P2P Marshal™ is a powerful investigative product that automates and greatly accelerates the tedious, time consuming process of finding P2P evidence on computers under investigation.
P2P Marshal automatically detects a roster of the most commonly-used P2P client programs, and automatically captures and organizes vital forensic information on each client it detects. P2P Marshal automatically reveals shared files, downloaded files, peer servers, and configuration and log information by each user on the computer being investigated. P2P Marshal performs these tasks in a forensically valid way, and presents the results in an easily readable form on-screen and in a format that can easily be incorporated into a report.
P2P Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It has extensive search capabilities, produces reports in CSV, RTF, PDF and HTML formats, and runs on common Windows platforms. P2P Marshal is available in two versions:
- Forensic Edition, a software product for the investigation of hard drive images; and
- Field Edition, which comes on a USB 2.0 flash drive, and can be used to investigate live systems as well as images. It is also readily portable from one computer to another, as the application runs from the flash drive and is not installed on the computer on which it is in use.
Forensic Edition is a software product that is installed on an investigator’s forensic workstation and used to examine a read-only logical drive partition, such as a mounted disk image or a physical disk connected through a write blocker. The examined disk should be a Windows system drive – that is, it should contain the Windows registry, installed applications, and user directories. P2P Marshal Forensic Edition should not be used to examine the drive containing the currently running Windows system (the forensic workstation’s own system drive).
Forensic Edition requires a unique serial number to be installed on a specific workstation; a different serial number is required to install Forensic Edition on a different workstation.
Field Edition is delivered on a USB 2.0 flash drive and requires no installation to run. Field Edition is different from Forensic Edition in two respects:
- Field Edition may be plugged into a USB port of a live target computer and used to conduct an investigation of that target computer’s hard drive (i.e. an image is not necessary);
- Field Edition may be moved from computer to computer – no installation is required, and thus it is portable.
Other than the ability to examine a live target and portability, the functionality of Field Edition is identical to that of Forensic Edition.
When using Field Edition to examine a live Windows system, the user connects the P2P Marshal USB drive to the system to be examined and runs the P2P Marshal application on the target system. An external device for storing the acquired data is required; data acquired using Field Edition should not be stored on the target system or on the Field Edition USB drive. Note that attaching any USB device to a live system leaves traces of its own (for example, device and mounted-volume entries in the registry), so the time of connection and the device used should be recorded in the investigator’s notes alongside the P2P Marshal log.
P2P Marshal Field Edition can also be run on a forensic workstation and used to examine a read-only logical drive partition, such as a mounted disk image or a physical disk connected through a write blocker. The examined disk should be a Windows system drive – that is, it should contain the Windows registry, installed applications, and user directories.
Features of Both Versions:
- Automatically discovers and analyzes peer-to-peer file sharing usage
- Supports analysis of Windows XP, Server 2003, Vista, Server 2008 and Windows 7 systems (English and non-English versions, 32- and 64-bit)
- Performs full analysis for Ares, BitTorrent, FrostWire, LimeWire, uTorrent, eMule and Azureus Vuze; detects and shows default download locations for Kazaa
- Performs all actions in a forensically sound manner
- Automatically maintains a detailed log, hashed to ensure forensic integrity
- Provides extensive search capabilities
- Produces customizable reports in CSV, HTML, PDF and RTF formats
- Runs on 32- and 64-bit Windows XP or later, both English and non-English systems
Phases of Operation of P2P Marshal
P2P Marshal operates on a mounted disk image or, in the case of Field Edition, a live target. An investigator invokes P2P Marshal, creates an inquiry, and starts the analysis. There are three phases to the investigation: discovery, acquisition, and analysis, plus report generation at the end. Figure 1 shows the phases and the information each phase passes to the next.
Figure 1. The P2P Marshal investigation process
In the discovery phase, P2P Marshal examines the target hard drive and determines which peer-to-peer clients are currently, or were previously, installed. To perform this check, P2P Marshal looks for the presence of files, directories, and registry keys and values. Configuration files specify the artifacts that indicate whether a particular client was installed. In some cases the program itself may have been deleted while its data directory remains. Registry keys holding user preferences may also persist after the user uninstalls the P2P client, or may survive in backup copies of the registry created when the operating system makes a System Restore point. Files are specified by a pathname; in addition, they can be specified by a hash (currently MD5), which identifies a known binary even after it has been renamed or moved. Because MD5 is no longer collision-resistant, a hash match should be corroborated by the file’s path and contents (or a stronger hash where one is available) rather than treated as proof on its own. Registry entries can include the (sub)keys, values, and their data.
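The discovery check described above, written out as an added example in Python (this is not P2P Marshal code; its artifact definitions live in the product’s own configuration files, and the client names, paths, registry key and binary contents used here are constructed assumptions). It checks known program paths, data directories and registry keys, hashes every file on the mounted drive to catch a renamed client binary, and classifies each client as a full, partial or absent installation in the sense the Installation section below uses. The registry is a plain dictionary standing in for a parsed user hive.

```python
"""Discovery-phase check over a mounted Windows drive (added example, not P2P Marshal code)."""
import hashlib
import os
import tempfile

# Constructed artifact table. Every client name, path, key and binary content is an
# illustrative assumption, not a real client signature.
EXAMPLE_EXE = b"MZ example-client-binary"
OTHER_EXE = b"MZ other-client-binary"
ARTIFACTS = {
    "ExampleClient": {
        "program_files": [("Program Files", "ExampleClient", "ExampleClient.exe")],
        "data_dirs": [("Users", "alice", "AppData", "Roaming", "ExampleClient")],
        "known_md5": {hashlib.md5(EXAMPLE_EXE).hexdigest()},   # stands in for a reference hash set
        "registry_keys": [r"HKCU\Software\ExampleClient"],
    },
    "OtherClient": {
        "program_files": [("Program Files", "OtherClient", "OtherClient.exe")],
        "data_dirs": [("Users", "alice", "AppData", "Local", "OtherClient")],
        "known_md5": {hashlib.md5(OTHER_EXE).hexdigest()},
        "registry_keys": [r"HKCU\Software\OtherClient"],
    },
}

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_by_hash(root, wanted, max_size=64 << 20):
    """Hash every file under root (up to max_size) and report matches; this is what
    catches a client binary that was renamed or moved before the program was removed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if os.path.getsize(p) <= max_size and md5_of(p) in wanted:
                    hits.append(os.path.relpath(p, root))
            except OSError:
                continue        # unreadable entry: skip it, never abort discovery
    return sorted(hits)

def discover(root, registry):
    """Classify each client as full / partial / absent. `registry` is a constructed
    stand-in for a parsed user hive: {key path: {value name: data}}."""
    report = {}
    for client, art in ARTIFACTS.items():
        prog = [os.path.join(*p) for p in art["program_files"]
                if os.path.isfile(os.path.join(root, *p))]
        data = [os.path.join(*d) for d in art["data_dirs"]
                if os.path.isdir(os.path.join(root, *d))]
        keys = [k for k in art["registry_keys"] if k in registry]
        hits = find_by_hash(root, art["known_md5"])
        if prog or hits:
            status = "full"          # the program itself is still on disk
        elif data or keys:
            status = "partial"       # program gone, but data or preferences persist
        else:
            status = "absent"
        report[client] = {"status": status, "program": prog, "hash_hits": hits,
                          "data_dirs": data, "registry_keys": keys}
    return report

def build_sample_drive():
    """Create a constructed mounted-drive layout in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="p2p_drive_")
    def put(parts, content=b""):
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    # ExampleClient: installed, plus a renamed copy stashed under Downloads
    put(("Program Files", "ExampleClient", "ExampleClient.exe"), EXAMPLE_EXE)
    put(("Users", "alice", "Downloads", "setup_backup.bin"), EXAMPLE_EXE)
    put(("Users", "alice", "AppData", "Roaming", "ExampleClient", "settings.ini"), b"[main]\n")
    # OtherClient: uninstalled, only its data directory survives
    put(("Users", "alice", "AppData", "Local", "OtherClient", "downloads.log"), b"")
    return root

# Constructed stand-in for the contents of user alice's NTUSER.DAT
SAMPLE_REGISTRY = {r"HKCU\Software\ExampleClient": {"InstallDir": r"C:\Program Files\ExampleClient"}}

if __name__ == "__main__":
    for client, info in discover(build_sample_drive(), SAMPLE_REGISTRY).items():
        print(client, info)
```

On the constructed drive, ExampleClient is reported as a full installation with two hash hits (the installed binary and the renamed copy in Downloads), while OtherClient is reported as partial because only its data directory survives. The `registry` argument is where a real tool would plug in a hive parser for each user’s NTUSER.DAT and the System Restore copies of it.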
In the acquisition phase, P2P Marshal gathers user-specific usage information for each specific P2P client. For each user, P2P Marshal gathers configuration and log information, including peer or bootstrap servers contacted, files downloaded and shared, and other forensically-relevant data maintained by the specific P2P client. Again, the specific files are defined in the configuration file. The configuration file lists the Java modules (classes) to be used for parsing; new parsers will be created as needed using a straightforward API.
In the analysis phase, P2P Marshal displays the information gathered and allows an investigator to view details (such as the contents of files) and to sort data by various fields (IP address, date last contacted, etc.), as well as to conduct searches. Investigators can view downloaded files by launching an appropriate viewer (e.g., Acrobat for PDF, Firefox for HTML and Photoshop for an image). Those files are untrusted content, so the viewers used should be fully patched and, wherever possible, run on an isolated forensic workstation rather than on a live target.
P2P Marshal enables the investigator to search for various usage-specific items (see Figure 2). These include IP addresses and DNS names of peer servers, names of files, and file hashes (MD5, SHA-1, etc.). For instance, if an investigator wants to trace all contacts with a particular server, the search function returns all contacts regardless of the P2P client or clients used.
Figure 2. The P2P Marshal search interface
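An added example covering both the acquisition-phase parser modules and the cross-client search described above. It is not P2P Marshal’s own parser (those are Java classes listed in its configuration file); it decodes bencode, the encoding used by .torrent files and by several BitTorrent clients’ saved state, normalizes each record into the fields the analysis phase sorts on, and then searches the normalized records by peer IP, info-hash or file name across clients. The record layout (a .torrent-style `info` dictionary plus a `peers` string in the 6-byte compact IPv4 form) and all sample values are constructed for the example.

```python
"""Acquisition-phase parser plus cross-client search (added example, not P2P Marshal code)."""
import hashlib
import socket
import struct

def bdecode(data: bytes):
    """Strict bencode decoder: rejects truncated strings, unterminated containers and
    trailing bytes, so a damaged or hostile file fails loudly instead of yielding garbage."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):
            out, i = ([] if c == b"l" else {}), i + 1
            while True:
                if i >= len(data):
                    raise ValueError("unterminated container")
                if data[i:i + 1] == b"e":
                    return out, i + 1
                if isinstance(out, list):
                    v, i = parse(i)
                    out.append(v)
                else:
                    k, i = parse(i)
                    v, i = parse(i)
                    out[k] = v
        if c.isdigit():
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            if start + n > len(data):
                raise ValueError("truncated string")
            return data[start:start + n], start + n
        raise ValueError(f"bad bencode at offset {i}")
    value, used = parse(0)
    if used != len(data):
        raise ValueError("trailing data after bencoded value")
    return value

def bencode(v) -> bytes:
    """Encoder, needed to recompute the info-hash (SHA-1 of the bencoded info dict)."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(f"cannot bencode {type(v).__name__}")

def parse_record(raw: bytes) -> dict:
    """Normalize one constructed client record. Assumed layout: a .torrent-style 'info'
    dict plus an optional 'peers' string of 6-byte compact entries (IPv4 + big-endian port)."""
    rec = bdecode(raw)
    info = rec[b"info"]
    peers = rec.get(b"peers", b"")
    if len(peers) % 6:
        raise ValueError("compact peer list length must be a multiple of 6")
    return {
        "name": info[b"name"].decode("utf-8", "replace"),
        "size": info[b"length"],
        "infohash": hashlib.sha1(bencode(info)).hexdigest(),  # identifies the torrent, not the file bytes
        "peers": [(socket.inet_ntoa(peers[i:i + 4]), struct.unpack(">H", peers[i + 4:i + 6])[0])
                  for i in range(0, len(peers), 6)],
    }

def search(records, *, ip=None, infohash=None, name=None):
    """Return every (client, record) matching any supplied term, regardless of client."""
    out = []
    for client, rec in records:
        if (ip and any(p[0] == ip for p in rec["peers"])) or \
           (infohash and rec["infohash"] == infohash.lower()) or \
           (name and name.lower() in rec["name"].lower()):
            out.append((client, rec))
    return out

def sample_records():
    """Constructed records for two clients; every value is invented, not from a real image."""
    def peer(ip, port):
        return socket.inet_aton(ip) + struct.pack(">H", port)
    a = bencode({b"info": {b"name": b"linux-distro.iso", b"length": 3826831360,
                           b"piece length": 262144, b"pieces": b"\x00" * 20},
                 b"peers": peer("198.51.100.7", 6881) + peer("203.0.113.9", 51413)})
    b = bencode({b"info": {b"name": b"talk-slides.pdf", b"length": 4096,
                           b"piece length": 16384, b"pieces": b"\x11" * 20},
                 b"peers": peer("198.51.100.7", 6881)})
    return [("ClientA", parse_record(a)), ("ClientB", parse_record(b))]

if __name__ == "__main__":
    for client, rec in search(sample_records(), ip="198.51.100.7"):
        print(client, rec["name"], rec["infohash"])
```

Searching the sample records for the peer 198.51.100.7 returns a hit from both clients, which is the cross-client behaviour the text describes; a search for 203.0.113.9 returns only ClientA. The strictness of the decoder matters in this setting: a truncated or crafted state file should raise, not silently produce a partial record that then appears in a report.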
The P2P Marshal user interface, shown in Figure 3, presents information about each P2P client it detects. The figure shows an example in which a number of P2P clients were used to download legal content from public sites. Within each tab (one tab per client), it presents information specific to each user account on the disk image that has evidence of using that client. In the example, six client tabs are shown (Azureus Vuze, LimeWire, Google Hello, Ares, uTorrent, and BitTorrent), with the Azureus Vuze tab selected.
Figure 3. The P2P Marshal user interface
The installation information provides details about where the client was installed, what version, and whether it is a full or partial installation. Partial installation indicates that a P2P client has been on the system but has been (at least) partially removed. In addition, a web page link provides more information about the client when clicked.
The usage section describes how that client was used by specific users. A pull-down menu allows the investigator to select individual users or “All users combined” to view all P2P activity on the disk image. At the bottom of the window, three tables provide summary information on peer servers, shared files, and log entries.
Logging and report generation
P2P Marshal logs all operations it performs. The log file provides very detailed, low-level information on what actions were performed, thus maintaining the forensic integrity of the investigation. The log file records how each back-end tool was invoked, as well as any return or error codes. The audit log is not intended to be easily readable by humans; rather, it allows investigators to verify exactly what actions were taken (and, by the same token, what was not done) during an investigation, and it is appropriate for inclusion as an appendix to a report.
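The page says the audit log is hashed to ensure its integrity but does not describe the format. The following is an added example of one way to build such a log, not P2P Marshal’s own design: each entry commits to the SHA-256 digest of the entry before it, so editing, reordering or removing any entry after the fact is detectable, and the final digest is the single value to quote in the report appendix. The action names and details are constructed.

```python
"""Hash-chained audit log (added example; not P2P Marshal's log format)."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first entry

class AuditLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "digest"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def record(self, action, **details):
        """Append one low-level action (tool invoked, arguments, return code, ...)."""
        entry = {"seq": len(self.entries),
                 "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
                 "action": action, "details": details}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def head(self):
        """Digest of the last entry: the one value to print in the report appendix."""
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev or self._digest(e) != e.get("digest"):
                return i
            prev = e["digest"]
        return None

def demo():
    """Constructed sequence of investigation actions."""
    log = AuditLog()
    log.record("invoke", tool="hashtool", args=["--md5", "Program Files/X/x.exe"], rc=0)
    log.record("invoke", tool="regdump", args=[r"HKCU\Software\X"], rc=0)
    log.record("open", path="Users/alice/Downloads/file.bin", viewer="image-browser")
    return log

if __name__ == "__main__":
    log = demo()
    print("head:", log.head(), "intact:", log.verify() is None)
```

A real log would add a timestamp and operator to each entry’s details; the chain works the same way. Note that the chain only proves the entries have not been altered since they were written, so the head digest should be recorded somewhere outside the log (the case notes, a signed report) at the end of the session.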
P2P Marshal generates a summary report of the findings in a format that can be included in an investigator’s report. Supported formats include HTML, PDF, and RTF, so that a P2P Marshal report can be easily inserted into a larger forensics report.
P2P Marshal provides contextual help. All windows have a question mark icon. Clicking on the icon brings up a help window within the main P2P Marshal window. The help text is specific to the current window, such as specific P2P clients (LimeWire, Ares, etc.) or supported output formats when generating a report.
An example of contextual help is shown below.
Figure 4. Contextual help
P2P Marshal provides an enhanced built-in image viewer that includes a thumbnail browser. There are two ways to open it. The first is to select Show all files in thumbnail browser from the Tools menu. The second is to select one or more files in the Shared/Downloaded Files window, right-click, and select Show in Image Thumbnail Browser. The image browser window has two modes, thumbnails and single image.
Because the thumbnail viewer is designed for rapidly viewing a large number of images, it opens in a separate, full-screen window. Each thumbnail image is 100×100 pixels. Approximately 70 thumbnails fit on a standard 1280×1024 monitor, and more fit on ones with higher resolution.
An example of the thumbnail window is shown below.
Figure 5. Thumbnail window
The main thumbnail viewer window has two sections. An information block is on the left side of the window and the thumbnail images are on the right side of the window.
Information block: The information block provides details about the currently selected file, which is indicated by a dashed rectangle around it (the fourth from the left and the sixth down from the top in the example above). Click the mouse on a thumbnail image to select it.
File info displays the location and size of the file.
Embedded metadata displays whatever metadata is available. Exif data, such as date/time and location, is displayed if present. Basic image data, such as height, width, and color depth, is always displayed.
Thumbnails: The images are displayed as a grid of thumbnails. Above the thumbnails is the current and total number of pages of thumbnails (e.g., “Page 1/71”). The page can be advanced with the PageDown key (and moved back with the PageUp key) or by moving the scroll bar. Thumbnail images are loaded asynchronously, so that page advancement occurs as rapidly as possible. To the right of the scrollbar is a region that indicates which pages are currently cached: light indicates cached, dark indicates not currently cached. If multiple images are selected, multiple information blocks are stacked on top of each other, with only one block visible at a time.
Any file that is not in a supported image format is shown as a box containing the message “Error. File is corrupted or isn’t an image.” Supported image formats are GIF, JPEG, PNG, BMP, and some TIFF variants.
Double-clicking a thumbnail creates a new tab that displays that single image. Pressing the Enter key does the same for the currently selected image.
Single image viewer
When the investigator either double-clicks a thumbnail image or presses Enter with an image selected, a new tab displays the single image. The user can zoom in and out on that image. Double-clicking additional images in the thumbnail browser opens additional tabs with those images. Clicking on the tabs at the top navigates between the open images and the thumbnail browser. Each single-image tab can be closed by clicking the “X” on the right side of its tab.
An example of a single image in the thumbnail viewer is shown below.