BitTorrent Sync: Network Investigation Methodology

The volume of personal information and data most Internet users find themselves amassing is ever increasing, and the fast pace of the modern world results in most people requiring instant access to their files. Millions of these users turn to cloud-based file synchronisation services, such as Dropbox, Microsoft SkyDrive, Apple iCloud and Google Drive, to enable "always-on" access to their most up-to-date data from any computer or mobile device with an Internet connection. The prevalence of recent articles regarding invasion of privacy issues and data protection breaches in the media has caused many to review their online personal data security practices. To provide an alternative to cloud-based file backup and synchronisation, BitTorrent Inc. released an alternative cloudless file backup and synchronisation service, named BitTorrent Sync in April 2013. BitTorrent Sync\´s popularity rose dramatically throughout 2013, reaching over two million active users by the end of the year. This paper outlines a number of scenarios where the network investigation of the service may prove invaluable as part of a digital forensic investigation. An investigation methodology is proposed outlining the required steps involved in retrieving digital evidence from the network and the results from a proof of concept investigation are presented.