File Marshal: Automatic extraction of peer-to-peer data
Abstract
Digital forensic investigators often find peer-to-peer, or file sharing,
software present on the computers, or the images of the disks, that they
examine. Investigators must first determine what P2P software is present
and where the associated information is stored, retrieve the information
from the appropriate directories, and then analyze the results.
File Marshal is a tool that will automatically detect and analyze
peer-to-peer client use on a disk. The tool automates what is currently
a manual and labor intensive process. It will determine what clients
currently are or have been installed on a machine, and then extracts
per-user usage information, specifically a list of peer servers contacted,
and files that were shared and downloaded. The tool was designed to
perform its actions in a forensically sound way, including maintaining a
detailed audit trail of all actions performed. File Marshal is extensible,
using a configuration file to specify details about specific peerto-peer
clients (e.g., location of log files and registry keys indicating
installation). This paper describes the general design and features of
File Marshal, its current status, and the plans for continued development
and release. When complete, File Marshal, a National Institute of
Justice funded effort, will be disseminated to law enforcement at no cost.
Keywords: Peer-to-peer, P2P, Forensics, LimeWire, File Sharing
Return to the Publication list.
This page last modified Jun 28, 2009.
Home
feed
![[Title Bar]](/images/header.gif)