LogP2P

Introduction

In 2001, Frédéric AIDOUNI designed, together with Cyril VRILLAUD, LogIRC, a software tool to track down distributors of child pornography files on IRC. That system is running in national investigation agencies on five continents.

Some motivated investigators are still doing manual identification on these networks, but :

  • it is a fairly difficult task
  • it is hardly accurate

After several months of research, packet analysis and protocol scanning, @idounix designed, in early 2003, a system which identifies distributors of illegal content on Peer-to-Peer networks.

LogP2P can accurately identify the distributors of child pornography files by logging their IP addresses. It reports them in a fully descriptive report which can be exported into a procedure.

LogP2P performs monitoring and real-time analysis of incoming network traffic. It sits between the investigators and the Internet to identify the distributors of any kind of content (movies, images, software or mp3).

It fits perfectly into the anti-cyber-criminality toolbox.

How does it work

Hardware

LogP2P is a monitoring tool which needs a dedicated GNU/Linux server.

For monitoring of pedophile images, the minimum configuration is as follows :

  • P4 2 GHz or equivalent
  • 1 GB of RAM
  • 40 GB of free hard-drive space

LogP2P is memory- and computation-hungry. The more Peer-to-Peer clients it monitors, the more powerful the server must be. For example, the base hardware configuration can monitor 2 to 3 Peer-to-Peer clients.

Software

The LogP2P server needs the following packages to operate :

  • Python 2.2
  • Samba
  • libpcap
  • pylibpcap
  • Python Imaging Library

LogP2P is written in the Python language; libpcap is used for network sniffing.

Samba hosts the main repository for the files downloaded by the Peer-to-Peer clients. LogP2P will checksum them with MD5.

If the network is switched, LogP2P will attempt to configure itself as a network gateway, since on a switched network a passive sniffer only sees the traffic addressed to its own port. In that case, the Peer-to-Peer clients must use that gateway.

LogP2P installation is a matter of minutes: @idounix provides an environment validation tool which certifies that LogP2P can operate on your system.

Also provided is the main LogP2P loader, which retrieves the main code as well as the data files from the Internet. This guarantees that it is always the latest stable version of the software.

Using LogP2P

Configuration

Two main options must be configured to operate LogP2P:

  1. Hosts to monitor
  2. Peer-to-Peer clients for these hosts

That configuration resides in an .ini-like file that LogP2P pre-initializes at first start-up. That file could look like this :

[directory]
gnutella = fred,gnutella,
kazaa = fred,kazaa,download.*dat

[global]
promisc = 0
network = 192.168.1.0
filepath = /Public
demomode = 0
organisation = @idounix
port = 8080
rootpath = /Work/logp2p
logfilter = .fr;.proxad.net

[scanner]
dagon = 192.168.1.42,eth0
fred = 192.168.1.50,eth0
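As an added illustration of that layout (not LogP2P's own code; written in Python 3 rather than the Python 2.2 listed above), here is a parser that reads the three sections and cross-checks them: every [directory] entry must name a host declared in [scanner], and every scanner address must fall inside `network`, which is assumed here to be a /24 since the file gives no mask.

```python
import configparser
import ipaddress
import re

# Constructed sample in the page's .ini-like layout (hostnames and addresses
# are the ones shown above; the /24 mask on "network" is an assumption).
SAMPLE_CONFIG = """\
[directory]
gnutella = fred,gnutella,
kazaa = fred,kazaa,download.*dat

[global]
promisc = 0
network = 192.168.1.0
demomode = 0
port = 8080
logfilter = .fr;.proxad.net

[scanner]
dagon = 192.168.1.42,eth0
fred = 192.168.1.50,eth0
"""

def parse_config(text, netmask_bits=24):
    """Parse the config text; return (settings dict, list of problems found)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []
    net = ipaddress.ip_network("%s/%d" % (cp["global"]["network"], netmask_bits), strict=False)
    # [scanner]: monitored host -> (IP address, capture interface)
    hosts = {}
    for name, value in cp["scanner"].items():
        ip, iface = (v.strip() for v in value.split(","))
        if ipaddress.ip_address(ip) not in net:
            problems.append("%s: %s is outside %s" % (name, ip, net))
        hosts[name] = {"ip": ip, "iface": iface}
    # [directory]: P2P client -> (host, client name, regex matching its download files)
    clients = {}
    for name, value in cp["directory"].items():
        host, client, pattern = (v.strip() for v in value.split(",", 2))
        if host not in hosts:
            problems.append("%s: unknown host %r" % (name, host))
        clients[name] = {"host": host, "client": client,
                         "pattern": re.compile(pattern) if pattern else None}
    settings = {"hosts": hosts, "clients": clients,
                "promisc": cp["global"].getboolean("promisc"),
                "demomode": cp["global"].getboolean("demomode"),
                "port": cp["global"].getint("port"),
                "logfilter": [s for s in cp["global"]["logfilter"].split(";") if s]}
    return settings, problems
```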

Operation modes

LogP2P has two parts :

  • An embedded web server which provides the user interface via the investigators' web browsers
  • The monitoring/analysis system itself

Screenshots in demo mode (blurred pictures and hidden IP addresses)

Investigators use their Peer-to-Peer clients to download potentially illegal files; LogP2P monitors and scans that network traffic.

With those data, it builds reports which can be browsed :

  • By file
  • By Internet domain
  • By country

A typical scenario is to search for potentially illegal files, download them in bulk, and look at the main Internet domains log from hour to hour, or... the next morning. Then validate the illegal contents and export to a word processor to write the procedure.

Conclusion

Staring at the screen of a single Peer-to-Peer client to try to obtain distributors' IP addresses will never happen again. LogP2P provides identification reports automatically and accurately.

Please contact us for more information.

Annexes

LogP2P requirements

LogP2P FAQ

LogP2P in the media

Press room