Frostwire 4.17.2 Forensic Examination 2b1e20
This document was ed by and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this report form. Report 3b7i
Overview 3e4r5l
& View Frostwire 4.17.2 Forensic Examination as PDF for free.
More details w3441
- Words: 678
- Pages: 11
PRESENTATION GROUP 3
FROSTWIRE v4.17.2 PRESENTED BY: Daniel Kral Bruce Hunter Pierre-Jean Tessier Ray Valiquette
FROSTWIRE v4.17.2 P2P group project Registry changes monitored with InCtrl5: (Very few changes) Keys ignored: 0 Keys added: 5 Keys deleted: 4 Values added: 12 Values deleted: 10 Values changed: 13 Configuration files of Frostwire: Location: C:\Documents and Settings\\Application Data\Frostwire • Where is the GUID? (3 pts) C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00
CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The GUID number is the same as the CLIENT ID. • Is sharing enabled by default (3 pts) Yes, displayed when program is first run.
This information is also located in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps
DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
• How can you tell if the application is sharing? (3 pts) The information about which folders are being shared is contained in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg
AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The above highlighted item will be removed if the sharing for that folder is revoked! The information about specific individual files, which are being shared or not shared is dynamically tracked in: C:\Documents and Settings\\Application Data\FrostWire\library.dat ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········t··SPECIAL_FILES_TO_SHAREsr··java.util.HashSetºD…•– ¸·4···xpw·····?@······sr··java.io.File·-¤E· äÿ···L··patht··Ljava/lang/String;xpt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3w··\xxt··FILES_NOT_TO_SHAREsq·~··w·····?@······xt··SPECIAL_STORE_FILES sq·~··w·····?@······xt·"SENSITIVE_DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt·· DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt··SENSITIVE_DIRECTORIES_VALID ATEDsq·~··w·····?@······xx
• What is being shared? (3 pts) The information about which folders are being shared is contained in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent
LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The information about specific individual files, which are being shared or not shared is dynamically tracked in: C:\Documents and Settings\\Application Data\FrostWire\library.dat ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········t··SPECIAL_FILES_TO_SHAREsr··java.util.HashSetºD…•– ¸·4···xpw·····?@······sr··java.io.File·-¤E· äÿ···L··patht··Ljava/lang/String;xpt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3w··\xxt··FILES_NOT_TO_SHAREsq·~··w·····?@······xt··SPECIAL_STORE_FILES sq·~··w·····?@······xt·"SENSITIVE_DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt·· DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt··SENSITIVE_DIRECTORIES_VALID ATEDsq·~··w·····?@······xx
Additional information about files which were shared at
some point is located in: C:\Documents and Settings\\Application Data\FrostWire\fileurns.cache ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········sr·)com.limegroup.gnutella.UrnCache$UrnSetKeyœP·8¿gO····xp w···· ^·"Xt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3xsr·%java.util.Collections$UnmodifiableSet€·’Ñ ›€U···xr·,java.util.Collections$Unm odifiableCollection·B·€Ë^÷····L··ct··Ljava/util/Collection;xpsr··com.limegroup.gnutella.UrnSetñ7 YG9ß±4···L··sha1t··Lcom/limegroup/gnutella/URN;L··ttrootq·~· xpsr··com.limegroup.gnutella.URN«übt·Ro····xpw+·)urn:sha1:QLEK3Z7KPOPHJHKRVOY4WP MIOG24C5JB~r··com.limegroup.gnutella.URN$Type···········xr··java.lang.Enum···········xpt··S HA1xsq·~··w4·2urn:ttroot:WIPBWESCYLJ5EYHL5IBL3CCHQV2OJQJSGJ22PWI~q·~··t··TTR OOTxsq·~··w···· ]ñÖ÷t·aC:\Documents and Settings\\My Documents\FrostWire\Saved\Rolling Stones - Honky Tonk Woman.mp3xsq·~··sq·~· sq·~··w+·)urn:sha1:PFFPTB5UOKPJ5UA4X6RMBJLPEDH5CZ3Yq·~··xsq·~··w4·2urn:ttroot :MX56FVOJVNXLUHNZH7BSRKVF52CYGD7N2GNMPTYq·~··xsq·~··w···· ^··¥t·bC:\Documents and Settings\\My Documents\FrostWire\Saved\the beatles - beetles - love me do.mp3xsq·~··sq·~· sq·~··w+·)urn:sha1:FHT7FGPKQI2BSLKHI2YOX3XBT6YXFPWGq·~··xsq·~··w4·2urn:ttro ot:PZPCTTSQXTRX43DWVA35O76ZEMITDPTG5LDIAUQq·~··xsq·~··w···· ]õ‘ t·\C:\Documents and Settings\\My Documents\FrostWire\Saved\Simpsons - Halloween Special.mpgxsq·~··sq·~· sq·~··w+·)urn:sha1:2TYCGLU3LHB4DL3FORWWF3AW6ZWGH5ORq·~··xsq·~··w4·2urn:tt root:OEXSNKPIJUMKUHYRTPEDHJQPTNF3FNKASZW4KPQq·~··xx
• Where are s saved? (3 pts) This information is also located in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t
ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
• What was ed Incompletes folder– We can say for sure that it came from the Frostwire application. Fileurns.cache file– may have come from Frostwire or from anywhere else. • Sharing exceptions – where do we find them library.dat file– see content above • Search – are they stored anywhere? Any risk of cross contamination? No, not stored anywhere. Maybe in RAM or in pagefile.sys. • Evidence of previewing?
No evidence of preview files in s.dat!!!!
• Evidence of incomplete s? This is found in the s.dat: Dcom.limegroup.gnutella.er.serial.GnutellaMementoImpl·ø·K6Æ“´···L·
serialObjectsq·~··xpsq·~··?@······w········ q·~··sq·~··t·jC:\Documents and Settings\\My Documents\FrostWire\Incomplete\T-5349208-Britney Spears - Womanizer .mp3w··\xq·~··sq·~······w·····sq·~·M··…w····sq·~·M· %w····sq·~·M· Uw· ··sq·~·M··Šï····xq·~··sq·~··w+·)urn:sha1:GWGVPKRKJIKAGCEU3OZQFIDQAWZ7N4q·~·· xq·~··~q·~··t··MANAGEDq·~· t··Britney Spears - Womanizer .mp3q·~·"sq·~·#w·····?@······sr
FROSTWIRE v4.17.2 PRESENTED BY: Daniel Kral Bruce Hunter Pierre-Jean Tessier Ray Valiquette
FROSTWIRE v4.17.2 P2P group project Registry changes monitored with InCtrl5: (Very few changes) Keys ignored: 0 Keys added: 5 Keys deleted: 4 Values added: 12 Values deleted: 10 Values changed: 13 Configuration files of Frostwire: Location: C:\Documents and Settings\\Application Data\Frostwire • Where is the GUID? (3 pts) C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00
CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The GUID number is the same as the CLIENT ID. • Is sharing enabled by default (3 pts) Yes, displayed when program is first run.
This information is also located in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps
DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
• How can you tell if the application is sharing? (3 pts) The information about which folders are being shared is contained in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg
AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The above highlighted item will be removed if the sharing for that folder is revoked! The information about specific individual files, which are being shared or not shared is dynamically tracked in: C:\Documents and Settings\\Application Data\FrostWire\library.dat ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········t··SPECIAL_FILES_TO_SHAREsr··java.util.HashSetºD…•– ¸·4···xpw·····?@······sr··java.io.File·-¤E· äÿ···L··patht··Ljava/lang/String;xpt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3w··\xxt··FILES_NOT_TO_SHAREsq·~··w·····?@······xt··SPECIAL_STORE_FILES sq·~··w·····?@······xt·"SENSITIVE_DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt·· DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt··SENSITIVE_DIRECTORIES_VALID ATEDsq·~··w·····?@······xx
• What is being shared? (3 pts) The information about which folders are being shared is contained in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent
LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
The information about specific individual files, which are being shared or not shared is dynamically tracked in: C:\Documents and Settings\\Application Data\FrostWire\library.dat ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········t··SPECIAL_FILES_TO_SHAREsr··java.util.HashSetºD…•– ¸·4···xpw·····?@······sr··java.io.File·-¤E· äÿ···L··patht··Ljava/lang/String;xpt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3w··\xxt··FILES_NOT_TO_SHAREsq·~··w·····?@······xt··SPECIAL_STORE_FILES sq·~··w·····?@······xt·"SENSITIVE_DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt·· DIRECTORIES_NOT_TO_SHAREsq·~··w·····?@······xt··SENSITIVE_DIRECTORIES_VALID ATEDsq·~··w·····?@······xx
Additional information about files which were shared at
some point is located in: C:\Documents and Settings\\Application Data\FrostWire\fileurns.cache ¬í··sr··java.util.HashMap··ÚÁ÷`Ñ···F· loadFactorI· thresholdxp?@······w·········sr·)com.limegroup.gnutella.UrnCache$UrnSetKeyœP·8¿gO····xp w···· ^·"Xt·AC:\Documents and Settings\\Desktop\The Who - Baba O'Riley.mp3xsr·%java.util.Collections$UnmodifiableSet€·’Ñ ›€U···xr·,java.util.Collections$Unm odifiableCollection·B·€Ë^÷····L··ct··Ljava/util/Collection;xpsr··com.limegroup.gnutella.UrnSetñ7 YG9ß±4···L··sha1t··Lcom/limegroup/gnutella/URN;L··ttrootq·~· xpsr··com.limegroup.gnutella.URN«übt·Ro····xpw+·)urn:sha1:QLEK3Z7KPOPHJHKRVOY4WP MIOG24C5JB~r··com.limegroup.gnutella.URN$Type···········xr··java.lang.Enum···········xpt··S HA1xsq·~··w4·2urn:ttroot:WIPBWESCYLJ5EYHL5IBL3CCHQV2OJQJSGJ22PWI~q·~··t··TTR OOTxsq·~··w···· ]ñÖ÷t·aC:\Documents and Settings\\My Documents\FrostWire\Saved\Rolling Stones - Honky Tonk Woman.mp3xsq·~··sq·~· sq·~··w+·)urn:sha1:PFFPTB5UOKPJ5UA4X6RMBJLPEDH5CZ3Yq·~··xsq·~··w4·2urn:ttroot :MX56FVOJVNXLUHNZH7BSRKVF52CYGD7N2GNMPTYq·~··xsq·~··w···· ^··¥t·bC:\Documents and Settings\\My Documents\FrostWire\Saved\the beatles - beetles - love me do.mp3xsq·~··sq·~· sq·~··w+·)urn:sha1:FHT7FGPKQI2BSLKHI2YOX3XBT6YXFPWGq·~··xsq·~··w4·2urn:ttro ot:PZPCTTSQXTRX43DWVA35O76ZEMITDPTG5LDIAUQq·~··xsq·~··w···· ]õ‘ t·\C:\Documents and Settings\\My Documents\FrostWire\Saved\Simpsons - Halloween Special.mpgxsq·~··sq·~· sq·~··w+·)urn:sha1:2TYCGLU3LHB4DL3FORWWF3AW6ZWGH5ORq·~··xsq·~··w4·2urn:tt root:OEXSNKPIJUMKUHYRTPEDHJQPTNF3FNKASZW4KPQq·~··xx
• Where are s saved? (3 pts) This information is also located in: C:\Documents and Settings\\Application Data\FrostWire\frostwire.props #FrostWire properties file #Tue Mar 31 15:12:44 EDT 2009 AFTER_SEARCH_NETWORK_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire INTRO_TORRENT_LINK=http\://www.frostclick.com/torrents/audio/music/Tiara_Wiles__Thi s_is_Tiara__frostclick.com_frostwire.com__MP3_192k_2009_03_26.torrent LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debut-releasefrom-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ LAST_EXPIRE_TIME=1238526426781 PORT=24762 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;a rj;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg ;gif;sxw;aif;srt;jpe;deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rm j;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla;dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;t
ex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra;mpv2;pyz;bz2;qt;snd;lit;z ip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Saved CLIENT_ID=73100A06A73ECBA5DF58ECF885864D00 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/tiara_wiles_overlay.jpg AFTER_SEARCH_URL=http\://static.frostwire.com/images/overlays/default.png AFTER_SEARCH_LOCAL_LINK=http\://www.frostwire.com/?id\=linkus&from\=frostwire EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://www.frostclick.com/wp/index.php/2009/03/26/debutrelease-from-tiara-wiles-this-is-tiara-featured-now-on-frostwire/ COUNTRY= MAX_SIM_=8 WINDOW_Y=212 WINDOW_X=128
• What was ed Incompletes folder– We can say for sure that it came from the Frostwire application. Fileurns.cache file– may have come from Frostwire or from anywhere else. • Sharing exceptions – where do we find them library.dat file– see content above • Search – are they stored anywhere? Any risk of cross contamination? No, not stored anywhere. Maybe in RAM or in pagefile.sys. • Evidence of previewing?
No evidence of preview files in s.dat!!!!
• Evidence of incomplete s? This is found in the s.dat: Dcom.limegroup.gnutella.er.serial.GnutellaMementoImpl·ø·K6Æ“´···L·
serialObjectsq·~··xpsq·~··?@······w········ q·~··sq·~··t·jC:\Documents and Settings\\My Documents\FrostWire\Incomplete\T-5349208-Britney Spears - Womanizer .mp3w··\xq·~··sq·~······w·····sq·~·M··…w····sq·~·M· %w····sq·~·M· Uw· ··sq·~·M··Šï····xq·~··sq·~··w+·)urn:sha1:GWGVPKRKJIKAGCEU3OZQFIDQAWZ7N4q·~·· xq·~··~q·~··t··MANAGEDq·~· t··Britney Spears - Womanizer .mp3q·~·"sq·~·#w·····?@······sr
Related Documents 3m3m1z
Frostwire 4.17.2 Forensic Examination 2b1e20
October 2019 41
Forensic Examination Of Fibres Chromatography 3k5vg
December 2020 0
An Examination Of Digital Forensic Models 2d416c
November 2019 37
Forensic 51b5k
November 2019 97
Frostwire 5 Forensics 5192z
October 2019 25