Network Investigation Methodology for BitTorrent Sync: A Peer-to-Peer Based File Synchronisation Service

Mark Scanlon; Jason Farina; M-Tahar Kechadi

Note: Since this publication, BitTorrent Sync has been rebranded as Resilio Sync

Publication Date:  October 2015

Publication Name:  Computers & Security

Abstract:   High availability is no longer just a business continuity concern. Users are increasingly dependant on devices that consume and produce data in ever increasing volumes. A popular solution is to have a central repository which each device accesses after centrally managed authentication. This model of use is facilitated by cloud based file synchronisation services such as Dropbox, OneDrive, Google Drive and Apple iCloud. Cloud architecture allows the provisioning of storage space with “always-on” access. Recent concerns over unauthorised access to third party systems and large scale exposure of private data have made an alternative solution desirable. These events have caused users to assess their own security practices and the level of trust placed in third party storage services. One option is BitTorrent Sync, a cloudless synchronisation utility provides data availability and redundancy. This utility replicates files stored in shares to remote peers with access controlled by keys and permissions. While lacking the economies brought about by scale, complete control over data access has made this a popular solution. The ability to replicate data without oversight introduces risk of abuse by users as well as difficulties for forensic investigators. This paper suggests a methodology for investigation and analysis of the protocol to assist in the control of data flow across security perimeters.

Download Paper:

Download Paper as PDF

BibTeX Entry:


      @article{scanlon2015network,
title = "Network Investigation Methodology for BitTorrent Sync: A Peer-to-Peer Based File Synchronisation Service",
journal = "Computers \& Security",
volume = "54",
pages = "27 - 43",
year = "2015",
month = "10",
issn = "0167-4048",
doi = "http://dx.doi.org/10.1016/j.cose.2015.05.003",
url = "http://www.sciencedirect.com/science/article/pii/S016740481500067X",
author = "Mark Scanlon and Jason Farina and M-Tahar Kechadi",
keywords = "BitTorrent Sync",
keywords = "Distributed Storage",
keywords = "Peer-to-Peer",
keywords = "Network Traffic Analysis",
keywords = "Remote Evidence Acquisition",
abstract = "High availability is no longer just a business continuity concern. Users are increasingly dependant on devices that consume and produce data in ever increasing volumes. A popular solution is to have a central repository which each device accesses after centrally managed authentication. This model of use is facilitated by cloud based file synchronisation services such as Dropbox, OneDrive, Google Drive and Apple iCloud. Cloud architecture allows the provisioning of storage space with ``always-on'' access. Recent concerns over unauthorised access to third party systems and large scale exposure of private data have made an alternative solution desirable. These events have caused users to assess their own security practices and the level of trust placed in third party storage services. One option is BitTorrent Sync, a cloudless synchronisation utility provides data availability and redundancy. This utility replicates files stored in shares to remote peers with access controlled by keys and permissions. While lacking the economies brought about by scale, complete control over data access has made this a popular solution. The ability to replicate data without oversight introduces risk of abuse by users as well as difficulties for forensic investigators. This paper suggests a methodology for investigation and analysis of the protocol to assist in the control of data flow across security perimeters."
}