BitTorrent Sync: First Impressions and Digital Forensic Implications

TL;DR

This paper examines BitTorrent Sync's architecture, network traffic, and forensic artifacts to understand its privacy implications and assist digital investigations, highlighting its decentralization and encryption features.

Contribution

It provides the first detailed analysis of BitTorrent Sync's client, network behavior, and forensic artifacts, informing law enforcement and forensic practices.

Findings

Identified network traffic patterns of BitTorrent Sync

Documented digital artifacts useful for forensic investigations

Highlighted privacy and security considerations of the service

Abstract

With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and has gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality of cloud powered services and utilises encryption for data transmission (and optionally for remote storage). The importance of understanding BitTorrent Sync and its resulting digital investigative implications for law enforcement and forensic investigators will be paramount to future investigations. This paper outlines the client application, its detected network traffic and identifies artefacts that may be of value as evidence for future digital investigations.