
2010-07-30 LimeWire Made Me Do It

A presentation delivered to the Offices of the Federal Defender for the District of Tennessee, Eastern and Middle Divisions.

Published in: Law

2010-07-30 LimeWire Made Me Do It

  1. LimeWire Made Me Do It
     • And Other Digital Follies
     • Frederick S. Lane
     • FSLane3@gmail.com
     • Federal Public Defender of Middle Tennessee and Federal Defender Services of Eastern Tennessee, Inc.
     • 30 July 2010
     • www.FrederickLane.com
     • www.ComputerForensicsDigest.com
  2. Seminar Overview – Part I
     • Introduction
     • Basics of P2P Software
     • Evidence of Intent
     • Law Enforcement Initiatives
     • P2P in the Courts
  3. Seminar Overview – Part II
     • Basics of File Storage and Web Browser Caches
     • “Every Breath You Take …”
     • Cookie Crumbs
     • Caches in the Courts
  4. Seminar Logistics
     • Ask ‘em If You’ve Got ‘em
     • Download a PDF of slides: bit.ly/a9wgM6
     • Survey/Feedback: bit.ly/cfDZCY
     • Email Me: FSLane3@gmail.com
  5-9. Personal Background
     • Computer Forensics Expert
     • Author of 5 Books
     • Chair, Burlington (VT) School Board
     • Attorney & Lecturer
     • Privacy Expert
  10. Computer Forensics Experience
     • A Decade of Computer Forensics Experience -- United States v. Dean (1999)
     • Civil and Criminal Cases
     • Emphasis on Obscenity and Child Pornography
     • Training in X-Ways Forensics
     • ComputerForensicsDigest.com & Digital Dirt Blawg
  11-15. “And File Sharing Begat P2P…”
     • Sneakernets
     • 1999 – Napster
     • DMCA = #epicfail
     • 2000 – Gnutella
     • 2009 – P2P the largest source of network traffic
  16. Popular Peer-to-Peer Networks
     • Gnutella, Gnutella2
     • BitTorrent
     • FastTrack
     • KaZaA
     • eDonkey
     • Mininova
     • Skype
  17. Popular Peer-to-Peer Clients
     • LimeWire
     • FrostWire
     • BitComet
     • Vuze
     • µTorrent
     • MP3 Rocket
     • BitTorrent
     • Morpheus
     • LimeWire Pro
     • Ares Galaxy
  18. Typical Operation of P2P Software
     • Users Download Client Software and Register for an Account
     • Users Search for Specific Types of Content
     • Users Click on a Search Result to Initiate Download
     • P2P Software Typically Downloads to a “Shared” Directory
     • Content Can Be Made Instantly Available to Other Users of P2P Software
  19. Core Issue: Extent of User Control
     • Nature and Name of Downloaded Contents
     • Evidence Downloaded Files Were “Previewed” During Download Process
     • Search Terms Used
     • Are Client Settings Default or Specialized? Directories, Sharing, etc.
     • Evidence of Degree of Sophistication
  20. Example: LimeWire Setup
  21. Federal Anti-CP Programs
     • FBI Cyber Crimes Program
     • Innocent Images National Initiative
     • Internet Crimes Against Children (ICAC)
     • National Center for Missing and Exploited Children
     • Myriad Task Forces
     • Operation Fairplay (Wyoming/TLO)
  22. Typical P2P Investigation
     • Law Enforcement Officer Uses P2P Client to Search for Contraband – Keywords & Hashes
     • Download of Possible Contraband Initiated
     • P2P Client Shows IP Address of Source
     • List of Files at That Source Can Be Viewed
     • IP Address Is Traced to Physical Address
     • Warrant Obtained for Search and Seizure of Computer Equipment at That Address
  23. P2P In the Courts
     • An area of increasing interest for courts: roughly 300 federal decisions involving P2P software – only 25 or so state decisions
     • Does law enforcement use of P2P client constitute “search” of suspect’s computer?
     • Questions of control and distribution by suspect
     • Enhancements under sentencing guidelines
  24. Recent P2P Decisions
     • Comcast v. F.C.C., 08-1291 (D.C. Cir. April 6, 2010) – rejecting F.C.C.’s ability to regulate network traffic
     • U.S. v. Dodd, 09-1946 (8th Cir. 2010) – P2P supports sentencing enhancement
     • U.S. v. Dyer, 589 F.3d 520 (1st Cir. 2009) – P2P can enhance sentence for distribution
     • U.S. v. Borowy, 595 F.3d 1045 (9th Cir. 2010) -- No 4th Amend. violation in LimeWire investigation
  25. What’s That Doing on My Hard Drive?
     • Web Browser Overview
     • Web Browser Caches & Cookies
     • “Every Breath You Take …”
     • File Storage, Deletion, and Recovery
     • Caches in the Courts
  26. Multiple Browsers, Multiple Caches
     • First There Was Netscape …
     • Internet Explorer, Mozilla, Opera, Google Chrome
     • Safari and Mac variants
     • Extract cache files or analyze disk
  27. Cache Value
     • Small Hard Drives & Dial-Up
     • Hidden Files
     • Organized by User
     • Thumbnails
     • Is “Private Mode” Really Private?
  28. Other Types of Web History
     • Cookies
     • Directory Listings
     • Email
     • Network Logs
     • Internet Service Providers
  29. Distressingly Durable Data
     • A Quick Overview of Computer Forensics
     • The Hardware of Data Storage – Drives, Disks, RAM, ROM, Flash, etc.
     • Directories & Files
     • I Never Metadata …
  30-34. The Great Delete Myth
     • Of DOS and Disks
     • Sneakernets
     • “Information Wants to Be Free”
     • “Intriguing but vague”
     • Whole Earth Duplication
  35. Some Common File Questions …
     • File Timestamps – Created, Last Modified, Last Accessed?
     • Is It Possible to Determine Length of Time an Image or Video Was Viewed?
     • Files Lost in Space: Allocated, Unallocated, Slack, Other Partitions
     • All Thumbs.db
  36. Cache in the Courts
     • U.S. v. Vosburgh, 08-4702 (3d Cir. April 20, 2010) [pro-Gov.] – Thumbs.db
     • U.S. v. Kain, 589 F.3d 945 (8th Cir. 2009) [pro-Gov.]
     • U.S. v. Miller, 527 F.3d 54 (3rd Cir. 2008) [even]
     • U.S. v. Kuchinski, 469 F.3d 853 (9th Cir. 2006); U.S. v. Romm, 455 F.3d 990 (9th Cir. 2006) [pro-defendant]
     • U.S. v. Tucker, 305 F.3d 1193 (10th Cir. 2002) [pro-Gov.]
  37. Survey/Feedback
     • http://bit.ly/cfDZCY (survey open until August 6, 2010 at 5:00 p.m.)