PeekaTorrent: Leveraging P2P hash values for digital forensics

In this paper we show how these hash values can be of use for identifying possibly vast amounts of data and thus present a feasible solution to cope with the ever-increasing case sizes in digital forensics today. While the methodology used is independent of the used file sharing protocol, we harvested information from the BitTorrent network. In total we collected and analyzed more than 3.2 billion hash values from 2.3 million torrent files, and discuss to what extent they can be used to identify otherwise unknown file fragments and data remnants. Using open-source tools like bulk_extractor and hashdb, these hash values can be directly used to enhance the effectiveness of sub-file hashing at scale.