P2P Marshal™—Peer-to-Peer System Analysis
A digital forensic examiner must often examine files that have been shared on a target computer through peer-to-peer (P2P) technology. Currently, this analysis is manually intensive and time-consuming: investigators must determine which types of P2P clients were used, identify all the files associated with each client, and then extract information from those files in a client-specific way. Existing automated support is very limited in scope: each tool applies to only one P2P client and performs only one analysis task (for example, translating an "activity" log file into a human-readable format). This has placed a great burden on investigators operating under tight deadlines.
Using P2P Marshal, an investigator can automatically gather, in a forensically sound way, all the files related to P2P usage on a target computer. P2P Marshal shows an investigator the files that have been downloaded from a P2P network, the log files for each transaction in human-readable form, and other information of particular forensic interest (such as user name, password, and servers/peers used). P2P Marshal currently supports multiple P2P networks and is easily extensible to incorporate new P2P platforms as they arise. P2P Marshal is a stand-alone tool, requiring no additional software.
Download this article from the 2007 Digital Forensic Research Workshop (DFRWS) for a discussion of P2P Marshal (717K PDF).
With development sponsored by the U.S. National Institute of Justice, the tool is available free of charge to the U.S. law enforcement community.
For more information about P2P Marshal, visit www.p2pmarshal.com.
