Investigation of Artifacts Left by BitTorrent Client on the Local Computer Operating under Windows 8.1

  • Algimantas Venčkauskas Kaunas University of Technology
  • Vacius Jusas Kaunas University of Technology, Lithuania
  • Kęstutis Paulikas Kaunas University of Technology
  • Jevgenijus Toldinas Kaunas University of Technology
Keywords: BitTorrent protocol, forensics investigation, Windows registry, cybercrime


The BitTorrent client application is a popular tool for downloading large files from the Internet, but it is quite frequently used for illegal purposes, which is one type of cybercrime. In order to fight this type of cybercrime, we carried out research in which we investigated the evidence left by the BitTorrent client application in the registry under the Windows 8.1 operating system. The experiment was carried out in three steps: installation, download, and uninstallation. Snapshots of the registry were taken before and after each step and compared. Changes in the Windows registry were collected and combined into tables. The experiment revealed that the BitTorrent client application creates Windows registry artefacts that can contain information which might be used as evidence during an investigation. The evidence remains in the registry even after the removal of the application, although it can prove only the fact that the application was used. Investigation of the file system can reveal the purpose and the contents of the BitTorrent client session.
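
The snapshot comparison described above can be sketched as follows. This is an added example, not code from the paper: it assumes the snapshots are .reg text exports, and every key name and value in it is a constructed placeholder rather than an artefact reported by the authors.

```python
import re

# Constructed .reg snapshots (placeholder keys, not findings from the paper).
BASE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleOther]
"Setting"=dword:00000001
'''
CLASSES = r'''
[HKEY_CURRENT_USER\Software\Classes\.exampleext]
@="ExampleClient.File"
'''
CLIENT = r'''
[HKEY_CURRENT_USER\Software\ExampleClient]
"InstallPath"="C:\\Example"
'''
SNAPSHOTS = {  # one export per experiment step, in order
    "baseline": BASE,
    "installed": BASE + CLASSES + CLIENT,
    "downloaded": BASE + CLASSES + CLIENT + r'"LastSaveDir"="C:\\Downloads"' + "\n",
    "uninstalled": BASE + CLASSES,  # the client key is gone, the file association stays
}

# A value line is @=... (default value) or "name"=...; names may hold escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Map (key, value_name) -> data; (key, "") marks the key itself.
    Multi-line hex continuation lines are ignored in this sketch."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, "")] = None
        elif key and (m := VALUE_RE.match(line)):
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def diff(before, after):
    """Entries added, removed or changed between two parsed snapshots."""
    return {"added": sorted(k for k in after if k not in before),
            "removed": sorted(k for k in before if k not in after),
            "changed": sorted(k for k in after if k in before and before[k] != after[k])}

def residual(baseline, final):
    """Entries still present after uninstallation that the clean baseline lacked."""
    return sorted(k for k in final if k not in baseline)

PARSED = {name: parse_reg(text) for name, text in SNAPSHOTS.items()}
```

Calling `diff` on consecutive entries of `PARSED` gives the per-step change tables, and `residual(PARSED["baseline"], PARSED["uninstalled"])` lists what survives removal of the application.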