P2P Marshal Forensic Edition™ 3.1.0

P2P Marshal Forensic Edition™ is a software tool that runs on a forensic investigator's workstation to detect and analyze peer-to-peer software use.

Features

  • Analyzes peer-to-peer network usage on images of Windows XP, 2003, Vista, 2008, and Windows 7 systems (English and non-English, 32- and 64-bit)
  • Provides full analysis for: Ares, BitTorrent, FrostWire, LimeWire, uTorrent, Azureus Vuze, and eMule
  • Detects and shows default download locations for Kazaa
  • Provides extensive search capabilities
  • Built-in thumbnail and image viewer
  • Produces customizable reports in CSV, HTML, PDF, and RTF formats
  • Integrated online help
  • Performs all actions in a forensically sound manner

Requirements

  • Microsoft Windows XP or newer, 32- or 64-bit
  • 120M disk space free

Screenshots


Selecting a Target Disk to Analyze

P2P Marshal can analyze any mounted logical volume (e.g., C:, D:, ...).

Main Page Showing P2P Marshal


Each discovered P2P client has its own tab. Each tab allows the investigator to display information on individual users as well as all users.

Searching for Downloaded Files


Investigators can search for files matching complex patterns, such as filename extension (e.g., .jpg), file size, and MAC times.

Reviewing Saved Searches


Searches can be saved to be included in the report that P2P Marshal generates. A search description includes all of the search terms and constraints that were specified.

Reviewing Saved Searches (the selected search has been renamed)


Saved searches can be renamed with a mnemonic name to make it easy to distinguish among different searches.

Generate custom report


Reports may be customized and generated in CSV, HTML, PDF, and RTF formats.

View thumbnails


Images can be quickly reviewed with P2P Marshal's thumbnail browser. It's fast!