Forensic Investigation of P2P Cloud Storage: BitTorrent Sync as a Case Study

TL;DR

This paper investigates forensic artefacts from BitTorrent Sync v2.0 across multiple devices and OSes, providing insights into data remnants relevant for IoT forensic investigations.

Contribution

It offers a comprehensive analysis of artefacts from BitTorrent Sync v2.0 and proposes a forensic investigation methodology for this P2P cloud storage service.

Findings

Artefacts related to installation, uninstallation, login, logout, and file sync can be recovered.

Data remnants are consistent across various devices and operating systems.

The study enhances forensic understanding of P2P cloud storage services.

Abstract

Cloud computing has been regarded as the technology enabler for the Internet of Things (IoT). To ensure the most effective collection of IoT-based evidence, it is vital for forensic practitioners to possess a contemporary understanding of the artefacts from different cloud services. In this paper, we seek to determine the data remnants from the use of BitTorrent Sync version 2.0. Findings from our research using mobile and computer devices running Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4 suggested that artefacts relating to the installation, uninstallation, log-in, log-off, and file synchronisation could be recovered, which are potential sources of IoT forensics. We also present a forensically sound investigation methodology for BitTorrent Sync.