
File Marshal: Automatic Extraction of Peer-to-Peer Data

NCJ Number: 241126
Date Published:
Author(s): Frank Adelstein, Robert A. Joyce
Annotation: This article describes the general design and features of a software tool (“File Marshal”) that assists investigators in determining what peer-to-peer (P2P) software is present on a computer and where the associated information is stored, followed by retrieval of the information and analysis of the results.
Abstract: P2P file sharing networks are often used in crimes such as the illegal penetration of business and government computer systems, trafficking in child pornography, enticing children from the safety of their homes, and attacking critical infrastructure such as computer networks and power grids. Consequently, computers involved in these crimes are significant sources of information. Of particular interest to investigators are the configuration parameters (user name, password, and peers/servers used), times of use, time of installation, log files of any transactions, and the downloaded (or shared) files themselves. Currently, an investigator must collect, categorize, and analyze all of this information manually. File Marshal is a digital forensic tool that automates the tedious and time-consuming process of looking for evidence of P2P usage. File Marshal performs these tasks in a forensically valid way and presents the results in a readable form on-screen and in a format that can easily be incorporated into a report. This article describes the overall operation and capabilities of File Marshal, including the three models of operation, logging and report generation, and a description of search capabilities. The article also describes the registry library, along with the user interface and the back-end configuration. At the time this article was written, File Marshal was a work in progress being developed through a grant from the National Institute of Justice. An initial prototype had demonstrated its capabilities. A beta release was planned for the end of summer 2007. In early 2008, File Marshal was scheduled to be made available to law enforcement at no cost. 4 figures
Date Created: December 30, 2007