As internet connection speeds continue to increase, sharing information via the internet has become commonplace. For small files, email is often the most practical medium via which to send and receive information, but for those wishing to share large files such as audio and video on a mass scale, peer to peer (P2P) file sharing has become a popular choice.
Peer to peer networks provide a method of sharing data that does not require a central host or server. Instead, the data is shared among whoever is connected to the network, which could amount to tens of millions of users in the case of popular P2P software such as Kazaa or eMule. Users of such software are able to download popular files very quickly because the network allows connection to multiple users, each simultaneously uploading a small chunk of the same file for the user to download.
When a user installs a piece of P2P software, they typically select a download directory, where they wish their downloaded files to be saved, and an upload directory, where any files they are happy to share should be stored. Often, the path chosen for both is the same directory by default, meaning that a file can be shared with others as soon as it has been downloaded.
In cases where possession of indecent images of children is suspected, evidence of P2P activity can be extremely fruitful. At the beginning of a criminal investigation, computer forensic experts are typically called in to analyse the suspect’s hard drive for evidence that can be used by the prosecution in a court of law.
If P2P software is found to be present on a suspect’s computer, there are a number of avenues a computer forensic expert can take to find evidence that illegal images have been downloaded and/or shared. First, the registry entries for the P2P software can be analysed. This can often reveal details such as the names and creation dates of files and such entries may even remain present after the P2P software itself has been uninstalled and the files themselves deleted.
In addition, evidence of precisely what users have been searching for may be present in the registry. This is because users locate files by searching for keywords and such searches are often logged by the software. This evidence can be particularly useful in cases where intent must be proven, for example, where the accused utilises the Trojan horse defence to claim the files were downloaded without his or her knowledge after infection by malicious software.
Criminal investigators may also be able to recover information from the suspect. As Internet Service Provider (ISP), which in many cases will hold detailed information about the nature of files shared over its network. However, because P2P sharing is now widely employed in the illegal downloading of music and films, there is great demand for software which masks this activity from ISPs. For this reason, this information is not always available, making the recovery of computer based evidence all the more vital.
With over 15 P2P programs currently in common usage the main challenge to computer forensic experts investigating their use is keeping up with the fast paced development of the technology, but with the financial support of large music labels and film studios behind the effort to crack down on P2P file sharing, it seems unlikely that it will ever be a war that criminals will win.