp Four Investigative Obstacles are Overcome:
• 1) P2P Clients are Geographically Indiscriminate – they gather candidates and files throughout the world
– Regionalize investigations with IP Geo Mapping
• 2) File names may be misleading or inaccurate
– Uses hash values to identify prosecutable files
• 3) Files transferred from multiple sources
– Allows either multiple or single source downloads
• 4) Dynamic IP Addresses
– Ability to track offenders via the GUID

What is the GUID?
• GUID – Globally Unique Identifier
• Example: 09D62EA7D03F677BF252C451ADC83A00
• http://en.wikipedia.org/wiki/Globally_Unique_Identifier
• Most Gnutella Clients generate a unique GUID per User Account
• When target’s IP changes, GUID stays the same
• Allows Investigator to track suspect when IP changes or identify computer/user on-scene
• May change with client upgrade or randomly
• Can be spoofed

Geographic IP Mapping
• Go to IPChicken.com & Maxmind.com (http://www.maxmind.com/)

Geographic IP Mapping
• IP trace returns city, state, & country
• Can’t serve a search warrant based on the IP trace; it is only to show which IP addresses are most likely to be in your jurisdiction.
• IP tracing minimizes the amount of effort spent working leads that end up outside your jurisdiction.
• Subpoena or Court Order is needed to get the exact location and subscriber of an IP address.

P2P File Sharing Programs
• Peer-to-Peer file sharing programs allow groups of computers using the same file sharing network (i.e.
Gnutella) and protocols to connect directly to each other to share files.

P2P File Sharing Programs
Why are P2P file sharing networks so “efficient”?
• Fault Tolerance is built in…
– If the connection with one peer fails, you will be connected to another
• Load Balancing
– If a peer becomes too busy you will be connected to another one
• Redundancy
– There is more than one source for the same file
• File Swarming
– You get a file from multiple sources depending on your settings, and you will continually try to find more sources for that file

P2P File Sharing Programs – Investigative Bonus:
• IP addresses
– Identifies the computers that have the files
• File Hashing
– SHA-1 or the “Gnutella Hash” uniquely identifies the target file
Some client programs display the IP address & SHA-1 hash value of target.

Hash Functions
• A hash function, also known as a message digest, digital fingerprint, or compression function, is a mathematical function that takes a variable-length input string and converts it into a fixed-length value.
• A hash function is designed in such a way that reversing the process, that is, finding a string that hashes to a given value, is computationally infeasible.

Common Hash Functions
• MD5 (Message Digest) hash takes up 16 bytes, which is 128 bits, and can be expressed as 32 hexadecimal characters.
• SHA1 (Secure Hash Algorithm) hash takes up 20 bytes, which is 160 bits, and can be expressed as 40 hexadecimal characters or as 32 characters (Base32).
• See http://www.itl.nist.gov/fipspubs/fip180-1.htm to learn more about the Secure Hash Standard.
Comparison Method       Odds of a Match
DNA (RFLP analysis)     One in 100,000,000,000 (Billion) [1]
MD5 (128 bit)           One in 340,282,366,920,938,000,000,000,000,000,000,000,000
SHA1 (160 bit)          One in 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000,000
[1] Excluding monozygotic twins, which are 0.2% of the human population

Hash Functions
• A "collision" occurs when two different data streams generate the same hash value.
– No known “collision” outside a lab environment.
– No known SHA-1 collision
• “Avalanche Effect” – a slight change in an input string will cause the hash value to change drastically. Even if 1 bit is changed in the input string, often at least half of the bits in the hash value will change as a result.

SHA1 – Demonstration
JQTPDSTHWKMNDT2VLIE3H7EVLMPH6QNO
S33EBO3O5SKAHKKHVATJWSXYSZFQJ5NF

Hashing Demonstration
• Cyohash (Found on ICACCops Website)

SHA-1 – Secure Hash Algorithm v1 – Training Point
• SHA-1 is used for computing a condensed representation of a message or a data file. SHA-1 produces a secure 160-bit output called a message digest.
• It is secure because it is computationally infeasible (on the order of 2^160 trials) to find two different files that produce the same SHA-1 value.
• The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST), along with the National Security Agency (NSA), for use with the Digital Signature Standard (DSS) as specified within the Secure Hash Standard (SHS).
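As an added example (not part of the training deck or any of the tools it names), the two notations for a SHA-1 value described above, 40 hexadecimal characters and the 32-character Base32 form clients display, converted in both directions, compared regardless of notation, and the avalanche effect measured by flipping one input bit; the sample input is constructed.

```python
import base64
import hashlib

def sha1_hex(data: bytes) -> str:
    """SHA-1 digest in its 40-character hexadecimal form (20 bytes = 160 bits)."""
    return hashlib.sha1(data).hexdigest()

def hex_to_base32(hex_digest: str) -> str:
    """Convert a hex SHA-1 to the 32-character Base32 form Gnutella clients show.
    20 bytes is exactly 32 five-bit symbols, so no '=' padding is produced."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 20:
        raise ValueError("a SHA-1 digest is 20 bytes, got %d" % len(raw))
    return base64.b32encode(raw).decode("ascii")

def base32_to_hex(b32_digest: str) -> str:
    """Reverse conversion; tolerates lower case and a missing '=' pad."""
    s = b32_digest.strip().upper()
    s += "=" * (-len(s) % 8)            # b32decode insists on 8-symbol groups
    raw = base64.b32decode(s)
    if len(raw) != 20:
        raise ValueError("not a 160-bit digest")
    return raw.hex()

def sha1_base32(data: bytes) -> str:
    return hex_to_base32(sha1_hex(data))

def digests_match(a: str, b: str) -> bool:
    """Compare two SHA-1 values whichever notation each uses, e.g. the Base32
    value a client displays against a hex value from a files-of-interest list."""
    def canonical(h: str) -> str:
        h = h.strip()
        return bytes.fromhex(h).hex() if len(h) == 40 else base32_to_hex(h)
    return canonical(a) == canonical(b)

def avalanche_bits(data: bytes, bit_index: int = 0) -> int:
    """Flip one input bit and count how many of the 160 digest bits change;
    the avalanche effect means this is typically close to 80."""
    flipped = bytearray(data)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    before = int(sha1_hex(data), 16)
    after = int(sha1_hex(bytes(flipped)), 16)
    return bin(before ^ after).count("1")

if __name__ == "__main__":
    sample = b"constructed sample file contents"   # not a real file
    print(sha1_hex(sample), sha1_base32(sample), avalanche_bits(sample))
```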
P2P Networks Free Net Gnutella ed2k Gnutella Network •Open source •Typically free •UltraPeer (Multiple) •True SHA1 (Base32) •160 bit •Clients may display SHA1 and IP address •Cross Platform •Windows, Mac, Linux/Unix • Descriptive File names 12y walking (upskirt) white thong PTHC,ls magazine, little models, PEDO.jpg Gnutella Operation Two types of computers on the Gnutella Network • UltraPeer – indexing servers • Does not contain the actual file • Peer (aka Host or Leaf) - Connects to Ultrapeers • Contains the actual file Who can be an Ultrapeer? • • • • A peer who has agreed in the settings; Must be online a minimum of six hours; Must have spare bandwidth; Must be able to receive UDP/TCP/UPnP connections; • Not behind a firewall or router that hasn’t been configured to allow incoming connections; • Dependant upon network need; and • Can’t be running Mac Classic or Windows 98. Who can be an Ultrapeer? • User chooses to be an Ultrapeer – Options Tab Ultrapeer/Peer Practical 1. You will need a piece of paper and a pen/pencil 2. Write down two picture names from the next slide and your IP Address. 3. Give the piece of paper to the person on the end of your row (at the center of the aisle). 4. YOU are a Peer on our “Gnutella” network 5. The person with all the papers from your row is an Ultrapeer on our “Gnutella” network 6. The name of the file on the piece of paper is NOT the picture file, only a note telling the Ultrapeer what file you are sharing. 7. The Peer (or you) has the picture on your computer. PENCIL BICYCLE CAR AAIGRGUERNWK2LNOVFYDZ7 ZBJ6UA2ZQA S6OTFEMMEKBZOUTBGPQ XMQQCUC2DYGJV CYSV6LGXLNBMO5N6N43KHP4ANYYBLGO5 BRIDGE OSVD6AKWSIR4YONJNOEX6WLHAQMUHQI4 COMPUTER ZXBNTQMIHPTPJXGJLHJ6EQDM2POHCTHC Gnutella P2P Network Training Point Gnutella is an open source file-sharing network. Most computers that are part of this network are referred to as peers, hosts or leaves. 
A peer can simultaneously provide files (upload) to other peers while getting files (download) from other peers. Peers may be elevated to temporary indexing servers referred to as an “ultrapeer.” Ultrapeers increase the efficiency of the Gnutella network by maintaining an index of the contents of network peers. Gnutella users query ultrapeers for files and are directed to one or more peers sharing that file. There are many ultrapeers on the network; if one shuts down, the network continues to operate.

The “Push”
• If two computers on the Gnutella network are behind a firewall/router, direct communication between the two computers CANNOT occur
• If only one computer is behind a firewall/router, the common UltraPeer acts as the Push Proxy
• Your computer needs to be connected to the same UltraPeer as your target for the “Push” to occur
[Diagram: the U/C Computer and the Target Computer (which reports 0.0.0.0 because it is behind its firewall/router; Target’s GUID 09D62EA7D03F677BF) are each connected to Ultra Peers, and the Ultra Peer they share acts as the Push Proxy. Addresses shown: 68.112.233.208, 69.114.23.24, 72.128.122.14.]

Gnutella P2P Clients
• Phex
[Chart: P2P Clients in Cases, source data from RoundUp as of 01/07/2012, as labelled: Shareaza 65%, Limewire/Frostwire 31%, Bearshare 2%, Other 2%.]

Searching for Files
• Gnutella clients allow a user to search for pictures, movies and other files by entering descriptive text as a search term.
• These terms are typically processed by Ultrapeers based upon the information about terms found in filenames that had been sent by individual peers.
Search Terms for CP • PJK • BABY J • PTHC • Vicky Compilation Many Others Searching in Roundup Type search term here Gnutella Operation – Search (Roundup) Search Tab Search Results Gnutella Operation – Search Results With Roundup File Name File Type File Size Source IP • Search Results are reported to User from: – Clients through UltraPeers (Hearsay) – Clients themselves (out of band searching) • No Ultrapeer middle man on the response – Results are complete files (not partial) Hash Value Additional Search Results With RoundUp Vendor • • Files of Interest Location GUID Push Required Files of interest are highlighted in red and submitted to ICACCOPS database REMEMBER: Results are reported either directly from a client or from a client through Ultrapeers – Possible Issue: Hearsay if going through Ultrapeers – Investigator’s responsibility to remove Hearsay issue Eliminate the Issue of Hearsay • Establish a Direct Connection to the source computer. – Download a file or partial file - The download of data from an IP address removes hearsay issues. – Browse Host - This is a “get” command that can usually be completed even if the target’s slots are full • Direct Connect establishes that the target computer was on-line on a specific date and time. 
– Allows you to get a subpoena, court order or search warrant

Gnutella Network – Downloading a File
[Diagram: Peers connected through Ultra Peers; several Peers send data for the same file.]
• File is obtained from Multiple Peer(s), called Swarming

Quick/Swarming Download of a File
[Screenshots: the search results; the file being downloaded; the Download Candidates list (Swarming Download).]

“Locate Candidates” Download of a File
[Screenshots: the search results; “Locate Candidate” generates Candidates without downloading the file; the Download Candidates list; Never Ending Download.]

Gnutella Operation – Browsing a Host
[Diagram: Peers connected through Ultra Peers; the search results (file list) come from one selected Peer.]
– File List is obtained from a selected Peer
– Direct Connect to the Peer Must Occur!!!

Browsing a Host with RoundUp
[Screenshot: Attempt to Browse IP #71.167.48.184 from Hicksville, NY]

Browsing a Host Results with RoundUp
[Screenshot: Successful Browse of IP #71.167.48.184, showing Push Proxy Browse, Target’s GUID and Target’s Ultrapeers]

How the Gnutella Network Shares Files
[Diagram: YOU send a Search Term to your Ultrapeer, which forwards it to its Leaves; each Leaf that has the file answers “I have it” (example packet: Sender 24.21.23.215, Recipient 68.15.23.25), and the file then arrives as Packets from several Leaves.]
• Packets are Reassembled To Make Identical Copy of File

Single Source Downloading
[Screenshots: Single Source Download of File Starting with SHA1 Value: 3IIG2EII; Download Tab; Confirmed Single Source Download – Target is the only Candidate Source; Client & GUID of Target Also Displayed]

Why you may be unable to get the Download
• Their upload slots are full
• Their Bandwidth is maxed out or they turned bandwidth down to zero
• They set the number of downloads per user to zero
• They aren’t sharing
• They are no longer on the network
– Are you able to browse??
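As an added example (not part of the training deck), a parser for Windows `netstat -n` output that pulls out the ESTABLISHED TCP connections to a target address, the Direct Connect evidence the Netstat overview and the browse/download slides rely on, and flags remote addresses that fall in the private ranges from the IP address slides (those cannot be attributed to a subscriber). The sample output is constructed; its remote addresses are taken from the reserved documentation ranges, not from any case.

```python
import ipaddress
import re

# Special/private ranges listed in the deck: not globally routable, so a remote
# peer showing one of these cannot be attributed to an ISP subscriber.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_endpoint(text):
    """Split the P2P 'IP:port' syntax (e.g. '74.234.21.132:6346') into (ip, port)."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("expected IP:port, got %r" % text)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def is_routable(ip):
    ip = ipaddress.ip_address(ip)          # accepts a string or an address object
    return not any(ip in net for net in NON_ROUTABLE)

# One 'netstat -n' row:  Proto  Local Address  Foreign Address  [State]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(output):
    """One dict per connection row; the header, blank lines and UDP '*:*' rows are skipped."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) == "*:*":
            continue
        proto, local, foreign, state = m.groups()
        lip, lport = parse_endpoint(local)
        fip, fport = parse_endpoint(foreign)
        records.append({"proto": proto, "state": state or "",
                        "local": (str(lip), lport), "remote": (str(fip), fport),
                        "remote_routable": is_routable(fip)})
    return records

def direct_connections(output, target):
    """ESTABLISHED TCP connections to an IPv4 target ('IP' or 'IP:port'): the
    netstat evidence that the suspect's computer was directly connected to ours."""
    tip, tport = parse_endpoint(target) if ":" in target else (ipaddress.ip_address(target), None)
    return [r for r in parse_netstat(output)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["remote"][0] == str(tip) and tport in (None, r["remote"][1])]

# Constructed sample of 'netstat -n' output (not a real capture); remote addresses
# are from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.101:6346     198.51.100.23:15324    ESTABLISHED
  TCP    192.168.1.101:6346     10.0.0.7:6346          ESTABLISHED
  TCP    192.168.1.101:49222    203.0.113.9:80         TIME_WAIT
  TCP    192.168.1.101:6346     198.51.100.23:41000    SYN_SENT
  UDP    0.0.0.0:6346           *:*
"""
```

Only the row with state ESTABLISHED to the target counts; a SYN_SENT or TIME_WAIT row to the same address is not a completed direct connection.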
Why is this important?
• Static IP vs. Dynamic IP
• Cable vs. Dial Up
• Hearsay issue
• You don’t want to hit the wrong house
• By obtaining a browse, file download, or partial file download, you establish that the target MUST have been on-line at that time
• Check NETSTAT artifact file

Gnutella Configurations/Options
• The Gnutella network is accessed by sources running different client programs.
• These programs share common protocols for network access and file sharing.
• HOWEVER, the user interface, features and configuration may vary between clients and versions of the same client.
• Many Options can be configured
• Know the default configurations/settings

Gnutella Configurations/Options – Training Point
• Some P2P file sharing networks are designed to allow users to download files and frequently provide enhanced capabilities to reward the sharing of files by providing reduced wait periods, higher user ratings, or other benefits.
• In some instances, users are not allowed to download files if they are not sharing files.
• Typically, settings within these programs control sharing thresholds.

Questions??