Forensic Analysis and Remote Evidence Recovery from Syncthing: An Open Source Decentralised File Synchronisation Utility

  • Conor Quinn
  • Mark ScanlonEmail author
  • Jason Farina
  • M.-Tahar Kechadi
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 157)


Commercial and home Internet users are becoming increasingly concerned with data protection and privacy. Questions have been raised regarding the privacy afforded by popular cloud-based file synchronisation services such as Dropbox, OneDrive and Google Drive. A number of these services have recently been reported as sharing information with governmental security agencies without the need for warrants to be granted. As a result, many users are opting for decentralised (cloudless) file synchronisation alternatives to the aforementioned cloud solutions. This paper outlines the forensic analysis and applies remote evidence recovery techniques for one such decentralised service, Syncthing.


Syncthing Digital forensics Remote forensics Network analysis Evidence recovery 


  1. 1.
    Greenwald, G., MacAskill, E.: NSA prism program taps in to user data of apple, google and others. Guardian 7(6), 1–43 (2013)Google Scholar
  2. 2.
    Pounds, E.: Introducing BitTorrent Sync 1.4: An Easier Way to Share Large Files (2014). Accessed April 2015
  3. 3.
    Scanlon, M., Farina, J., Le Khac, N.-A., Kechadi, M.-T.: Leveraging Decentralisation to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync, pp. 85–99, September 2014Google Scholar
  4. 4.
    Borg, J.: SyncThing (2015). Accessed April 2015
  5. 5.
    Farina, J., Scanlon, M., Kechadi, M.-T.: Bittorrent sync: first impressions and digital forensic implications. Digital Invest. 11(Suppl. 1), S77–S86 (2014). Proceedings of the First Annual {DFRWS} EuropeCrossRefGoogle Scholar
  6. 6.
    Quick, D., Choo, K.-K.R.: Dropbox analysis: data remnants on user machines. Digital Invest. 10(1), 3–18 (2013)CrossRefGoogle Scholar
  7. 7.
    Quick, D., Choo, K.-K.R.: Digital droplets: microsoft skydrive forensic data remnants. Future Gener. Comput. Syst. 29(6), 1378–1394 (2013). Including Special sections: High Performance Computing in the Cloud and Resource Discovery Mechanisms for P2P SystemsCrossRefGoogle Scholar
  8. 8.
    Quick, D., Choo, K.-K.R.: Google drive: forensic analysis of data remnants. J. Netw. Comput. Appl 40, 179–193 (2013)CrossRefGoogle Scholar
  9. 9.
    Quick, D., Choo, K.-K.R.: Forensic collection of cloud storage data: does the act of collection result in changes to the data or its metadata? Digital Invest. 10(3), 266–277 (2013)CrossRefGoogle Scholar
  10. 10.
    Federici, C.: Cloud data imager: a unified answer to remote acquisition of cloud storage areas. Digital Invest. 11(1), 30–42 (2014)CrossRefGoogle Scholar
  11. 11.
    Reddit. SyncThing: Open Source BitTorrent Sync Alternative (P2P Sync Tool) (2015). Accessed April 2015
  12. 12.
    Borg, J.: SyncThing: Block Exchange Protocol (2015). Accessed April 2015
  13. 13.
    Borg, J.: SyncThing: Config File and Directory (2015). Accessed April 2015
  14. 14.
    Borg, J.: SyncThing: Device IDs (2015). Accessed April 2015
  15. 15.
    Borg, J.: SyncThing: Device Discovery Protocol v2 (2015). Accessed April 2015
  16. 16.
    Garfinkel, S., Nelson, A., White, D., Roussev, V.: Using purpose-built functions and block hashes to enable small block and sub-file forensics. Digital Invest. 7, S13–S23 (2010)CrossRefGoogle Scholar
  17. 17.
    Paul, J.: Java Revisited: Difference Between TrustStore and KeyStore Java SSL (2015). Accessed April 2015

Copyright information

© Institute for Computer Sciences, Social informatics and Telecommunication Engineering 2015

Authors and Affiliations

  • Conor Quinn
    • 1
  • Mark Scanlon
    • 1
    Email author
  • Jason Farina
    • 1
  • M.-Tahar Kechadi
    • 1
  1. 1.School of Computer ScienceUniversity College DublinDublinIreland

Personalised recommendations