iTunes Forensic Analysis

Article Posted: September 14, 2011

A guide to iTunes forensic investigations. A Practitioner’s Guide to locating fruits of a crime when explicit files are shared on a local network.

By now most examiners in the digital forensic community have become familiar with Gnutella-based (peer-to-peer) software programs where users can download from and share all types of files with the world. For approximately ten years the capability of sharing all types of multimedia files has extended to local networks through the iTunes application and Gnutella-based software programs. Two types of sharing features have been incorporated in the iTunes application since version 9: one allows iTunes users to access (stream) files from a shared library, and the other allows users to import shared files.

Introduction
The first version of iTunes (v1.0) was released by Apple, Inc. in January 2001.[2] As of the release of this paper, 10.4.0.8 was the latest available version, which can be downloaded for free from the Apple iTunes Web site (http://www.apple.com/itunes/). The primary purpose of the iTunes program was to provide users with a “one-stop-shop” to organize music, movies, audio books, TV shows, and more.

Since version 9.x, iTunes has been able to share files with other iTunes users on a local network by use of a service discovery mechanism called Bonjour. Bonjour, also known as zero-configuration networking, enables the automatic discovery of any node (computers, printers, services, etc.) that uses the industry-standard Internet Protocol.[3] The implementation of Bonjour in iTunes has become a key component of most other Apple applications that are used on peer-to-peer and client-server networks. When the computer’s registry or file system is examined and the Bonjour service is identified, a forensic examiner will know one or more Apple applications are installed.

Starting with v4, the Digital Audio Access Protocol (DAAP) was introduced into iTunes’ audio player, where the music-sharing server listens on TCP port 3689. DAAP is used not only to share music across a local network, but also to list a user’s playlist as the host.[6]
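As an added example (not part of the original article): a minimal Python decoder for the DMAP tag-length-value encoding that DAAP responses use, which lets an examiner list the item names a shared library advertised in a captured response body. The content codes come from public DAAP documentation rather than from this article, the input is assumed to be the HTTP response body with any compression already removed, and the sample response is constructed.

```python
import struct

# DMAP content codes used here (from public DAAP documentation, not from the article).
CONTAINERS = {b"adbs", b"mlcl", b"mlit"}   # databasesongs, listing, listingitem
INTS = {b"mstt", b"miid"}                  # status, item id
STRINGS = {b"minm"}                        # item name

def parse_dmap(buf):
    """Decode a DMAP byte string into a list of (code, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated DMAP header at offset %d" % pos)
        # Each element: 4-byte ASCII code, 4-byte big-endian length, payload.
        code, size = struct.unpack_from(">4sI", buf, pos)
        pos += 8
        if size > len(buf) - pos:
            raise ValueError("length of %r overruns buffer" % code)
        data = buf[pos:pos + size]
        pos += size
        if code in CONTAINERS:
            value = parse_dmap(data)
        elif code in INTS:
            value = int.from_bytes(data, "big")
        elif code in STRINGS:
            value = data.decode("utf-8", errors="replace")
        else:
            value = data  # unknown code: keep raw bytes for the examiner
        out.append((code.decode("ascii", "replace"), value))
    return out

def shared_item_names(tree):
    """Collect the item name (minm) of every listing item (mlit) in the tree."""
    names = []
    for code, value in tree:
        if code == "mlit":
            names += [v for c, v in value if c == "minm"]
        elif isinstance(value, list):
            names += shared_item_names(value)
    return names

def tlv(code, payload):
    """Helper for building the constructed sample below."""
    return code + struct.pack(">I", len(payload)) + payload

def sample_response():
    """Constructed sample: a song listing with two items (hypothetical names)."""
    items = b"".join(
        tlv(b"mlit", tlv(b"miid", struct.pack(">I", i)) + tlv(b"minm", n.encode()))
        for i, n in [(1, "sample_video_01.mp4"), (2, "sample_song_02.mp3")])
    return tlv(b"adbs", tlv(b"mstt", struct.pack(">I", 200)) + tlv(b"mlcl", items))
```

Truncated or malformed captures raise `ValueError` rather than returning a partial listing, so a damaged response is not mistaken for a complete one.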

Case Scenario
What prompted the writing of this paper? In a recent child pornography case, two software programs of interest were installed on a suspect’s laptop computer: LimeWire 5.2.13 and iTunes 9.0.1.8. The user did not modify any default settings in LimeWire, and therefore files downloaded from the peer network were shared with the world. However, the prosecution took the distribution charge off the table and focused primarily on possession of child pornography. The user downloaded numerous videos from the peer-to-peer (P2P) network using LimeWire with filenames indicative of child pornography. The video files were found in the default LimeWire folders (Incomplete and Saved), which were located under the user’s profile. The Saved folder contained the fully downloaded files found in the Public Shared List of LimeWire. But the prosecution’s main focus was the iTunes program and how it shares files on a local network. Although the distribution charge was no longer a consideration, discovering the capabilities of iTunes and its interaction with P2P programs might indicate the user’s possible intent, or at least their knowledge, of sharing video files from the iTunes Library on a local network.
