2010-07-30 LimeWire Made Me Do It

LimeWire Made Me Do It

Frederick S. [email protected]

www.ComputerForensicsDigest.com

Federal Public Defender of Middle Tennessee andFederal Defender Services of Eastern Tennessee, Inc.

30 July 2010

www.FrederickLane.com

And Other Digital Follies


Seminar Overview – Part I

• Introduction

• Basics of P2P Software

• Evidence of Intent

• Law Enforcement Initiatives

• P2P in the Courtswww.FrederickLane.com www.ComputerForensicsDigest.com

Seminar Overview – Part II

• Basics of File Storage and Web Browser Caches

• “Every Breath You Take …”

• Cookie Crumbs

• Caches in the Courts

www.FrederickLane.com www.ComputerForensicsDigest.com

Seminar Logistics

• Ask ‘em If You’ve Got ‘em

• Download a PDF of slides:

bit.ly/a9wgM6

Survey/Feedback:

bit.ly/cfDZCY

• Email Me: [email protected] www.ComputerForensicsDigest.com

Personal Background• Computer

Forensics Expert



Forensics Expert

• Author of 5 Books



Forensics Expert


• Chair, Burlington (VT) School Board



Forensics Expert



• Attorney & Lecturer



Forensics Expert



• Attorney & Lecturer

• Privacy Expert


Computer Forensics Experience

• A Decade of Computer Forensics Experience -- United States v. Dean (1999)

• Civil and Criminal Cases

• Emphasis on Obscenity and Child Pornography

• Training in X-Ways Forensics

• ComputerForensicsDigest.com & Digital Dirt Blawg


• Sneakernets


“And File Sharing Begat P2P…”

• Sneakernets

• 1999 – Napster



• Sneakernets


• DMCA = #epicfail



• Sneakernets



• 2000 - Gnutella



• Sneakernets



• 2000 – Gnutella

• 2009 – P2P the largest source of network traffic



Popular Peer-to-Peer Networks

• Gnutella, Gnutella2

• BitTorrent

• FastTrack

• KaZaA

• eDonkey

• Mininova

• Skype


Popular Peer-to-Peer Clients

• LimeWire

• FrostWire

• BitComet

• Vuze

• µTorrent

• MP3 Rocket

• BitTorrent

• Morpheus

• LimeWire Pro

• Ares Galaxy


Typical Operation of P2P Software

• Users Download Client Software and Register for an Account

• Users Search for Specific Types of Content

• Users Click on a Search Result to Initiate Download

• P2P Software Typically Downloads to a “Shared” Directory

• Content Can Be Made Instantly Available to Other Users of P2P Software


Core Issue: Extent of User Control

• Nature and Name of Downloaded Contents

• Evidence Downloaded Files Were “Previewed” During Download Process

• Search Terms Used

• Are Client Settings Default or Specialized? Directories, Sharing, etc.

• Evidence of Degree of Sophistication


Example: LimeWire Setup


Federal Anti-CP Programs

• FBI Cyber Crimes Program

• Innocent Images National Initiative

• Internet Crimes Against Children (ICAC)

• National Center for Missing and Exploited Children

• Myriad Task Forces

• Operation Fairplay (Wyoming/TLO)


Typical P2P Investigation

• Law Enforcement Officer Uses P2P Client to Search for Contraband – Keywords & Hashes

• Download of Possible Contraband Initiated

• P2P Client Shows IP Address of Source

• List of Files at That Source Can Be Viewed

• IP Address Is Traced to Physical Address

• Warrant Obtained for Search and Seizure of Computer Equipment at That Address


P2P In the Courts

• An area of increasing interest for courts: roughly 300 federal decisions involving P2P software – only 25 or so state decisions

• Does law enforcement use of P2P client constitute “search” of suspect’s computer?

• Questions of control and distribution by suspect

• Enhancements under sentencing guidelines


Recent P2P Decisions

• Comcast v. F.C.C., 08-1291 (D.C. Cir. April 6, 2010) – rejecting F.C.C.’s ability to regulate network traffic

• U.S. v. Dodd, 09-1946 (8th Cir. 2010) – P2P supports sentencing enhancement

• U.S. v. Dyer, 589 F.3d 520 (1st Cir. 2009) – P2P can enhance sentence for distribution

• U.S. v. Borowy, 595 F.3d 1045 (9th Cir. 2010) --No 4th Amend. violation in LimeWireinvestigation


What’s That Doing on My Hard Drive?

• Web Browser Overview• Web Browser Caches & Cookies• “Every Breath You Take …”• File Storage, Deletion, and

Recovery• Caches in the Courts


Multiple Browsers, Multiple Caches

• First There Was Netscape …• Internet Explorer, Mozilla,

Opera, Google Chrome• Safari and Mac variants• Extract cache files or analyze

diskwww.FrederickLane.com www.ComputerForensicsDigest.com

Cache Value

• Small Hard Drives & Dial-Up

• Hidden Files

• Organized by User

• Thumbnails

• Is “Private Mode” Really Private?


Other Types of Web History

• Cookies

• Directory Listings

• Email

• Network Logs

• Internet Service Providerswww.FrederickLane.com www.ComputerForensicsDigest.com

Distressingly Durable Data

• A Quick Overview of Computer Forensics

• The Hardware of Data Storage– Drives, Disks, RAM, ROM,

Flash, etc.

• Directories & Files• I Never Metadata …


The Great Delete Myth


• Of DOS and Disks




• Sneakernets




• Sneakernets

• “Information Wants to Be Free”




• Sneakernets


• “Intriguing but vague”




• Sneakernets


• “Intriguing but vague”

• Whole Earth Duplication

Some Common File Questions …

• File Timestamps – Created, Last Modified, Last Accessed?

• Is It Possible to Determine Length of Time an Image or Video Was Viewed?

• Files Lost in Space: Allocated, Unallocated, Slack, Other Partitions

• All Thumbs.db


Cache in the Courts

• U.S. v. Vosburgh, 08-4702 (3d Cir. April 20, 2010) [pro-Gov.] – Thumbs.db

• U.S. v. Kain, 589 F.3d 945 (8th Cir. 2009) [pro-Gov.]

• U.S. v. Miller, 527 F.3d 54 (3rd Cir. 2008) [even]

• U.S. v. Kuchinski, 469 F.3d 853 (9th Cir. 2006); U.S. v. Romm, 455 F.3d 990 (9th Cir. 2006) [pro-defendant]

• U.S. v. Tucker, 305 F.3d 1193 (10th Cir. 2002) [pro-Gov.]


Survey/Feedback

http://bit.ly/cfDZCY

(survey open until

August 6, 2010 at 5:00 p.m.)


LimeWire Made Me Do It

Frederick S. [email protected]


Federal Public Defender of Middle Tennessee andFederal Defender Services of Eastern Tennessee, Inc.

30 July 2010


And Other Digital Follies
