Difference between pages "Prefetch" and "Main Page"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
{{Expand}}
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
+
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.
 +
 
 +
Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
 +
</div> 
  
The Prefetch files are stored in the directory:
 
<pre>
 
%SystemRoot%\Prefetch
 
</pre>
 
  
The following files can be found in the Prefetch directory:
+
==WIKI NEWS==
* <tt>*.pf</tt>, Prefetch files;
+
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the [[ForensicsWiki FeedBurner Feed]]
* <tt>Ag*.db</tt>, [[SuperFetch]] files;
+
* <tt>Ag*.db.trx</tt>
+
* <tt>Layout.ini</tt>;
+
* <tt>PfPre_*.db</tt>;
+
* <tt>PfSvPerfStats.bin</tt>
+
  
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. E.g. a filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
+
{| width="100%"
 +
|-
 +
| width="60%" style="vertical-align:top" |
 +
<!-- Selected Forensics Research -->  
 +
<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
 +
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>
  
== File format ==
+
<small>May 2014</small>
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
<bibtex>
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
+
@inproceedings{Hurley:2013:MAC:2488388.2488444,
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
+
author = {Hurley, Ryan and Prusty, Swagatika and Soroush, Hamed and Walls, Robert J. and Albrecht, Jeannie and Cecchet, Emmanuel and Levine, Brian Neil and Liberatore, Marc and Lynn, Brian and Wolak, Janis},
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
+
title = {Measurement and Analysis of Child Pornography Trafficking on P2P Networks},
 +
booktitle = {Proceedings of the 22Nd International Conference on World Wide Web},
 +
series = {WWW '13},
 +
year = {2013},
 +
isbn = {978-1-4503-2035-1},
 +
location = {Rio de Janeiro, Brazil},
 +
pages = {631--642},
 +
numpages = {12},
 +
url = {http://dl.acm.org/citation.cfm?id=2488388.2488444},
 +
acmid = {2488444},
 +
publisher = {International World Wide Web Conferences Steering Committee},
 +
address = {Republic and Canton of Geneva, Switzerland},
 +
keywords = {digital forensics, forensic triage},
 +
}
 +
</bibtex>
 +
Peer-to-peer networks are the most popular mechanism for the criminal acquisition and distribution of child pornography (CP). In this paper, we examine observations of peers sharing known CP on the eMule and Gnutella networks, which were collected by law enforcement using forensic tools that we developed. We characterize a year's worth of network activity and evaluate different strategies for prioritizing investigators' limited resources. The highest impact research in criminal forensics works within, and is evaluated under, the constraints and goals of investigations. We follow that principle, rather than presenting a set of isolated, exploratory characterizations of users.
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
First, we focus on strategies for reducing the number of CP files available on the network by removing a minimal number of peers. We present a metric for peer removal that is more effective than simply selecting peers with the largest libraries or the most days online. Second, we characterize six aggressive peer subgroups, including: peers using Tor, peers that bridge multiple p2p networks, and the top 10% of peers contributing to file availability. We find that these subgroups are more active in their trafficking, having more known CP and more uptime, than the average peer. Finally, while in theory Tor presents a challenge to investigators, we observe that in practice offenders use Tor inconsistently. Over 90% of regular Tor users send traffic from a non-Tor IP at least once after first using Tor.
 +
(See also [[Past Selected Articles]])
  
== Metadata ==
+
| width="40%" style="vertical-align:top" |
The Prefetch file contains various metadata.
+
* The executable's name, up to 29 characters.
+
* The run count, or number of times the application has been run.
+
* Volume related information, like volume path and volume serial number.
+
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
+
* The files and directories that were used doing the application's start-up.
+
  
=== Timestamps ===
+
<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
The Prefetch file contains 2 types of timestamps
+
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">  Featured Article </h2>
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
+
;[[Forensic Linux Live CD issues]]
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
+
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]
  
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
+
|}
  
== Prefetch hash ==
 
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
 
* SCCA XP hash function; used on Windows XP and Windows 2003
 
* SCCA Vista hash function; used on Windows Vista
 
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
 
  
=== SCCA XP hash function ===
+
<!-- This begins the two-column section -->
A Python implementation of the SCCA XP hash function:
+
  
<pre>
+
{| width="100%"
def ssca_xp_hash_function(filename):
+
|-
    hash_value = 0
+
| width="60%" style="vertical-align:top" |
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
        hash_value = (hash_value * 314159269) % 0x100000000
+
        if hash_value > 0x80000000:
+
            hash_value = 0x100000000 - hash_value
+
  
    return (abs(hash_value) % 1000000007) % 0x100000000
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">
</pre>
+
  
=== SCCA Vista hash function ===
+
<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>
A Python implementation of the SCCA Vista hash function:
+
  
<pre>
+
* '''[[File Analysis]]''':
def ssca_vista_hash_function(filename):
+
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
    hash_value = 314159
+
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
    for character in filename:
+
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
    return hash_value
+
* '''[[Hardware]]''':
</pre>
+
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
 +
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
 +
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
 +
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
 +
** '''[[Write Blockers]]''': ...
 +
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
 +
* [[Encryption]]
 +
* [[GPS]]
 +
* [[Forensic_corpora|Forensic Corpora]]
 +
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
 +
* [[Steganography]], [[Steganalysis]]
 +
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
 +
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
 +
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
 +
</div>
  
=== SCCA 2008 hash function ===
 
A Python implementation of the SCCA 2008 hash function:
 
  
<pre>
 
def ssca_2008_hash_function(filename):
 
    hash_value = 314159
 
    filename_index = 0
 
    filename_length = len(filename)
 
    while filename_index + 8 < filename_length:
 
        character_value = ord(filename[filename_index + 1]) * 37
 
        character_value += ord(filename[filename_index + 2])
 
        character_value *= 37
 
        character_value += ord(filename[filename_index + 3])
 
        character_value *= 37
 
        character_value += ord(filename[filename_index + 4])
 
        character_value *= 37
 
        character_value += ord(filename[filename_index + 5])
 
        character_value *= 37
 
        character_value += ord(filename[filename_index + 6])
 
        character_value *= 37
 
        character_value += ord(filename[filename_index]) * 442596621
 
        character_value += ord(filename[filename_index + 7])
 
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
 
        filename_index += 8
 
  
    while filename_index < filename_length:
+
| width="40%" style="vertical-align:top" |
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
+
      filename_index += 1
+
  
    return hash_value
+
<!-- Tools -->
</pre>
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">
  
== Registry Keys ==
+
<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
</pre>
+
  
The EnablePrefetcher Registry value can be used to disable prefetch.
+
* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
 +
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
 +
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
 +
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
 +
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], [[Photo Investigator]]...
 +
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
 +
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]],  [[Wireshark]], [[Kismet]],  [[NetworkMiner]]...
 +
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
 +
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
 +
</div>
  
== See Also ==
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">
* [[Prefetch XML]]
+
* [[ReadyBoot]]
+
* [[SuperFetch]]
+
* [[Windows]]
+
* [[Windows Prefetch File Format]]
+
  
== External Links ==
+
<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
+
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
+
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
+
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
+
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
+
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
+
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
+
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
+
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
+
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
+
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
+
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
+
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
+
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
+
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
+
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
+
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
+
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
+
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
+
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
+
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 -  a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
+
  
== Tools ==
+
The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:
  
=== Commercial ===
+
* [[:Category:Tools|Tools]]
 +
* [[:Category:Disk file systems|Disk file systems]]
 +
* [[:Category:File Formats|File Formats]]
 +
* [[:Category:Howtos|Howtos]]
 +
* [[:Category:Licenses|Licenses]]
 +
* [[:Category:Operating systems|Operating systems]]
 +
* [[:Category:People|People]]
 +
* [[:Category:Bibliographies|Bibliographies]]
  
=== Free - Non Open Source ===
+
</div>
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
+
 
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
+
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
+
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
+
  
=== Open Source ===
+
|}
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
+
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
+
  
[[Category:Windows]]
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
 +
'''You can help!'''  We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
 +
</div>
 +
 +
 
 +
 
 +
 
 +
__NOTOC__
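
Review bot: in `ssca_xp_hash_function` on the Prefetch side of this diff, `hash_value = (hash_value * 314159269) % 0x100000000` and the `if hash_value > 0x80000000:` fold are indented under `for character in filename:`, so they run once per character rather than once on the accumulated value. They read like finalization steps that pair with the single `% 1000000007` in the `return`; please check the indentation against a Prefetch filename whose path is known and dedent both statements if they belong after the loop. Smaller points in the same code: `abs()` in the `return` has no effect because `hash_value` is already non-negative after the modulo and the fold, all three functions are spelled `ssca_` although the headings and the file signature say SCCA, and the tail loop of `ssca_2008_hash_function` is indented six spaces where the rest of the function uses four.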

Revision as of 12:13, 21 April 2014

This is the Forensics Wiki, a Creative Commons-licensed wiki devoted to information about digital forensics (also known as computer forensics). We currently list a total of 725 pages.

Much of computer forensics is focused on the tools and techniques used by investigators, but there are also a number of important papers, people, and organizations involved. Many of those organizations sponsor conferences throughout the year and around the world. You may also wish to examine the popular journals and some special reports.


WIKI NEWS

2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the ForensicsWiki FeedBurner Feed

Featured Forensic Research

May 2014

Hurley, Ryan, Prusty, Swagatika, Soroush, Hamed, Walls, Robert J., Albrecht, Jeannie, Cecchet, Emmanuel, Levine, Brian Neil, Liberatore, Marc, Lynn, Brian, Wolak, Janis - Measurement and Analysis of Child Pornography Trafficking on P2P Networks
Proceedings of the 22nd International Conference on World Wide Web, pp. 631--642, Republic and Canton of Geneva, Switzerland, 2013
http://dl.acm.org/citation.cfm?id=2488388.2488444

Peer-to-peer networks are the most popular mechanism for the criminal acquisition and distribution of child pornography (CP). In this paper, we examine observations of peers sharing known CP on the eMule and Gnutella networks, which were collected by law enforcement using forensic tools that we developed. We characterize a year's worth of network activity and evaluate different strategies for prioritizing investigators' limited resources. The highest impact research in criminal forensics works within, and is evaluated under, the constraints and goals of investigations. We follow that principle, rather than presenting a set of isolated, exploratory characterizations of users.

First, we focus on strategies for reducing the number of CP files available on the network by removing a minimal number of peers. We present a metric for peer removal that is more effective than simply selecting peers with the largest libraries or the most days online. Second, we characterize six aggressive peer subgroups, including: peers using Tor, peers that bridge multiple p2p networks, and the top 10% of peers contributing to file availability. We find that these subgroups are more active in their trafficking, having more known CP and more uptime, than the average peer. Finally, while in theory Tor presents a challenge to investigators, we observe that in practice offenders use Tor inconsistently. Over 90% of regular Tor users send traffic from a non-Tor IP at least once after first using Tor. (See also Past Selected Articles)

Featured Article

Forensic Linux Live CD issues
Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux distributions do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. Read More...


Topics



You can help! We have a list of articles that need to be expanded. If you know anything about any of these topics, please feel free to chip in.