Cyber Security Technologies Corporation (CST) is the innovation leader in affordable software products for computer investigations. CST was formed by industry veterans who see the need for new investigative tools designed for the changing investigative environment. We are dedicated to delivering technically advanced but easy-to-use software products for corporations, government agencies, service providers and law enforcement, as well as related training and certification. CST is an affiliate of Architecture Technology Corporation, a technology company specializing in software-intensive solutions for complex problems in IT security and high-security network computing applications.



P2P Marshal™


Introduction

P2P Marshal™ is a digital forensic tool for the automatic detection, extraction and analysis of data associated with peer-to-peer applications on a hard drive. It automates the tedious and time-consuming process of looking for P2P evidence. P2P Marshal automatically detects a roster of the most commonly-used P2P client programs and presents per-user information on those clients, including shared files, downloaded files, peer servers, and configuration and log information.

P2P Marshal performs these tasks in a forensically valid way and presents the results in an easily readable form on-screen and in a format that can easily be incorporated into a report.

P2P Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It has extensive search capabilities, produces reports in CSV, RTF, PDF and HTML formats, and runs on common Windows platforms.

P2P Marshal is available in a software-only version called Forensic Edition, and in a USB 2.0 flash drive version called Field Edition.

Forensic Edition

Forensic Edition is a software product which is installed and runs on an investigator's workstation to analyze a disk image. Forensic Edition requires a unique serial number to be installed on a specific workstation; a different serial number is required to install Forensic Edition on a different workstation.


Field Edition

Field Edition is available on a USB 2.0 flash drive only and requires no installation to run. The Field Edition is different from Forensic Edition in two respects:

  1. Field Edition may be plugged into a USB port of a live target computer and used to conduct an investigation of that target computer’s hard drive (i.e. an image is not necessary);
  2. Field Edition may be moved from computer to computer – no installation is required, and thus it is portable.

Other than the ability to examine a live target and portability, Field Edition is identical to Forensic Edition.

Field Edition requires no serial number for operation and is ideal for use in the field where investigators may have access to a live target system. Analysis of a target system may be performed without the requirement of performing a disk image.

Field Edition is also ideal for use in a forensic lab to examine disk images. It may be used on any available forensic workstation since it executes from the USB thumb drive.

Features of Both Versions:

  • Automatically discovers and analyzes peer-to-peer file sharing usage
  • Supports analysis of Windows 2000, 2003, XP, Vista, 2008 and Windows 7 systems (English and non-English versions, 32- and 64-bit)
  • Performs full analysis for Ares, BitTorrent, FrostWire, LimeWire, uTorrent and Azureus Vuze; detects and shows default download locations for Kazaa
  • Performs all actions in a forensically sound manner
  • Automatically maintains a detailed log
  • Provides extensive search capabilities
  • Produces customizable reports in CSV, HTML, PDF and RTF formats
  • Runs on 32- and 64-bit Windows 2000, 2003, XP, Vista, 2008, or Windows 7 systems (Field Edition requires XP, Vista, 2008, or Windows 7)

Phases of Operation

P2P Marshal operates on a mounted disk image or, in the case of Field Edition, a live target. An investigator invokes P2P Marshal, creates an inquiry, and starts the analysis. There are three phases to the investigation: discovery, acquisition, and analysis, plus report generation at the end. Figure 1 shows the phases and the information each phase passes to the next.

Figure 1. The P2P Marshal investigation process

Discovery

In the discovery phase, P2P Marshal examines the target hard drive and determines what peer-to-peer clients are currently, or were previously, installed. To perform this check, P2P Marshal looks for the presence of files, directories, and registry keys and values. Configuration files specify the artifacts that indicate if a particular client was installed. In some cases the programs may have been deleted, but the data directory remains. Registry keys for user preferences may also persist after the user uninstalls the P2P client, or reside in backup versions of the registry generated when the operating system creates a system restore (check) point. Files are specified by a pathname. In addition, they can be specified by a hash (currently MD5). Registry entries can include the (sub) keys, values, and their data.
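The discovery phase described above is, in essence, a configuration-driven artifact check: a list of paths, hashes and registry keys per client, tested against the mounted image, with "full" versus "partial" decided by whether the program itself is still there or only its leftovers. The following Python is an added example of that approach, not P2P Marshal's own code or configuration format. The `ClientSignature` layout, the `detect_clients()` function, the client names, paths and registry keys, and the temporary directory standing in for a mounted image are all assumptions made for this illustration; the registry is passed in as a dictionary the caller has already extracted from the hives, since hive parsing is outside the example. Every check is written to an audit list, hit or miss, so the log records what was examined as well as what was found.

```python
"""Config-driven discovery of P2P client artifacts on a mounted image root.

Added illustration, not P2P Marshal code: signature format, function names,
client names, paths and registry keys are assumptions made for this example.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ClientSignature:
    """Artifacts that indicate one P2P client (hypothetical format)."""
    name: str
    program_files: list = field(default_factory=list)   # installed program, relative to image root
    user_data_dirs: list = field(default_factory=list)  # per-user data, relative to a profile dir
    file_hashes: dict = field(default_factory=dict)     # relative path -> expected MD5 hex digest
    registry_keys: list = field(default_factory=list)   # key paths expected in the hives


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def detect_clients(image_root, signatures, registry, audit, profiles_dir="Users"):
    """Return {client: {"status": "full" | "partial", "artifacts": [...]}}.

    `registry` maps key path -> {value name: data}, pre-extracted by the caller.
    Each check is appended to `audit` whether it hits or misses.
    """
    profiles_root = os.path.join(image_root, profiles_dir)
    users = sorted(os.listdir(profiles_root)) if os.path.isdir(profiles_root) else []
    findings = {}
    for sig in signatures:
        artifacts, present_programs = [], 0
        for rel in sig.program_files:
            hit = os.path.isfile(os.path.join(image_root, rel))
            audit.append(f"{sig.name}: file {rel}: {'present' if hit else 'absent'}")
            if hit:
                present_programs += 1
                artifacts.append(f"file:{rel}")
        for user in users:
            for rel in sig.user_data_dirs:
                hit = os.path.isdir(os.path.join(profiles_root, user, rel))
                audit.append(f"{sig.name}: dir {user}/{rel}: {'present' if hit else 'absent'}")
                if hit:
                    artifacts.append(f"dir:{user}/{rel}")
        for rel, expected in sig.file_hashes.items():
            full = os.path.join(image_root, rel)
            hit = os.path.isfile(full) and md5_of(full) == expected
            audit.append(f"{sig.name}: hash {rel}: {'matches' if hit else 'no match'}")
            if hit:
                artifacts.append(f"hash:{rel}")
        for key in sig.registry_keys:
            hit = key in registry
            audit.append(f"{sig.name}: registry {key}: {'present' if hit else 'absent'}")
            if hit:
                artifacts.append(f"reg:{key}")
        if not artifacts:
            continue
        # "full" only when every program file is present; data or registry
        # leftovers without the program mean a (partially) removed client.
        complete = bool(sig.program_files) and present_programs == len(sig.program_files)
        findings[sig.name] = {"status": "full" if complete else "partial", "artifacts": artifacts}
    return findings


def build_sample_image():
    """Constructed, minimal stand-in for a mounted image (a temp directory)."""
    root = tempfile.mkdtemp(prefix="p2p_image_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("Program Files/ClientA/ClientA.exe", b"MZ-constructed-client-a")   # ClientA installed
    put("Users/alice/AppData/Roaming/ClientA/settings.ini", b"port=6346")  # ClientA used by alice
    put("Users/bob/AppData/Roaming/ClientB/resume.dat", b"constructed")    # ClientB removed, data left
    return root


# Hypothetical signatures and a hypothetical pre-extracted registry snapshot.
SIGNATURES = [
    ClientSignature("ClientA", program_files=["Program Files/ClientA/ClientA.exe"],
                    user_data_dirs=["AppData/Roaming/ClientA"],
                    file_hashes={"Program Files/ClientA/ClientA.exe":
                                 hashlib.md5(b"MZ-constructed-client-a").hexdigest()},
                    registry_keys=[r"HKCU\Software\ClientA"]),
    ClientSignature("ClientB", program_files=["Program Files/ClientB/ClientB.exe"],
                    user_data_dirs=["AppData/Roaming/ClientB"]),
    ClientSignature("ClientC", program_files=["Program Files/ClientC/ClientC.exe"]),
]
SAMPLE_REGISTRY = {r"HKCU\Software\ClientA": {"Port": "6346"}}


def run_discovery():
    """Build the sample image, run discovery, return (findings, audit log)."""
    audit = []
    findings = detect_clients(build_sample_image(), SIGNATURES, SAMPLE_REGISTRY, audit)
    return findings, audit


if __name__ == "__main__":
    found, log = run_discovery()
    for name, info in found.items():
        print(f"{name}: {info['status']} installation, artifacts {info['artifacts']}")
    print("\n".join(log))
```

Run stand-alone, the script reports ClientA as a full installation (program, per-user data, matching hash and registry key all present), ClientB as partial (only bob's data directory survived the uninstall), and nothing for ClientC, while the audit log still shows that ClientC's program path was checked and found absent.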

Acquisition

In the acquisition phase, P2P Marshal gathers user-specific usage information for specific P2P clients. For each user, P2P Marshal gathers configuration and log information, including peer or bootstrap servers contacted, files downloaded and shared, and other forensically-relevant data maintained by the specific P2P client. Again, the specific files are defined in the configuration file. The configuration file lists the Java modules (classes) to be used for parsing; new parsers will be created as needed using a straightforward API.

Analysis

In the analysis phase, P2P Marshal displays the information gathered and allows an investigator to view details (such as the contents of files) and to sort data by various fields (IP address, date last contacted, etc.). Investigators can view downloaded files by launching an appropriate viewer (e.g., Acrobat for PDF, Firefox for HTML and Photoshop for an image).

Logging and Report Generation

P2P Marshal logs all operations it performs. The log file provides very detailed, low-level information on what actions were performed, thus maintaining the forensic integrity of the investigation. The log file provides details on how the back-end tool was invoked, as well as any return or error codes. The audit log is not intended to be easily readable by humans, but rather it allows investigators to verify exactly what actions were taken (and by the same token, what was not done) during an investigation, and would be appropriate to be included as an appendix in a report.

P2P Marshal generates a summary report of the findings in a format that can be included in an investigator’s report. Supported formats include HTML, PDF, and RTF, so that a P2P Marshal report can be easily inserted into a larger forensics report.

Search function

P2P Marshal enables the investigator to search for various usage-specific items (see Figure 2). This includes IP addresses and DNS names of peer servers, names of files, and file hashes (MD5, SHA-1, etc.). For instance, if an investigator wants to trace all contacts with a particular server, the search function would return all contacts regardless of the P2P client or clients used.
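Two of the mechanisms described above, the per-client parser modules named by the configuration file in the acquisition phase and the cross-client search on addresses, names and hashes, fit together naturally: each parser turns a client's own file format into one common record type, and the search runs over that common store without caring which client produced a record. The Python below is an added example of that design and is not P2P Marshal code; the page states the parsers are Java classes, and this is a simplified stand-in. The two line formats, the client and user names, the addresses and the hex digests are all constructed for the example and are not any real client's format or data; the `Record` type, `PARSERS` registry, `acquire()`, `classify()` and `search()` are assumptions made here.

```python
"""Pluggable per-client parsers feeding one searchable record store.

Added illustration, not P2P Marshal code. Both log formats are constructed
for this example; the parser registry and search() are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    client: str         # P2P client the artifact came from
    user: str           # account whose profile held the artifact
    kind: str           # "peer" or "file"
    host: str = ""      # peer IP or DNS name, without port
    name: str = ""      # file name, for "file" records
    hashes: tuple = ()  # lowercased hex digests (md5, sha1, ...)


def parse_clienta_peers(user, text):
    """Constructed format: '<date> <time> peer <host>:<port> <state>' per line."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\S+ \S+ peer (\S+?):(\d+) (\w+)", line)
        if m:
            out.append(Record("ClientA", user, "peer", host=m.group(1)))
    return out


def parse_clientb_downloads(user, text):
    """Constructed format: 'name=<file>;sha1=<hex>;from=<host>' per line."""
    out = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
        if "name" in fields:
            out.append(Record("ClientB", user, "file", host=fields.get("from", ""),
                              name=fields["name"], hashes=(fields.get("sha1", "").lower(),)))
    return out


# Stands in for the configuration file that names a parser module per client.
PARSERS = {"ClientA": parse_clienta_peers, "ClientB": parse_clientb_downloads}


def acquire(artifacts):
    """artifacts: list of (client, user, file text) -> unified list of Records."""
    records = []
    for client, user, text in artifacts:
        parser = PARSERS.get(client)
        if parser is None:
            continue  # client detected, but no parser configured for it yet
        records.extend(parser(user, text))
    return records


def classify(term):
    """Decide whether the investigator typed an IP address, a hash or a name."""
    try:
        ipaddress.ip_address(term)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", term):
        return "hash"
    return "name"


def search(records, term):
    """Return every record matching term, across all clients and users."""
    kind, needle = classify(term), term.lower()
    hits = []
    for r in records:
        if kind == "ip" and r.host == term:
            hits.append(r)
        elif kind == "hash" and needle in r.hashes:
            hits.append(r)
        elif kind == "name" and (needle in r.name.lower() or needle == r.host.lower()):
            hits.append(r)
    return hits


# Constructed sample artifacts, as the acquisition phase would hand them over.
SAMPLE_ARTIFACTS = [
    ("ClientA", "alice",
     "2010-03-02 10:15:33 peer 203.0.113.5:6346 connected\n"
     "2010-03-02 10:16:01 peer tracker.example.net:6969 connected\n"),
    ("ClientB", "bob",
     "name=holiday.mp4;sha1=0123456789abcdef0123456789abcdef01234567;from=203.0.113.5\n"
     "name=notes.pdf;sha1=89abcdef0123456789abcdef0123456789abcdef;from=198.51.100.7\n"),
]


if __name__ == "__main__":
    store = acquire(SAMPLE_ARTIFACTS)
    for hit in search(store, "203.0.113.5"):
        print(f"{hit.client} / {hit.user}: {hit.kind} {hit.host} {hit.name}")
```

Searching the sample store for `203.0.113.5` returns alice's ClientA peer contact and bob's ClientB download from the same host, which is the "regardless of the P2P client" behaviour the text describes; hashes are matched case-insensitively, and a DNS name such as `tracker.example.net` matches on the host field while a bare word such as `holiday` matches file names.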

Figure 2. The P2P Marshal search interface.

User interface

The P2P Marshal user interface, shown in Figure 3, presents information about each P2P client it detects. The figure shows an example in which a number of P2P clients were used to download legal content from public sites. Within each tab (one tab per client), it presents information specific to each user account in the disk image that has evidence relating to using that client. In the example, six client tabs are shown (Azureus Vuze, LimeWire, Google Hello, Ares, uTorrent, and BitTorrent), with the Azureus Vuze tab selected.

Figure 3. The P2P Marshal user interface.

The installation information provides details about where the client was installed, what version, and whether it is a full or partial installation. Partial installation indicates that a P2P client has been on the system but has been (at least) partially removed. In addition, a web page link provides more information about the client when clicked.

The usage section describes how that client was used by specific users. A pull-down menu allows the investigator to select individual users or "All users combined" to view all P2P activity on the disk image. At the bottom of the window, three tables provide summary information on peer servers, shared files, and log entries.