http://articles.forensicfocus.com/2012/07/19/foren...
Introduction
As digital forensic practitioners, we regularly encounter users who use the internet to swap and download copyrighted and contraband material. Peer-to-peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving.
This paper discusses how the P2P software application FrostWire v.5 functions and what artifacts can be found and examined for forensic purposes. FrostWire is one of the more popular P2P applications.
Problem Statement
P2P downloading of copyrighted media and contraband is a significant problem. The sheer proliferation of these applications, in their various forms, requires digital forensic examiners to be aware of the potential evidential artifacts that can exist in them.
With developers constantly changing and evolving their software, the artifacts change, and developers find new ways to better protect their users. The problem discussed in this paper is which evidential artifacts are left by the use of FrostWire v.5, and what evidential value they contain.
Research Methodology
The research was conducted by way of practical experimentation, making use of the following experimental protocols.
Step 1:
The hard drive on the laptop used in the experiment was forensically sanitized and validated.
Step 2:
The Windows 7 Standard operating system was installed on the laptop used, with default settings
selected.
Step 3:
FrostWire v.5 was downloaded from www.FrostWire.com onto the laptop.
Step 4:
FrostWire v.5 was installed using the standard method and keeping the default settings.
Step 5:
The test laptop was connected to the internet and FrostWire v.5 was executed and a search was
conducted for various Linux distributions.
Step 6:
Based on the results of Step 5, various files were selected and downloaded using FrostWire v.5; once the downloads had completed, the application was shut down.
Step 7:
The test laptop was shut down and the hard drive forensically imaged.
Step 8:
The forensic image of the test laptop was loaded into FTK 4.0 with default automatic data carving enabled. Once processing had completed, the image was examined and all artifacts identified as being linked to FrostWire v.5 were documented.
[root]user/xxx/AppData/Roaming/FrostWire
This folder contains a few very important artifacts, which hold key evidentiary information on what was downloaded.
Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the whole file when it was originally uploaded. This is verified once the item has been downloaded, to ensure that the right and complete item has been downloaded.
Download.dat: This database file contains the names and identifying SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a download is started, the software logs the SHA-1 value of the file to ensure that the completed file is downloaded. The SHA-1 value can be used to identify whether a certain item matched the online version of the said file.
FrostWire.props: This property file contains the selections made by the user upon installation. Here you can determine what changes have been made to the default settings of FrostWire v.5.
Hostiles.txt: This contains a log of all subnet masks currently running on the FrostWire v.5 network.
Library.dat: This database lists all media that is saved by the user to the FrostWire v.5 library, even if it was not physically downloaded onto the machine.
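A triage helper of the kind this artifact list suggests, added here as an example and not code from the article or from FrostWire: it inventories the named files under a mounted image, reads frostwire.props as a Java-style properties file, and matches recovered downloads against SHA-1 values an examiner has extracted from the artifacts. The Users/<user>/AppData/Roaming/FrostWire layout, the properties format and all sample data are assumptions or constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# FrostWire v.5 per-user artifact files named in the article (profile layout assumed).
ARTIFACTS = ("createtimes.cache", "download.dat", "fileurns.cache", "fileurns.bak",
             "frostwire.props", "hostiles.txt", "library.dat")

def sha1_hex(path):
    """Upper-case hex SHA-1 of a file, hashed in chunks so large media is fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def parse_props(text):
    """Parse Java .properties text: key=value lines, '#' or '!' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def triage(image_root, user, recovered_files, expected_sha1s):
    """Inventory one profile's artifact folder on a mounted image and check
    recovered download files against SHA-1 values extracted from the artifacts."""
    base = Path(image_root, "Users", user, "AppData", "Roaming", "FrostWire")
    present = {n: sha1_hex(base / n) for n in ARTIFACTS if (base / n).is_file()}
    props = base / "frostwire.props"
    settings = parse_props(props.read_text(errors="replace")) if props.is_file() else {}
    wanted = {h.upper() for h in expected_sha1s}          # normalise case before comparing
    digests = {str(p): sha1_hex(p) for p in recovered_files}
    matched = {h: p for p, h in digests.items() if h in wanted}
    return {"present": present, "settings": settings, "matched": matched}

def demo():
    """Constructed sample image: two artifact files and one recovered download."""
    root = Path(tempfile.mkdtemp())
    fw = root / "Users" / "xxx" / "AppData" / "Roaming" / "FrostWire"
    fw.mkdir(parents=True)
    (fw / "frostwire.props").write_text("# constructed settings\nEXAMPLE_SETTING=changed\n")
    (fw / "hostiles.txt").write_text("constructed placeholder\n")
    iso = root / "Users" / "xxx" / "Downloads" / "distro.iso"
    iso.parent.mkdir(parents=True)
    iso.write_bytes(b"constructed sample download\n")
    # First hash comes from the download itself; the second is the value quoted in the article's table.
    return triage(root, "xxx", [iso], [sha1_hex(iso).lower(), "31C8D8C7748C9CC8090C4C2A"])
```

Run against a real image by pointing triage() at the mounted root and passing the hashes carved from download.dat or fileurns.cache; anything in "matched" ties a recovered file to a recorded download.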
Registry Artifacts:
The registry keys SOFTWARE, SECURITY, SYSTEM and the Ntuser.dat were examined and the following artifacts or changes were identified:
1. HKEY/LOCAL MACHINE and NTUSER.DAT: This contained the following relevant information on the software FrostWire v.5:
Display Name
Publisher
Help Link
URL
URL Info
Display Version
Uninstall Command
2. HKEY/LOCAL MACHINE/SOFTWARE/Classes: This contained the following relevant information on the software FrostWire v.5:
FrostWire Toolbar
FrostWire.exe file location.
3. HKEY/LOCAL MACHINE/SOFTWARE/FrostWire: This contained the following relevant information on the software FrostWire v.5:
The executable command used to access and run FrostWire v.5.
4. HKEY/LOCAL MACHINE/SOFTWARE/Tracing: This contained the following relevant information on the software FrostWire v.5:
This key holds two tracing mechanisms that Microsoft uses to manage and monitor software, the Rasapi 32 command and the RASMANCS command. The traced information is saved in
[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr
5. HKEY/LOCAL MACHINE/SYSTEM: For FrostWire v.5 to be able to function, a change has to be made to how the system operates: when FrostWire v.5 is installed, the software automatically changes the firewall policy to create an exception allowing communication between FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
6. HKEY/LOCAL MACHINE/SECURITY: No changes could be identified within this registry key.
machine:

Value                                              Meaning
http://tracker.torrentbox.com 2710
77.247.176.132:80                                  The IP address communicated with, along with the port used for downloading.
1238229350 Linux Books 31C8D8C7748C9CC8090C4C2A    Identification hash value (SHA-1).
Summary
FrostWire v.5 contains a number of potential evidential artifacts that can prove useful in an investigation in proving what has taken place on a computer using this P2P application.
A key observation is that the artifacts generated when using FrostWire v.5 illustrate the Locard Principle in relation to P2P applications: for every interaction, there will be a trace left behind.
Discussion
the active folder. The name of the file is the hash value. I cannot seem to piece these hashes with the hash of the actual file download nor the torrent file. What is the importance of the hash value (torrent_hash) in the downloads.config?
Also, I have looked into the search_db; depending on what updates you install for version 5, this will dictate whether or not you can search for search terms in search_db. Were you successful in finding your search term? I found that unless you knew the search term, you would need to parse out all of the hits and then find the common word, and that would be your search term. This was a huge change from the early versions of Frostwire, where it had your search terms saved.
POSTED BY JOHN | JULY 30, 2012, 5:23 PM
The Frostwire.props file does not reset every time it is rewritten. The rumor is that you can set the software to wipe the search results when you close the software. I do concur that there are updates that have changed items in the search_db since I did the paper. FTK did parse out the database with my search results; this was easier as I had a controlled environment, and I believe it might be more difficult in practice. The hash values are made by using an algorithm which is software specific. I am experimenting with each update to determine changed
POSTED BY VERONICASCHM | AUGUST 16, 2012, 7:18 PM