Authors: Robert Erdely, Thomas Kerle, Brian Levine (University of Massachusetts Amherst), Marc Liberatore (University of Massachusetts Amherst), Clay Shields (Georgetown University)



The investigation of peer-to-peer (p2p) file-sharing networks is now of critical interest to law enforcement. P2P networks are extensively used for the sharing and distribution of contraband. We detail the functionality of two p2p protocols, Gnutella and BitTorrent, and describe the legal issues pertaining to investigating such networks. We present an analysis of the protocols focused on the items of particular interest to investigators, such as the value of evidence given its provenance on the network. We also report our development of RoundUp, a tool for Gnutella investigations that follows the principles and techniques we detail for networking investigations. RoundUp has experienced rapid acceptance and deployment: it is currently used by 52 Internet Crimes Against Children (ICAC) Task Forces, who each share data from investigations in a central database. Using RoundUp, since October 2009, over 300,000 unique installations of Gnutella have been observed by law enforcement sharing knew contraband in the U.S. Using leads and evidence from RoundUp, a total of 558 search warrants have been issued and executed during that time.