Peer-to-peer networks are the most popular mechanism for the criminal acquisition and distribution of child pornography (CP). This study examined observations of peers sharing known CP on the eMule and Gnutella networks. Data were collected by law enforcement officers using forensic tools developed by the authors.
The authors characterize a year's worth of network activity and evaluate different strategies for prioritizing investigators' limited resources. The highest-impact research in criminal forensics works within, and is evaluated under, the constraints and goals of investigations. The authors follow that principle, rather than presenting a set of isolated, exploratory characterizations of users. First, this article focuses on strategies for reducing the number of CP files available on the network by removing a minimal number of peers. A metric for peer removal is presented that is more effective than simply selecting peers with the largest libraries or the most days online. Second, the authors characterize six aggressive peer subgroups, including peers that use Tor, peers that bridge multiple P2P networks, and the top 10 percent of peers who contribute to file availability. These subgroups have been found to be more active in their trafficking and have more known CP and more uptime than the average peer. Finally, although in theory Tor presents a challenge to investigators, in practice offenders use Tor inconsistently. Over 90 percent of regular Tor users send traffic from a non-Tor IP at least once after first using Tor. (Publisher abstract modified)