Windows 7 registry forensic evidence created by three popular BitTorrent clients.

Abstract: Internet file sharing via the use of peer-to-peer networks is an activity that has been growing steadily for several years. It has rapidly become the most widespread method for the exchange of digital material and as a result raises much controversy. The current, most popular protocol in this field is BitTorrent. Although it is relatively simple in most cases to link particular file sharing activities to an IP address, this does little to prove that a particular user was responsible for using the connection. This study explores three popular BitTorrent client applications, BitComet, Vuze and μTorrent and outlines the registry artefacts that are produced by the installation and use of these programs on a Windows 7 client. These artefacts are examined in detail to establish what useful evidence, if any, can be recovered from them. Relevant information is highlighted for each application. [Copyright &y& Elsevier]