Forensic Investigator Outlines BitTorrent Detection Technology

NewYorkCountryLawyer writes "In one of the many BitTorrent download cases brought by pornographic film makers, the plaintiff — faced with a motion to quash brought by a "John Doe" defendant — has filed its opposition papers. Interestingly, these included a declaration by its 'forensic investigator' (PDF), employed by a German company, IPP, Limited, in which he makes claims about what his technology detects, and about how BitTorrent works, and attaches, as an exhibit, a 'functional description' of his IPTracker software (PDF)."

GUID

It is not possible that an allocated GUID is allocated to another user again.

I would look into this. As it is written it sounds, at least, misleading. Even if it is true this GUID thing for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

Read their software specs

I've read their software specs. Seems they have some typo,

The data can only be decoded and used by the responsible lawyer, only his software contains the deciphering method and this one one in this case also secret (called "public") key.

Seems at least that one typo. At least I *hope* that's a typo.

... it is not possible that an allocated GUID is allocated to another user again.

Same could be said about MACs, and cell phone ID numbers. No one ever clones those!!!

So it seems, by their reasoning, if you go on a P2P network and clone someone else's GUID, well, then I guess the other party must be guilty, no?

Seems that even if you use Bittorrent or similar to only download Linux distros or even WoW patches, someone can just clone that and use it and then they will just send the innocent the bill?

Does The IPP Company Exist?

[andersh]

Does this so-called "IPP" company in fact exist at all? I've had a cursory glance on Google, but didn't find much of interest.

German companies are not called Limited or Ltd. if they are indeed "governed by German law", as claimed in the court declaration. Under German law it should be called "IPP GmbH". I would normally assume a "Ltd." company was based in the UK, on one of their islands or somewhere far away from Europe in general.

IPP seems to be a fairly common name in the German business register (Unternehmensregister), but none of them seem to be the company in question? Does anyone out there have further information?

Plausible Deniability...

[Jahava]

So in all of these cases, as a technical person, I can't help but wonder how they're connecting an IP address to positive evidence of a specific person's deliberate action. There are countless plausible scenarios where a person can own a number (IP address) involved in a crime and yet not themselves be aware of or involved in said crime. Some examples are:

• The defendant has (or had) an open WiFi access point at the time. The crime was committed by someone who used that connection.
• The defendant has (or had) a secure WiFi access point with bad credentials at the time. The crime was committed by someone who guessed those credentials.
• The defendant has (or had) a secure WiFi access point with secure credentials. The crime was committed by someone who obtained those credentials (overheard them, password reuse, friend-of-a-friend, etc.).
• One of the defendant's computers is (or was) infected by malware at the time, and the malware performed the crime on behalf of someone else.
• The defendant's IP address was spoofed by an employee at the defendant's ISP who was the actual party committing the crime.
• The defendant was tricked into executing commands resulting in the crime on their system without knowing what those commands were doing (jerk tech-support guy, etc.).
• The defendant's system performed the crime without the defendant's knowledge during routine execution of third-party content (Flash, Javascript) laced with malicious code.
• A friend or associate of the defendant performed the crime using the defendant's systems without the defendant's knowledge or permission.

In all of these scenarios, the crime could have been committed without any knowledge of the defendant. In some of these scenarios, the defendant has little-to-no chance to detect or thwart the crime. How does any lawyer convince any judge or jury that the person on trial committed a crime in light of this?

From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

• Can you prove I didn't have an open WiFi enabled at the time, or that my password was bad? What if I reset my router's logs daily?
• Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?
• Can you prove someone didn't use my computer without my permission? What if I didn't have a password on it and frequently left it lying around work?

Furthermore, from an activist's point of view, imagine someone built a malware variant that monitored browser usage (Google, Facebook, etc.) for movie names and automatically downloads movie titles that were mentioned to a secret directory? I've now got a piece of malware that automatically, without any user knowledge or intervention, downloads illegal files that that user is interested in. What if the malware downloads new movie releases instead by monitoring public release knowledge bases for titles? Is being infected by such a malware enough for innocence? If enough people are thusly infected would the entire concept of using IP subpoenas for prosecution fall apart?

Just food for thought. I'd really like to know how someone can be held criminally-liable unless the prosecution caught them using the illegal file or captured an attributable confession.

Re:Plausible Deniability...

Heh, I wrote your hypothetical "malware" for myself as a useful piece of software. Checks the Rotten Tomatoes new on DVD RSS feed, discards anything with a rotten score, uses Torrentz search API to search for a variety of strings, prioritizes blu-ray rip over DVD rip, more seeds over less seeds, user "verified" torrents over non-verified torrents, tries to weed out common strings that denote non-English languages "ITA", uses release year to resolve ambiguities, and then feeds the magnet link into uTorrent via Web UI.

I get a bunch of great new movies every week, including stuff I haven't even heard of. Accuracy rate is >=90% and when it does backfire, it generally just downloads another movie.

And then another script I wrote is triggered when the torrent is done downloading, unzips if necessary, and moves the movie files to the appropriate directory.

Re:I2P/Freenet

[Znork]

Which is why some p2p software, such as WASTE, has modes where it will always load links wether or not there is real traffic.

If the arms race goes on, we'll end up with a constantly saturated internet with only random connections sending apparent random data, leaving any actual signal indistinguishable and drowned out by the massive amounts of random noise.

Re:I2P/Freenet

[EllisDees]

No, it really, really isn't. You apparently don't know the first thing about freenet, yet feel that you somehow know enough to spout off about it. If I insert a file into freenet, it is split into many parts and distributed randomly to other freenet nodes. When someone requests that content, there is a reasonable chance that they won't get even one chunk of data from my computer. Monitoring all of the traffic between nodes buys you almost exactly nothing.