FORENSIC COMPUTER SERVICE

phone: 800-655-5245

FILE SHARING

Adium 

This search will parse files used by the P2P file sharing application Amule. It will parse the following files: known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat, shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file to file, but all fields available in each file format are recovered. Of particular evidential interest are the known.met, emfriends.met, StoredSearches.met, and AC_SearchStrings.dat files. 


Ares P2P Search Keywords 

This search will carve and parse search keywords entered by a user in the P2P file sharing application called Ares. These keywords are stored in the Windows registry but can be found in other locations even after being deleted. Just the keywords are stored without any other metadata by Ares. 

 

eMule 

This search will parse files used by the P2P file sharing application Emule. It will parse the following files: known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat, shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file to file, but all fields available in each file format are recovered. Of particular evidential interest are the known.met, emfriends.met, StoredSearches.met, and AC_SearchStrings.dat files. 

 

Frostwire.prop Files 

This search finds fragments of Frostwire.props files. These files contain configuration data for the Frostwire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items. 

 

Gigatribe Chat Messages 

This search will recover Gigatribe chat messages saved by Gigatribe® (versions 2 and 3). These logs are created when a user uses the chat feature of Gigatribe. Due to the way the software searches for these chat messages, they can be recovered even if the log file has been deleted or a portion of the log file has been corrupted or overwritten. The chat messages can also be recovered from live memory dumps. 

 

Limerunner/Luckywire 

The software provides deeper support for Limewire and its variants: Frostwire, Limerunner, and Luckywire. It can determine the following information for files shared using these applications: the file name, the shared type, the Base32 hash value as well as the SHA1 hash value of the file, and the last modified date time for the file. 

 

Limewire Search History (v5.2.8 – v5.5.16) 

Search keywords left behind in live memory by Limewire® (tested with Limewire® v5.2.8 – v5.5.16). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered. 

 

Limewire.props files 

This search finds fragments of Limewire.props files. These files contain configuration data for the Limewire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items. 

 

Limewire and Frostwire Search Keywords 

Search keywords left behind in live memory by version 4 of Limewire® and Frostwire® (tested with most Limewire/Frostwire v4 clients). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered. 

 

Shareaza Search Keywords 

This search will carve and parse search keywords entered by a user in the P2P file sharing application called Shareaza. These searches are stored in a file called “Searches.dat” but can be carved from live RAM captures and unallocated clusters, etc. 

 

Torrent File Artifacts 

This search will carve and parse data from .torrent files used to download “torrents” on various networks on the Internet. The data can be parsed from live files or carved from live memory captures, unallocated space, etc. Information recovered includes the name of the Torrent, the date/time the torrent file was originally created, and the names of the files included in the torrent. 

 

Usenet Binary Files (Newsgroup Messages) 

This search will recover yEnc/uuencoded encoded files that are used to transfer files on newsgroups/USENET. These files can have a number of header information like to/from, subject, date/time, etc. and can be split into multiple files. Rebuildable recovered files can be reconstructed.