Frostwire 5 Forensics

March 30, 2018 | Author: erdanerdan | Category: Windows Registry, Computer File, Computer Architecture, Computing, Technology

Forensic Examination of FrostWire version 5 | Forensic Focus – Articles
http://articles.forensicfocus.com/2012/07/19/foren...
Posted by VERONICASCHM, July 19, 2012, 4 comments

Introduction

As digital forensic practitioners, we are regularly faced with users utilizing the internet to swap and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving. This paper will discuss how the P2P software application FrostWire v.5 functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P applications.

Problem Statement

P2P downloading of copyrighted media and contraband is a significant problem. The sheer proliferation of these applications in various forms requires digital forensic examiners to be aware of the potential evidential artifacts that can exist in them. With developers constantly changing and evolving their software, the artifacts change, and they find new ways to make it more protected for their users. The problem discussed in this paper is what evidential artifacts are left by using FrostWire v.5, and what evidential value they contain.

Research Methodology

The research was conducted by way of practical experimentation, making use of the following experimental protocols.

Step 1: The hard drive on the laptop used in the experiment was forensically sanitized and validated.
Step 2: The Windows 7 Standard operating system was installed on the laptop used, with default settings selected.
Step 3: FrostWire v.5 was downloaded from www.FrostWire.com and installed on the laptop.
Step 4: FrostWire v.5 was installed using the standard method and keeping the default settings.
Step 5: The test laptop was connected to the internet, FrostWire v.5 was executed and a search was conducted for various Linux distributions.
Step 6: Based on the results of Step 5, various files were selected and downloaded using FrostWire v.5, and once completed it was shut down.
Step 7: The test laptop was shut down and the hard drive forensically imaged.
Step 8: The forensic image made of the test laptop was loaded into FTK 4.0 with default automatic data carving enabled. Once completed, the image was examined and all artifacts identified as being linked to FrostWire v.5 were documented.

Data Artifacts Found and Examined

[root]User/xxx/FrostWire: This folder contains five subfolders that contain the actual .torrent files and the actual media that has been downloaded. The subfolders contained within the abovementioned folder are:

Incomplete: Within this folder, the temporary tracker of the media is saved while it is in the process of being downloaded. This is the metaphorical bookmark that enables the software to stop and start as the user wishes, to be able to download at another time.
Saved: This folder contains the artifacts of .torrent files that the user wishes to save.
Shared: This folder contains all the .torrent trackers that the user has uploaded or created.
Torrent: This folder contains the actual .torrent trackers.
Torrent Data: Possibly one of the most important folders, this is where the software saves the actual downloaded media.

FrostWire v.5 enables the creation of .torrent trackers. For each item downloaded, two entries are created: a .torrent tracker file, which is the tracker that is created to download the requested item, and a second entry in unallocated space, which contains the exact same information. This is a system automated process.

[root]user/xxx/AppData/Roaming/FrostWire: This folder essentially contains a few very important artifacts, which contain important evidentiary information on what was downloaded.

Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites, together with the creation time.
Fileurns.cache & Fileurns.bak: These two files essentially contain the same information: identification SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. The SHA-1 value is that of the whole file when it was originally uploaded. When a download is started the software logs the SHA-1 value of the file to ensure that the complete file is downloaded; this is verified once the item has been downloaded to ensure that the right and complete item has been downloaded. The SHA-1 value can be used to identify whether a certain item matched the online version of the said file, even if it was not physically downloaded onto the machine. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
Library.dat: This database is of all media that is saved by the user to the FrostWire v.5 library.
Download.dat: This database file contains all the names, the SHA-1 value of the downloaded item, and from where it was downloaded.
Hostiles.txt: This contains a log of all subnet masks currently running on the FrostWire v.5 network.
FrostWire.props: This property file contains the selection made by the user upon installation, which remains standard. Here you can determine what changes have been made to the default settings of FrostWire v.5.

Registry Artifacts

The registry keys SOFTWARE, SECURITY, SYSTEM and the NTUSER.DAT were examined and the following artifacts or changes were identified:

1. HKEY/LOCAL MACHINE/SOFTWARE/Current Version (these changes can be seen in the NTUSER.DAT as well): This contained the following relevant information of the software FrostWire v.5: Display Name, Publisher, Help Link URL, URL Info, Display Version, Uninstall Command.
2. HKEY/LOCAL MACHINE/SOFTWARE/Classes: This contained the following relevant information of the software FrostWire v.5: the executable command used to access and run FrostWire v.5.
3. HKEY/LOCAL MACHINE/SOFTWARE/FrostWire: This contained the following relevant information of the software FrostWire v.5: FrostWire Toolbar, and the FrostWire.exe file's location.
4. HKEY/LOCAL MACHINE/SOFTWARE/Tracing: This contains two tracing mechanisms that Microsoft uses to manage and monitor software, which are the Rasapi 32 command and the RASMANCS command. The information saved is saved in [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr.
5. HKEY/LOCAL MACHINE/SYSTEM: For FrostWire v.5 to be able to function, a change has to be made within how the system operates: when installing FrostWire v.5, the software automatically changes the firewall policy to create an exception to allow communication between FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
6. HKEY/LOCAL MACHINE/SECURITY: No changes could be identified within this registry key.

Identifying Searches Done Using FrostWire v.5

When a user searches for a specific item to download, that search is stored in various places on the local machine:

1. [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr: The header information contained within this gather log is the search term and how the system and the software communicated. This information is gathered by the two tracing protocols mentioned earlier, Rasapi 32 and RASMANCS.
2. [root]users/xxx/.FrostWire/search_db.h2.db: This is the database that FrostWire v.5 uses to record all searches done by the users.
3. [root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the actual entry in the database for each search term done by the user. This contained what the search term was and the corresponding file ID, meaning that for every .tii file a corresponding .tis file can be found.
4. [root]users/xxx/.FrostWire/search_db_searchdb__28.tis: This is a record of the search results for the particular search term. The information recorded is the following: URL details, where it was found along with the SHA-1 identification hash value; the search term searched; and the magnet link and corresponding SHA-1 hash value.
5. [root]/$Logfile: Contains the search term searched for.

Examining a .torrent File and the Artifacts Found

The file header for .torrent files in hex is 0x64 38 3A 61 6E 6E 6F 75 6E 63 65 35 39 (as viewed in hex), which reads d8:announce59 (as viewed in text). Contained in this .torrent file is the following information (file content, followed by its meaning):

http://tracker.torrentbox.com - The website that the .torrent file was uploaded to and stored on, where the .torrent file is residing.
2710 - The initial port used to communicate to the website initially.
77.?.?.132:80 (the two middle octets, 176 and 247, survive in the source only out of order) - The IP address communicated with along with the port used for downloading.
Linux Books - The name of the item downloaded.
1238229350 - Unix creation date of the torrent: the date, in Unix time, that the .torrent tracker was created.
31C8D8C7748C9CC8090C4C2A - SHA-1 identification hash value.

Summary

FrostWire v.5 contains a number of potential evidential artifacts that can prove useful in an investigation in proving what has taken place on a computer using this P2P application. A key observation is that the artifacts that are generated when using FrostWire v.5 illustrate the Locard Principle in relation to P2P applications, in that for every interaction there will be a trace left behind.

Discussion

4 thoughts on "Forensic Examination of FrostWire version 5"

1. AMSUTTER | July 21, 2012, 9:11 AM
How are the creation and last accessed dates for the props file determined? Do these change? I read somewhere that it was rewritten every time you reboot the program, is this true?

2. ANN MARIE | July 21, 2012, 9:13 AM
How does the FrostWire props file determine the creation and last accessed date? Is the .props file written over every time you reboot the program?

3. JOHN | July 30, 2012, 5:23 PM
Can you elaborate more on the hash values found in the downloads.config? I know there is a SHA-1 hash located under an item's torrent_hash value. I know this hash corresponds to a [rest of sentence missing in the source]. I cannot seem to piece these hashes with the hash of the actual file download nor the torrent file. What is the importance of the hash value (torrent_hash) in the downloads.config? Also, I have looked into the search_db.DAT file inside the 'active folder'. FTK did parse out the database with my search results. Were you successful in finding your search term? I found unless you knew the search term, you would need to parse out all of the hits and then find the common word and that would be your search term. This was a huge change from the early versions of FrostWire where it had your search terms saved. The rumor is that you can set the software to wipe the search results when you close the software.

4. VERONICASCHM | August 16, 2012, 7:18 PM
The FrostWire.props file does not reset every time it is rewritten. The hash values are made by using an algorithm which is software specific. The name of the file is the hash value. I do concur that there are updates that have changed items in the search_db since I did the paper; depending on what updates you install for version 5 will dictate whether or not you can search for search terms in search_db. I am experimenting with each update to determine changed [rest of sentence missing in the source]. This was easier as I had a controlled environment and believe it might be more difficult in practice.
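Added example for the "Examining a .torrent File" section above (my code, not the article's or FrostWire's): a minimal bencode parser that checks the d8:announce header the article describes and pulls the tracker URL, Unix creation date, item name and identifying SHA-1 (the standard BitTorrent info hash, computed over the bencoded "info" dictionary) out of a constructed .torrent. The tracker host is a placeholder; port 2710, the date 1238229350 and the name "Linux Books" are the article's own values.

```python
import hashlib
from datetime import datetime, timezone

# A .torrent is a bencoded dictionary with sorted keys, so when "announce" is
# present the file starts with "d8:announce" (64 38 3A 61 6E 6E 6F 75 6E 63 65).
TORRENT_HEADER = b"d8:announce"

def bdecode(data, pos=0):
    """Minimal bencode decoder; returns (value, position after it)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list/dict: items until 'e'
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), pos + 1
    colon = data.index(b":", pos)                   # byte string: <len>:<bytes>
    length, start = int(data[pos:colon]), colon + 1
    return data[start:start + length], start + length

def bencode(value):
    """Re-encode a value; needed to hash the 'info' dict exactly as stored."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(map(bencode, value)) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"

def examine_torrent(data):
    """Return tracker URL, Unix creation date, item name and the info hash
    (SHA-1 of the bencoded 'info' dict, the torrent's identifying hash)."""
    if not data.startswith(TORRENT_HEADER):
        raise ValueError("file does not start with the d8:announce header")
    meta, _ = bdecode(data)
    created = meta[b"creation date"]
    return {
        "tracker": meta[b"announce"].decode(),
        "creation_unix": created,
        "creation_utc": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "name": meta[b"info"][b"name"].decode(),
        "info_hash": hashlib.sha1(bencode(meta[b"info"])).hexdigest().upper(),
    }

# Constructed sample .torrent (placeholder tracker host; not a real torrent file)
SAMPLE = bencode({b"announce": b"http://tracker.example.invalid:2710/announce",
                  b"creation date": 1238229350,
                  b"info": {b"length": 4096, b"name": b"Linux Books",
                            b"piece length": 4096, b"pieces": b"\x00" * 20}})
```

The info hash identifies the torrent, not the payload, so it will not match a whole-file SHA-1 such as the Fileurns.cache values described above.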