ICACCops.com / RoundUp Investigative Tools

Robert ErdelyPennsylvania State Police (Retired)Indiana County Detectives Bureau

P2P Networks

P2P Networks

Ares - aresgalaxy.sourceforge.net/Bittorrent - www.bittorrent.com/eMuleFreenet – www.freenetproject.org/Gigatribe - www.gigatribe.comGnutella - www.shareaza.com/Gnutella2 - www.shareaza.com/IRC – www.mirc.com

Peer to peer (P2P) file sharing networks, are frequently used to obtain and trade digital files of child pornography.

These files include both image and movie files. These files range from commercially produced

to homemade.

Easy to identify Computers sharing files These investigation often lead to the

identification of offenders actively abusing children……….

Why Investigate P2P?

What is Peer to Peer file sharing??

Peer to Peer (P2P) file sharing programs are a standard way to transfer files from one computer system to another while connected to a network, usually the Internet.

Many P2P file sharing programs are Open Source.

P2P File Sharing Programs

Peer-to-Peer file sharing programs allow groups of computers using the same file sharing network (i.e. Ares, Bittorrent, etc.) and protocols to connect directly to each other to share files. Why P2P file sharing networks are so “efficient”:

•Fault Tolerance is built in… If the connection with one source fails, you will be connected to another

•Load Balancing If a source becomes too busy you will be connected to another one

•Redundancy There is more then one source for the same file

P2P File Sharing Programs

• File Swarming • You get a file from multiple sources and you

will continually try to find more sources for that file

• IP addresses • Identifies the computers that have the files

and the ones that want the files

• File Hashing• SHA-1 / MD4 hash uniquely identifies the

target file, the exact file that one is looking for

P2P File Sharing Programs

1) P2P Clients are Geographically Indiscriminate – they gather candidates and files throughout the world◦ Regionalize investigations with Maxmind/Icaccops website

2) File names may be misleading or inaccurate◦ Uses hash values to identify prosecutable files

3) Files transferred from multiple sources◦ RoundUp Investigative Tools are restricted to single source

downloads

4) Ip addresses/Hash values not displayed in the typical clients◦ Roundup Tools displays important information in the user

interface

Four Investigative Obstacles to Overcome:

A hash function, also known as a message digest, digital fingerprint, or compression function, is a mathematical function that takes a variable-length input string and converts it into a fixed-length value.

A hash function is designed in such a way that it is impossible to reverse the process, that is, to find a string that hashes to a given value.

Hash Algorithms

MD4 (Message Digest) hash takes up 16 bytes, which is 128 bits, and can be expressed as 32 hexadecimal characters

SHA1 (Secure Hash Algorithm) hash takes up 20 bytes, which is 160 bits, and can be expressed as 40 hexadecimal characters or as 32 characters (Base32).

http://www.itl.nist.gov/fipspubs/fip180-1.htm to learn more about the Secure Hash Standard.

Commonly Used Hash Functions

MD5◦ 4928F86198AAE657859CFA7DF73A588F

Sha1◦ LV4UPCZLORG5TWROSRWDIZNIW7SS2345◦ 5D79478B2B744DD9DA268BA5119EC3465A8B

MD4◦ 16DEB62F7D9D711321A40DF0233DC96A(all of the above are taken from the same file)

Hash Algorithms

1 Excluding monozygotic (fraternal) twins, which are 0.2% of the human population

Odds that 2 DIFFERENT files will have the same hash valueMethod Odds of a Match

DNA (RFLP analysis) One in 100 billion1

100,000,000,000

MD5 (128 bit) One in 340 undecillion 340,282,366,920,938,000,000,000,000,000,000,000,000

SHA1 (160 bit) One in a quindecillion1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000

What are the Odds?

2 hours of activity

2 hours of activity

2 hours of activity

2 hours of activity

2 hours of activity

2 hours of activity

2 hours of activity

2 hours of activity

Training Availability

Each P2P File sharing network has a Law Enforcement investigative tool available.

Training is required to use the investigative tool.

The National Criminal Justice Training Center delivers training throughout the United States and can provide training on these tools as well as many other investigative areas

www.ncjtc.org.

Thank you

Law Enforcement can request an account at:

www.icaccops.com/users

Robert Erdely robert.erdely@ic.fbi.gov

+1 (484) 727-8283

Thomas Kerlekerlet@fvtc.edu