It has been a few months since my last forensic (4N6) blog post. I had a slight heart issue in July 2018. I'm so excited to be back into the 4N6 work and finding new information to share!
I've noticed that many of the criminal P2P sharing cases involved the qBittorrent application. For some reason, over the last year, it has become the "go to" P2P application. There are plenty of digital forensic resources available on uTorrent, the BitTorrent protocol and the great, free, BEncode tool for looking at .torrent and .dat files.
I did not find much data specific to the qBittorrent application. The obvious next step was to download it and start playing ... I mean testing. Understanding how the program worked from a user perspective is important. The application interface is very similar to that of uTorrent and is as easy to use. The Internet Archive has numerous free classic movies available for download via Torrent. This is a good place to find legal data to test BitTorrent clients. I chose the "Monster of Frankenstein" torrent.
Here's the link if you are interested: Internet Archive Movie Link
BEncode of Torrent File
qBittorrent Download Progress Screen
The Log File
The next step was to search for data files related to the qBittorrent application. What I found was that qBittorrent stores 6 months of detailed logs that are extremely easy to read. According to testing and the application documentation, logging is enabled by default. Many of the questions that can arise from either the prosecution or defense can be answered with the log or using the log in conjunction with other digital artifacts like the Windows SRUM database. The log is stored in plain text and can be viewed easily.
Notice that a separate log file is created for each user on Windows systems.
Log File Path: x:\Users\username\AppData\Local\qBittorrent\Logs\qbittorrent.log
The dates/times in the log file are stored in the system's local time zone. This can be validated by comparing the log file's initial or last entries to the log file's creation or modified date/time.
Useful Log Entries
- Each time the program is started and exited
  - This includes the last time used
- Application version noted
  - Useful for tracking upgrades over time
- External IP Address
  - This is the public IP, which can be compared to the reporting agent's notes
- Download activity
  - Download started
  - Resume download started
  - Removed from transfer list
  - Removed from hard disk
Log File Sample
A sample of what the log file looks like is shown below.
(N) 2019-02-19T17:48:13 - qBittorrent v3.3.12 started
(I) 2019-02-19T17:48:25 - qBittorrent is trying to listen on any interface port: 8999
(N) 2019-02-19T17:48:25 - HTTP User-Agent is 'qBittorrent/3.3.12'
(I) 2019-02-19T17:48:25 - DHT support [ON]
(I) 2019-02-19T17:48:25 - Local Peer Discovery support [ON]
(I) 2019-02-19T17:48:25 - PeX support [ON]
(I) 2019-02-19T17:48:25 - Anonymous mode [OFF]
(I) 2019-02-19T17:48:25 - Encryption support [ON]
(I) 2019-02-19T17:48:25 - Embedded Tracker [OFF]
(I) 2019-02-19T17:48:25 - UPnP / NAT-PMP support [ON]
(I) 2019-02-19T17:48:30 - External IP: xxx.xxx.xxx.xxx
(I) 2019-02-19T17:48:33 - Python found in 'C:\Python34\'
(I) 2019-02-19T17:48:33 - Python version: 3.4.3
(N) 2019-02-19T17:52:14 - 'sample filename' added to download list.
(N) 2019-02-19T17:52:37 - 'sample filename' was removed from transfer list and hard disk.
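The entries listed under "Useful Log Entries" can be pulled into a timeline with a short script. This is an added example, not part of the original post or of qBittorrent; the message patterns are assumed from the v3.3.12 sample above, and timestamps are kept as naive local time, as the log stores them.

```python
import re
from datetime import datetime

# Entry layout seen in the sample: "(N) 2019-02-19T17:48:13 - message"
ENTRY = re.compile(r"^\((?P<level>[A-Z])\) (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) - (?P<msg>.*)$")

# Message wording is assumed from the v3.3.12 sample; other versions may differ.
EVENTS = [
    ("app_start", re.compile(r"^qBittorrent v(?P<detail>\S+) started$")),
    ("external_ip", re.compile(r"^External IP: (?P<detail>\S+)$")),
    ("download_added", re.compile(r"^'(?P<detail>.*)' added to download list\.$")),
    ("removed_list_and_disk", re.compile(r"^'(?P<detail>.*)' was removed from transfer list and hard disk\.$")),
]

def parse_log(text):
    """Return (timeline, unparsed). timeline holds (timestamp, event, detail) tuples;
    unparsed keeps lines that do not fit the entry layout so nothing is silently lost."""
    timeline, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        for name, pattern in EVENTS:
            hit = pattern.match(m["msg"])
            if hit:
                timeline.append((ts, name, hit["detail"]))
                break
    return timeline, unparsed

# Constructed sample: entries copied from the post plus one deliberately malformed line.
SAMPLE = """(N) 2019-02-19T17:48:13 - qBittorrent v3.3.12 started
(I) 2019-02-19T17:48:25 - DHT support [ON]
(I) 2019-02-19T17:48:30 - External IP: xxx.xxx.xxx.xxx
(N) 2019-02-19T17:52:14 - 'sample filename' added to download list.
(N) 2019-02-19T17:52:37 - 'sample filename' was removed from transfer list and hard disk.
constructed line that does not follow the entry layout
"""

if __name__ == "__main__":
    events, leftovers = parse_log(SAMPLE)
    for ts, name, detail in events:
        print(ts.isoformat(), name, detail)
    print("unparsed lines:", len(leftovers))
```

Run it against a working copy of qbittorrent.log, never the original evidence file, and review the unparsed lines by hand.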
Incomplete Download Storage
qBittorrent also keeps a folder with current incomplete .torrent downloads and "fast resume" data. These files are also Windows user specific and can be found at:
Program Settings (INI)
Additional program settings for qBittorrent are located in an INI file. Once again, this is Windows user specific. The commonly referenced data from the INI is the save path history. This stores the paths used when downloading content with qBittorrent.
The INI file can be found at: