
http://articles.forensicfocus.com/2012/07/19/foren...

Forensic Focus Articles



Forensic Examination of FrostWire version 5


Posted by veronicaschm, July 19, 2012 (4 comments)

Introduction
As digital forensic practitioners, we regularly encounter users who use the internet to swap and
download copyrighted and contraband material. Peer-to-peer (P2P) applications are commonly used for
this purpose, and like any software application they are ever changing and ever evolving.
This paper discusses how the P2P application FrostWire v.5 functions and what artifacts it leaves
behind that can be found and examined for forensic purposes. FrostWire is one of the more popular
P2P applications.

Problem Statement
P2P downloading of copyrighted media and contraband is a significant problem. The sheer proliferation
of these applications, in their various forms, requires digital forensic examiners to be aware of the
potential evidential artifacts that can exist in them.
Developers constantly change and evolve their software, so the artifacts change as well, and developers
find new ways to make the software more protective of its users. The problem discussed in this paper is
what evidential artifacts are left by using FrostWire v.5, and what evidential value they contain.

Research Methodology
The research was conducted by way of practical experimentation, making use of the following
experimental protocol.

Step 1:

The hard drive of the laptop used in the experiment was forensically sanitized and the wipe validated.
Step 2:
The Windows 7 operating system was installed on the laptop as a standard installation with default
settings selected.
Step 3:
FrostWire v.5 was downloaded from www.FrostWire.com.
Step 4:
FrostWire v.5 was installed using the standard method, keeping the default settings.
Step 5:
The test laptop was connected to the internet, FrostWire v.5 was executed and a search was
conducted for various Linux distributions.
Step 6:
Based on the results of Step 5, various files were selected and downloaded using FrostWire v.5; once
the downloads completed, the application was shut down.
Step 7:
The test laptop was shut down and the hard drive forensically imaged.
Step 8:
The forensic image of the test laptop was loaded into FTK 4.0 with default automatic data carving
enabled. Once processing completed, the image was examined and all artifacts identified as being
linked to FrostWire v.5 were documented.

Data Artifacts Found and Examined

A note on terminology: the article refers to .torrent files as "trackers". Strictly, a .torrent is a
bencoded metainfo file; the tracker is the server named in its announce URL, which the client contacts
to find peers. The SHA-1 value carried by a .torrent is the info hash (SHA-1 over the bencoded "info"
dictionary), not a SHA-1 of the downloaded file's content; the content itself is checked piece by piece
against the per-piece SHA-1 digests inside the "info" dictionary. This distinction matters when trying to
match hash values found in FrostWire's artifacts against hashes of recovered files.

[root]User/xxx/FrostWire
This folder contains five subfolders that hold the .torrent files and the media that has been
downloaded. The subfolders are:
Incomplete: The temporary state of a download in progress is saved here. This is the metaphorical
bookmark that enables the software to stop and resume a download as the user wishes.
Saved: This folder contains the .torrent files the user has chosen to keep in order to download the
content at another time.
Shared: This folder contains all the .torrent files the user has uploaded or created. FrostWire v.5
enables the creation of .torrent files.
Torrent Data: Possibly one of the most important folders; this is where the software saves the
downloaded media. This is an automated process and the location is standard.
Torrent: This folder contains the .torrent file created to download the requested item. For each item
downloaded, two entries are created: the .torrent file itself, which contains the creation time, the
SHA-1 info hash of the item and the announce URL it was obtained from, and a second copy in
unallocated space that contains exactly the same information.

[root]user/xxx/AppData/Roaming/FrostWire
This folder contains a few very important artifacts, which hold evidentiary information on what was
downloaded. Several of these files (createtimes.cache, fileurns.cache, downloads.dat, library.dat,
hostiles.txt) are inherited from the LimeWire code base that FrostWire was forked from.
Createtimes.cache: This cache file contains the SHA-1 value assigned to each item of uploaded media
when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the
whole file as it was originally uploaded. It is verified once the item has been downloaded, to ensure that
the right and complete item has been received.
Download.dat: This database file contains the names and identifying SHA-1 values of all the files and
media downloaded by the user with FrostWire v.5. It can be used to identify what was downloaded
when the files themselves are no longer on the machine.
Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a
download is started the software logs the SHA-1 value of the file, so that the completed file can be
checked. The SHA-1 value can be used to determine whether a given item matches the online version
of that file.
FrostWire.props: This property file contains the selections made by the user upon installation. Here
you can determine what changes have been made to the default settings of FrostWire v.5.
Hostiles.txt: In LimeWire-derived clients this is a block list: a list of IP address ranges that the client
treats as hostile and refuses to connect to. It is shipped with the software and is not a record of the
subnets active on the FrostWire v.5 network, so its contents do not by themselves show who the user
communicated with.
Library.dat: This database lists all media that the user has saved to the FrostWire v.5 library, even if
it was not physically downloaded onto the machine.

Registry Artifacts:
The SOFTWARE, SECURITY and SYSTEM hives and the user's NTUSER.DAT were examined and the
following artifacts or changes were identified:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion (the FrostWire entry under the
Uninstall subkey; the same values can be seen in NTUSER.DAT as well). This contained the following
relevant information about FrostWire v.5:
Display Name
Publisher
Help Link
URL
URL Info
Display Version
Uninstall Command
2. HKEY_LOCAL_MACHINE\SOFTWARE\Classes: This contained the following relevant information about
FrostWire v.5:
FrostWire Toolbar
Location of the FrostWire.exe file.
3. HKEY_LOCAL_MACHINE\SOFTWARE\FrostWire: This contained the executable command used to access
and run FrostWire v.5.
4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing: This contained two subkeys for FrostWire,
RASAPI32 and RASMANCS. Windows creates these through the tracing mechanism it uses to manage
and monitor software that calls the RAS networking API; the keys hold only tracing configuration values,
but their existence shows that the program made such calls and their last-write timestamps place that
in time. The author also points to the Windows Search gather log at
[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex
/SystemIndex.gthr (see the section on searches below); note that this log is written by the Windows
Search indexer and is not output of the RAS tracing keys.
5. HKEY_LOCAL_MACHINE\SYSTEM: For FrostWire v.5 to function, a change has to be made to how the
system operates. On installation the software adds a Windows Firewall exception that allows
communication between FrostWire v.5 and the trackers and peers it downloads from. This does not
disable the firewall; it adds a per-application allow rule, stored under
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, from which
the examiner can read the rule's direction, protocol, profiles and the path of the allowed executable.
6. HKEY_LOCAL_MACHINE\SECURITY: No changes could be identified within this hive.
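The firewall exception in item 5 is the one registry change on this page that an examiner can read
directly from a value string, so here is an added example, written for this edit and not code from the
article or from FrostWire, that parses Windows Firewall rule values as they are stored under
FirewallRules (a version tag followed by pipe-separated Key=Value fields, with a trailing pipe) and lists
the active allow rules that apply to a given executable. The rule strings and value names are
constructed for the example, and the FrostWire install path in them is illustrative.

```python
"""Parse Windows Firewall rule values from the SYSTEM hive's FirewallRules key
and report which active Allow rules apply to a named executable.

Added example, not code from the article or from FrostWire.  The SAMPLE_RULES
below are constructed to match the on-disk format; value names and the
application paths are illustrative.
"""
from collections import defaultdict

# IP protocol numbers that appear in the Protocol= field; anything else is shown raw.
PROTOCOLS = {"6": "TCP", "17": "UDP"}


def parse_rule(value: str) -> dict:
    """Split 'v2.10|Action=Allow|...|' into a dict.

    Keys that may repeat (Profile=, LPort=, RPort=, ...) become lists; the
    leading version tag is kept under 'Version'."""
    fields = defaultdict(list)
    version, _, rest = value.partition("|")
    for field in rest.split("|"):
        if not field:                      # the trailing pipe leaves an empty element
            continue
        key, sep, val = field.partition("=")
        if sep:
            fields[key].append(val)
    rule = {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}
    rule["Version"] = version
    return rule


def app_exceptions(rules: dict, exe_name: str) -> list:
    """Return a summary of every active Allow rule whose App= path ends with exe_name.

    rules maps registry value name -> rule string, as an offline hive parser
    would hand them over.  Matching is case-insensitive on the file name only,
    so the same rule is found whatever drive or folder the program lives in."""
    hits = []
    for value_name, raw in rules.items():
        rule = parse_rule(raw)
        app = rule.get("App", "")
        if not app.lower().endswith(exe_name.lower()):
            continue
        if rule.get("Action") != "Allow":
            continue
        if rule.get("Active", "TRUE").upper() != "TRUE":   # disabled rules grant nothing
            continue
        hits.append({
            "value": value_name,
            "name": rule.get("Name"),
            "dir": rule.get("Dir"),
            "protocol": PROTOCOLS.get(rule.get("Protocol"), rule.get("Protocol", "Any")),
            "profiles": rule.get("Profile", "All"),
            "app": app,
        })
    return hits


# Constructed sample: four rule values as they might sit under FirewallRules.
SAMPLE_RULES = {
    "{rule-1}": r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public"
                r"|App=C:\Program Files\FrostWire\FrostWire.exe|Name=FrostWire|Desc=FrostWire|",
    "{rule-2}": r"v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=17"
                r"|App=C:\Program Files\FrostWire\FrostWire.exe|Name=FrostWire|",
    "{rule-3}": r"v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6"
                r"|App=C:\Program Files\Other\other.exe|Name=Other|",
    "{rule-4}": r"v2.10|Action=Allow|Active=FALSE|Dir=In"
                r"|App=C:\Program Files\FrostWire\FrostWire.exe|Name=FrostWire (disabled)|",
}

if __name__ == "__main__":
    for hit in app_exceptions(SAMPLE_RULES, "frostwire.exe"):
        print("%(value)s  %(dir)-3s %(protocol)-4s profiles=%(profiles)s  %(app)s" % hit)
```

Running the block against the sample prints the inbound TCP and outbound UDP FrostWire rules and
skips the unrelated Block rule and the disabled Allow rule. Against a real case, feed `app_exceptions`
the value name/value pairs read from the FirewallRules key of the offline SYSTEM hive (the active
control set is the one named by the Select key's Current value).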

Identifying Searches Done Using FrostWire v.5:

When a user searches for a specific item to download, that search is stored in various places on the
local machine:

1. [root]/$LogFile: Contains the search term, where it was found and the SHA-1 identification hash
value. $LogFile is the NTFS transaction journal, so these entries are transient and will be overwritten
as the volume is used.
2. [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex
/SystemIndex.gthr: The header information in this gather log is the search term and how the system
and the software communicated. The gather log is written by the Windows Search indexer.
3. [root]users/xxx/.FrostWire/search_db.h2.db: This is the H2 database that FrostWire v.5 uses to record
all searches done by the user. The information recorded is the following:
URL details, i.e. where the .torrent file resides.
The search term searched for.
The magnet link and corresponding SHA-1 hash value.
The creation date (Unix epoch) of the .torrent file.
4. [root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the entry in the search index for each
search term entered by the user. It contained the search term and the corresponding file ID. (The .tii
and .tis files are Lucene index segment files: .tii is the term index and .tis the term dictionary.)
5. [root]users/xxx/.FrostWire/search_db/search_db/_28.tis: This is a record of the search results for the
particular search term; for every .tii file a corresponding .tis file can be found.

Examining a .torrent File and the Artifacts Found:

The file header of a .torrent file is:
64 38 3A 61 6E 6E 6F 75 6E 63 65 35 39 (as viewed in hex)
d8:announce59 (as viewed in text)
This is bencoding: "d" opens a dictionary, "8:announce" is the eight-byte key "announce", and "59:"
is the byte length of the announce URL that follows. The only part of this header that varies between
files is that length field, so a signature for carving .torrent files should match on "d8:announce" and
not on the digits after it.

The .torrent file examined contained the following information:

Value                         | Meaning
------------------------------|------------------------------------------------------------
http://tracker.torrentbox.com | The announce URL: the tracker the client contacts to obtain peers
                              | for this torrent (not necessarily the site the .torrent was
                              | published on).
2710                          | The tracker's port, taken from the announce URL; the initial
                              | port used to communicate with the tracker.
77.247.176.132:80             | An IP address and port communicated with for downloading.
1238229350                    | Unix creation date of the torrent (2009-03-28 08:35:50 UTC).
Linux Books                   | The name of the item downloaded.
31C8D8C7748C9CC8090C4C2A      | SHA-1 identification hash value (the info hash). As reproduced
                              | here the value has 24 hex digits; a full SHA-1 is 20 bytes, i.e.
                              | 40 hex digits, so this rendering is truncated.
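The fields in the table above, and the info hash caveat in the artifacts section, are easiest to check
with a small parser. The following Python is an added example written for this edit, not code from the
article or from FrostWire. It decodes bencoding, pulls out the announce URL, creation date and name,
computes the info hash over the raw bytes of the "info" dictionary, and goes one step beyond the
table: it verifies a recovered file against the torrent's per-piece SHA-1 digests, which is the check that
ties a file in Torrent Data to a .torrent in the Torrent folder. The torrent and payload are constructed
in-code so the script runs offline; the tracker host name and the tiny piece length are illustrative.

```python
"""Parse a .torrent metainfo file and verify a downloaded file against it.

Added example, not code from the article or from FrostWire.  The sample
torrent and payload are constructed below; the tracker host and the 32-byte
piece length are illustrative (real torrents use pieces of 16 KiB or more).
"""
import datetime
import hashlib


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at offset pos; return (value, next_offset)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        pos, items = pos + 1, []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        pos, out = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                                # string: <length>:<bytes>
        colon = data.index(b":", pos)
        start = colon + 1
        end = start + int(data[pos:colon])
        return data[start:end], end
    raise ValueError("bad bencode at offset %d" % pos)


def bencode(value) -> bytes:
    """Encode ints, bytes, lists and dicts; dict keys are sorted as bencode requires."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def parse_torrent(data: bytes) -> dict:
    """Return the fields an examiner tabulates, plus the info hash.

    The info hash is SHA-1 over the 'info' dictionary exactly as it sits in the
    file, so that span is sliced from the original bytes rather than re-encoded."""
    if data[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    pos, top, info_span = 1, {}, None
    while data[pos:pos + 1] != b"e":
        key, pos = bdecode(data, pos)
        start = pos
        top[key], pos = bdecode(data, pos)
        if key == b"info":
            info_span = data[start:pos]
    info = top[b"info"]
    created = top.get(b"creation date")
    return {
        "announce": top.get(b"announce", b"").decode(),
        "creation_date": created,
        "creation_utc": (datetime.datetime.fromtimestamp(created, datetime.timezone.utc)
                         .strftime("%Y-%m-%d %H:%M:%S") if created is not None else None),
        "name": info[b"name"].decode(),
        "length": info.get(b"length"),
        "piece_length": info[b"piece length"],
        "pieces": info[b"pieces"],
        "infohash": hashlib.sha1(info_span).hexdigest(),
    }


def verify_payload(meta: dict, payload: bytes) -> bool:
    """Check a recovered single-file download against the torrent's per-piece SHA-1s."""
    size, hashes = meta["piece_length"], meta["pieces"]
    if len(hashes) % 20 or meta["length"] != len(payload):
        return False
    expected = [hashes[i:i + 20] for i in range(0, len(hashes), 20)]
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return len(pieces) == len(expected) and all(
        hashlib.sha1(p).digest() == h for p, h in zip(pieces, expected))


# Constructed sample: a 70-byte "download" and a .torrent built for it in-code.
SAMPLE_PAYLOAD = bytes(range(70))
PIECE_LENGTH = 32
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.invalid:2710/announce",   # illustrative host
    b"creation date": 1238229350,            # the epoch value shown in the article's table
    b"info": {
        b"length": len(SAMPLE_PAYLOAD),
        b"name": b"Linux Books",
        b"piece length": PIECE_LENGTH,
        b"pieces": b"".join(hashlib.sha1(SAMPLE_PAYLOAD[i:i + PIECE_LENGTH]).digest()
                            for i in range(0, len(SAMPLE_PAYLOAD), PIECE_LENGTH)),
    },
})

if __name__ == "__main__":
    meta = parse_torrent(SAMPLE_TORRENT)
    print("header bytes          :", SAMPLE_TORRENT[:11])     # b'd8:announce'
    for k in ("announce", "creation_date", "creation_utc", "name", "infohash"):
        print("%-22s: %s" % (k, meta[k]))
    print("payload matches pieces:", verify_payload(meta, SAMPLE_PAYLOAD))
    print("tampered copy matches :", verify_payload(meta, SAMPLE_PAYLOAD[:-1] + b"\x00"))
```

Two design points. The info hash is computed over the bytes as found, not over a re-encoded copy of
the parsed dictionary, because a client or a carver may have produced a file whose "info" dictionary is
not in canonical order, and re-encoding it would silently yield a different hash from the one the client
used. And `verify_payload` compares the file to the torrent piece by piece rather than to a single
SHA-1, because that is the only hash relationship a .torrent actually defines; a whole-file SHA-1 such
as the ones in fileurns.cache comes from FrostWire's own bookkeeping, not from the .torrent.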

Summary
FrostWire v.5 leaves a number of potential evidential artifacts that can prove useful in an investigation
in establishing what has taken place on a computer running this P2P application.
A key observation is that the artifacts generated when using FrostWire v.5 illustrate Locard's exchange
principle as applied to P2P applications: for every interaction, a trace is left behind.

Discussion

4 thoughts on "Forensic Examination of FrostWire version 5"


1. How does the frostwire props file determine the creation and last accessed date? Is the .props file
written over every time you reboot the program?
POSTED BY ANN MARIE | JULY 21, 2012, 9:11 AM
REPLY TO THIS COMMENT
2. How are the creation and last accessed dates for the props file determined? Do these change? I read
somewhere that it was rewritten every time you reboot the program, is this true?
POSTED BY AMSUTTER | JULY 21, 2012, 9:13 AM
REPLY TO THIS COMMENT
3. Can you elaborate more on the hash values found in the downloads.config? I know there is a
SHA-1 hash located under an item's torrent_hash value. I know this hash corresponds to a .DAT file inside
the active folder. The name of the file is the hash value. I cannot seem to piece these hashes with the
hash of the actual file download nor the torrent file. What is the importance of the hash value
(torrent_hash) in the downloads.config?

Also, I have looked into the search_db; depending on what updates you install for version 5, that will
dictate whether or not you can search for search terms in search_db. Were you successful in finding
your search term? I found unless you knew the search term, you would need to parse out all of the
hits and then find the common word and that would be your search term. This was a huge change
from the early versions of Frostwire where it had your search terms saved.
POSTED BY JOHN | JULY 30, 2012, 5:23 PM
REPLY TO THIS COMMENT
4. The Frostwire.props file does not reset every time it is rewritten. The rumor is that you can set the
software to wipe the search results when you close the software. I do concur that there are updates
that have changed items in the search_db since I did the paper. FTK did parse out the database with
my search results; this was easier as I had a controlled environment and I believe it might be more
difficult in practice. The hash values are made by using an algorithm which is software specific. I
am experimenting with each update to determine changes.
POSTED BY VERONICASCHM | AUGUST 16, 2012, 7:18 PM
REPLY TO THIS COMMENT
