ImraanP wrote:
In what locations would the artefacts be created when downloading files using a torrent in uTorrent?
That's one of the basic questions an FE would like to have answered, yes. It's a question that needs to be answered completely, though: taking product releases, user configuration and perhaps even platform localization into account. (You, on the other hand, may need to consider only one platform or a small subset of releases to keep the work from ballooning out of control.)
But I would expect you to fill in many of the missing questions yourself, as they are more or less standard questions for just about any software product:
Is there or has there been a uTorrent client installed or otherwise present on the equipment examined? (i.e. what unique footprint does the software leave?)
When was it installed/downloaded/etc?
When was it used? By whom?
How was it used -- downloads as well as uploads? Or perhaps neither?
What transactions (downloads/uploads/other) can be traced? Can any transferred data be identified? Where are/were the files stored?
Are there any secondary footprints that appear during use, and may be left after removal? (In this area is client-specific malware -- are there any particular vulnerabilities associated with uTorrent clients? Are there any known exploits? Can successful exploits be identified? While interesting, it's not of primary importance, though)
(You may also want to cast an eye at uTorrent servers for the same platform, so as to ensure that you don't mistakenly identify a uTorrent server installation for a client.)
Some of those questions may be best answered by non-uTorrent artifacts -- prefetch records, etc. Those would probably be of secondary interest for your work.
There also may be additional uTorrent-specific questions that are of forensic interest, of course.