Introduction to File Sharing Services

An IT-Forensic Examination of P2P Clients

 Introduction to Filesharing Services

Contents

What is File Sharing – P2P? ............................................................................................................................... 7

The History of File Sharing – in Short ................................................................................................................ 8
Networks ......................................................................................................................................................... 10
Network Topologies ........................................................................................................................................ 11
First-generation networks ........................................................................................................................... 11
Second-generation networks ...................................................................................................................... 12
Third- generation networks ......................................................................................................................... 12
Fourth-generation networks ....................................................................................................................... 13
Clients .............................................................................................................................................................. 14
eMule................................................................................................................................................... 14
LimeWire ............................................................................................................................................. 14
eMule............................................................................................................................................................... 15
What is eMule?............................................................................................................................................ 15
What does eMule mean? ............................................................................................................................ 15
How often is eMule updated? ..................................................................................................................... 15
A short list of eMule’s features ................................................................................................................... 15
The files used in eMule................................................................................................................................ 16
Known.met .............................................................................................................................................. 16
Known2_64.met ...................................................................................................................................... 17
Clients.met............................................................................................................................................... 17
Clients.met.bak ........................................................................................................................................ 17
Server.met ............................................................................................................................................... 17
Webservices.dat ...................................................................................................................................... 17
Statistics.ini .............................................................................................................................................. 17
Emfriends.met ......................................................................................................................................... 17
Preferences.ini ......................................................................................................................................... 17
Fileinfo.ini ................................................................................................................................................ 17

2
 Introduction to Filesharing Services

Category.ini.............................................................................................................................................. 17
Ipfilter.dat ................................................................................................................................................ 17
Onlinesig.dat ............................................................................................................................................ 17
Preferences.dat ....................................................................................................................................... 18
Sharedir.dat ............................................................................................................................................. 18
cancelled.met .......................................................................................................................................... 18
Staticservers.dat ...................................................................................................................................... 18
Addresses.dat .......................................................................................................................................... 18
AC_SearchStrings.dat .............................................................................................................................. 18
AC_ServerMetURLs.dat ........................................................................................................................... 18
AC_BootstrapIPs ...................................................................................................................................... 18
Cryptkey.dat ............................................................................................................................................ 18
eMule.tmpl .............................................................................................................................................. 18
xxx.part .................................................................................................................................................... 18
xxx.part.met............................................................................................................................................. 19
xxx.part.met.BAK ..................................................................................................................................... 19
eMule.log ................................................................................................................................................. 19
eMule_Debug.log .................................................................................................................................... 19
Information about file sharing..................................................................................................................... 19
The Installation of eMule......................................................................................................................... 20
The Mounting of an Installed eMule Client ..................................................................................................... 38
Forensic Examination of eMule ....................................................................................................................... 43
Standard installation ................................................................................................................................... 43
Windows registry ......................................................................................................................................... 43
preferences.ini ......................................................................................................................................... 44
downloads.txt .......................................................................................................................................... 45
AC_SearchStrings.dat .............................................................................................................................. 46
known.met............................................................................................................................................... 47
An analyzis of "known.met" ........................................................................................................................... 48
What do the different data mean?.......................................................................................................... 50
The content of the”Temp” folder ............................................................................................................ 54
Analysis tool for ”known.met” ........................................................................................................................ 56

3
 Introduction to Filesharing Services

Instructions on using ”DonkeyMetParser v. 1.3.3” ..................................................................................... 56

The GUI of the the parser: ....................................................................................................................... 56
How to use:.............................................................................................................................................. 56
Explanation to the different fields........................................................................................................... 59
Ocurrence of "negative TimeDelta" ........................................................................................................ 61
Finding data of interest in unallocated clusters .............................................................................................. 61
How to analyze data found in unallocated clusters .................................................................................... 62
Which data to copy out? ......................................................................................................................... 65
How to export the data into a new file ................................................................................................... 66
LimeWire ......................................................................................................................................................... 68
What version of LimeWire is examined?..................................................................................................... 68
About LimeWire........................................................................................................................................... 68
The Company ........................................................................................................................................... 68
What is LimeWire? .................................................................................................................................. 69
Installation ................................................................................................................................................... 69
WIKI information from the LimeWire website ............................................................................................ 78
Download................................................................................................................................................. 80
Browse Files from a friend ....................................................................................................................... 85
What I'm Sharing With ............................................................................................................................ 86
Sharing Categories ................................................................................................................................... 87
Snapshot .................................................................................................................................................. 88
Snapshot plus future files ........................................................................................................................ 89
Chat.......................................................................................................................................................... 91
Supported accounts................................................................................................................................. 92
My Library .................................................................................................................................................... 93
Options ........................................................................................................................................................ 98
My Library ................................................................................................................................................ 98
File category ............................................................................................................................................ 99
File extension ........................................................................................................................................... 99
Sharing Categories ................................................................................................................................... 99
LimeWire player ........................................................................................................................................ 100
Search ........................................................................................................................................................ 100

4
 Introduction to Filesharing Services

Search bar .............................................................................................................................................. 100

Downloads ................................................................................................................................................. 100
Saving..................................................................................................................................................... 101
Share files downloaded from the P2P Network with the P2P Network ................................................ 101
Security ...................................................................................................................................................... 101
Warning Messages .................................................................................................................................... 101
Unsafe Categories.................................................................................................................................. 101
Filtering ...................................................................................................................................................... 101
Misc ........................................................................................................................................................... 102
Notifications .............................................................................................................................................. 102
Friends and Chat ........................................................................................................................................ 102
Advanced ................................................................................................................................................... 102
Files ........................................................................................................................................................ 102
File Extensions ....................................................................................................................................... 102
Download Folders .................................................................................................................................. 103
LimeWire Store .......................................................................................................................................... 103
Transfers ................................................................................................................................................ 103
Downloads ............................................................................................................................................. 103
Uploads .................................................................................................................................................. 103
Connection Speed.................................................................................................................................. 104
System ....................................................................................................................................................... 104
File Associations .................................................................................................................................... 104
Startup and Shutdown........................................................................................................................... 104
Bugs ....................................................................................................................................................... 104
Super Really Advanced .............................................................................................................................. 104
Share .......................................................................................................................................................... 105
Friends ................................................................................................................................................... 106
Share Widget ............................................................................................................................................. 109
Friends ....................................................................................................................................................... 111
Forensic examination of LimeWire 5.1.3 ................................................................................................... 111
Default installation path (WindowsXP) ................................................................................................. 111
limewire.props....................................................................................................................................... 112

5
 Introduction to Filesharing Services

downloads.dat ....................................................................................................................................... 115

Version. Props........................................................................................................................................ 115
Library5.dat............................................................................................................................................ 115
Fileurns.cache ........................................................................................................................................ 119
How does an entry in “fileurns.cache” look like? .................................................................................. 121
Comparing data from “library5.dat” and “fileurns.cache”........................................................................ 125
Searching for data in unallocated clusters ................................................................................................ 145

6
 Introduction to Filesharing Services

What is File Sharing – P2P?

The expression peer-to-peer is especially used within the field of data communication to describe
communication or the direct exchange of data between equal units of a communication network,
without involving a central computer. The expression “P2P” or file sharing is used for the same
form of communication as well.

Apart from the above-mentioned, it may be added, that the users of file sharing programmes are
connected to each other in a larger network, that works more or less autonomously. As a
consequence of this, it is not possible immediately afterwards to carry out an investigation in this
environment, since the communication lines are interrupted at log-out of the programme and the
connection is disconnected. This again means, that no log-outs are generated elsewhere, but only
between the involved parties. frThere are, however, several file sharing programmes that contain
internal log files, which may give information about files downloaded earlier and which files have
been available for sharing and so on.

The programmes work in such a way that you, during installation, define a folder as being “shared”
with other users of file sharing services (it is not necessary to make use of the same file sharing
programme – as long as the programme is active in the same network – typically Gnutella
Network, eD2k Network or Fast Track Network). The content of this shared folder is available to all
the other users, just as they are able to run searches of the content. In some programmes it is
possible to “switch off” the file sharing function, which means that files cannot be downloaded
from the computer.

In order to explain the functionality of file sharing programmes, you have to metaphorically
compare a film file to a jigsaw, for example. All the users of the file sharing programmes place a
number of “jigsaws” at the disposal of all the other users of the file sharing service/network (the
files in their shared folders).

When a user searches the network for a certain file – the film “Titanic”, for instance – the user will
be told which users have the file in question. Our user may click on a file corresponding to his wish
and then start downloading the file. He is not restricted to one single user, but can download from
several different users that have the desired file. The programme now gets pieces for the
complete jigsaw from several other users at the same time and the final result will be gathered

7
 Introduction to Filesharing Services

together at our user’s computer. This functionality ensures, that the individual users’ bandwidth is
not burdened too much, just as the user is not immediately affected when individual remote users
shut down and close their connection.

The History of File Sharing – in Short

Ever since the infancy of computers, there has been a need for exchanging files between several
computers and users. In the beginning no actual storage medias existed, which meant that if any
information should be transferred from one computer to another, everything had to be typed in
manually. Later on, the first magnetic storage medias arrived and these could contain data, but
were very difficult to move around. Later on, the punch card was a reality and you were suddenly
able to print cards that could be read into another computer – a difficult, but usable method.

By the introduction of the floppy disk and the magnetic tape unit, the sharing of files became
much easier, but the spreading of files still went very slowly, since the files had to be moved
physically from one place to another.

With the rising popularity of the Internet in the beginning of the nineties, the ordinary user quickly
figured out that it was possible to download and send files to each other through the network,
even though you were both sitting on each side of the Earth.

USENET was the first network in which you could actually share files with many other unknown
users; in everyday speech this is referred to as newsgroups. Here it became possible to post
smaller files that other users then could download. Newsgroups are still being used, but not quite
to such an extent as they have been.

In the start of the nineties it also became very popular to set up FTP servers. By using an ordinary
FTP client, you could log on a server and download the content that was available. The FTP
server’s popularity soon fell, because different intellectual property rights holders could easily
identify the owner of the server and thus claim large sums in compensation from him. Today, FTP
servers are seldom seen.

At the same time as the FTP servers appeared, the IRC also started gaining ground. Especially the
client mIRC became very popular, as it was possible to develop script extensions for the
programme, by which you could set up the so-called file server (F server), a bit like the FTP servers.
mIRC is still being used for file sharing.

8
 Introduction to Filesharing Services

In the end nineties, the first modern file sharing programme, Napster, came into existence. This
service worked in such a way, that a number of central indexing servers registered the content of
all users in the network and their files. However, in 2001, the service was sued by, amongst others,
Lars Ulrich from the band Metallica. The legal actions lead to the closure of Napster.

Same year, the next generation of file sharing services appeared. This generation was no longer
dependent on central servers, but was a so-called distributed system, in which all requests went
through other clients connected to the network, without involving central servers.

The first distributed client was KaZaA. Through KaZaA it now became possible to share other
things than music files and it was very easy to make use of. The programme became a huge
success and you quickly had up to several million users in the network at the same time. In the
time after, a number of different clients were developed.

In 2002, the client eMule saw the light of day. eMule was a further development of the client
eDonkey 2000, which was made by a group of programmers getting tired of the client
eDonkey2000. eMule became an open-source programme and many people could now participate
in the improvement of the client.

Since then, many new versions of eMule and other file sharing clients have been developed.

9
 Introduction to Filesharing Services

Networks

The different file sharing services often make use of their own network protocols, which is why
you sometimes have to have specific clients in order to act in a specific network. However, many
clients have started to become so-called multi-network-clients, which means that they can
operate in different networks at the same time. That way the user gets more search options and
search hits.

Many different networks exist, a number of them are listed below:

eD2K
KAD
Gnutella
FastTrack
BitTorrent
Freenet
l2P
AntsP2P

and many more...

The first 5 networks mentioned on the list are open and unencrypted, whereas the last 3 are
encrypted networks.

As mentioned earlier, many clients are written to operate in several networks. eMule, for instance,
is able to connect to eD2K, KAD, Gnutella and BitTorrent.

As it appears, encrypted networks also exist. These are not that popular, since the clients are not
as straight forward to use as the unencrypted clients and the network is very slow, just as there
are not nearly as many files available in these networks.

The individual networks, of course, have different topologies and these will be described in the
next paragraph.

10
 Introduction to Filesharing Services

Network Topologies

First-generation networks
Centralized networks (Napster, for instance).

First-generation network architecture was based on a number of centralized indexing servers,

which kept up a data base on all clients logged in and their shared files. The database was updated
every time a client logged on to the network.

11
 Introduction to Filesharing Services

Second-generation networks

Decentralized networks (KaZaA, for instance).

Second-generation networks implemented a fully decentralized and distributed network-

structure. Instead of central servers, the individual user’s PC now formed an integral part of the
network, since it acted, and still acts, both as an indexing server, carries out local searches and
carries out routings of requests between the different clients.

Third- generation networks

Encrypted networks (Ants, for instance).

These networks are based on the same topology as second-generation networks, but are
encrypted.

12
 Introduction to Filesharing Services

Fourth-generation networks

The BitTorrent network is based on a “partly decentralized network”, in the way that you
download a so-called “.torrent” file through a homepage. Through your client you are then
connected to a “tracker”, which is a server keeping track of the different files that are available.
Files found complete, are called “seeds” and the tracker sends information about where you can
download the file. Downloading takes place from the complete seeds, whereas the parts missing
in the incomplete files are being uploaded to the clients at the same time. BitTorrent is based on
the principle of “tit-for-tat” and it is impossible to disconnect this “share” function.

Tracker

Client

13
 Introduction to Filesharing Services

Clients

In the following paragraphs, I will go through the different file sharing clients.

Below there is a list of clients, which at present form a part of this material:

eMule

LimeWire

14
 Introduction to Filesharing Services

eMule

The text given below has been taken directly from eMule’s official homepage on www.emule-
project.org.

What is eMule?

At dawn of May 13th, 2002, a guy called Merkur was dissatisfied with the original eDonkey2000
client and was convinced he could do better. So he did. He gathered other developers around him,
and eMule project was born. Their aim was to put the client back on track where eDonkey had
been famous before, adding tons of new features and a nice GUI. They couldn’t imagine what
impact this decision would have...

As of today, eMule is one of the biggest and most reliable peer-to-peer file sharing clients around
the world. Thanks to its open source policy, many developers are able to contribute to the project,
making the network more efficient with each release.

What does eMule mean?

The name "eMule" comes from an animal called “Mule”, which is somehow similar to a donkey. ;-)

How often is eMule updated?

eMule is not updated regularly, but at the moment the frequencies are between 1 and 3 months.
Don’t take this for guaranteed.

A short list of eMule’s features

Clients use several networks to create one reliable network (ED2K, Source Exchange, Kad).

Kad has now been implemented and versions 0.48 onwards connect automatically to Kad.

eMule’s “Queue and Credit” system helps to ensure that everyone will get the file he wants by
promoting those that upload back to the network.

15
 Introduction to Filesharing Services

eMule is completely free. eMule is also completely free of any Adware, Spyware and etc. We do
this for fun and knowledge, not for money.

Each file is checked for corruptions while downloading to ensure an error free file

The eMules Intelligent Corruption Control helps to speed up the correction of corrupted parts.

Auto priorities and Source management allows you to start many downloads without having to
monitor them.

The Preview function allows you to look at your videos and archives (zip, rar and so on) before
they are completed. For video previewing, we recommend the Video Lan Client (VLC).

The eMule features web services and a web server that allows you to have quick access to and
from the Internet.

You can create categories for your downloads to organize them.

To find the file you want, eMule offers a wide range of search possibilities which include: Servers
(local and global), web based (Jigle and Filedonkey) and Kad (still in Alpha).

eMule also allows you to use very complex Boolean searches that make the searches much more
flexible.

With the messaging and friend system, you can send messages to other clients and add them as
friends. In your friend list, you can always see if a friend is online.

With the built-in IRC client, you can chat with other downloaders and chatters around the globe.

The files used in eMule

While eMule is performed a large number of files are being used. If they do not exist already, they
will be made the first time eMule is started. Most of the files will be found in eMule’s “Config”
folder, whereas the rest will be found either in eMule’s “Temp” folder or in the installation folder.

Known.met
The “Known.met” file contains information about all files eMule has downloaded. Information
about size, file name, hash sets, hash values and some statistics are saved for each file.

16
 Introduction to Filesharing Services

Known2_64.met
The “Known2_64.met” file saves information about hash values for each file in connection with
eMule’s AICH (Advanced Intelligent Corruption Handler).

Clients.met
This file saves all users, which have credit at your eMule.

Clients.met.bak
This file contains a backup of the above-mentioned file.

Server.met
Contains all known servers.

Webservices.dat
In this file you have the possibility to build in functionality in eMule, in relation to homepages. The
file can be opened by a text editor such as Notepad and contains an explanation about the
functionality.

Statistics.ini
This file contains all statistics shown in eMule’s statistics window.

Emfriends.met
If there are any users added to eMule’s friend list, they are being saved in this file.

Preferences.ini
All settings made in eMule’s “Settings” are saved here, just as information about the user
interface, such as width of columns etc.

Fileinfo.ini
Comments or evaluations of your own shared files.

Category.ini
Saves the settings for your categories such as name, comments and choice of colour.

Ipfilter.dat
This file contains IP areas as well as access levels that have to be filtered by eMule. You can find
more information about IP filtration on http://www.emuleguides.dk/support.php?id=18

Onlinesig.dat
The online signature is a small file containing the server eMule is connected to, as well as statistics
on uploads and downloads. It can be used in IRC scripts and pictures for signatures.

17
 Introduction to Filesharing Services

Preferences.dat
The user hash is saved here. It is a value that is computed the first time eMule is started up and it
is used to identify the client on the network. It is used for the credit system and for friends.

Sharedir.dat
Contains the paths for all shared files.

cancelled.met
Contains information about the files you have cancelled.

Staticservers.dat
Static servers never change IP address and are, in theory, always online on the network. By right-
clicking on a server, you may add servers to this list.

Addresses.dat

eMule updates its server list when the programme starts up, if the file contains correct addresses
for “server.met” files. In eMule’s “Settings -> Servers”, there is a button that gives you the option
to edit this list and change the settings for updating at start up. The file can contain several
addresses (one for each line), but only the first line that has a correct address to a “server.met” file
will be used.

AC_SearchStrings.dat
Each search expression used in eMule is saved in this file

AC_ServerMetURLs.dat
The same principles as the above-mentioned file, except that this file saves typed addresses for
“server.met” files.

AC_BootstrapIPs
The same principles as the above-mentioned file, except that this file saves typed IP addresses for
the use of bootstrap in the Kad network.

Cryptkey.dat
Contains the unique 384bit private RSA key for your eMule client.

eMule.tmpl
The files with the extension “.tmpl” are necessary if you want to make use of eMule’s web
interface. They define layout and settings of the shown pages.

xxx.part
The files with the extension “.part” are downloads in eMule that are not yet finished. eMule
downloads from more than one user at a time, which means that the “.part” files always have the

18
 Introduction to Filesharing Services

size of the final download. The missing parts are zerofilled. In the newer versions, and when using
the NTFS file system, you have the option to share your incomplete downloads as “sparse”. This
counteracts the mentioned process and therefore saves space on your hard disk.

xxx.part.met
Each “.part” file has a ”.part.met” file belonging to it. In order to identify downloads on the
network and check for errors all downloads are divided into parts of 9,28MB (9500 bytes). For
each part a so-called hash value is computed. After that a new hash value is computed for all the
hash value parts. This information, together with file name and status of all the different hash’es,
is saved in “.part.met” files.

xxx.part.met.BAK
A backup of each “.part.met” file is generated and saved, since it is critical if these files become
corrupt by a mistake.

eMule.log
The log, you can see in the server window, is saved here if the window is activated in eMule’s
“Settings -> Advanced”.

eMule_Debug.log
The debug_log, you can see in the server window, is saved here if the window is activated in
eMule’s “Settings -> Advanced”.

Information about file sharing

From the “FAQ” on the official homepage, the following appears about sharing files and folders:

Notice that the share function cannot be switched off, as regards the folders created by the
system!!!

(http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=311#unshare)

19
 Introduction to Filesharing Services

The Installation of eMule

The actual installation file for the newest eMule client is found on the official homepage
www.emule-project.org, where the page has been set up in several languages – including Danish.
As of today, version 0.49c (June, 2009) is the latest addition.

Below you can see all displays from a standard installation of version 0.49c:

20
Introduction to Filesharing Services

21
Introduction to Filesharing Services

22
Introduction to Filesharing Services

23
 Introduction to Filesharing Services

The first part of the installation stops here. The user now has to start the application manually, by
using one of the shortcuts to the programme.

When the programme has started up, the set up of the programme continues.

24
Introduction to Filesharing Services

25
Introduction to Filesharing Services

26
Introduction to Filesharing Services

27
 Introduction to Filesharing Services

When you click on “Finish”, the programme starts up. Yet another set-up box appears:

28
 Introduction to Filesharing Services

When choices have been made in the box above, the start display appears:

29
 Introduction to Filesharing Services

By clicking on ”Connect” the programme will go online.

By clicking on the icons in the menu bar, we see the following pages:

30
 Introduction to Filesharing Services

Search function:

The search word is typed in the search field and a possible file type is chosen in the drop-down
box.

31
 Introduction to Filesharing Services

Shared files

(Here an example from a client that has been running for a while).

Notice the five files marked as being placed in the “Temp” folder. From these files sufficient
material has been downloaded to share (“chunks larger than 9500 kb”).

From the same display, you can see how many requests the network has sent for the individual
shared files, how many requests have been accepted, and how many bytes material has been
uploaded. All this information can be found in the file “known.met”.

32
 Introduction to Filesharing Services

Downloads:

33
 Introduction to Filesharing Services

KAD:

Shows the actual connection to the KAD network.

34
 Introduction to Filesharing Services

Statistics:

From the statistics picture, you can see the active traffic, accumulated data for downloads, uptime
and so on. The content is constructed from the file “statistics.ini” – the page is just a graphic
presentation of these data.

35
 Introduction to Filesharing Services

Settings:

Under “Settings”, there are a number of possibilities, in which you can set up your client. It will,
however, take too long to cover all functions.

Under ”Directories” , it will be shown, which folders the user actively has chosen to share.

Under “Extended” it will be indicated, whether the user has chosen to log traffic.

36
Introduction to Filesharing Services

37
 Introduction to Filesharing Services

The Mounting of an Installed eMule Client

In connection with the examination of an installed client, it is possible to get the client
running/started by mounting the evidence file containing the disk from the installed client.

You can mount the Evidence file in different ways – either by mounting it directly from EnCase or
by using Mount Image Pro (which I recommend).

Mounting via Mount Image Pro takes place this way:

1. Open the folder containing the Evidence file that is to be mounted.

2. Right-click on the ”*.E01” file and choose ”Mount Image Pro ->Mount as Logical Drive(s)”.

3. The drive will now be available in ”Denne Computer” (This computer).

4. It is now possible to browse to the ”eMule mappen” (eMule folder) on the mounted drive.

38
 Introduction to Filesharing Services

Notice, that the drive has got another drive letter. Originally, it would have had “C” as drive
name.

5. Double-click on ”emule.exe”.

6. At start up of the programme, an error message will appear telling you that the folders
”C:\Programmer\eMule\incoming” and ”C:\Programmer\eMule\Temp” are not to be
found.

39
 Introduction to Filesharing Services

As can be seen, the programme is unable to find the folders on the path. The path has to
be corrected subsequently in the programme itself.

7. Click on “OK” for both error messages and open the programme’s user interface.

8. Go to ”\eMule\Config\shareddir.dat” and open this via Notepad. Read which possible

folders have been shared by the user (notice that possible subfolders are not automatically
shared).

9. Return to eMule’s user interface and choose the menu item ”Options” and the submenu
”Directories” . Correct the drive name to the drive letter, that the disk is mounted with,
and mark possible user made folders as shared (the folders that are mentioned in
”shareddir.dat”).

40
 Introduction to Filesharing Services

10. Click “OK”.

11. Shut down and restart eMule.

12. It is now possible to see all shared files – including possible files that are about to be
downloaded and where sufficient data has been downloaded for sharing.

13. In connection with this exercise, it is a good idea to document your discoveries with screen
dumps. These pictures often say more than words and show how the user has seen his
interface.

41
 Introduction to Filesharing Services

It is completely safe to use this method as the Evidence file is write protected, which means that
possible changes only take place in RAM.

This method is relatively simple to carry out. Of course, you may also start the mounted disk
through LiveView and VirtualMachine. This is, however, only possible if all shared folders are
placed on the same physical hard disk, as it is not immediately possible to mount several disks at
the same time and run them through LiveView.

By making use of the above-mentioned method, it is possible to mount a random number of disks
and get the installation running across various disks.

42
 Introduction to Filesharing Services

Forensic Examination of eMule

Standard installation

The standard installation of eMule is found on "C:\Programmers\eMule”. The installation

automatically sets up the folders “C:\Programmer\eMule\incoming" and
"C:\Programmer\eMule\Temp" as shared with other users. As mentioned earlier, this “share”
function cannot be switched off.
In EnCase it looks like this:

Windows registry

We find no information of any interest in the registry.

Information about shared folders/files

In the file "C:\Programmer\eMule\config\sharedir.dat", we find information about shared folders

(apart from ”Incoming” and ”Temp”). The files can be opened by Notepad.

43
 Introduction to Filesharing Services

Other Files of Interest

The files listed below are worth examining closer:

14. preferences.ini (Contains information about accumulated up-/download, among other

things)
15. downloads.txt (Contains information about ongoing downloads)
16. AC_Searchstring.dat (Contains the last typed search words)
17. known.met (Information about files that have been shared – both present and former)

preferences.ini
The file is found in the folder ”C:\Programmer\eMule\config”.

The content of “preferences.ini” can be documented with advantage, by activating the client and
having the content visually presented:

44
 Introduction to Filesharing Services

downloads.txt

The file is found in the folder ”C:\Programmer\eMule\”.

This file contains information about the files that are being downloaded at present – that is the
same information which is shown under the tab “Overførsler” (Transfer).

The content is readable in Notepad and will look like this:

45
 Introduction to Filesharing Services

A line in “downloads.txt” could look something like this:

013.part ed2k://|file|paris_hilton_1.jpg|113903|02375E7B2BB138DCE2A71C89F0A0A750|/

“.part” number File name File size in bytes eD2K hash value

The line above is a fully valid eD2K link that can be copied directly into a browser, which then
automatically opens an eMule and starts downloading this specific file.

AC_SearchStrings.dat

The file is found in the folder ”C:\Programmer\eMule\config”.

The file contains information about the search words last used. The words are given in Unicode. In
EnCase, “Text Styles” may with advantage be set to Unicode:

46
 Introduction to Filesharing Services

In this example, the user has run searches on ”metallica”, ”madonna” and ”paris hilton”.

known.met

The file is found in the folder ”C:\Programmer\eMule\config”.

“Known.met” is a virtual gold mine of data. The file contains information about all files that have
been downloaded through the programme – or have been placed at the disposal of other clients
by our user. It is possible to read out the data listed below:

File name
File size
eD2K hash value
When the date has last been changed
Number of requests for the file from the network

47
 Introduction to Filesharing Services

Number of requests accepted

Number of bytes that have been uploaded
The file’s upload priority
“Last seen finished” date – that is, when has the file last been posted as available on the
network from this installation (from version 0.48a).
I will go into details with this later on.

An analyzis of "known.met"

When eMule is installed, the file “known.met” will not be created before connection has been
made to the network. The first time eMule is shut down, the file will be created. If no material has
been downloaded, the file will only contain 5 bytes of data. In HEX the file will look this way:

0E 00 00 00 00

The first byte (offset 0) contains the value 0E (NOTE: in newer versions it can be 0F), which is the
file’s signature byte. Offset 1-4 contains information about the number of records in “known.met”
and as can be seen above, no files have been downloaded.

If the first 5 bytes in ”known.met” contain the following data:

0E FF 00 00 00

You may deduce from this, that there are 256 entries in all, in this “known.met”, since the decimal
value for “FF” is 256.

When examining ”known.met”, you can open it in Notepad, for instance, but the information is
not very usable. It is only possible to deduce file name and type.

bôG$Ô•E§ºÍsñV(•ˆšäÏ••ý땾•‘Æ׺k†¬•ÃŒÕr•ƒëüæ ÓlϤüÖ¾ò••••••••%•Madonna
- Hung Up (Album Version).mp3
••••€PÎ
••••PÍ´Y••••T•••••••Q•••••••R•••••••••••••••'•OQ3KVGPW6JPLN2ZFYNCMSB7IIHUWMPJM
•••!•ÿõG •••"
••••••••••148.part•••ÓQ••••••Ô@••••••Õ•• Hung Up (Album Version)•••Ñ•Album
Version

As can be seen, there are many “holes” in the data that can be read in text view.

48
 Introduction to Filesharing Services

In order to get more out of the data, you have to change to HEX View. The same posting looks this
way:

B662F44724D40E45A7BACD73F1562804889AE4CF0200FDEB1FBE1591C6D7BA6B86AC11C38CD272C2
1F83EBFCE609D36CCFA4FCDABEF2100000000201000125004D61646F6E6E61202D2048756E672055
702028416C62756D2056657273696F6E292E6D7033030100028050CE0003010050CDB45900030100
5400000000030100510F000000030100520F00000003010019050000000201002720004F51334B56
475057364A504C4E325A46594E434D53423749494855574D504A4D030100210FFFF5470301002201
0000000201001208003134382E70617274030100D351010000030100D440010000020100D2170048
756E672055702028416C62756D2056657273696F6E29020100D10D00416C62756D2056657273696F
6E020100D007004D61646F6E6E61

It is possible to interpret the data with EnCase, but an actual HEX viewer such as WinHEX is much
more usable for the analysis. In WinHEX it is possible to interpret data up to 64 bytes onwards and
give information, whether there are any possible time and date stamps and so on.

See the example below on the use of WinHEX.

Be aware of that the “Data Interpreter” interprets the data both as numbers and dates – for

49
 Introduction to Filesharing Services

instance in this case where the 32 bits are interpreted both as numbers and UNIX date. You have
to be aware of, that the interpretation is made from the existing data, which means that “false
positives” could occur in relation to datings and so on. As a consequence of this, it is important to
look at the data structures when analyzing in WinHEX.

What do the different data mean?

In the example below, the meaning of the different data can be read out:

Below here, you see the meaning of the individual markings.

50
 Introduction to Filesharing Services

Every record may contain a number of different META-tags and all tags are not always
represented. Moreover, it has not been possible to interpret all tags completely.

51
 Introduction to Filesharing Services

In general, META-tags can be divided into two groups:

• Strings
• Numerical values

Strings:

The META-tag for strings has the format “02 01 00 xx”, in which “xx” represents the ”value” of the
tag. Immediately after the tag, the 2 bytes are placed that contain the length of the string.

Numerical values:

The META-tag for numerical values has the format “03 01 00 xx”, in which “xx” represents the
”value” of the tag. The subsequent 4 bytes contain the numerical value or a date/time value
(UNIX/C-date).

Examples of different META-tags.

TAG Meaning
02 01 00 01 File name
02 01 00 12 Temp file name (.part)
02 01 00 27 AICH hash *)
02 01 00 D0 Artist name
02 01 00 D1 Album
02 01 00 D2 Title
03 01 00 02 File size
03 01 00 19 Upload priority **)
03 01 00 21 File dating (date/time when file has last been posted on KAD ***)
03 01 00 22 Currently unknown (possibly a mp3 tag)
03 01 00 50 Transferred amount of data (total upload)
03 01 00 D3 Playing length of file in sec.
03 01 00 51 Number of requests from network
03 01 00 52 Number of accepted requests
03 01 00 D4 Bit rate
03 01 00 54 Currently unknown

*) This hash value is an Advanced Intelligent Corruption Handler hash value. It helps you

52
 Introduction to Filesharing Services

determine whether parts (“chunks”) of downloaded data are corrupt. Each “chunk” is divided into
53 (52x 180KB and 1x 140KB (9500 KB)) and each of these parts is hashed with SHA1. Each of these
hashes is called a “block hash”. By combining a couple of “block hashes” – each part with the part
next to it, for instance – eMule gets a complete “tree” of hash values. This “hash tree” of “block
hashes” is called the AICH hash set.

**) The upload priority is automatically set to the value ”05” (Auto), but it can be changed by the
user. This is done in the window “Shared Files”, wherein each file can be set manually to the
desired value.

Upload priority:

00 00 00 00: Low
01 00 00 00: Normal
02 00 00 00: High
03 00 00 00: Release
04 00 00 00: Very Low
05 00 00 00: Auto

***) This time and date stamp is rather special and demands an explanation:

When eMule connects to the network, the programme checks whether the individual file is still in
the shared folders. If the file is present, eMule will try to post the file on the KAD network. If the
file in question has insufficient sources, the file will be posted and the actual date/time (in GMT)
will be updated. On the other hand, if there are insufficient sources on the KAD network, the file
will not be posted (in order to prevent flooding). Instead the file is given a time and date stamp
(“reposting time”) which is actual time + 5 hours (GMT). When the new time comes, the process
will be repeated. If there is a shortage of sources, the file is posted with the actual time (GMT) or
else the file will get a new “reposting time”, which again is actual time + 5 hours.

This means that when examining “known.met” it is possible to determine for how long time the
individual file has been shared (+/- 5hours) – even if the file has been removed or deleted from the
shared folders. You can work out the period in which the file has been shared by deducting the
posting time from “last changed” time (Notice that this is ONLY when the file has been
downloaded through eMule – more about this later on).

53
 Introduction to Filesharing Services

How do we determine whether a file has been downloaded via eMule or the user has
placed it at the disposal of the network?

In the file ”C:\Programmer\eMule\config\shareddir.dat” paths are found to the current shared

folders (”incoming” and ”Temp” are not mentioned here).

If other folders have been shared, all files in the folders will be added to “known.met”, but the
individual files will not have references to a ”.part” file. This means that NO tag exists for this
information (02 01 00 12) in this record.

A quick way to check this is to read out the number of records in “known.met” (offset 1-4), and
then carry out a search on the HEX values 02 01 00 12 and compare them with the number of
records that have been read out earlier. If there is a difference, single files will have been shared
by the user (NOTE: If the user chooses to delete the old program before installing a new – or the
known.met file has been deleted/corrupted - there will be no referenced to the “.part” file – even
if the file had been downloaded by the previous program installation. Do a thorough examination
on this prior to saying, that the user has set the files shared by him self )

The content of the”Temp” folder

When examining the folder "C:\Programmer\eMule\Temp", we see that this folder contains the
partly downloaded files.

During download, a file is divided into 3 separate files:

“xx.part” file
“xx.part.met” file
“xx.part.met.bak” file

"xx.part" file contains the actual file data. The file has the same size as the complete file (possible
missing file parts are being marked with ”00”).

"xx.part.met" contains "meta-data" for the file, such as file name, file size, data chunks
downloaded, AICH hash of chunks downloaded and so on.

54
 Introduction to Filesharing Services

"xx.part.met.bak" is a backup of "xx.part.met".

If a partly downloaded file contains a video sequence, you can often play it in MediaPlayer or in
VirtualDub, for instance.

55
 Introduction to Filesharing Services

Analysis tool for ”known.met”

Instructions on using ”DonkeyMetParser v. 1.3.3”

The GUI of the the parser:

How to use:

Prior to the first use, you have to update the program with your current timezone:

1. Open <Edit> -> <Preferences>

56
 Introduction to Filesharing Services

2. Fill in the desired separator for the CSV file (";" is the default separator in Excel (Europe) ) -
this way you can directly open the file in Excel just by double-clicking it

3. Fill in your locale time zone (find the right time zone table below. By filling in the right zone
instead of the GMT offset, you'll have the right change of DST (Daylight saving time))

4. Click Apply

5. Go to <File> -> <Open> to browse to the desired "known.met" file and click "Open"

6. The parsed data will be shown in the grid

57
 Introduction to Filesharing Services

7. Choose <File> -> <Export> - Select filename and path, and click "Save"

8. Double click the new CSV file and view the data

Please notice that the parser shows the "TimeDelta" in minutes - while Excell shows the
same time in seconds (this due to an internal calculation mode within Excell)

58
 Introduction to Filesharing Services

Explanation to the different fields

Fieldname Meaning Notes

The name of the file, that the user has clicked

Filename
on when searching

File size in bytes Size of file in bytes

For files smaller than 9500

eD2K Hash value The eDonkey hash value of the file bytes, this value is the same as
the MD4 hash value of the file

If the file has been shared

"manually" by the user, will
this time/date be the original
Last Written The time when the file was fully downloaded
"Last Written" timestamp - see
further under the "Has Part"
part later on

The number of hits on the file from the

Hits
eD2K/KAD network

Number of accepted hits, where the eDonkey

Accepted hits client "grants" access to download data from
the desired file

The accumulated (total) upload from this

Bytes uploadet
specific file

00 00 00 00: Low
01 00 00 00: Normal
The upload priority of the file (05 - Auto is 02 00 00 00: High
Upload priority
default) 03 00 00 00: Release
04 00 00 00: Very Low
05 00 00 00: Auto

59
 Introduction to Filesharing Services

If the Upload priority has been

changed from Auto, it shows,
that the user has done this
manually to the file (in the
"Shared files" pane he has
selected the file, right-clicked
it and changed the priority)
When eMule connects to the network, the
program checks whether the individual file is
still in the shared folders. If the file is present,
eMule will try to post the file on the KAD
network. If the file in question has insufficient
sources, the file will be posted and the actual
date/time (in GMT) will be updated. On the
other hand, if there are insufficient sources on
the KAD network, the file will not be posted (in
order to prevent flooding). Instead the file is
given a time and date stamp (“reposting
SystemCheckTime
time”) which is actual time + 5 hours (GMT).
When the new time comes, the process will be
repeated. If there is a shortage of sources, the
file is posted with the actual time (GMT) or
else the file will get a new “reposting time”,
which again is actual time + 5 hours.
This means that when examining “known.met”
it is possible to determine for how long time
the individual file has been shared (+/- 5
hours) – even if the file has been removed or
deleted from the shared folders.

When transferring the data

from the parser to the CSV file,
and opening it, the shown
The amount of time, that the file has been amount of time will change
TimeDelta
shared from minutes to seconds. In
rare cases you will get a
negative amount of time - see
note further down

60
 Introduction to Filesharing Services

When a file is downloaded through eMule, the

entry in "known.met" will contain a reference
True/false indicates whether
to the temporary ".part" file. If this entry not is
Has Part there is a reference to the
present, the file has not been downloaded
".part" file
through eMule (at least not the present
installation)

Ocurrence of "negative TimeDelta"

In rare cases occurrences of negative values will appear, when parsing af "known.met" file. This
happens when a larger file is being downloaded. When sufficient data is available ("chunks") they
are shared on the network in the same way as full downloaded files. The available "chunks" gets a
"SystemCheckTime" stamp, while the "LastWritten" timestamp NOT is present in the "known.met"
file until the full file has been downloaded.

Scenario:

The user selects a 500 Mb file for download at 13:00 GMT present day. During the download he
obtains several full "data chunks" that are set as shared. Every time the file gets a
"SystemCheckTime" timestamp. At 15:30 GMT present day the file gets the last
"SystemCheckTime", and at 16:00 GMT the file is fully downloaded. The entry in the "known.met"
file is created with "Last Written" as 16:00 GMT present day. The user removes the file from the
shared folder before next "SystemCheckTime" is stamped into the file.

When parsing this file the "TimeDelta" will be negative as it is calculated as a subtraction of the
"LastWritten" from "SystemCheckTime".

Even if you have a negative "TimeDelta" you can have a large amount of hits, accepted hits and
upload of data

Finding data of interest in unallocated clusters

When you are making an examination - try to use the following GREP search (EnCase version)

61
 Introduction to Filesharing Services

\x03\x01\x00\x51.{4,4}\x03\x01\x00\x52

This GREP searches for parts of the entries in "known.met"

This search is specifically searching for the "Number of hits from the network" (the tag 03010051)
- then followed by the actual number of hits - which is stated in the next 4 bytes (unknown data)
and then followed by the "Number of accepted hits" (the tag 03010052)

When you have finished this search, you might get a lot of hits (as each entry in the known.met file
has these tags).

How to analyze data found in unallocated clusters

Using EnCase you might get searchhits like below when using the GREP search shown above:

62
 Introduction to Filesharing Services

Same data shown in WinHEX - the GREP search is here shown in red/yellow/green

63
Introduction to Filesharing Services

64
 Introduction to Filesharing Services

Which data to copy out?

65
 Introduction to Filesharing Services

How to export the data into a new file

Right-click the selected data and choose "Export"

Choose the Output file and path (somthing.met) and click "ok"

The data will now be exported into a ".met" file.

Open DonkeyMet Parser, and parse the new file

66
 Introduction to Filesharing Services

This is how to parse data found in unallocated clusters

It's possible to use other tools to extract the binary data - find your own way to use these tools :-)

67
 Introduction to Filesharing Services

LimeWire

What version of LimeWire is examined?

The following information is based on examination of LimWire v. 5.1.3 – basic version. This is the
current newest version of LimeWire (june 2009) – and it has some significant changes compared to
the 4.x versions. The differences to earlier versions will not be mentioned.

LimeWire is a P2P client connecting to the Gnutella network.

The client comes in 2 different versions:

LimeWire Basic

LimeWire Pro

The “Basic version” is free, while the “Pro version” costs aprox. 35 UD$ a year

The text given below has been taken directly from the official homepage of LimeWire on
www.limewire.com

About LimeWire

LimeWire is the world's most popular peer-to-peer file-sharing program. With over 70 million
unique monthly users, the software is downloaded hundreds of thousands of times every day and
boasts millions of active users at any given moment. LimeWire uses the BitTorrent protocol and
the Gnutella network to provide an unparalleled searches and download speed to the user. As
always, LimeWire takes the security of its users very seriously and will never bundle spyware,
adware, or viruses

The Company

Founded in 2000 by CEO Mark Gorton, Lime Wire is a leader of innovative peer-to-peer software
development and solutions in the file sharing industry. We develop powerful, sophisticated
software offering an unparalleled user experience. Our signature products, LimeWire BASIC and

68
 Introduction to Filesharing Services

LimeWire PRO, run on the decentralized Gnutella Network and are among the world's most
popular peer-to-peer file sharing applications. More recently we've launched the LimeWire Store,
a digital media store, and are working on a number of projects to help further connect Lime Wire's
peer-to-peer community. Interested in joining Lime Wire? Read about our open positions here.

What is LimeWire?

LimeWire is a peer-to-peer file sharing program that connects to the Gnutella network and
enables users to search for and download files from other users. It is not a web site or a service,
and Lime Wire does not provide any of the content found on the network. LimeWire enables you
to share your files with millions of other LimeWire users, and vice versa, so there is always a
diverse selection of files available.

Installation

The following screenshots shows a standard installation of LimeWire 5.1.3 Basic version (free)

69
Introduction to Filesharing Services

70
Introduction to Filesharing Services

71
Introduction to Filesharing Services

72
Introduction to Filesharing Services

73
 Introduction to Filesharing Services

NOTE: Files downloaded with LimeWire are automatically shared on the P2P network – in spite of
the setting shown !!

74
Introduction to Filesharing Services

75
Introduction to Filesharing Services

76
Introduction to Filesharing Services

77
 Introduction to Filesharing Services

WIKI information from the LimeWire website

The following information is taken from the LimeWire WIKI

(http://wiki.limewire.org/index.php?title=Main_Page)

Browse files is a way to see all the files someone who appears in a search result is sharing. Click the
down arrow next to '1 P2P User', '# P2P Users', 'Friend' or even 'People' to browse which files are shared.

'Friend' appears if you are using Friends and a contact has a file which matches your search. On the other
hand, 'People' might appear if a friend and other people on the P2P Network are sharing the file.

78
 Introduction to Filesharing Services

or with the Classic View

79
 Introduction to Filesharing Services

Then when you select a person to browse, the library is shown on the Sidebar under On LimeWire:

Download

Download a search result through LimeWire by clicking on the file name.

Downloads from the P2P Network are automatically shared, as specified in your Options. On the other
hand, downloads from Friends are not shared automatically.

80
 Introduction to Filesharing Services

When you click a search result to download, the search results shows an arrow and adds "Downloading"
to the search result. At the bottom of the screen is the status of your last few downloads.

81
 Introduction to Filesharing Services

When the file finishes downloading, the down arrow becomes a book icon to show it's in My Library. If
you double-click the book icon or single-click the underlined 'My Library', LimeWire takes you to My
Library and selects the file.

Additionally, you can click Show all from the search results to see all your downloads along with more
detailed information:

Here's a thumbnail view of the monkey image in My Library:

82
 Introduction to Filesharing Services

Here's a list of Downloads with different progress:

Monkey on ice skates - Downloading

Psychology 101 Lecture 3 - Downloading
New England Foliage.bmp - Done. You can launch the file to check it out.
Psychology 101 Lecture 2.avi - Waiting. LimeWire will attempt to download the file after a
time period. You might receive this message if the computer who is sharing the file has a limit

83
 Introduction to Filesharing Services

on how many people can download at once so you have to wait your turn. Also, you might
have reached a limit of how many downloads you can start at once.
Psychology 101 Lecture 1 - Unable to download. Remove it and try searching again. The file
you are trying to download might have a problem.
Psychology 102 Lecture 1 - Connecting. Your computer is attempting to connect to the
computer that has this file. If your computer can't connect, the download becomes Stalled.
Cancun.bmp - Stalled. You should click Try again so your computer will again attempt to
connect to a computer with the file. Between starting and finishing the download, the
computer sharing the file might have shut down. You can either cancel the download (clicking
on the x), try again or wait.

The Friends feature is a way for you to use an account to get a list of contacts who you can share files
from My Library and, or chat.

The accounts use an open standard (XMPP) which maintains lists of contacts per account.

Note: Signing in with an account and password through LimeWire doesn't give you, nor anyone else
access to your email or your account information. Signing in with the email account only lets you see
your contacts who you can then either share files with, or download files your friends are sharing with
you.

You can add a friend to your contact two ways:

1. send and receive an email from a friend with your email account
2. add the friend's account through LimeWire. Then your friend must accept you as a friend
through his account or through LimeWire. Similarly, you would need to accept a friend
through LimeWire or your email account if he added you as a friend.

84
 Introduction to Filesharing Services

Browse Files from a friend

Here Abby shared an image, 'Quabbin Reservoir MA 2.JPG' which you downloaded as shown by the book
icon:

You can get a list of all the files your friends are currently sharing with you through All Friends:

85
 Introduction to Filesharing Services

What I'm Sharing With

Here you can see you decided to share a picture of a man posing as a statue and a night scene at the
Feast of San Gennaro with Abby.

86
 Introduction to Filesharing Services

Sharing Categories

You can share all the files in a category, either current snapshot of files, or the current snapshot plus
future files. Through Options, you can select how to share all the files in your audio, images, video or
documents categories.

Note: Changing your Sharing Categories setting makes all previous category shares with friends a
snapshot share.

87
 Introduction to Filesharing Services

Snapshot

From My Library, select a file category (either Audio, Videos, Images or Documents), then click 'Share'
and select 'Share all with Friend...'.

Then all the files in your image category are selected and the Share Widget appears to add friends:

88
 Introduction to Filesharing Services

Snapshot plus future files

Additionally, you can share the current and future files you add to My Library in your audio, image or
video category with your friends.

For example, you decide to share your image category with Abby, along with future downloads. After you
find and download another image of the Quabbin, whether from a friend of the P2P Network, that file is
automatically shared with Abby.

To share all files in a category including new files, you need to make a change in the Tools > Options.
Then from My Library, highlight a file category, then click 'Share' and select 'Share all with a Friend...' to
get the collection share widget:

To show you are sharing future files, My Library states 'Sharing Collection: 1':

89
 Introduction to Filesharing Services

Also, if you see 'What I'm Sharing' with a friend through My Library, you get a notification you are
sharing future files:

90
 Introduction to Filesharing Services

Chat

You can chat with friends whether they are 'On LimeWire' or 'Online'. A friend could be signed into their
account, for example checking their email, without being 'On LimeWire'. You can use LimeWire to chat
with your friend even if he isn't 'On LimeWire'.

Highlight a friend from the Sidebar, right click (control click) and select 'Chat':

91
 Introduction to Filesharing Services

Supported accounts

LimeWire supports the following accounts:

Google's Gmail(tm)* webmail service

Hot-Chilli
Jabber.ru (r),
JabberES
Jabberim
LiveJournal (r)
MacJabber.de

Domain names

For the active list of Jabber serices, see http://www.jabber.org/web/Services

Enter the following in the Domain name depending on your account:

binaryfreedom.info
darkdna.net
im.apinc.org
im.flosoft.biz

92
 Introduction to Filesharing Services

im.thiessen.it
jabber.ccc.de
jabber.hot-chilli.net
jabber.org
jabber.rootbash.com
jabber.se
jabberes.org
jabster.pl
macjabber.de
programmer-art.org
swissjabber.ch

My Library

My Library is the central location to view or share files with LimeWire. These are files you either told
LimeWire to watch, or downloaded from the P2P Network or the LimeWire Store. Files and folders you
add to My Library aren't automatically shared with the P2P Network unless you previously shared them.

You can add files or folders to My Library if you select File > 'Add File to Library...' or 'Add Folder to
Library...' in LimeWire.

Click on Tools > Options (Preferences > Options), My Library to see which files and folders you want
LimeWire to manage:

93
 Introduction to Filesharing Services

Here are files in the Images category of My Library:

94
 Introduction to Filesharing Services

If you right-click (Control-click) you can get more options:

Here's the Videos category of My Library:

95
 Introduction to Filesharing Services

Here are audio files in My Library:

96
 Introduction to Filesharing Services

You can narrow down files shown in My Library to display only files in My Library which match the filter.
The filter searches information known about the files, including information listed in 'View More Info...'.

For example, filtering for 'CMJ' shows:

97
 Introduction to Filesharing Services

Options

My Library

Use My Library to set which folders you want LimeWire to look for files to manage.

Note: Files in My Library aren't shared automatically.

Once LimeWire adds a file to My Library, you have a central location to find files on your computer. Here
you can share files with the Person to Person (P2P) Network your Friends, or both.

Click Add Folder to add folders to scan.

98
 Introduction to Filesharing Services

Additionally, you can control which file categories LimeWire adds to My Library.

File category

LimeWire groups files into categories based on the files' extensions. The categories are:

audio (may only have sound)

documents (may have words, numbers, images and sometimes sounds and videos)
images (may have pictures)
programs ( may have computer instructions; for example LimeWire is a program)
other (Since there are thousands of file extensions used with computers, it's impossible for
LimeWire to group every file extension into a type. This category includes extensions
LimeWire isn't sure where to put.)
video (may have sound, pictures and video)

For example, 'sailboat.JPG' is the name of an image file. The file extension, 'JPG', is a common extension
for files with pictures so LimeWire puts all files with the extension 'JPG' (and 'jpg') into the image file
category.

You can click Manage in the Tools > Options > Advanced > Files option to see the file categories for each
file extension.

File extension

The file extension is the letters and, or numbers after the dot in a file name. For example, the file
extension for the file name 'sailboat.JPG' is 'JPG'.

File extensions help you figure out what category the file is (audio, document, image, program or
videos).

Sharing Categories

You can share a category of files in My Library (Audio, Images or Videos) in two ways:

Snapshot
Snapshot plus future files in that category

A snapshot are all the files you currently have in that category. This is a quick way to share all files of a
particular category in all folders in My Library.

On the other hand, a snapshot also includes any files you may add to My Library in the future. For
example, when share your image collection with a friend, then all images which LimeWire lists in My
Library are shared with him. Then if you download an image of a 'Monkey on a skateboard', then the
monkey file is automatically shared with that friend. Also, if you add an image of a cute cat to My Library,
then it too is shared with your friend who you shared the image collection.

99
 Introduction to Filesharing Services

LimeWire player

You can either use the LimeWire player when you launch audio files from LimeWire, or use another player
on your computer.

Search

Search bar

You can set which file category to search. For example, if you only want to search for images, you can set
that here.

Also, you can Group similar search results together. Based on the available data, LimeWire groups search
results that appear to be similar. For example, if the network has two files, Simon_Short_Story.txt and
Simon.txt (both have similar content, like they are the same size and the same file extension), then
when you search for "Simon Short Story", both results are grouped.

For example, the search result for 'LimeWire' returned:

When you click on the plus sign, you see two additional files which are similar.

Downloads

100
 Introduction to Filesharing Services

Saving

Before LimeWire starts downloading a file, it checks if there is a file already with the same name.
Checking this option tells LimeWire to add a number to avoid replacing the existing file with the new file.

For example, instead of replacing 'sailboat.JPG', LimeWire saves the download file as 'sailboat(1).JPG'.

Share files downloaded from the P2P Network with the P2P Network

This option gives other people the chance to download files you downloaded from the P2P Network. When
you search using LimeWire you are actually searching the Gnutella network of computers. These
computers create a person to person (P2P) connection of computers to allow you to share files.

Another download option is having LimeWire update your iTunes Library.

Also, LimeWire keeps a list of your recent downloads in File > Recent Downloads.

Security

Warning Messages

Unsafe Categories

In order to protect users from unknowingly downloading potentially harmful programs, LimeWire doesn't
let you search for, or share programs by default. Known programs, like 'LimeWire' can be safe to
download, however many times virus hide inside programs. Therefore, we recommend your don't
download programs.

Additionally, to protect your personal information, LimeWire doesn't share Documents by default with the
P2P Network. However, you can share documents with Friends. (See Manage Extensions for a list of
document file extensions.)

Filtering

Don't show adult content in search results

Select this option to prevent common adult search results from appearing.

Additionally, you can add terms to Filter Keywords... to further restrict search results. For example, if you
added 'ime' to the Filter Keywords... and then searched for 'limewire', you wouldn't see any search
results with the letters 'ime'.

101
 Introduction to Filesharing Services

The Filter File Extensions... prevents showing results with file extensions which could include viruses or
cause harm to your computer.

Misc

You can set which language you'd like to see LimeWire's text use.

Notifications

A notification includes a dialog box that appears in the lower right corner of your monitor when you
receive a chat message from a friend.

Friends and Chat

Like Google's Gmail(tm)* webmail service LimeWire uses the XMPP open standard for the Friends feature.

The Friends feature lets you send text messages to your friends, or to share files directly with friends.
Your email account and messages are not accessible through the Friends feature and the password is
encrypted to protect your privacy.

* Gmail is a trademark of Google Inc. Google Inc is not a sponsor or partner of Lime Wire LLC.

Advanced

Files

File Extensions

Here you can see how LimeWire groups file extensions into categories. For example, LimeWire puts all
files with the file extension 'txt' into the Documents category.

Also, you can control what file extensions LimeWire recognizes for loading into My Library. If, for
example, you decide to exclude MS Word documents from loading into your library, then remove the
check.

Setting file extensions is a great way to control what files you share. For example, if you have sensitive
information in MS Excel files, you might want to restrict sharing 'xls' and 'xlsx' extensions.

102
 Introduction to Filesharing Services

Download Folders

You can set where downloaded files are stored on your computer for Audio, Documents, Images,
Programs, Other, or Video.

LimeWire Store

Configure file naming

You can decide how files purchased from the LimeWire Store are saved onto your computer. LimeWire
could create a folder structure with the name of the artist and, or the album, and various file name
possibilities (artist/album/title/track number, etc.).

For example, if you set:

Then when you use LimeWire to download "Connjur" by the artist "School of Seven Bells" through the
LimeWire Store (from the album "LimeWire Store + CMJ present CMJ08: 28 Years, 28 Tracks"), the file is
saved:

... \Store Purchased\School of Seven Bells\LimeWire Store + CMJ present CMJ08_ 28 Years, 28 Tracks\School
of Seven Bells - LimeWire Store + CMJ present CMJ08_ 28 Years, 28 Tracks - 01 - Connjur.mp3

iTunes

Transfers

Downloads

Uploads

An upload is a file on your computer another person is downloading.

The upload bandwidth is how much data you want to allow someone to download from you. Like
adjusting how wide a window is open to control how much air goes out, the greater you increase the
upload bandwidth, you give others more opportunity to download data. Older and, or slow Internet
connection computers might want to decrease the upload bandwidth to improve computer performance.

103
 Introduction to Filesharing Services

Connection Speed

Setting your network connection speed is critical to allow fast searches and downloads from the P2P
Network.

A Broadband connection typically means you have a fast Internet connection. On the other hand, a Dial-
up connection is typically a slower connection where your modem makes a call through the telephone
lines into an Internet service provider (ISP).

System

File Associations

You can tell your computer to use LimeWire to open .magnet or .torrent files when using the Windows
operating system.

Startup and Shutdown

Here you can tell LimeWire to run when your computer starts. Also, you can set if you want to minimize
LimeWire to the System Tray when you hit X (the 'Close' button in the upper right of the program), or to
exit.

Bugs

Bug reports list areas in the code where a problem traveled and helps software developers fix mistakes.

Tell me about Beta updates

Here you set if you want LimeWire to notify you about Beta updates. Beta versions of LimeWire are work-
in-progress releases of the software with the latest features and bug fixes. The goal of a beta release is
for a small sample of users to find bugs, or to report what they like or don't like. LimeWire uses the beta
feedback to improve the next wide release.

Super Really Advanced

These settings are quite technical and difficult to explain to a broad audience without some confusion.
Therefore, since we expect only people already familiar with these options to make change here, we
won't document.

Firewall
Proxy

104
 Introduction to Filesharing Services

Network Interface
Performance
BitTorrent
Filtering
Spam

Share

Sharing files is what makes the P2P Network. The more shares, the bigger the network. The bottom left
corner of LimeWire lists the number of files you are sharing:

My Library is the central location to manage files and folders. You can add folders to My Library using
Tools > Options, My Library.

Note: Once you add files or folders to My Library, the files aren't automatically shared. You can use the
Share Widget to select which files to share. Additionally, you can use the Share Widget to stop sharing a
file.

Click on My Library and then 'What I'm Sharing'.

Here is a list of the videos category of what you are sharing with the P2P Network:

105
 Introduction to Filesharing Services

Here is a thumbnail view of the images category of what you are sharing with the P2P Network:

Friends

If you are signed into Friends, you additionally see the friends icon ( ) and your list of friends.

106
 Introduction to Filesharing Services

Click on My Library and then 'What I'm Sharing'.

Then select either 'P2P Network' or a friend to see which files you are sharing:

A file is shared if the share icon is enabled. The share icon can either be:

disabled; the file is not shared with the P2P Network

enabled; the file is shared with the P2P Network
disabled; the file is not shared with any friends
enabled; the file is shared with one friend

You could for example, share a file with the P2P Network and not a friend. Here you are sharing a
Creative Commons audio file with the P2P Network but not with any friends:

Here you are sharing a video of you running your first marathon:

107
 Introduction to Filesharing Services

Here you are sharing images. In the first case you are sharing with only the P2P Network and in the
second case you are sharing with both the P2P Network and a friend.

Documents are not shared by default:

108
 Introduction to Filesharing Services

Share Widget

The Share Widget lets you control if a file is shared with the P2P Network and, or with friends.

The P2P Network is a group of person to person users who create the Gnutella Network. When you are
searching the network, you are searching for files hosted by users like you on the P2P Network.

You can access the Share Widget through the file's share icon which can either be:

disabled; the file is not shared

enabled; the file is shared

Here is the share icon as seen in the videos category of My Library:

109
 Introduction to Filesharing Services

Click the share icon to show the Share Widget:

Once you share a file, the share icon is enabled as shown for the subway statue file.

110
 Introduction to Filesharing Services

Friends

When using the Friends feature, the Friend share icon appears near the file and means:

- not shared with any friends

- shared with one friend
- shared with multiple friends

Note: the number lists the number of friends you are sharing with so it can grow beyond two.

When you click on either the P2P Network or Friends share icons, you get the Share Widget to manage
sharing with both the P2P Network and, or friends. Here, you are sharing an image with the P2P Network
and Abby, and haven't yet shared it with Dan:

Forensic examination of LimeWire 5.1.3

Default installation path (WindowsXP)

LimeWire is by default installed at "C:\Program Files\LimeWire". In this folder, you find the
program "core files".

111
 Introduction to Filesharing Services

The files containing the settings is found at "C:\Documents and Settings\ <USER>\Application
Data\LimeWire". (It's among these data you find what you want :-) )

In this folder you - among other files - find the following files of interest:

limewire.props

downloads.dat

version.props

library5.dat

fileurns.cache

limewire.props

The “limewire.props” file contains the “properties” of the system. There is a lot of good
information in this file, e.g.

RECENT_DOWNLOADS=
Shows the recent downloaded files and their paths

HARD_MAX_UPLOADS=
This entry is ONLY present, if the user has changed the number of “upload slots”. If the
entry is “0”, then sharing is disabled

UPLOAD_SPEED=
This entry is ONLY present, if the user has changed the uploadspeed

DIRECTORY_FOR_SAVING_FILES=
Contains the path to the folder used for saving downloaded files. This file will often contain
the files that automatically are shared

CLIENT_ID=
Contains a unique SHA1 value to identify the user

TOTAL_UPTIME=
Total uptime of the client in seconds

112
 Introduction to Filesharing Services

LAST_SHUTDOWN_TIME=
UNIX time/date stamp

TOTAL_CONNECTION_TIME=
Total connectiontime to the network in miliseconds

LAST_UPDATE_TIMESTAMP=
UNIX time/date stamp

LAST_SHUTDOWN_TIME=
UNIX time/date stamp

“limewire.props” is constantly overwritten, and it’s possible to search for information in

unallocated clusters for old versions of the file. If you search unallocated clusters for information
it’s a “must” to search for “HARD_MAX_UPLOADS=” as this is crucial information regarding
proving past sharing of files.

The limitation of upload speed/simultaneous uploads is found in the <Tools>-><Options>->

<Advanced>-><Transfers> tab

The default setting for ”Uploads” i

20 connections and nol imitation in
bandwidth.

If the “box” is ticked, then the slider

appears – otherwise it is hidden

113
 Introduction to Filesharing Services

By default LimeWire only allows search and sharing of music-, video- and image files. To allow
search for other filetypes – click <Tools>-><Options>-><Security> - Unsafe Categories

If these settings are applied the “limewire.props” file is added the lines

DOCUMENT_SHARING_ENABLED=true

PROGRAMS_ALLOWED=true

114
 Introduction to Filesharing Services

downloads.dat

Downloads.dat contains information on the current downloads. The file is rewritten constantly, so
there is a good possibility to find information in unallocated clusters, pagefile.sys etc.

To se what currently is being downloaded – look in the “Temp-folder” – the temporary files shows
there with name. An example is seen below:

T-5395563-Madonna - Hey Mr. DJ.mp3.

The “T-5395563-“ is added in fornt of the filename here – “T” for temporary – and the number
sequence is the filesize in bytes.

The adding of the “prefix” does not indicate, that the temporary file has been played/viewed

Version. Props

Version.props contains information on what version of LimeWire is installed

5.1.3=true

Version 5.1.3 is installed

Library5.dat

As shared files in Limewire v.5.x not are shared on “folder basis”, but on file level, the information
on which files are shared has to be stored somewhere – and in this case the information is stored
in the file “library5.dat” In the previous version the shared files where mentioned in “library.dat”.

The content of the file looks like this:

¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F·

loadFactorI·
thresholdxp?@······w·········t··USER_EXTENSIONSsr··java.util.HashSetºD???¸·4···xpw·····
?@······xt··MANAGED_DIRECTORIESsq·~··w·····?@······sr··java.io.File·-¤E·

äÿ···L··patht··Ljava/lang/String;xpt·:C:\Documents and Settings\USER\My

Documents\LimeWire\Savedw··\xsq·~··t·+C:\Documents and Settings\USER\My
Documentsw··\xsq·~··t·DC:\Documents and Settings\USER\My Documents\LimeWire\Store
Purchasedw··\xsq·~··t·&C:\Documents and Settings\USER\Desktopw··\xxt·

115
 Introduction to Filesharing Services

EXCLUDE_FILESsq·~··w·····?@······xt··USER_REMOVEDsq·~··w····@?@······t··mnyt··xlst··xlsxt··docmt··
qdft··dott··dotmt··xlsmt··qdbt··xlsbt··dotxt··qsdt··xlamt··xltxt··bakt··qelt··qtxt··qift··datt··xltmt··flvt··
mbft··docxt··csvt··qphxt·

DO_NOT_MANAGEsq·~··w·····?@······xt·

SHARE_DATAsq·~··?@······w·········sq·~··t·VC:\Documents and Settings\USER\My

Documents\LimeWire\Saved\Madonna - Like A
Prayer.mp3w··\xsr·=com.limegroup.gnutella.library.LibraryFileData$FileProperties

¥Ð^Cgª®···Z··gnutellaL··friendst··Ljava/util/Set;xp·psq·~··t·XC:\Documents and Settings\USER\My

Documents\LimeWire\Saved\Metallica - Enter Sandman.mp3w··\xsq·~·4·pxx

As seen, there is a lot of “not human readable data” in the file. To interpret the data, you have to
look at in HEX mode. The data then looks like this:

AC ED 00 05 73 72 00 11 6A 61 76 61 2E 75 74 69 6C 2E 48 61 73 68 4D 61 70 05 07 DA C1 C3 16
60 D1 03 00 02 46 00 0A 6C 6F 61 64 46 61 63 74 6F 72 49 00 09 74 68 72 65 73 68 6F 6C 64 78 70
3F 40 00 00 00 00 00 0C 77 08 00 00 00 10 00 00 00 06 74 00 0F 55 5345 52 5F 45 58 54 45 4E 53
49 4F 4E 53 73 72 00 11 6A 61 76 61 2E 75 74 69 6C 2E 48 61 73 68 53 65 74 BA 44 85 95 96 B8 B7
34 03 00 00 78 70 77 0C 00 00 00 10 3F 40 00 00 00 00 00 00 78 74 00 13 4D 41 4E 41 47 45 44 5F
44 49 52 45 43 54 4F 52 49 45 53 73 71 00 7E 00 03 77 0C 00 00 00 10 3F 40 00 00 00 00 00 04 73
72 00 0C 6A 61 76 61 2E 69 6F 2E 46 69 6C 65 04 2D A4 45 0E 0D E4 FF 03 00 01 4C 00 04 70 61 74
68 74 00 12 4C 6A 61 76 61 2F 6C 61 6E 67 2F 53 74 72 69 6E 67 3B 78 70 74 00 3A 43 3A 5C 44 6F
63 75 6D65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 55 53 45 52 5C 4D 79 20 44 6F 63
75 6D 65 6E 74 73 5C 4C 69 6D 65 57 69 7265 5C 53 61 76 65 64 77 02 00 5C 78 73 71 00 7E 00 07
74 00 2B 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 55 53 45
52 5C 4D 79 20 44 6F 63 75 6D 65 6E 74 73 77 02 00 5C 78 73 71 00 7E 00 07 74 00 44 43 3A 5C 44
6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 55 53 45 52 5C 4D 79 20 44 6F
63 75 6D 65 6E 74 73 5C 4C 69 6D 65 57 69 72 65 5C 53 74 6F 72 65 20 50 75 72 63 68 61 73 65 64
77 02 00 5C 78 73 71 00 7E 00 07 74 00 26 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53
65 74 74 69 6E 67 73 5C 55 53 45 52 5C 44 65 73 6B 74 6F 70 77 02 00 5C 78 78 74 00 0D 45 58 43
4C 55 44 45 5F 46 49 4C 45 53 73 71 00 7E 00 03 77 0C 00 00 00 10 3F 40 00 00 00 00 00 00 78 74
00 0C 55 53 45 52 5F 52 45 4D 4F 56 45 44 73 71 00 7E 00 03 77 0C 00 00 00 40 3F 40 00 00 00 00
00 19 74 00 03 6D 6E 79 74 00 03 78 6C 73 74 00 04 78 6C 73 78 74 00 04 64 6F 63 6D 74 00 03 71
64 66 74 00 03 64 6F 74 74 00 04 64 6F 74 6D 74 00 04 78 6C 73 6D 74 00 03 71 64 62 74 00 04 78
6C 73 62 74 00 04 64 6F 74 78 74 00 03 71 73 64 74 00 04 78 6C 61 6D 74 00 04 78 6C 74 78 74 00
03 62 61 6B 74 00 03 71 65 6C 74 00 03 71 74 78 74 00 03 71 69 66 74 00 03 64 61 74 74 00 04 78
6C 74 6D 74 00 03 66 6C 76 74 00 03 6D 62 66 74 00 04 64 6F 63 78 74 00 03 63 73 76 74 00 03 71

116
 Introduction to Filesharing Services

70 68 78 74 00 0D 44 4F 5F 4E 4F 54 5F 4D 41 4E 41 47 45 73 71 00 7E 00 03 77 0C 00 00 00 10 3F
40 00 00 00 00 00 00 78 74 00 0A 53 48 41 52 45 5F 44 41 54 41 73 71 00 7E 00 00 3F 40 00 00 00
00 00 0C 77 08 00 00 00 10 00 00 00 02 73 71 00 7E 00 07 74 00 56 43 3A 5C 44 6F 63 75 6D 65 6E
74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 55 53 45 52 5C 4D 79 20 44 6F 63 75 6D65 6E 74
73 5C 4C 69 6D 65 57 69 72 65 5C 53 61 76 65 64 5C 4D 61 64 6F 6E 6E 61 20 2D 20 4C 69 6B 65
20 41 20 50 72 61 79 65 72 2E 6D 70 33 77 02 00 5C 78 73 72 00 3D 63 6F 6D 2E 6C 69 6D 65 67
72 6F 75 70 2E 67 6E 75 74 65 6C 6C 61 2E 6C 69 62 72 61 72 79 2E 4C 69 62 72 61 72 79 46 69 6C
65 44 61 74 61 24 46 69 6C 65 50 72 6F 70 65 72 74 69 65 73 0A A5 D0 5E 43 67 AA AE 02 00 02
5A 00 08 67 6E 75 74 65 6C 6C 61 4C 00 07 66 72 69 65 6E 64 73 74 00 0F 4C 6A 61 76 61 2F 75 74
69 6C 2F 53 65 74 3B 78 70 01 70 73 71 00 7E 00 07 74 00 58 43 3A 5C 44 6F 63 75 6D 65 6E 74 73
20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 55 53 45 52 5C 4D 79 20 44 6F 63 75 6D 65 6E 74 73 5C
4C 69 6D 65 57 69 72 65 5C 53 61 76 65 64 5C 4D 65 74 61 6C 6C 69 63 61 20 2D 20 45 6E 74 65
72 20 53 61 6E 64 6D 61 6E 2E 6D 70 33 77 02 00 5C 78 73 71 00 7E 00 34 00 70 78 78

As seen, there is a lot of tata to interpret. In this “library5.dat” file, there is information on 2 files –
but only 1 of them are shared – how can you determine which files are shared.

The information on sharing is stored in one byte attached to the fileentry.

When comparing 2 “library5.dat” files – one where files are shared, and one where the files have
been unshared, it shows, that the “sharing byte” is at the end of each entry

When looking at the picture below, you can see, that one file is hared (green byte) and one file is
unshared (red byte)

117
 Introduction to Filesharing Services

As seen, the “header” for the sharing byte is not the same, and other variations can occur. The
GREP search (EnCase style GREP) below will extract the sharing state of the files within the
“library5.dat” file

(\x78\x70[\x00\x01])|(\x7E\x00.[\x00\x01])

The search hits will by the last byte show, whether the file is shared or not

00 : Unshared

01: Shared

To extract filename, path and share-byte use one of the following GREP-searches:

If the first GREP shows that all files are shared use this new GREP-search:

\x73\x71\x00\x7E\x00\x07\x74\x00.{0,255}(\x78\x70\x01)|(\x7E\x00.\x01)

NOTE: If the total string length of path and filename exceeds 255 characters no hits will be
returned. It is however possible to bookmark these files individually

If the first GREP shows that some files are unshared, you have to run the GREP above and the
following:

118
 Introduction to Filesharing Services

\x73\x71\x00\x7E\x00\x07\x74\x00.{0,255}(\x78\x70\x00)|(\x7E\x00.\x00)

NOTE: If the total string length of path and filename exceeds 255 characters no hits will be
returned. It is however possible to bookmark these files individually

By running the 2 GREP’s separately, you can create 2 tables with these data for later comparison
with the entries in “fileurns.cache”

When files are deleted from the “library”, their entry in “library5.dat” is deleted. It is however
possible to search for deleted “library5.dat” files, by searching for the “footer” of the file. The
following GREP-search, will find the footer (including the share setting of the last file entry)

((\x78\x70[\x00\x01])|(\x7E\x00[\x30\x34][\x00\x01]))\x70\x78\x78

From hits on this search, you have to go backwards and save as much of the deleted file as
possible

HINT (EnCase): Export the found entries into a binary file, add the file to the case and use the
GREP-search that extracts the filename, paths and share-bit

As this file doesn’t contain any hash values, you need to compare the findings with entries from
“fileurns.cache”

Fileurns.cache

Fileurns.cache contains information on the files that are in the LimeWire “library”.

Each entry consists of Filename, storage path, LastModified date, SHA1_base32 hashvalue and
TigerTree_base32 hashvalue of the file

When a file is deleted, the entry is also deleted in “fileurns.cache”

The files in “fileurns.cache” does not have to have been downloaded by LimeWire – they only have
to be in one of the folders, that are mentioned in the library. By default the “Documents” and the
“Desktop” (both with subfolders) are in the library (only certain filetypes – see picture below)

119
 Introduction to Filesharing Services

This setting means, that if you download a file from eg. Internet Explorer, ad place it on the
desktop, the file will be mentioned in “fileurns.cache” – but you have to set the files as shared
manually.

This means that the bare presence of a fileentry in “fileurns.cache” is not an evidence of sharing –
but it’s an evidence of possession of the file.

When searching unallocated clusters for deleted “fileurns.cache” files”, it’s possible to find the
SHA1 or TTH hashvalues of the deleted files, and hereby prove the earlier possession of certain
files (If you have a database of illegal files, it’s possible to compare the hashvalues from the
database and the hashvalues from the case and hereby prove earlier possession of these files)

120
 Introduction to Filesharing Services

How does an entry in “fileurns.cache” look like?

If you open the “fileurns.cache” in a HEX-editor, an entry could look like the picture below. In this
picture, there are 2 entries. An entry starts with 73 (71 00)

”system entry”-
Note the ”70”
after the ”78” –
End Tag

”download entry”-
Note no ”70” after
the ”78” – End Tag

TAG Meaning Notes

02 (77 08) Java Timestamp “Last Written of file” – time

when file was fully
downloaded

0C (77 xx) URN

2B SHA1 URN

121
 Introduction to Filesharing Services

34 TTH URN

70 End “system entry” Follows entries, where the

system has added the data.
Note: This tag is not found
right after files downloaded via
LimeWire

71 Currently unknown Followed by 1 byte – meaning

currently unknown

72 Java String Followed by 2 bytes telling

length of string

73 Start of entry

74 Path Followed by 2 bytes telling

length of string

77 Text string Followed by 2 bytes telling

length of string

7E Currently unknown

78 End of entry

How to extract filenames, paths, dates and SHA1_base32 value from “fileurns.cache”

When using EnCase the following GREP-search can extract the desired information *)

\x73\x71\x00\x7E.{0,8}\x77\x08.{8,8}\x74\x00.{0,255}\x78\x73\x71.{0,30}\x2B\x00\x29urn\:sha1\
:[A-Z0-9]{32,32}\x71

*) the GREP will return a string of max 255 carachters – see explanation later

Looking at one of the entries on the previous page, the search will find the following data:

122
 Introduction to Filesharing Services

Note that the GREP not returns the TTH value

There is a flaw to this method. EnCase GREP only allows to search and return strings of maximum
255 carachters.

Look at the 2 examples below:

String below 255 carachters:

123
 Introduction to Filesharing Services

Note that the full entry is extracted

String above 255 carachters

When the strings get long, it’s often due too extremely long filenames or storage paths

124
 Introduction to Filesharing Services

When you go through your search hits note the length of these (sort them on length to see which
ones exceed 255 characters) and manually bookmark these entries in their full length.

Comparing data from “library5.dat” and “fileurns.cache”

By using the above mentioned GREP searches, you should now have text documents containing
the search hits.

To compare these data, you can use Microsoft Access. Before comparison you need to “clean up
the data, and remove the “tag code”

This procedure is a little tricky, but as soon a direct parser is made for the files – this is a way to
get around the problem. To get the described procedures to work, you need to follow the naming
of the fields and tables (unless you already is an Acces Ace  )

Open Access and create an empty database

Select <File> -> <Get External data> -> <Import>

125
 Introduction to Filesharing Services

Browse to the exported data from “fileurns.cache”

126
 Introduction to Filesharing Services

Click <Import>

You will now get the opportunity to import the data into the database.

127
 Introduction to Filesharing Services

Select <Delimited> import – click <Next>

Choose the “~ “ (tilde) as your separator

128
 Introduction to Filesharing Services

Click <Next>

Select <In a new table> - click <Next>

129
 Introduction to Filesharing Services

In the next window you get the opportunity to name the single fields in the table. In Field1 you
rename it to “Path”

Field5 you rename to “SHA1”

Click <Next>

130
 Introduction to Filesharing Services

Select <No primary key> - Click <Next>

You have now imported the data. Click <Finish>

131
 Introduction to Filesharing Services

Go to the main window and open the table and see the imported data. As you can see, there are
data, which needs to be removed

We now need to import the data from the “Libray5.dat” file

Go to <File> -> <Get External data> -> <Import>

132
 Introduction to Filesharing Services

Click <Import>

Like previous import – select <Delimited> import – Click <Next>

133
 Introduction to Filesharing Services

Again – choose the “~” as your separator – Click <Next>

Select <In a new table> and create a new table for the data Click <Next>

134
 Introduction to Filesharing Services

Rename “Field2” to “Path” – click <Next>

Choose <No primary key> - Click <Next>

135
 Introduction to Filesharing Services

You have now imported the data into the new table.

To clean out some of the data use the queries shown below

Select <Queries> -> <Create a query in Design view>

Doubleclick the “Export_fileurns” table and click <Close>

136
 Introduction to Filesharing Services

Drag the fields “Path” and “SHA1” to the “Field box”

Click the arrow next to the “View button” and select <SQL View>

137
 Introduction to Filesharing Services

Paste the following text in to the query window

SELECT Mid(Export_fileurns.Path,14) AS Path, Mid(Export_fileurns.SHA1,14,32) AS SHA1 INTO

Cleaned_data FROM Export_fileurns;

Click the read Exclamation mark on the top menu to run the query

Select <Yes>

138
 Introduction to Filesharing Services

You have now cleaned out most of the “clutter” in both fields – but you still need to remove some
data from the “Path” collum

Highlight the “Path” collum – Click <Edit> -> <Replace>

139
 Introduction to Filesharing Services

Type “xsq” ind the “Find What” field

Leave “Replace With” empty

Choose “Any part of field” under “Match”

Click “Replace All”

Click <Yes>

The “clutter data” has now been removed from the table.

You now need to repeat the process to clean out clutter from the “library5.dat” file.

140
 Introduction to Filesharing Services

Select <Queries>-><Create query in Design view>

Choose the “Export_lib5” table – click <Close>

141
 Introduction to Filesharing Services

Click the “View button” to get to the <SQL view>

Paste the following into the query

SELECT Mid(Export_lib5.Path,4) AS Path INTO Cleaned_lib5 FROM Export_lib5;

Click the red exclamation mark in the menu and run the query

Click <Yes>

Open the new table. Highlight the “path” collum

Click <Edit> -><Replace>

142
 Introduction to Filesharing Services

Type in “w \” in the “Find What” field

Choose “Path” in the “Look in” field

“Any part of Field” in “Match”

Click <Replace All>

Click <Yes>

To compare the data you need to create a new query

Select <Queries>-><Create query in Design view> and create a new query

143
 Introduction to Filesharing Services

Select the two tables “Cleaned_data” and “Cleaned_lib5”

You have to create a relationship between the two tables. The data you want to “match” is the
“Path” column in both tables. You create the relationship by selecting the “Path” field from one
column and drag it on to the “Path” field in the other column. The relationship is created, and is
shown by a line between the two fields

From the “Cleaned_data” you select both fields and drag them on to the “Field” field. You have
now created the query. Click the red exclamation mark and run the query. You will now get a
result like below.

144
 Introduction to Filesharing Services

In this query you have now established the connection between the data in “fileurns.cache” and
“library5.dat” and shown what files are shared (If you had chosen to only select files that had the
share bit set to sharing)

Searching for data in unallocated clusters

The mentioned GREP searches can be used in unallocated clusters to find information on deleted
files, previous downloads etc. The search hits can be extracted and “parsed” in the same way as
mentioned above. This gives the possibility to prove earlier possession of the files (if you have a
database of illegal material to compare with).

To prove the sharing of these files is not 100% possible/sure. This relys on the fact, that the user
previously could have changed his “number of uploads at once” to “0”. As mentioned under
“limewire.props” this will result in the creation of the line “HARD_MAX_UPLOADS=0”. It’s possible
to make a GREP search for this line. If you don’t get any hits on this search, it’s quite possible, that
the sharing not has been disabled by turning down the number of uploads – but you can not be
absolutely sure (it depends on the situation, amount of data, size of unallocated clusters etc). The
presence of SHA1 values in “fileurns.cache” entries from unallocated clusters will though
constitute the evidence of, that this particular file previously has been in the “library” and there
for in possession of the user

As the development of clients is ever growing, this is only a “snapshot” in time of what is possible
to find. Some information might not be present in this version, but will be in the next.

The future examination of clients will go on, and all my discoveries will be published at
www.filseshareforensics.org. Join, learn and contribute with your own discoveries. Remember – If
we work together our knowledge increases – and the amount of time we have to use on an
investigation decreases – It’s a real win-win-situation 

Søren Christensen

Detective Inspector – Special Consultant

National High Tech Crime Centre – Denmark
soeren.christensen@nitec.politi.dk
www.fileshareforensics.org

145