My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 ? Log Files artefacts)

Published: 2017-07-05. Last Updated: 2017-07-06 07:44:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

[This is a second guest diary by Dr. Ali Dehghantanha. You can find his first diary here. If you would like to propose a guest diary, please let us know]

Continuing the earlier post on the investigation of BitTorrent Sync version 2.0; this post discusses evidence that can be extracted from related log files of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.

BitTorrent Sync stores logs in the application folder and the filename of which is displayed as ‘sync.log’. The default log size is 100MB and can be modified by the user. When the maximum size is reached, the log file is renamed to sync.log.old, and a new sync.log file will be created. As BitTorrent Sync does not implement an encryption algorithm to secure its logs, the logs could be easily accessible using a text editor. The log file is important as it would aid in identifying BitTorrent Sync events around a specific time of the incident. Table 1 and Table 2 below summarize a list of notable log entries forensic interest from sync.log.

Table 1: Log entries of forensic interest from sync.log.

Relevance

Examples of log entries obtained in our research

Enables a practitioner to identify the BitTorrent Sync version installed on the device under investigation.
  • platform: Windows workstation 6.3.0 x86

version: 2.0.93

Assist the practitioner in determining the non-encoded peer ID of the device under investigation.
  • [2015-04-03 16:18:32] My PeerID: 103B760A3674FE44C4A512B4EF802D452F633F99

A master folder will only be created during identity creation. This potentially allows the practitioner to determine when BitTorrent Sync was first used on a device.
  • [2015-04-03 16:19:50] MD[init]: Master Folder: create

May assist the practitioner in determining the IP addresses used by the device under investigation.
  • [2015-04-03 16:18:30] Using IP address 192.168.220.176
  • [2015-04-03 16:31:03] Changing IP address from 192.168.220.176 to 192.168.220.143

Informs the practitioner the IP addresses used by the peer devices.
  • [2015-04-04 09:05:32] Incoming connection from 192.168.220.176:49734
  • [2015-04-03 16:51:58] SD[BBAD]: Peer 1: local IP 192.168.220.176:20566
  • [2015-04-03 16:51:47] SD[BBAD]: Got ping (broadcast: 1) from peer 192.168.220.176:20566 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5)
  • Peer 1: 60.50.83.170:49449 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5
  • [2015-04-05 08:23:56] SF[1F7E] [A2B5]: Found peer 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5 192.168.220.176:49759 direct:1 transport:1 version: 2.0.93

Allows a practitioner to identify the device names of the peer devices.
  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)

Since most peer IDs are stored in base32 format in the metadata and configuration files, these log entries would provide a potential method for identification of the actual (non-encoded) peer IDs from the device names.

  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (107C1CFB546B565559FE2929E7B7C8804E7302F0)
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)
  • [2015-04-17 12:51:19] API: callback id=19, value="{ "value": {"peerid":"CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV"}}", can_deferred=0, _delegate=0x1c57d48…

May assist the practitioner in determining the share IDs for the shared folders added.
  • [2015-04-05 11:37:54] SSLEH[0x15fa28b0]: hello packet { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 } has been sent
  • [2015-04-05 11:37:54] SSLEH[0x08e849e8]: received hello packet, { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 }
  • [2015-04-05 11:47:58] Requesting peers from tracker 52.1.1.135:3000 for share 6C25389E651AC160F91ECAF3D9A249C58F6BED15

Enables identification of the shared folder names/IDs created on the device under investigation.
  • [2015-04-04 20:36:45] FC[B5E2]: started periodic scan for "\\?\C:\Sync"
  • [2015-04-05 11:37:57] MD[A965]: [apply] Processing folder "Sync" (-2775350472753142605)

Assists the practitioner in determining the synced filenames or folder names as well as the addition/creation times.
  • [2015-04-05 08:24:17] JOURNAL[22F5]: new torrent created for file Enron3111.txt mt:1418488391 9603FC44BB0F59A822FA3331A1802F880ABA583B

[2015-04-05 08:24:17] JOURNAL[22F5]: setting time for file "\\?\C:\Sync\Enron3111.txt" to 1428193457

[2015-04-05 08:24:17] JOURNAL[22F5]: insert file "\\?\C:\Sync\Enron3111.txt" = 131072:22982

Informs the practitioner folder names for the deleted folders as well as the deletion times.

  • [2015-06-28 23:41:17] Folder being removed from this device and the files at '\\?\C:\Sync' are being removed.

Allows the practitioner to determine the local identity’s disconnection time.
  • [2015-04-05 09:12:01] Master Folder Controller: disconnect master folder

Table 2: Records of BitTorrent Sync’s Application Programming Interface (API) response bodies (in JSON format) of forensic interest from sync.log.

Relevance

Examples of log entries obtained in our research

Provides the practitioner details about the device under investigation such as the peer ID, device name, last online time, last sync completed time, and folder IDs for the shared folders created/added.
  • [2015-04-05 09:11:53] API: <-- getmfdevices({ "status": 200, "value": [{ "aod": false, "devicename": "WIN-KMM6MUN4701", "folders": [ { "added": true, "id": -7338009380596345790, "mode": 1 }, { "added": true, "id": 3964779361527927184, "mode": 1 }, { "added": true, "id": 4780923171276619705, "mode": 1 }, { "added": true, "id": 5471258729987051831, "mode": 1 } ], "id": "CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV", "lastseen": 1428196287, "lastsynccompleted": 1428196287, "name": "WIN-KMM6MUN4701", "online": true, "self": false, "syncerr": 0, "syncerrmsg": "", "userid": "" } ] })…

Assists the practitioner in determining the pending user requests sent to the device under investigation including the folder IDs (if any), the times when the requests were sent, access permissions, as well as the requester’s IP addresses and certificate fingerprints.

  • [2015-04-03 16:51:48] API: <-- getpendingrequests({ "status": 200, "value": [ { "access_level": 3, "id": "5471258729987051831", "ip": "192.168.220.176", "license": false, "readwrite": true, "time": 1428051108, "user_identity": { "devicename": "device", "fingerprint": "2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ", "username": "Guest" } } ] })…

May assist a practitioner in determining the folder names, folder IDs, storage paths, folder sizes, timestamp information, as well as peer device names, peer IDs, and fingerprints associated with the shared folders added by or downloaded to the device under investigation.
  • [2015-04-05 09:05:37] API: <-- getsyncfolders({ "folders": [ { "access": 4, "archive": "C:\\Sync\\.sync\\Archive", "archive_files": 3, "archive_size": 153187, "date_added": 1428049323, "down_eta": 0, "down_speed": 0, "down_status": 100, "error": 0, "files": 3, "folderid": "5471258729987051831", "has_key": true, "indexing": false, "ismanaged": true, "iswritable": true, "last_modified": 1428053450, "name": "Sync", "path": "C:\\Sync", "paused": false, "peers": [ { "direct": true, "downdiff": 0, "id": "10DEC8109E524439D9454ABE2BB1475BF7D5A2B5", "isonline": true, "lastreceivedtime": 0, "lastsenttime": 1428051120, "lastsynctime": 1428051129, "name": "WIN-KMM6MUN4701", "updiff": 0, "userid": "UQO52P4G5O2QU6OOGX3AS7R6RUAU22JBBWJ4H2CYNXHRO3KIRVBQ" }], "size": 321638, "status": "314.0 kB in 3 files", "stopped": false, "synclevel": 2, "up_eta": 0, "up_speed": 0, "up_status": 100, "users": [{ "access": 3, "id": "2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ", "name": "Guest" } ] },

Informs the practitioner the storage path for the device under investigation.
  • [2015-04-03 16:43:13] API: <-- getfoldersstoragepath({ "status": 200, "value": "C:\\Users\\anonymous\\BitTorrent Sync" })
  • [2015-04-05 09:05:33] API: <-- setfoldersstoragepath({ "path": "C:\\Users\\anonymous\\BitTorrent Sync", "status": 200 })

Allows the practitioner to identify the folder name, path, and timestamp references for the shared folders added by the device under investigation.
  • [2015-04-04 20:27:22] API: --> addsyncfolder(path=C%3A%5CSync&selectivesync=false&t=1428150442927)

Contains copy of history.dat file (see section 4.1) at the time of request.
  • [2015-04-05 08:33:06] API: <-- history({ "status": 200, "value": [{ "id": 39, "msg": "WIN-KMM6MUN4701 updated file Enron3111.zip", "time": 1428193777 }, { "id": 38, "msg": "WIN-KMM6MUN4701 updated file Enron3111.txt", "time": 1428193777 }, { "id": 37, "msg": "Remote peer removed file Enron3111.rtf", "time": 1428193777 }, { "id": 13, "msg": "Added file Enron3111.docx", "time": 1428153859 }…

 

The next post discuss about BitTorrentSync v.2 evidence retrievable from physical memory.

 

Keywords:
0 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Login here to join the discussion.


Top of page
Diary Archives