Methodology to Investigate BitTorrent Sync Protocol

Algimantas Venčkauskas1, Vacius Jusas1, Kęstutis Paulikas1 and Jevgenijus Toldinas1

  1. Computer Department, Kaunas University of Technology
    Studentu st. 50, LT-51368, Kaunas, Lithuania
    {algimantas.venckauskas,vacius.jusas, kestutis.paulikas, eugenijus.toldinas}


The BitTorrent Sync client application is the most progressive development in the BitTorrent family. Nevertheless, it can be used for the activities that draw the attention of the forensics invetigators. The BitTorrent Sync client application employs quite largely the encryption for sending data packages. The initiation of the activity is carried out in the plain text only. Therefore, we proposed the methodology that enables to capture the initiation step and to inform the forensics investigator, which then takes the reactive actions. The experiment was carried in two modes: 1) simulating of the use of the BitTorrent Sync application; 2) monitoring of real traffic on the Internet. During the monitoring, it is possible to calculate the public lookup SHA1 hash of the shared file. The comparison of the calculated hash with the list of publicly available hashes allows determination whether sharing of the file is legal or illegal. The presented methodology can be applied to any BitTorrent protocol.

Key words

BitTorrent protocol, forensics investigation, computer network, cybercrime

Digital Object Identifier (DOI)

Publication information

Volume 14, Issue 1 (January 2017)
Year of Publication: 2017
ISSN: 1820-0214 (Print) 2406-1018 (Online)
Publisher: ComSIS Consortium

Full text

DownloadAvailable in PDF
Portable Document Format

How to cite

Venčkauskas, A., Jusas, V., Paulikas, K., Toldinas, J.: Methodology to Investigate BitTorrent Sync Protocol. Computer Science and Information Systems, Vol. 14, No. 1, 197–218. (2017),