Study of Peer-to-Peer Network Based Cybercrime Investigation: Application on Botnet Technologies

TL;DR

This paper presents UP2PNIF, a framework and toolset for efficient investigation of P2P networks, demonstrated on BitTorrent, to aid cybercrime analysis and digital forensics.

Contribution

Introduction of UP2PNIF, a universal framework that accelerates and simplifies P2P network investigations using commonalities and a reference database.

Findings

Developed a proof of concept tool for BitTorrent investigation.

Framework enables faster, less labor-intensive P2P investigations.

Facilitates digital forensic analysis of various P2P applications.

Abstract

The scalable, low overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g, voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network.