Forensic Analysis and Remote Evidence Recovery from Syncthing: An Open Source Decentralised File Synchronisation Utility

Refereed Conference Meeting Proceeding
In an ever increasing mobile and connected world, the demand for end users to access their data on the go using multiple platforms and devices is higher than ever. While numerous platforms have been developed to respond to this constant information need, these platforms can give rise to data protection and privacy concerns. These concerns primarily lie with cloud-based file synchronisation services such as Dropbox, OneDrive and Google Drive. A number of these services have been leaked as sharing replicated information with government security and spying agencies without first requiring the issue of a warrant [1]. The desire for privacy has led to a rise in cloudless file synchronisation services such as BitTorrent Sync (BTSync), Syncthing and OnionShare.

One of the most popular decentralised file synchronisation services is currently BTSync, which as of August 2014 had over 10 million user installs [2]. However, a significant number of these users are not comfortable with the proprietary nature of the application and its handling of their data. This has motivated a transparent alternative being developed, called Syncthing. Syncthing is an open source, cloudless file synchronisation service. Users have the ability to identify how the software finds other active nodes to sync with, transfers data from node to node, and synchronises information between different devices.

With BTSync emerging from beta in March 2015, limitations on how many folders can be synchronised for free have been imposed, with the free tier being limited to syncing ten folders. It is likely that the lack of transparency regarding security and privacy and these new limitations imposed on the free BTSync tier users will push many towards deploying Syncthing for their file replication needs. Syncthing is a decentralised tool created for the purposes of data backup and synchronisation, teamwork/collaboration, data transfer between systems, etc.
From a law enforcement and digital forensic perspective, an area of concern with decentralised services is the possible exploitation of the service to distribute unauthorised/illegal data: industrial espionage, copyright infringement, sharing of child exploitation material, malicious software distribution, etc. [3]. These cloudless services have no regulation by their developers and as a result are at high risk of being used for criminal activity.

Syncthing has many desirable features for privacy-concerned users who wish to use file synchronisation but are conscious of their data's security. Such features include [4]:

- Private: The synchronised data is never replicated anywhere else other than on devices configured.
- Encrypted Traffic: All communication between devices is secured using TLS.
- Authenticated: Every node is identified by a strong cryptographic certificate; only nodes you have explicitly allowed can connect to your cluster.
- Cost and Limitations: Most mainstream cloud-based file synchronisation software give you a small storage allowance at the free tier. Syncthing is limited only by the storage available across your devices.
- Transparency: The software is open source which facilitates analysis to prove that the software is secure.

With increased privacy and security of any tool or service, there is always the contraposition of law enforcement regarding the difficulty (or possibility) of capturing evidence from these systems. At the time of writing, there are no tools available for the recovery of evidence from Syncthing.

Conor Quinn, Mark Scanlon, Jason Farina, M-Tahar Kechadi
The 7th International Conference on Digital Forensics and Cyber Crime (ICDF2C)
Korea, South (Republic of Korea)
National University of Ireland, Dublin (UCD)
