Scribd Logo
Upload

Welcome to Scribd!

  • Frostwire 4.17.0 Forensic Examinations

    Uploaded by

    jformica
    216 views3 pages
    Unknown author describes forensic artifacts that can be found and how to analyze FrostWire 4.17.0.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Unknown author describes forensic artifacts that can be found and how to analyze FrostWire 4.17.0.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    216 views3 pages

    Frostwire 4.17.0 Forensic Examinations

    Uploaded by

    jformica
    Unknown author describes forensic artifacts that can be found and how to analyze FrostWire 4.17.0.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    FROSTWIRE 4.17.

    ***Frostwire in identical to Limewire in everyway except for name and treats its file in the
    exact same fashion***

    Change in Default Directories for Downloads/Shares


    Changes in the default directories for downloads and sharing led to changes in:

    C:\Documents and Settings\user\Application Data\FrostWire\library.dat


    C:\Documents and Settings\user\Application Data\FrostWire\installation.props
    C:\Documents and Settings\user\Application Data\FrostWire\tables.props
    C:\Documents and Settings\user\Application Data\FrostWire\questions.props
    C:\Documents and Settings\user\Application Data\FrostWire\frostwire.props
    C:\Documents and Settings\user\Application Data\FrostWire\mojito.props

    After confirming the changes, the same above files were written to as well.

    Downloads in Frostwire
    When a download is initiated in Frostwire, for example and MP3 the following things occur

    -Downloads.bak is created (if it’s the first ever download within frostwire) and written to.

    -C:\D&S\User\My Documents\Frostwire\Chicos Saved\Incomplete\T-2926592-Dave Mathwes Band – The


    Space Between.mp3 is created and updated throughout the download.

    One the download is completed the following things occur:

    -C:\....Frostwire\downloads.bak is written to/updated (this file is where Frostwire tracks its current
    downloads in the exact same way Limewire does)

    - C:\....Frostwire\xml\data\audio.sxml2 is created and is a database that provides Frostwire with the info
    displayed when other P2P users search your shared files

    - C:\...Frostwire\library.dat is written to

    - C:\...Frostwire\Fileurns.cache is written to and contains an index of shared files and their paths. This
    enables sharing of the files when user logs onto the network.

    - C:\...Frostwire\Createtimes.cache is written to
    Evidence Media Played in Built in Media Player
    Using Frostwires’ built in media player wrote to the registry:

    HKLM\System\CurrentControlSet\Hardware
    Profiles\0001\System\CurrentControlSet\Enum\HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUB
    SYS_1043829E&REV_1000\4&B3DDC6A&0&0001\DirectSound\Speaker Configuration\Speaker
    Configuration

    PROPS Examination
    FrostWire has been described as “LimeWire Pro for free”. It behaves like LimeWire and contains many
    similarly named files. It is a peer-to-peer file sharing program that uses the Gnutella and BitTorrent
    networks.

    Examined C:\Documents and Settings\{user}\Application Data\FrostWire, which was created in the


    default installation. EnCase was used to conduct the examination.

    FrostWire.props file contained:

    #FrostWire properties file


    #Tue Nov 04 14:20:18 EST 2008
    LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire
    INTRO_LOCAL_LINK=http\://vimeo.com/1397400?pg\=embed&sec\=1397400
    LAST_EXPIRE_TIME=1225826399474
    PORT=36326
    EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;arj
    ;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg;gif;sxw;aif;srt;jpe;
    deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rmj;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;
    dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;tex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;
    mpv2;pyz;bz2;qt;snd;lit;zip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps
    DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\user\\My
    Documents\\FrostWire\\Saved
    CLIENT_ID=4498CCD8BD75199A9CC622F39EB29900
    CHAT_IRC_NICK=
    TEMPLATE_FOR_SAVING_LWS_FILES=
    INSTALLED=true
    EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf
    DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\user\\My
    Documents\\FrostWire\\Store Purchased
    INTRO_URL=http\://static.frostwire.com/images/overlays/default.png
    EXTENSIONS_MIGRATE=false
    DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\user\\My
    Documents\\FrostWire\\Shared
    INTRO_NETWORK_LINK=http\://vimeo.com/1397400?pg\=embed&sec\=1397400
    COUNTRY=
    MAX_SIM_DOWNLOAD=8
    WINDOW_Y=112
    WINDOW_X=220

    The user’s GUID is contained within CLIENT_ID=. As you can see, other important info such as the
    directory where files are saved and the directory that is shared are contained.

    To determine when the client was installed, the installation.props file was examined:

    #FrostWire installs file


    #Tue Nov 04 14:20:18 EST 2008
    LANGUAGE_CHOICE=true
    FILTER_OPTION=true
    EXTENSION_OPTION=true
    SCAN_FILES=true
    LAST_EXPIRE_TIME=1225826401895
    FIREWALL_WARNING=true
    SAVE_DIRECTORY=true
    ASSOCIATION_OPTION=2
    START_STARTUP=true
    SPEED=true

    The date and time marked at the top of this file is one second later than the Created date within EnCase
    for this file.

    Also visible is that FrostWire was set to autostart.

    The default path for FrostWire’s storage is: C:\Documents and Settings\{user}\My Documents\FrostWire
    and contains four folders:
    • Incomplete – where the incomplete files are stored in a default installation. They are
    prefixed with “T-{total number of bites for complete download}” unless they have been
    previewed, in which case they are prefixed with “Preview-T-{total number of bites for
    complete download}”
    • Saved – where the complete downloaded files are stored in a default installation
    • Shared – the default shared folder; by default all downloaded files are also shared
    (checkbox in Tools->Options->Sharing)
    • Store Purchased - where purchased content would be saved

    While in LimeWire, the downloads.bak and downloads.dat files are stored in the Incomplete folder, these
    files within FrostWire are stored by default at C:\Documents and Settings\{user}\Application
    Data\FrostWire.

    A search was conducted for the name “ridiculousness”. Returns were obtained with “ridiculousness”
    listed as the album title for some mp3 files. One of these files was downloaded. The FrostWire folders
    created during installation were then imported into EnCase for examination. A keyword search was
    conducted for the term “ridiculousness” using the default text and Unicode. The only hits were contained
    within the downloaded audio file and the audio.sxml2 file, where it showed that album=”Ridiculousness”.
    It appeared that the search term was not stored in any other file.

    You might also like