Computer forensics is the application of computer investigation and analysis techniques to identify and capture potential evidence that is stored, installed, or otherwise maintained within a computing device. The evidence might be sought during an investigation for a wide range of potential computer crimes, including theft of trade secrets, theft of service, theft of or destruction of intellectual property, fraud, hacking, illegal sharing of files, sharing of illegal files, and other criminal or misuse activities. Unlike paper evidence, computer evidence can exist in many forms, with earlier versions and even some deleted versions of the evidence still accessible on a storage medium. Forms of computer evidence may include, for example, system log files, executing processes, stored files and the like.
An investigator may draw on an array of methods to discover and capture evidence from a computing device. One common method for obtaining computer evidence is on-site inspection or seizure of the computer. Another common method is to create a copy or image of the target computer. The investigator may physically connect an analysis device to the target computer, physically connect an analysis device to the copy of the target device, or load analysis software on the target device to acquire and analyze the computer evidence.
Illegal sharing of files, such as copyrighted music, or sharing of illegal files, such as child pornography, is often performed via a network that implements one or more peer-to-peer (P2P) file sharing protocols through a P2P client. In such networks, peers share files directly with one another. With respect to the computing devices used by the peers, investigators are particularly interested in configuration parameters and usage information stored on the device, such as user name, password, times of use, time of install, log files of any transactions, the downloaded (or shared) files themselves, and the peers or servers contacted.
Analyzing parameters on computing devices used by peers typically requires an investigator to gather, categorize, and analyze all of the parameters by hand due at least in part to the large number of different P2P file sharing protocols and P2P clients and differing characteristics and technologies. In addition, the investigator may need to obtain some secondary software (beyond the investigator's normal tools) for each different P2P file sharing protocol or P2P client to translate a log or cache file for the respective P2P file sharing protocol into a human-readable format.
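As an added illustration of the problem described above (not code from the patent or any real P2P client), the following Python sketch registers one small parser per client artefact and maps each into the common set of fields the text lists (user name, install time, times of use, transactions, peers/servers). The client formats "alpha" and "beta" and all sample values are constructed for the example.

```python
"""Added example: normalising P2P-client artefacts from two constructed formats."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample artefacts for hypothetical clients "alpha" and "beta".
ALPHA_CONFIG = """\
[user]
name=investigator_test
install_time=1700000000
[network]
servers=10.0.0.5:4662,10.0.0.6:4662
"""
BETA_LOG = """\
2024-01-05T10:00:00Z DOWNLOAD_COMPLETE file=album.zip hash=deadbeef peer=192.0.2.10
2024-01-05T10:05:00Z UPLOAD_START file=album.zip peer=192.0.2.11
2024-01-05T10:07:00Z SESSION_END
"""

def parse_alpha_config(text: str) -> Dict:
    """Extract user name, install time and servers from an INI-style config."""
    kv = dict(re.findall(r"^(\w+)=(.*)$", text, re.M))
    install = datetime.fromtimestamp(int(kv["install_time"]), tz=timezone.utc)
    return {"client": "alpha", "user_name": kv["name"],
            "install_time": install.isoformat(),
            "peers_servers": kv["servers"].split(","), "transactions": []}

def parse_beta_log(text: str) -> Dict:
    """Translate a line-oriented transaction log into the common schema."""
    txs, peers, times = [], set(), []
    for line in text.splitlines():
        ts, event, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)  # key=value pairs after the event
        times.append(ts)
        if "peer" in attrs:
            peers.add(attrs["peer"])
        if event in ("DOWNLOAD_COMPLETE", "UPLOAD_START"):
            txs.append({"time": ts, "event": event, "file": attrs["file"]})
    return {"client": "beta", "user_name": None, "install_time": None,
            "peers_servers": sorted(peers), "transactions": txs,
            "first_use": min(times), "last_use": max(times)}

PARSERS = {"alpha.conf": parse_alpha_config, "beta.log": parse_beta_log}

def normalise(artefacts: Dict[str, str]) -> List[Dict]:
    """Run the registered parser for each artefact; unknown artefacts are reported, not silently dropped."""
    out = []
    for name, text in artefacts.items():
        parser = PARSERS.get(name)
        out.append(parser(text) if parser else {"client": name, "error": "no parser"})
    return out
```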