Forensic Analysis and Remote Evidence Recovery from Syncthing: An Open Source Decentralised File Synchronisation Utility

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 157)

Abstract

Commercial and home Internet users are becoming increasingly concerned with data protection and privacy. Questions have been raised regarding the privacy afforded by popular cloud-based file synchronisation services such as Dropbox, OneDrive and Google Drive. A number of these services have recently been reported as sharing information with governmental security agencies without the need for warrants to be granted. As a result, many users are opting for decentralised (cloudless) file synchronisation alternatives to the aforementioned cloud solutions. This paper outlines the forensic analysis and applies remote evidence recovery techniques for one such decentralised service, Syncthing.

Keywords

  • Syncthing
  • Digital forensics
  • Remote forensics
  • Network analysis
  • Evidence recovery

Author information

Corresponding author

Correspondence to Mark Scanlon.

Copyright information

© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering

About this paper

Cite this paper

Quinn, C., Scanlon, M., Farina, J., Kechadi, MT. (2015). Forensic Analysis and Remote Evidence Recovery from Syncthing: An Open Source Decentralised File Synchronisation Utility. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_7

  • DOI: https://doi.org/10.1007/978-3-319-25512-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25511-8

  • Online ISBN: 978-3-319-25512-5

  • eBook Packages: Computer Science, Computer Science (R0)