Proposal / Submission Type
Presentation
Location
Richmond, Virginia
Start Date
10 June 2013, 1:45 PM
Abstract
Tracing contraband downloads leads investigators to an IP address, and an Internet Service Provider (ISP) can in turn map that IP address to a physical location. However, most homes and offices share one IP address among many computers over a wireless network, so a further investigation is needed to determine which computer was responsible for the contraband downloads. To make matters worse, these shared wireless networks often have weak access control, such as WEP or weak passwords; in such cases any computer in radio range, not necessarily one at the given physical address, could be responsible. We use shallow packet analysis to identify which computer on the shared wireless network is participating in peer-to-peer downloads. Our approach does not require packet content and thus does not require a wiretap warrant. We discuss the characteristics of peer-to-peer traffic and show how we derive and use them. Our approach monitors patterns in the duration, frequency, amount of data uploaded and downloaded, and download speed of all connections. In particular, we monitor the traffic distribution over time for each connection and combine connections based on their unencrypted header information to learn which connections are likely to stem from which application.
Keywords: peer-to-peer, contraband download, tracing, investigation tool
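The following is an added illustration of the kind of header-only analysis the abstract describes; it is not the authors' tool and does not reproduce their method. It assumes connection records already summarised from 802.11 and IP/TCP/UDP headers (client MAC, remote address and port, start and end time, bytes in each direction) and applies constructed, illustrative thresholds for the traits the abstract names: connection duration, frequency (number of concurrent connections and distinct peers), upload versus download volume, and download rate. The flow records are constructed sample data, not a real capture.

```python
"""Rank clients on a shared wireless network by P2P-like behaviour,
using connection metadata only (no payload). Illustrative example;
thresholds and sample data are assumptions, not from the paper."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One connection summarised from headers only (constructed fields)."""
    client_mac: str   # 802.11 source address; readable even on WEP/WPA links
    remote_ip: str
    remote_port: int
    start: float      # seconds since capture start
    end: float
    bytes_up: int
    bytes_down: int


def max_concurrency(flows):
    """Largest number of a client's connections open at the same instant.
    Ends sort before starts at equal timestamps (half-open intervals)."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows])
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best


def client_features(flows):
    """Per-client summary of the header-level traits named in the abstract."""
    durations = [f.end - f.start for f in flows]
    up = sum(f.bytes_up for f in flows)
    down = sum(f.bytes_down for f in flows)
    return {
        "flows": len(flows),
        "distinct_peers": len({f.remote_ip for f in flows}),
        "max_concurrent": max_concurrency(flows),
        "median_duration_s": median(durations),
        "high_port_fraction": sum(f.remote_port > 1024 for f in flows) / len(flows),
        "upload_ratio": up / (up + down) if up + down else 0.0,
        "download_rate_Bps": down / max(sum(durations), 1e-9),
    }


def p2p_score(feat):
    """Count P2P-typical traits present. Thresholds are illustrative assumptions:
    many peers, many concurrent sessions, long-lived sessions, non-service
    ports on the remote side, and a substantial share of bytes uploaded."""
    traits = [
        feat["distinct_peers"] >= 8,
        feat["max_concurrent"] >= 5,
        feat["median_duration_s"] >= 60,
        feat["high_port_fraction"] >= 0.8,
        feat["upload_ratio"] >= 0.3,
    ]
    return sum(traits)


def classify(flows, threshold=4):
    """Group flows by client MAC and return {mac: {score, likely_p2p, features}}."""
    by_client = defaultdict(list)
    for f in flows:
        by_client[f.client_mac].append(f)
    result = {}
    for mac, fl in by_client.items():
        feat = client_features(fl)
        score = p2p_score(feat)
        result[mac] = {"score": score, "likely_p2p": score >= threshold, **feat}
    return result


def sample_flows():
    """Constructed metadata for three clients behind one access point."""
    web = "aa:aa:aa:aa:aa:01"   # a few short HTTPS fetches, download-heavy
    p2p = "bb:bb:bb:bb:bb:02"   # many long, overlapping, symmetric high-port sessions
    vid = "cc:cc:cc:cc:cc:03"   # one long HTTPS stream, almost pure download
    flows = [Flow(web, f"203.0.113.{i + 1}", 443, 10 * i, 10 * i + 2, 4_000, 300_000)
             for i in range(6)]
    flows += [Flow(p2p, f"198.51.100.{i + 1}", 49152 + 97 * i, 5 + 3 * i, 405 + 3 * i,
                   5_000_000, 6_000_000) for i in range(12)]
    flows.append(Flow(vid, "192.0.2.10", 443, 0, 600, 50_000, 400_000_000))
    return flows


if __name__ == "__main__":
    for mac, r in sorted(classify(sample_flows()).items(),
                         key=lambda kv: kv[1]["score"], reverse=True):
        print(f"{mac}  score={r['score']}  likely_p2p={r['likely_p2p']}  "
              f"peers={r['distinct_peers']}  concurrent={r['max_concurrent']}  "
              f"upload_ratio={r['upload_ratio']:.2f}")
```

Nothing here reads beyond the unencrypted headers, and the client is identified by its 802.11 address rather than the shared public IP, which is the point of the abstract. On a real capture the thresholds would need tuning against the local baseline, and a streaming client or a busy web user can share individual traits with a P2P client; the score only becomes meaningful when several traits coincide.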
Scholarly Commons Citation
Piel, Simon and Jung, EJ, "Identifying Peer-to-Peer Traffic on Shared Wireless Networks" (2013). Annual ADFSL Conference on Digital Forensics, Security and Law. 3.
https://commons.erau.edu/adfsl/2013/monday/3
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
Identifying Peer-to-Peer Traffic on Shared Wireless Networks