<p>[This is a second guest diary by Dr. ] This post discusses evidence that can be extracted from the log files of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.</p>
<p>BitTorrent Sync stores its logs in the application folder under the filename sync.log.</p>
<table>
<tr><th><strong>Relevance</strong></th><th><strong>Examples of log entries obtained in our research</strong></th></tr>
<tr><td><p>Enables a practitioner to identify the BitTorrent Sync version installed on the device under investigation.</p></td><td>
<ul>
<li>platform: Windows workstation 6.3.0 x86</li>
<li>version: 2.0.93</li>
</ul>
</td></tr>
<tr><td><p>Assists the practitioner in determining the non-encoded peer ID of the device under investigation.</p></td><td>
<ul>
<li>[2015-04-03 16:18:32] My PeerID: 103B760A3674FE44C4A512B4EF802D452F633F99</li>
</ul>
</td></tr>
<tr><td><p>A master folder is only created during identity creation. This potentially allows the practitioner to determine when BitTorrent Sync was first used on a device.</p></td><td>
<ul>
<li>[2015-04-03 16:19:50] MD[init]: Master Folder: create</li>
</ul>
</td></tr>
<tr><td><p>May assist the practitioner in determining the IP addresses used by the device under investigation.</p></td><td>
<ul>
<li>[2015-04-03 16:18:30] Using IP address 192.168.220.176</li>
<li>[2015-04-03 16:31:03] Changing IP address from 192.168.220.176 to 192.168.220.143</li>
</ul>
</td></tr>
<tr><td><p>Informs the practitioner of the IP addresses used by the peer devices.</p></td><td>
<ul>
<li>[2015-04-04 09:05:32] Incoming connection from 192.168.220.176:49734</li>
<li>[2015-04-03 16:51:58] SD[BBAD]: Peer 1: local IP 192.168.220.176:20566</li>
<li>[2015-04-03 16:51:47] SD[BBAD]: Got ping (broadcast: 1) from peer 192.168.220.176:20566 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5)</li>
<li>Peer 1: 60.50.83.170:49449 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5</li>
<li>[2015-04-05 08:23:56] SF[1F7E] [A2B5]: Found peer 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5 192.168.220.176:49759 direct:1 transport:1 version: 2.0.93</li>
</ul>
</td></tr>
<tr><td><p>Allows a practitioner to identify the device names of the peer devices.</p></td><td>
<ul>
<li>[2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer <strong>WIN-KMM6MUN4701</strong> (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93</li>
<li>[2015-04-17 12:51:19] MD[A965]: new device found <strong>WIN-KMM6MUN4701</strong> (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)</li>
</ul>
</td></tr>
<tr><td><p>Since most peer IDs are stored in base32 form in the metadata and configuration files, these log entries provide a potential method for mapping device names to the actual (non-encoded) peer IDs.</p></td><td>
<ul>
<li>[2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (<strong>10DEC8109E524439D9454ABE2BB1475BF7D5A2B5</strong>) 2.0.93</li>
<li>[2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (<strong>107C1CFB546B565559FE2929E7B7C8804E7302F0</strong>)</li>
<li>[2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (<strong>CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV</strong>)</li>
<li>[2015-04-17 12:51:19] API: callback id=19, value={ value: {peerid:<strong>CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV</strong>}}, can_deferred=0, _delegate=0x1c57d48</li>
</ul>
</td></tr>
<tr><td><p>May assist the practitioner in determining the share IDs of the shared folders added.</p></td><td>
<ul>
<li>[2015-04-05 11:37:54] SSLEH[0x15fa28b0]: hello packet { <strong>share:6C25389E651AC160F91ECAF3D9A249C58F6BED15</strong> } has been sent</li>
<li>[2015-04-05 11:37:54] SSLEH[0x08e849e8]: received hello packet, { <strong>share:6C25389E651AC160F91ECAF3D9A249C58F6BED15</strong> }</li>
<li>[2015-04-05 11:47:58] Requesting peers from tracker 52.1.1.135:3000 for share <strong>6C25389E651AC160F91ECAF3D9A249C58F6BED15</strong></li>
</ul>
</td></tr>
<tr><td><p>Enables identification of the shared folder names/IDs created on the device under investigation.</p></td><td>
<ul>
<li>[2015-04-04 20:36:45] FC[B5E2]: started periodic scan for <strong>\\?\C:\Sync</strong></li>
<li>[2015-04-05 11:37:57] MD[A965]: [apply] Processing folder <strong>Sync (-2775350472753142605)</strong></li>
</ul>
</td></tr>
<tr><td><p>Assists the practitioner in determining the synced file or folder names as well as their addition/creation times.</p></td><td>
<ul>
<li>[2015-04-05 08:24:17] JOURNAL[22F5]: new torrent created for file Enron3111.txt mt:1418488391 9603FC44BB0F59A822FA3331A1802F880ABA583B</li>
<li>[2015-04-05 08:24:17] JOURNAL[22F5]: setting time for file \\?\C:\Sync\Enron3111.txt to 1428193457</li>
<li>[2015-04-05 08:24:17] JOURNAL[22F5]: insert file \\?\C:\Sync\Enron3111.txt = 131072:22982</li>
</ul>
</td></tr>
<tr><td><p>Informs the practitioner of the folder names of deleted folders as well as the deletion times.</p></td><td>
<ul>
<li>[2015-06-28 23:41:17] Folder being removed from this device and the files at \\?\C:\Sync are being removed.</li>
</ul>
</td></tr>
<tr><td><p>Allows the practitioner to determine the local identity's disconnection time.</p></td><td>
<ul>
<li>[2015-04-05 09:12:01] Master Folder Controller: disconnect master folder</li>
</ul>
</td></tr>
</table>
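<p>As an added example (not part of the original diary), the following Python script correlates the two peer ID forms shown in the entries above: it pulls device name / 40-hex-digit peer ID pairs from "Got id message" entries and device name / 32-character base32 ID pairs from "new device found" entries, then checks whether the base32 value decodes to the same 20 bytes as the hex value. The sample lines are copied from the table above; the regular expressions and function names are my own.</p>

```python
import base64
import re

# Constructed sample, copied from the sync.log entries in the table above. The
# ping entry carries a hex peer ID but no device name, so it is not mapped.
SAMPLE_LOG = """\
[2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
[2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (107C1CFB546B565559FE2929E7B7C8804E7302F0)
[2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)
"""

# "Got id message" entries: device name + 40-hex-digit (20-byte) peer ID.
ID_MSG_RE = re.compile(r"Got id message from peer (\S+) \(([0-9A-F]{40})\)")
# "new device found" entries: device name + 32-character base32 ID.
NEW_DEV_RE = re.compile(r"new device found (\S+) \(([A-Z2-7]{32})\)")


def base32_to_hex(b32_id: str) -> str:
    """32 base32 chars encode exactly 20 bytes, so no '=' padding is needed."""
    return base64.b32decode(b32_id).hex().upper()


def hex_to_base32(hex_id: str) -> str:
    """Inverse: search metadata/config files for a hex ID seen in sync.log."""
    return base64.b32encode(bytes.fromhex(hex_id)).decode("ascii")


def correlate_peer_ids(log_text: str) -> dict:
    """Map device name -> {'hex', 'base32', 'consistent'} from sync.log text.

    'consistent' is True when both forms were seen and the base32 form decodes
    to the hex form, False on a mismatch, None when only one form was seen (a
    hex value derived from base32 alone is then filled in and marked derived).
    """
    devices: dict = {}
    for line in log_text.splitlines():
        if m := ID_MSG_RE.search(line):
            devices.setdefault(m.group(1), {})["hex"] = m.group(2)
        elif m := NEW_DEV_RE.search(line):
            devices.setdefault(m.group(1), {})["base32"] = m.group(2)
    for info in devices.values():
        if "hex" in info and "base32" in info:
            info["consistent"] = base32_to_hex(info["base32"]) == info["hex"]
        else:
            info["consistent"] = None
            if "base32" in info:
                info["hex"] = base32_to_hex(info["base32"])
                info["derived"] = True
    return devices
```

<p>On the entries above the base32 ID CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV decodes to exactly the hex peer ID 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5, so a hex ID from sync.log can be re-encoded with hex_to_base32 and searched for directly in the base32 metadata and configuration files.</p>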
<p>Table 2: Records of BitTorrent Sync</p>
<table>
<tr><th><strong>Relevance</strong></th><th><strong>Examples of log entries obtained in our research</strong></th></tr>
<tr><td><p>Provides the practitioner with details about the device under investigation such as the peer ID, device name, last online time, last sync completed time, and folder IDs of the shared folders created/added.</p></td><td>
<ul>
<li>[2015-04-05 09:11:53] API: -- getmfdevices({ status: 200, value: [{ aod: false, devicename: WIN-KMM6MUN4701, folders: [ { added: true, id: -7338009380596345790, mode: 1 }, { added: true, id: 3964779361527927184, mode: 1 }, { added: true, id: 4780923171276619705, mode: 1 }, { added: true, id: 5471258729987051831, mode: 1 } ], id: CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV, lastseen: 1428196287, lastsynccompleted: 1428196287, name: WIN-KMM6MUN4701, online: true, self: false, syncerr: 0, syncerrmsg: , userid: } ] })</li>
</ul>
</td></tr>
<tr><td><p>Assists the practitioner in determining the pending user requests sent to the device under investigation, including the folder IDs (if any), the times when the requests were sent, the access permissions, and the requesters' IP addresses and certificate fingerprints.</p></td><td>
<ul>
<li>[2015-04-03 16:51:48] API: -- getpendingrequests({ status: 200, value: [ { access_level: 3, id: 5471258729987051831, ip: 192.168.220.176, license: false, readwrite: true, time: 1428051108, user_identity: { devicename: device, fingerprint: 2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ, username: Guest } } ] })</li>
</ul>
</td></tr>
<tr><td><p>May assist a practitioner in determining the folder names, folder IDs, storage paths, folder sizes, and timestamp information, as well as the peer device names, peer IDs, and fingerprints associated with the shared folders added by or downloaded to the device under investigation.</p></td><td>
<ul>
<li>[2015-04-05 09:05:37] API: -- getsyncfolders({ folders: [ { access: 4, archive: C:\\Sync\\.sync\\Archive, archive_files: 3, archive_size: 153187, date_added: 1428049323, down_eta: 0, down_speed: 0, down_status: 100, error: 0, files: 3, folderid: 5471258729987051831, has_key: true, indexing: false, ismanaged: true, iswritable: true, last_modified: 1428053450, name: Sync, path: C:\\Sync, paused: false, peers: [ { direct: true, downdiff: 0, id: 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5, isonline: true, lastreceivedtime: 0, lastsenttime: 1428051120, lastsynctime: 1428051129, name: WIN-KMM6MUN4701, updiff: 0, userid: UQO52P4G5O2QU6OOGX3AS7R6RUAU22JBBWJ4H2CYNXHRO3KIRVBQ }], size: 321638, status: 314.0 kB in 3 files, stopped: false, synclevel: 2, up_eta: 0, up_speed: 0, up_status: 100, users: [{ access: 3, id: 2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ, name: Guest } ] }, </li>
</ul>
</td></tr>
<tr><td><p>Informs the practitioner of the storage path on the device under investigation.</p></td><td>
<ul>
<li>[2015-04-03 16:43:13] API: -- getfoldersstoragepath({ status: 200, value: C:\\Users\\anonymous\\BitTorrent Sync })</li>
<li>[2015-04-05 09:05:33] API: -- setfoldersstoragepath({ path: C:\\Users\\anonymous\\BitTorrent Sync, status: 200 })</li>
</ul>
</td></tr>
<tr><td><p>Allows the practitioner to identify the folder name, path, and timestamp references for the shared folders added by the device under investigation.</p></td><td>
<ul>
<li>[2015-04-04 20:27:22] API: -- addsyncfolder(path=C%3A%5CSync&amp;selectivesync=false&amp;t=1428150442927)</li>
</ul>
</td></tr>
<tr><td><p>Contains a copy of the history.dat file (see section 4.1) at the time of the request.</p></td><td>
<ul>
<li>[2015-04-05 08:33:06] API: -- history({ status: 200, value: [{ id: 39, msg: WIN-KMM6MUN4701 updated file Enron3111.zip, time: 1428193777 }, { id: 38, msg: WIN-KMM6MUN4701 updated file Enron3111.txt, time: 1428193777 }, { id: 37, msg: Remote peer removed file Enron3111.rtf, time: 1428193777 }, { id: 13, msg: Added file Enron3111.docx, time: 1428153859 }</li>
</ul>
</td></tr>
</table>
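<p>Added example, not from the original diary: the bracketed prefix of each line is written from the logging device's local clock, whereas the values embedded in the JOURNAL and API entries above (setting time ... to N, time: N, lastseen: N, and the millisecond t= parameter of addsyncfolder) are Unix epoch values and therefore UTC. Comparing the two on the entries shown in both tables lets a practitioner convert the embedded values and infer the device's UTC offset. The sample lines are shortened copies of entries from the tables above; the local-clock assumption, the regular expressions and the function names are mine.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: shortened copies of entries from the tables above. The
# bracketed prefix is assumed to be the logging device's local clock; the
# embedded values are Unix epoch seconds (milliseconds for the t= parameter).
SAMPLE_LINES = [
    r"[2015-04-05 08:24:17] JOURNAL[22F5]: setting time for file \\?\C:\Sync\Enron3111.txt to 1428193457",
    "[2015-04-03 16:51:48] API: -- getpendingrequests({ status: 200, value: [ { id: 5471258729987051831, ip: 192.168.220.176, time: 1428051108 } ] })",
    "[2015-04-04 20:27:22] API: -- addsyncfolder(path=C%3A%5CSync&selectivesync=false&t=1428150442927)",
]

LINE_TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# Epoch fields seen in these entries; a 13-digit value is in milliseconds.
EPOCH_RE = re.compile(
    r"(?:setting time for file .* to |\btime: |\blastseen: |[?&]t=)(\d{10}(?:\d{3})?)"
)


def parse_entry(line: str):
    """Return (local_ts, embedded_utc, utc_offset) or None if no epoch field."""
    m_ts, m_ep = LINE_TS_RE.match(line), EPOCH_RE.search(line)
    if not (m_ts and m_ep):
        return None
    local_ts = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
    raw = m_ep.group(1)
    epoch = int(raw) / 1000 if len(raw) == 13 else int(raw)
    embedded = datetime.fromtimestamp(epoch, tz=timezone.utc)
    # The embedded value is recorded at or shortly before the line is written,
    # so round the difference to the nearest 15 minutes to get a clean offset.
    delta = local_ts - embedded.replace(tzinfo=None)
    quarter = timedelta(minutes=15)
    offset = round(delta / quarter) * quarter
    return local_ts, embedded, offset


def infer_utc_offset(lines):
    """UTC offset of the device clock if all parsable entries agree, else None."""
    offsets = {p[2] for p in map(parse_entry, lines) if p}
    return offsets.pop() if len(offsets) == 1 else None
```

<p>For the three sample entries the embedded epoch values are consistently eight hours behind the bracketed timestamps (for example 1428193457 is 2015-04-05 00:24:17 UTC against a logged 08:24:17), so the research device's clock was set to UTC+8; a disagreement between entries would instead point to a clock change during the logged period.</p>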
<p>The next post discusses BitTorrent Sync v2 evidence retrievable from physical memory.</p>
© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Article Link: https://isc.sans.edu/diary/rss/22582