Forensics 101

Forensic Analysis Of The μTorrent Peer-to-Peer Client In Windows

by Michael R. Godfrey

The μTorrent software client is the most popular BitTorrent peer-to-peer software application worldwide [1]. Contraband files such as copyrighted movies and music, child pornography and pirated content are frequently acquired through the peer-to-peer (P2P) file sharing protocol BitTorrent. This research covers the digital forensic analysis of the μTorrent client, specifically the free (Basic) version 3.5.3 for Windows released on utorrent.com. The μTorrent client is based on the same architecture as the original, less popular client, itself named BitTorrent (bittorrent.com); both software applications are owned by BitTorrent, Inc. [2] The artifacts described here have been observed across other versions of μTorrent, but an examiner working with a different version should validate them against a test installation of that version.

μTorrent is available for Windows, Mac, Linux, Android, and iOS (only with a jailbroken device). A computer running μTorrent can be paired with external devices for viewing (iOS and Android mobile devices, USB storage drives, and certain streaming devices)[3].

A user can remotely and securely manage μTorrent running on a computer. Their μTorrent client can then be accessed from another computer or mobile device equipped with a web browser [4].

BitTorrent uses trackers to allow clients to find peers. Rather than downloading a file from a single source (node), the BitTorrent protocol lets users join a swarm of hosts that upload and download content from each other. A seed is a peer that possesses the entire file being distributed. A user who wants to distribute a file must first create a small torrent descriptor file that contains only metadata and has a .torrent file extension. The .torrent files are distributed through one or more torrent websites, called indexers, that allow users to search for particular content and download the applicable .torrent files. The .torrent files include specific tracker information. A tracker is a server that keeps track of which peers and seeds have the pieces of the files to be distributed. The distributed hash table (DHT) method for “trackerless” torrents makes trackers optional rather than required [5].

Users with the .torrent file loaded into their BitTorrent client can establish connections to other BitTorrent nodes (peers or seeds) through the tracker or through the DHT. The file being distributed is divided into segments (pieces); as each peer receives a piece, it becomes a distributor of that piece. Every piece is protected by a cryptographic hash (SHA1) recorded in the .torrent file, so a downloaded piece is verified before it is kept and shared onward. The BitTorrent client identifies which pieces are still needed to obtain a complete file. Once a peer has downloaded the complete file, it becomes a seed.

BitTorrent does not ensure the anonymity of its participants. The IP addresses of connected peers can be readily identified through the client user interface or, on a live system, via the Windows netstat command (netstat -ano also shows the owning process ID), which will display the connected peers and seeds. The historical default port range for BitTorrent clients is TCP/UDP 6881-6889, with 6969 commonly used by trackers; μTorrent, however, assigns a random listening port at install (configurable under Preferences > Connection and recorded in settings.dat), so identify the port actually in use rather than assuming this range.

The μTorrent Client

The default installation will place all files for the μTorrent client in the user’s application data directory as follows:
C:\Users\<User_Name>\AppData\Roaming\uTorrent\

The following configuration files hold relevant information about application settings and history:

  • resume.dat
  • settings.dat
  • dht.dat (distributed hash table)
  • rss.dat

When the client is shut down, the above DAT files are backed up and .old is appended as the new file extension. The graphics below show the μTorrent directory following a fresh installation in Windows 10: on the left, after installation but before the application was first launched; on the right, after the first launch of μTorrent, adding TEST.torrent to the client and then shutting it down.

BEncode Editor

The DAT files and .torrent files are written in BEncode. Therefore, to view the contents, a tool capable of decoding BEncode files must be used, such as BEncode Editor.

When viewing these files in the BEncode Editor, data will appear with an indicator showing the data type adjacent to each heading:

  • Byte strings: (b)
  • Integers: (i) (base 10 ASCII characters)
  • Lists: (l)
  • Dictionaries: (d)

A number surrounded by brackets: [48], will represent a quantity based on the data type (byte string, integer, list or dictionary):

  • Byte strings: number of bytes or characters
  • Integers: number of digits
  • Lists and Dictionaries: number of items in the list or dictionary

Below is the contents of a settings.dat file viewed with BEncode Editor.

μTorrent DAT Files

settings.dat

Contains settings and configuration data

  • autostart=: Present with the value 0 when the user turned off starting μTorrent at Windows logon; absent when left at the default (enabled)
  • ct_hist (l)[n]: List of the paths (files or folders) the user selected when creating .torrent files with this client; n, in brackets, is the number of entries. A good indicator of knowledge and intent; may point to external media or other storage drive/directory locations
  • born_on=13036184115: Install time of the client, stored as whole seconds since 1 Jan 1601 UTC (the FILETIME/LDAP epoch, with the 100-nanosecond fraction dropped). Append seven trailing zeroes to obtain a FILETIME value that EpochConverter will accept, or subtract 11644473600 to get UNIX time
  • devices: Paired devices will be listed here with device name, USB VID&PID and serial number
    • auto_transfer=: 0=OFF/1=ON
    • usb_id: contains the USB device vendor ID (VID) and product ID (PID), along with USB device electronic serial number and possibly the device friendly name

The graphic below shows the μTorrent Devices interface with two devices connected: iPhone/iPod and Apple iPhone 3GS.

The dir_last entry is the directory the user selected to download a torrent to when the user added the associated .torrent file and chose the “choose save dir” option (see below graphic). The dir_last entry is updated for each new .torrent file added in this manner.

  • *dir_active_download: Location set by the user to save new downloads
  • *dir_autoload: Location set by the user from which .torrent files are loaded automatically
  • *dir_completed_download: Location set by the user to move completed downloads to
  • *dir_completed_torrents: Location set by the user to archive the .torrent files of completed downloads
  • *dir_torrent_files: Location set by the user to store .torrent files downloaded by the client

(*) The above settings will be present only if the user changed the default location for that particular directory using the Preferences menu (see below image); otherwise no entry will be present.

  • runs_since_born: Number of times the program started and closed since install
  • runtime_since_born_secs: Number of seconds the program has run
  • search_list: List of Torrent search sites used in the μTorrent toolbar, can be added by the user, results in user’s web browser loading the search site so check Internet History
  • settings_saved_systime: Last time client settings were changed, UNIX time
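The settings.dat walk-through above can be automated. The following Python is an added example, not code from the article or from μTorrent: a minimal bencode decoder that labels values the way BEncode Editor does, the born_on conversion from seconds since 1601 to UNIX time, and a report over a settings.dat fragment. The fragment is constructed from the keys described above (the born_on value is the article’s; the ct_hist paths, run count and save time are invented) so that the script runs offline; point bdecode at the bytes of a real settings.dat to use it on evidence.

```python
"""Minimal bencode decoder and settings.dat helpers for uTorrent artifacts.
Added example; the SAMPLE_SETTINGS bytes are constructed, not from a case."""
import datetime as dt
from typing import Any, Dict, Tuple

# Seconds from 1 Jan 1601 (FILETIME/LDAP epoch) to 1 Jan 1970 (UNIX epoch).
EPOCH_DELTA_1601_1970 = 11644473600


def bdecode(data: bytes) -> Any:
    """Decode one complete bencoded value; reject trailing or malformed bytes."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing bytes after bencoded value")
    return value


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<base-10 digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dictionary: d<key><value>...e
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError(f"dictionary key at offset {i} is not a byte string")
            d[key], i = _decode(data, i)
        return d, i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("byte string runs past the end of the data")
        return data[start:start + length], start + length
    raise ValueError(f"unexpected byte {c!r} at offset {i}")


def describe(value: Any) -> str:
    """Label a value the way BEncode Editor does: (b)[bytes], (i)[digits],
    (l)[items], (d)[items]."""
    if isinstance(value, bytes):
        return f"(b)[{len(value)}]"
    if isinstance(value, int):
        return f"(i)[{len(str(abs(value)))}]"
    if isinstance(value, list):
        return f"(l)[{len(value)}]"
    return f"(d)[{len(value)}]"


def born_on_to_unix(born_on: int) -> int:
    """born_on is whole seconds since 1601-01-01 UTC (a FILETIME with the
    100 ns fraction dropped: appending seven zeroes gives the FILETIME)."""
    return born_on - EPOCH_DELTA_1601_1970


def to_utc(unix_seconds: int) -> str:
    return dt.datetime.fromtimestamp(unix_seconds, dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def settings_report(data: bytes) -> Dict[str, Any]:
    """Decode a settings.dat image and return the keys discussed in the text
    in readable form (paths as strings, timestamps in UTC)."""
    d = bdecode(data)
    if not isinstance(d, dict):
        raise ValueError("settings.dat should decode to a dictionary")
    report: Dict[str, Any] = {}
    if b"born_on" in d:
        report["born_on"] = to_utc(born_on_to_unix(d[b"born_on"]))
    if b"settings_saved_systime" in d:
        report["settings_saved_systime"] = to_utc(d[b"settings_saved_systime"])
    if b"ct_hist" in d:                             # paths the user turned into .torrent files
        report["ct_hist"] = [p.decode("utf-8", "replace") for p in d[b"ct_hist"]]
    for key in (b"runs_since_born", b"runtime_since_born_secs", b"autostart"):
        if key in d:
            report[key.decode()] = d[key]
    return report


def _bstr(s: bytes) -> bytes:
    """Bencode a byte string (length-prefixed); used only to build the sample."""
    return str(len(s)).encode() + b":" + s


# Constructed settings.dat fragment: born_on is the article's value, the rest is invented.
SAMPLE_SETTINGS = (
    b"d"
    + _bstr(b"born_on") + b"i13036184115e"
    + _bstr(b"ct_hist") + b"l"
        + _bstr(b"D:\\share\\holiday_video.mkv")
        + _bstr(b"E:\\archive\\docs") + b"e"
    + _bstr(b"runs_since_born") + b"i12e"
    + _bstr(b"settings_saved_systime") + b"i1519999999e"
    + b"e"
)

if __name__ == "__main__":
    decoded = bdecode(SAMPLE_SETTINGS)
    print(describe(decoded))                        # (d)[4]
    for k, v in decoded.items():
        print(f"{k.decode():24s} {describe(v)}")
    print(settings_report(SAMPLE_SETTINGS))
```

The decoder refuses trailing bytes and truncated structures rather than returning a partial result, which matters when carving a damaged .dat from unallocated space: a silently truncated dictionary would hide the keys at the end of the file (the Remote Access and webui keys sort late).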

Remote Access

A system configured for Remote Access will allow a user to control the uTorrent client running on the remote system using a web interface. To initiate Remote Access, the user will navigate to https://remote.utorrent.com and enter the previously configured computer name and password. After authenticating, the user is presented with a web interface that appears nearly identical to the uTorrent client status on the remote system. The below image depicts the Remote Access web interface (top) and the actual uTorrent client (bottom).

Below are the more relevant entries in settings.dat that will be present if the client is set to be operated via a Remote Access connection using the Preferences > Remote menu settings. A unique computer name must be provided; the client imposes no complexity requirement on the password, so any password the user types is accepted. The below image shows the Remote Access setting enabled:

  • upnp.external_ip: Last external (routable) IP address of the computer the client is installed on, as learned through UPnP; see image below
  • upnp_cached_host: Universal Plug and Play (UPnP) URL of the IGDdevicedesc.xml file on the local network; includes the local network gateway IP and port; used to request a port mapping on the gateway so that peers can connect in
  • webui.ssdp_uuid: Universally unique identifier advertised over SSDP; its last 12 hex digits (6 bytes) carry the MAC address of the network interface
  • webui.uconnect_hashword: Salted SHA-1 hash of the login password for Remote Access
  • webui.uconnect_username: Name of the computer assigned by the user in Preferences > Remote

resume.dat

Stores status info when client is shut down

  • added_on=: Time the torrent was added to the client (UNIX time)
  • completed_on=: Time the torrent finished downloading, or was created (UNIX time)
  • created_torrent=: 1=this client created the torrent, 0=it did not
  • download_url=: URL the .torrent was fetched from; present only if the user used the ‘Add Torrent from URL’ function
  • downloaded=: Bytes of the content downloaded so far
  • last_seen_complete=: Last time the client was seeding the complete file (UNIX time)
  • last_active=: Last time the content was being downloaded or seeded by this client (UNIX time)
  • path (b)[n]=: Path where the content is saved; n is the length of the path in bytes, not a file count
  • runtime=: Seconds the torrent has been active in the client (downloading, then seeding after completion)
  • seedtime=: Seconds the client has been seeding the content
  • started=: Torrent status when the client last exited (0=stopped, 1=force started, 2=started, 3=running/not downloading)
  • uploaded=: Total bytes of this content uploaded (shared) by this client
  • peers6 (b)[n]=: Compact IP and port records of the peers connected for this torrent when the client exited (includes the client’s own local and external addresses; IPv4 peers are stored as IPv4-mapped IPv6 addresses), 18 bytes per peer; see below for the procedure to convert the data to IP addresses.

Use the following procedure to recover the IP address and port of each peer:

o The peers6 field of the resume.dat file holds the peers the client was connected to for this torrent when it last exited, in compact binary form: 18 bytes per peer, a 16-byte IPv6 address followed by a 2-byte port (36 hex digits per peer).
o An IPv4 peer is stored as an IPv4-mapped IPv6 address (::ffff:a.b.c.d): ten zero bytes, then FFFF, then the four bytes of the IPv4 address. A genuine IPv6 peer fills all 16 bytes and has no FFFF marker.
o In the peers6 field of the resume.dat file, select the display options “Raw BEncoded Data” and “as Binary.”
o Convert each address byte from hex to decimal to get the IP.
o The last 4 hex digits are the port. In the author’s test data the port decodes with its two bytes swapped (little endian), whereas the compact peer format used on the wire (BEP 7) is big endian, so verify the byte order against a port you know, such as the client’s own listening port, before relying on it.

Open the data field adjacent to the peers6 entry:

Copy and paste the hex data into Notepad++ and break it into lines of 36 characters (see Using Notepad++ below). Each line is one peer:

Byte string (36 characters): 00000000000000000000FFFFC0A80177B0E3

  00000000000000000000  ten zero bytes (IPv4-mapped prefix)
  FFFF                  IPv4-mapped marker
  C0A80177              IPv4 address
  B0E3                  port

IPv4 address (convert each byte from hex to decimal):

C0=192
A8=168
01=1
77=119

Port (bytes swapped, little endian): B0E3 -> E3B0 = 58,288
Converted: 192.168.1.119:58288

dht.dat

Contains data used by the client when joining the Distributed Hash Table (DHT) network, the trackerless mechanism through which clients downloading the same content discover each other. This file also stores the client’s outward-facing IP address, a useful artifact because most Windows artifacts record only the local, non-routable IP address. Be sure to review dht.dat.old as well; it is the previous version of the file, saved at the last shutdown of the μTorrent client for this user.

age: Time the file was last updated, normally when the client shut down (UNIX time); this ties the client’s external IP address to a date and time.
ip: The client’s routable IP address (assigned by the client’s service provider) as four raw bytes; follow the steps below to translate the data and identify the outward-facing client IP.

Double click the text data to the right (below example: G>#!):

Select display options: “Raw BEncoded Data” and “as Binary”:

Convert hex to decimal:

47=71
3E=62
23=35
21=33

Converted IP: 71.62.35.33

In the above test example, visiting the website www.whatismyipaddress.com disclosed the correctly translated IP address, rather than just the local IP, of the test Windows computer system.

nodes: The client’s DHT routing table: other DHT participants it has exchanged messages with. These are DHT nodes, not necessarily peers in any of this client’s swarms, so an address here does not by itself show that the node shared any particular content. To convert the data, follow the steps below.

  • Each node is 26 bytes (52 hex digits): a 20-byte node ID, a 4-byte IPv4 address and a 2-byte port in network (big endian) byte order, the compact node info format defined in BEP 5. IPv6 nodes do not fit this layout (their compact form is 38 bytes) and are not in this field.

To determine the total number of nodes in the table, divide the number in brackets (10036 in the example below, the length of the byte string) by 26 (bytes per node) to get the number of entries (386 in the example below) – display Type “Binary / as Binary” as depicted below.

  • id (b)[20]=: The client’s own unique node ID, 20 bytes (40 hex digits). To display the data, select: “Raw BEncoded Data” and “as Binary”:
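The peers6 conversion in the resume.dat section and the ip and nodes conversions above are the same task: splitting a compact binary field into fixed-size records and reading addresses and ports out of each. The Python below is an added example, not the article’s or μTorrent’s code. It decodes the article’s peers6 and dht ip values plus two constructed DHT node entries (documentation-range addresses). The peers6 port byte order is a parameter, because the article’s worked example reads it little endian while the compact format on the wire is big endian; decode a peer whose port you know and keep whichever setting matches.

```python
"""Decoders for the compact binary address fields in uTorrent's resume.dat
(peers6) and dht.dat (ip, nodes).  Added example; the sample values below are
taken from the article or constructed for illustration, not from a case."""
import ipaddress
import struct
from typing import List, Tuple

Peer = Tuple[str, int]


def decode_peers6(blob: bytes, port_little_endian: bool = True) -> List[Peer]:
    """Split a peers6 byte string into (ip, port) pairs.

    Each entry is 18 bytes: a 16-byte IPv6 address followed by a 2-byte port.
    IPv4 peers appear as IPv4-mapped addresses (::ffff:a.b.c.d), which the
    ipaddress module unwraps.  The article's example reads the port little
    endian; the wire format (BEP 7) is big endian, hence the parameter.
    """
    if len(blob) % 18:
        raise ValueError(f"peers6 length {len(blob)} is not a multiple of 18")
    fmt = "<H" if port_little_endian else ">H"
    peers = []
    for off in range(0, len(blob), 18):
        addr = ipaddress.IPv6Address(blob[off:off + 16])
        (port,) = struct.unpack(fmt, blob[off + 16:off + 18])
        mapped = addr.ipv4_mapped                  # IPv4Address or None
        ip = mapped if mapped is not None else addr
        peers.append((str(ip), port))
    return peers


def decode_dht_ip(blob: bytes) -> str:
    """dht.dat 'ip': the client's routable IPv4 address as 4 raw bytes."""
    if len(blob) != 4:
        raise ValueError(f"dht ip field is {len(blob)} bytes, expected 4")
    return str(ipaddress.IPv4Address(blob))


def decode_dht_nodes(blob: bytes) -> List[Tuple[str, str, int]]:
    """dht.dat 'nodes': BEP 5 compact node info, 26 bytes per node:
    20-byte node ID, 4-byte IPv4 address, 2-byte port (network byte order).
    Returns (node_id_hex, ip, port) triples."""
    if len(blob) % 26:
        raise ValueError(f"nodes length {len(blob)} is not a multiple of 26")
    nodes = []
    for off in range(0, len(blob), 26):
        node_id = blob[off:off + 20].hex()
        ip = str(ipaddress.IPv4Address(blob[off + 20:off + 24]))
        (port,) = struct.unpack(">H", blob[off + 24:off + 26])
        nodes.append((node_id, ip, port))
    return nodes


def node_count(field_length: int) -> int:
    """Number of nodes in a 'nodes' field of the given byte length (the number
    BEncode Editor shows in brackets), e.g. 10036 -> 386."""
    if field_length % 26:
        raise ValueError(f"{field_length} is not a multiple of 26")
    return field_length // 26


# --- sample data: the article's peers6 and dht ip values, plus two constructed
#     DHT node entries using documentation-range (TEST-NET) addresses ---
PEERS6_SAMPLE = bytes.fromhex("00000000000000000000FFFFC0A80177B0E3")
DHT_IP_SAMPLE = bytes.fromhex("473E2321")          # shows as G>#! in the editor
NODES_SAMPLE = (
    bytes.fromhex("00" * 20) + bytes([203, 0, 113, 5]) + (6881).to_bytes(2, "big")
    + bytes.fromhex("ff" * 20) + bytes([198, 51, 100, 7]) + (51413).to_bytes(2, "big")
)

if __name__ == "__main__":
    print(decode_peers6(PEERS6_SAMPLE))                          # [('192.168.1.119', 58288)]
    print(decode_peers6(PEERS6_SAMPLE, port_little_endian=False))  # big-endian reading of the same bytes
    print(decode_dht_ip(DHT_IP_SAMPLE))                          # 71.62.35.33
    print(node_count(10036))                                     # 386
    for node in decode_dht_nodes(NODES_SAMPLE):
        print(node)
```

Feed the functions the raw bytes of the field as decoded from the .dat file (not the hex text copied out of the editor); the length checks catch a field that was cut off by carving or by a mis-pasted copy before any address is reported.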

Torrent files

To distribute files using the BitTorrent protocol, a .torrent file will need to be created and seeded. In the client, .torrent files can be created using the following procedure.

  • In μTorrent, select File > Create Torrent

  • Select either a single file, or the contents of a directory containing the files that will be associated with the torrent file
  • Add or change the torrent tracker URL information
  • Add any comments regarding the torrent contents as desired
  • Check Start seeding
  • Select Create
  • Provide a name for the torrent file, and be sure the file type is Torrent files:

A BEncode viewer (BEncode Editor) is necessary to view the content of a .torrent file.

  • announce: URL of the tracker
  • announce-list: Optional extension to announce; a list of tiers, each tier itself a list of tracker URLs

o Tiers are processed in order
o All URLs in a tier must be tried before the client moves on to the next tier
o The first tracker that responds successfully is moved to the front of its tier

  • info: Describes the content. A single-file torrent carries length directly; a multi-file torrent carries a files list with one entry per file:
    • ITEM n (d)[2]: One file, a dictionary of two items (length and path); the number in brackets is the item count, not the file number
    • length (i)=: Size of the file in bytes
    • path (l)[n]: Path of the file as a list of path components (directory names, then the file name); n is the number of components
    • name (b)[n]=: Name of the torrent, the suggested top-level directory or file name (not to be confused with the name of the .torrent file itself)
    • piece length (i)=: Size in bytes of each piece the concatenated content is split into; a power of two chosen by the client from the total content size unless the user overrides it in the Create Torrent dialog. The number of pieces is the total content length divided by the piece length, rounded up
    • pieces (b)[n]: The SHA1 hashes of all pieces concatenated, 20 bytes per piece, so n = 20 × the number of pieces

The below graphic explains the contents of the info section of a torrent file. Each file is combined into one stream, then split into fixed piece lengths for efficient transfer using the BitTorrent protocol.

Once a .torrent file has been generated, it must be seeded so that others can download the content, and the .torrent file published to an indexer so that others can locate it by keyword search. The below image displays the Info tab of TEST.torrent showing one member of the swarm with one peer connected (both are the test client), and content spread over 33 pieces, each 1 MB in size. TEST.torrent was created by μTorrent v 3.5.3 at 14:15:01, 2 Mar 18.
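To make the piece layout described above concrete, the following Python is an added example (not the article’s or μTorrent’s code). It builds the info-section fields for a constructed two-file torrent, shows which files and byte ranges a given piece covers once the files are concatenated into one stream, and re-verifies recovered content against the pieces hashes, which is the check an examiner runs to tie a file recovered from a suspect’s drive to a specific .torrent. The file names and contents are invented; the piece length is deliberately small so the second piece straddles both files.

```python
"""Piece layout and verification for the info section of a .torrent.
Added example with constructed file contents; not uTorrent's code."""
import hashlib
from typing import Dict, List, Tuple


def build_pieces(files: List[Tuple[str, bytes]], piece_length: int) -> bytes:
    """Concatenate the files in order, SHA-1 each piece_length block (the last
    block may be short) and return the 20*N-byte 'pieces' string."""
    stream = b"".join(content for _, content in files)
    hashes = [hashlib.sha1(stream[off:off + piece_length]).digest()
              for off in range(0, len(stream), piece_length)]
    return b"".join(hashes)


def piece_count(total_length: int, piece_length: int) -> int:
    """Number of pieces: total length divided by piece length, rounded up."""
    return -(-total_length // piece_length)


def piece_to_files(files: List[Tuple[str, int]], piece_length: int,
                   index: int) -> List[Tuple[str, int, int]]:
    """Which files, and which byte ranges within them, piece `index` covers.
    `files` is the (path, length) list from the info dictionary, in order."""
    start, end = index * piece_length, (index + 1) * piece_length
    spans, pos = [], 0
    for path, length in files:
        f_start, f_end = pos, pos + length
        lo, hi = max(start, f_start), min(end, f_end)
        if lo < hi:                                  # piece overlaps this file
            spans.append((path, lo - f_start, hi - f_start))
        pos = f_end
    return spans


def verify_pieces(files: List[Tuple[str, bytes]], piece_length: int,
                  pieces: bytes) -> List[int]:
    """Recompute hashes over recovered file contents and return the indices of
    pieces whose SHA-1 does not match the .torrent (empty list = all match)."""
    if len(pieces) % 20:
        raise ValueError("pieces is not a multiple of 20 bytes")
    recomputed = build_pieces(files, piece_length)
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    actual = [recomputed[i:i + 20] for i in range(0, len(recomputed), 20)]
    if len(expected) != len(actual):
        raise ValueError(f"piece count mismatch: torrent {len(expected)}, content {len(actual)}")
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


# Constructed two-file torrent: 5000 + 3000 bytes with 4096-byte pieces -> 2 pieces,
# the second of which spans the tail of a.jpg and all of b.jpg.
PIECE_LENGTH = 4096
FILES = [("photos/a.jpg", bytes(range(256)) * 19 + b"\x00" * 136),   # 5000 bytes
         ("photos/b.jpg", b"B" * 3000)]
INFO: Dict[str, object] = {
    "name": "photos",
    "piece length": PIECE_LENGTH,
    "files": [(path, len(content)) for path, content in FILES],
    "pieces": build_pieces(FILES, PIECE_LENGTH),
}

if __name__ == "__main__":
    total = sum(length for _, length in INFO["files"])
    print(piece_count(total, PIECE_LENGTH), "pieces,", len(INFO["pieces"]), "bytes of hashes")
    for idx in range(piece_count(total, PIECE_LENGTH)):
        print(idx, piece_to_files(INFO["files"], PIECE_LENGTH, idx))
    print("bad pieces:", verify_pieces(FILES, PIECE_LENGTH, INFO["pieces"]))
```

Because pieces are cut from the concatenated stream, a single altered byte in one file can invalidate a piece that also covers the neighbouring file; conversely, a recovered file that matches every piece it participates in is strong evidence it is the exact content the .torrent described, whatever name it now carries on disk.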

μTorrent statistics

In μTorrent, select Help –> Show Statistics

The entire μTorrent directory from the suspect’s system can be exported and loaded into a test VM running the same OS in order to emulate (view) the suspect’s μTorrent state at the time of last shutdown:

Install the same version of μTorrent on the destination system first (look for the .exe file in the updates folder for the version installed), then copy the exported directory over it. Note that this ‘emulation’ alters the copy you run it on: the client increments the statistics to include your testing (e.g., runs_since_born +1) and rewrites the DAT files on shutdown, so work only on a copy, take a VM snapshot before launching the client and restore it as needed.

μTorrent Search Tool

In μTorrent, users can search for content and torrent file indexer site results will display. The search activity will be captured in Web History as it uses the default browser to run the searches.

μTorrent Windows Registry Artifacts

The following Windows Registry entries are associated with the installation and use of μTorrent:
ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent
– Uninstall entry for the per-user installation

ntuser.dat\Software\BitTorrent\uTorrent

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithList

  • Lists the programs used to open .torrent files; if more than one BitTorrent client was installed, this shows which was preferred, and the key’s last-write time shows when that last changed
  • Each program is stored under a single-letter value name; the MRUList value orders those letters, most recently used first

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.torrent
– Shows recently accessed .torrent files

ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\torrent
– Shows .torrent files opened or saved via the Windows common file dialog

usrclass.dat\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
– When an application is executed, Windows retrieves the application’s name and stores it here
– Shows applications that have been executed

Using Notepad++

Notepad++ can be used to assist in translating the raw data retrieved from the encoded data stored in the DAT files or torrent files.

To force a string into new lines after every nth character:

  • Copy and paste data to Notepad++
  • Remove any leading ‘0x’ hex prefix from the byte string data
  • Select CTRL+H to enter the find and replace menu
  • Enter: ^.{n} in ‘Find what’
  • Enter: $0\r\n in ‘Replace with’
  • Replace the n in {n} with the number of characters per line (in the below example, {20} is used)
    o Use 36 for peers6 (resume.dat) – IP/Port
    o Use 52 for nodes (dht.dat) – Node ID/IP/Port
    o Use 40 for pieces (.torrent files) – SHA1 characters
  • Select Regular expression
  • Results can then be copied to Excel

About The Author

Michael Godfrey is a Senior Digital Forensics Examiner for ManTech International and was previously a Special Agent for Homeland Security Investigations assigned to the DHS Cyber Crimes Center in Fairfax VA. 

[1] Alan Henry, Most Popular BitTorrent Client: μTorrent, https://lifehacker.com/5813348/five-best-bittorrent-applications/1705622513 (May 2015)
[2] Ernesto, BitTorrent Inc. Buys µTorrent, https://torrentfreak.com/bittorrent-inc-buys-%C2%B5torrent/ (Dec 2006)
[3] Lauren Hockenson, μTorrent Pro Tips: How to Pair Your Android Device, http://blog.utorrent.com/2015/02/20/%CE%BCtorrent-pro-tips-how-to-pair-your-android-device (Feb 2015)
[4] μTorrent Remote, https://www.utorrent.com/remote
[5] Ben Jones, https://torrentfreak.com/common-bittorrent-dht-myths-091024 (Oct 2009)
