Peer-to-Peer Networking

Peer-to-peer usage is growing steadily in the corporate world, with products like Kazaa, Morpheus, eMule, and Gnutella providing a new challenge for forensic analysis. These clients connect to other clients using an open or proprietary protocol. Each client can be used to share files and to download files shared by other clients. They vary in complexity, and the clients and underlying protocols are in a state of flux, so the forensic examiner must stay continuously vigilant to understand the latest popular client. Additionally, the presence of peer-to-peer clients may indicate the presence of spyware on the computer (many clients are ad-supported). SpyBot or a similar program should be run on a read-only copy of the imaged drive to validate what has been installed. This may be necessary to refute future claims of "spyware downloaded the pictures without my knowledge."

In addition to client-based forensic analysis, the ability to conduct network sniffing when investigating peer-to-peer clients should not be discounted. Network forensics is beyond the scope of this book, but may be useful in cases involving ongoing peer-to-peer activity, especially in target identification. We frequently detect peer-to-peer clients running through basic traffic analysis and firewall rejections.

The two primary goals of peer-to-peer forensics are to identify files that the suspect downloaded and to identify files that the suspect shared with others. The mechanisms for accomplishing this with the most common clients as of the time of writing are as listed here. In general, the following procedures can be used to obtain this information for new clients:

  1. Load a clean, base image of the target operating system (Microsoft Virtual PC and VMWare are a tremendous help here with the Snapshot feature).

  2. Install and run Filemon and Regmon from Sysinternals.

  3. Download and install the peer-to-peer client software.

  4. Note any directory creation, file creation, and registry key creation using the preceding tools.

  5. Start the client software. View the Options to identify the folder names for default shared folders and download folders.

  6. Create a folder with a unique name on the hard drive (for example, c:\FORENSICSHARE215\) and change the shared folder option to reflect that name.

  7. Create a second folder with a unique name on the hard drive (for example, c:\FORENSICDL215\) and change the downloaded folders to reflect that.

  8. Note any registry key or file changes after clicking Apply or Ok. Close the program and note any changes.

  9. View the changed registry key(s) and note the name. This will be the location to search on the suspect machine.

  10. Run strings or Find on the files that changed to search for the unique folder name:

     Find "FORENSICDL215" changedfilename.ext

  11. If the file is ASCII-based, open the file in Quickview or a similar viewer and note the line and any variable name where the previous unique name(s) are located. This is the location to search on the suspect machine.

  12. If the file is binary, open the file in WinHex and search for the name. Note any unique hexadecimal values just prior to the start of the unique name. This is the hex value to search for on the suspect machine to identify the location in that file. If there are multiple hex values that can be considered unique, note the ordinal position of the value you are searching as a reference point.
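Steps 10 through 12 above can be carried out against a copy of a changed binary file with a short script. The following is an added example (not from the book) that locates every occurrence of the unique folder name and reports the bytes immediately preceding it, which become the search signature for the suspect machine; it also checks for the UTF-16LE encoding that Windows applications often use in binary configuration files and the registry. The sample blob and its tag bytes are constructed for illustration.

```python
# Locate a unique marker (step 10) in a binary file and record the bytes that
# precede each hit (step 12), in both ASCII and UTF-16LE encodings.

MARKER = "C:\\FORENSICDL215\\"   # the unique download folder name from step 7


def find_marker(blob, marker=MARKER, context=8):
    """Return each occurrence of marker in blob with its offset, encoding and
    the `context` bytes that precede it (hex). Hits are numbered by ordinal so
    a specific occurrence can be referenced when several look alike."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = marker.encode(enc)
        start = 0
        while True:
            off = blob.find(needle, start)
            if off < 0:
                break
            hits.append({
                "offset": off,
                "encoding": enc,
                # bytes just before the marker: the candidate signature to search for
                "preceding": blob[max(0, off - context):off].hex(" "),
            })
            start = off + 1
    hits.sort(key=lambda h: h["offset"])
    for ordinal, hit in enumerate(hits, 1):
        hit["ordinal"] = ordinal
    return hits


# Constructed sample: an ASCII copy of the marker preceded by a made-up tag and
# a length field, followed by a UTF-16LE copy preceded by a different prefix.
SAMPLE_BLOB = (
    b"\x00" * 4 + b"DLDIR"                       # constructed tag bytes
    + b"\x10\x00\x00\x00" + MARKER.encode("ascii") + b"\x00"
    + b"\xff" * 6
    + b"\x02\x00" + MARKER.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_marker(SAMPLE_BLOB):
        print(hit["ordinal"], hit["encoding"], hex(hit["offset"]), hit["preceding"])
```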

Additionally, the analyst may want to request the download of similar files or place similar files in the newly created shared folder to identify any library or index files or keys that change for targeting on the suspect machine. In the scenario where illegal content has been downloaded or shared, an innocuous file (for example, one filled with all 0s) with the same name and size can be shared and then downloaded again after it has been propagated to infer further details about the client software.

As a final alternative, a copy of the relevant directories and registry key structures can be copied to a virtual machine or the entire drive image restored with the peer-to-peer software installed and the program opened to determine the configuration options and any files that are currently being downloaded or shared.

As a cautionary note to investigators, the files downloaded may not indicate user intent in downloading their associated content. A file with an innocuous name such as Butterfly.jpg may not contain pictures of a butterfly (or pictures at all). A quick search for a file called Hacker Crackdown (purporting to be a copy of the text of the book by the same name) had the following alternative source names (note the same hash values):

 SimCity 4 crack.exe                 urn:sha1:AWVV5MAXXB3I7XSPFZUBJYAPZHAMW723
 Unreal Tournament 2003 crack.exe    urn:sha1:AWVV5MAXXB3I7XSPFZUBJYAPZHAMW723
 Wolfenstein 3D crack.exe            urn:sha1:AWVV5MAXXB3I7XSPFZUBJYAPZHAMW723
 Enemy Territory Aimbot crack.exe    urn:sha1:AWVV5MAXXB3I7XSPFZUBJYAPZHAMW723
 Angelina Jolie Sex Game crack.exe   urn:sha1:AWVV5MAXXB3I7XSPFZUBJYAPZHAMW723

The actual file content could be any of the preceding, or even none of the preceding. A popular tactic for copyright owners is to upload false content to flood the network as a response to piracy. Despite the differing names, in general most peer-to-peer programs name the actual file downloaded after the filename selected, regardless of other hash values. Just as downloading a file called Butterfly.jpg with questionable content does not necessarily imply intent, downloading a file with the name XXX Nude Girls.jpg, even if it contains pictures of a butterfly, likely does indicate intent.

Gnutella Clients

Gnutella-based clients include the original Gnutella program, Limewire, Gnucleus, Bearshare, and Shareaza. The original Gnutella program was released for a single day by Nullsoft, a division of AOL, and became the first dominant peer-to-peer service. Based on the now reverse-engineered Gnutella protocol, individual Gnutella clients communicated exclusively with peers in a no-servers-involved environment. The protocol was implemented by numerous freeware, adware, and shareware-based clients as noted previously. Unfortunately for the forensic examiner, each of these clients implemented a slightly different structure for file sharing and download management.

Bearshare

Bearshare is installed by default in C:\Program Files\Bearshare. The configuration file, which defines download\temp directories and lists usage times, is named FreePeers.ini and is located in this directory. The following are the key FreePeers.ini entries:

 [GNetworkLogic]
 nSessions = 2 ; Number of times BearShare has run
 nUptimeTotal = 4101 ; Seconds BearShare has run (across all sessions)
 nLastDailyUptime = 0 ; Last BearShare average daily uptime in seconds
 nLastShutdownTime = 1076956236 ; Seconds since Midnight, January 1, 1970 of BearShare last shutdown

 [Downloads]
 szDownloadsDir = "C:\My Downloads\BS_Download\" ; Directory where completed downloads are moved
 szTempDir = "C:\My Downloads\BS_Temp\" ; Directory where partial downloads are kept
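The entries above are more useful once the raw values are interpreted: nLastShutdownTime is a Unix epoch value, and nUptimeTotal divided by nSessions gives the average session length. The following is an added example (not from the book) that reads a copy of FreePeers.ini with Python's configparser, strips the ";" inline comments, unquotes the directory values, and converts the shutdown time to UTC; the sample text is a constructed copy of the entries quoted above.

```python
import configparser
from datetime import datetime, timezone

# Constructed copy of the FreePeers.ini entries quoted above (raw string, so
# the backslashes in the directory values are kept as written).
FREEPEERS_INI = r"""
[GNetworkLogic]
nSessions = 2 ; Number of times BearShare has run
nUptimeTotal = 4101 ; Seconds BearShare has run (across all sessions)
nLastDailyUptime = 0 ; Last BearShare average daily uptime in seconds
nLastShutdownTime = 1076956236 ; Seconds since Midnight, January 1, 1970 of BearShare last shutdown
[Downloads]
szDownloadsDir = "C:\My Downloads\BS_Download\" ; Directory where completed downloads are moved
szTempDir = "C:\My Downloads\BS_Temp\" ; Directory where partial downloads are kept
"""


def load_freepeers(text):
    """Parse FreePeers.ini text; ';' introduces an inline comment in this file."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.optionxform = str          # keep key names exactly as written (nSessions, szTempDir)
    cp.read_string(text)
    return cp


def _unquote(value):
    """Directory values are wrapped in double quotes; strip them."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def summarize_freepeers(text):
    """Return the investigator-relevant facts from FreePeers.ini as a dict."""
    cp = load_freepeers(text)
    net = cp["GNetworkLogic"]
    sessions = net.getint("nSessions")
    uptime = net.getint("nUptimeTotal")
    shutdown_epoch = net.getint("nLastShutdownTime")
    return {
        "sessions": sessions,
        "uptime_total_s": uptime,
        "avg_session_s": uptime / sessions if sessions else None,
        # epoch seconds -> aware UTC datetime; convert to local zone for reporting
        "last_shutdown_utc": datetime.fromtimestamp(shutdown_epoch, tz=timezone.utc),
        "downloads_dir": _unquote(cp["Downloads"]["szDownloadsDir"]),
        "temp_dir": _unquote(cp["Downloads"]["szTempDir"]),
    }


if __name__ == "__main__":
    for key, value in summarize_freepeers(FREEPEERS_INI).items():
        print(f"{key}: {value}")
```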

Downloading

By default, downloads are located at C:\My Downloads\, and temp files at C:\Program Files\Bearshare\Temp. The Temp directory contains two files for each download: the file name and a DAT file with the same name. The file name contains the incomplete download results. The DAT file contains metadata on the file being downloaded, including both the download file name and the SHA1 hash of the file. The hash is used to uniquely identify the individual file on the Gnutella network. The file name can be changed by individual users locally or remotely and may not indicate the correct content. To identify the actual hash value of the file, use the strings command and grep:

 C:\Tools\strings Hackers.dat | grep urn:
 urn:sha1:AEJBSAW6MRXGX573NWIJQHV73GORP6F3

Sharing

Bearshare defaults the shared folder location to C:\My Shared Folder. A listing of all files and directories currently shared is located by default in C:\Program Files\bearshare\db\library.dat, the directory where Bearshare was initially installed. The library.dat file, when located or recovered, can be processed using the strings command to determine which files or folders are being shared.

Tip 

If too many non-directories are returned, try increasing the n value. n is the minimum number of consecutive printable characters required for strings to report a match. Given the standard directory naming convention of drive letter, colon, slash (for example, C:\), three characters is the smallest directory name possible and a good starting number for n.

 C:\Tools\strings -n7 library.dat
 C:\My Downloads\&
 C:\Program Files\BearShare\AUNIQUENAME
 C:\My Downloads\
 C:\My Downloads\*
 How to hack Hotmail or Yahoo Passwords.zip
 C:\My Downloads\
 Illegal.wav
 C:\Program Files\BearShare\AUNIQUENAME\

As shown in the preceding output, the directories listed are all shared. The first entry with the directory name indicates the specific directory that has been shared. The second occurrence of the name is followed by any individual file names that were indexed and shared; they are located in the directory whose name precedes the file name. In the preceding example, the files How to hack Hotmail or Yahoo Passwords.zip and Illegal.wav were shared from C:\My Downloads\, and there were no files shared from C:\Program Files\BearShare\AUNIQUENAME\ the last time the program was run. If files or directories were deleted without running Bearshare again, the names will still appear.

Other Information

Like many peer-to-peer clients, BearShare allows for the integration of chat functionality. Under the [Chat] heading in FreePeers.ini are potential targets for keyword searches or Instant Messenger investigations:

 szNickname = "" ; chat nickname desired
 szEmail = "" ; email address
 szAIM = "" ; AmericaOnline IM screenname
 szYIM = "" ; Yahoo IM screenname
 szMSN = "" ; MSN IM screenname
 szICQ = "" ; ICQ user ID

Limewire

Limewire provides a Java-based alternative to Bearshare and also uses the Gnutella network and protocols. It installs the latest Java Runtime Environment on the target machine if one is not already installed. Limewire installs by default into C:\Program Files\Limewire\version\ where version is the current version number of the client. The install directory can be found in the registry under HKLM\Software\Limewire\InstallDir. Additional configuration information, including the download and temporary directories, can be found in limewire.props under the .Limewire directory. Sample items from this file are as follows:

 DOWNLOAD_SNAPSHOT_BACKUP_FILE=C\:\Incomplete\downloads.bak
 DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\My Downloads
 SESSIONS=2
 DIRECTORY_FOR_SAVING_FILES=C\:\My Downloads
 CLIENT_ID=148A0511222E2E6EFF4CDC50A8A05A00
 DOWNLOAD_SNAPSHOT_FILE=C\:\Incomplete\downloads.dat
 TOTAL_UPTIME=1401
 INCOMPLETE_DIRECTORY=C\:\Incomplete

The CLIENT_ID is used to uniquely identify the client on the Limewire network. The SNAPSHOT and SNAPSHOT_BACKUP files contain information on files that are in the process of being downloaded. DIRECTORIES_TO_SEARCH_FOR_FILES is a list of all shared directories that will be searched for files to share at startup.

In addition, the installation.props file, located in the same directory as the limewire.props file, contains the timestamp with the exact time of software installation:

 #LimeWire Properties IO Test
 #LimeWire installs file
 #Mon Feb 16 14:43:13 EST 2004

The createtimes.cache and fileurns.cache files contain the creation times of individual files (download times) and information on downloaded files, respectively. These are a secondary source of information, should the shared or incomplete directories be removed.

Downloading

The default directory for both downloads and sharing with Limewire is the directory C:\Program Files\LimeWire\Shared. Incomplete files are stored by default in C:\Program Files\LimeWire\Incomplete. When a file is selected for download, a placeholder with the same name is stored in the Incomplete directory and the content downloaded directly to that file. When complete, the file is moved to the Shared directory.

Limewire stores download-specific information on files currently being downloaded in the downloads.dat and downloads.bak files. These files are in a binary format, but using the strings command will reveal individual file names in the process of being downloaded and their unique SHA1 hashes:

 C:\Tools\strings -n20 downloads.dat | grep -v java | grep -v limegroup
 dloaderManagerThreadt
 incompleteFileManagert
 (EBook) Hackers Handbook.pdft
 )urn:sha1:PNGOBTIM67K66XM7MTRX5GZHUN4KH3AGsr
 :ebook-pdf-Hacking-Hugo Cornwall-The Hacker's Handbook .pdft
 )urn:sha1:PNGOBTIM67K66XM7MTRX5GZHUN4KH3AGq
 2C:\Incomplete\T-3845832-(EBook) Hacker's Guide.pdfw
 3C:\Incomplete\T-284717-(EBook) Hackers Handbook.pdfw
 3C:\Incomplete\T-284717-(EBook) Hackers Handbook.pdfw
 )urn:sha1:AGUKGXRNRH6E5R2NZ34I7RGWQBC7FWDZq
 2C:\Incomplete\T-3845832-(EBook) Hacker's Guide.pdfw
 (EBook) Hacker's Guide.pdfq
 +ebook-pdf-Hacking-German-Hacker's Guide.pdfq
 )urn:sha1:AGUKGXRNRH6E5R2NZ34I7RGWQBC7FWDZq

As shown, the downloads.dat output is less than clean. Post-processing to remove artifacts can be done, but the basics are shown above. Individual file names of items to be downloaded are listed, along with their respective hash values. (Note that the final q in the hash is not part of the hash itself but a termination character.) This data can likewise be viewed with WinHex.

Sharing

Limewire automatically searches for content to share in the directories listed in the limewire.props file under DIRECTORIES_TO_SEARCH_FOR_FILES. Any files in the listed directories will be shared as part of the network. By default, the download directory is shared. Others are shared by user action.

FastTrack Clients

FastTrack clients are collectively the most popular clients at the time of this writing. They share a common protocol (the FastTrack protocol, developed by what is now Sharman Networks), and are based on the older Gnutella protocol. FastTrack clients include Kazaa, Kazaa Lite, iMesh, Morpheus, and Grokster. The protocol itself uses HTTP to transfer files, and can be detected listening on a number of ports. A favorite trick is to tunnel these clients over another port with outbound/inbound access, such as 80 or 443.

FastTrack clients send files over HTTP using standard HTTP headers with a few extensions. The custom HTTP headers added by the protocol generally begin with X-Kazaa-, making this a good search string for drive searches to detect the presence of these clients, even after removal.

Of key importance to investigators is the ContentHash. This is an MD5-based hash of the file's content, and it is how FastTrack uniquely identifies files on its network, even those with different names. By searching for that hash value in another FastTrack client, the true content of a deleted file can be obtained from elsewhere (the forensic examiner's dream: an endless supply of offsite backup copies that are readily accessible and provable to be the same as the shared file).

The FastTrack clients have two areas of interest: the DAT files and the DBB files.

  • DAT files. These files represent actual content in the process of being downloaded. The files are generally named download-XXXXXXXXXXXXXXXXXX.dat, where the Xs represent a unique local file name. In the case of partial downloads, file repair techniques can be used to view the current portion of the content that has been downloaded. Since FastTrack clients rely on a pull model, these files have been actively selected and downloaded by the user of the machine or an application running locally. Searching for strings within the file will yield the file name and some basic file details. A full analysis can be performed using a tool called KaZALyser. Full details on the DAT format are at http://www.home.hetnet.nl/mr_6/237/frejon55/ft/KazaaFileFormats.html.

  • DBB files. These files contain the metadata regarding files that are currently or have previously been shared by the local machine. The content in DBB files is broken up based on record length:

    • data256.dbb holds meta records that fit in 8+256 bytes.

    • data1024.dbb holds meta records that fit in 8+1024 bytes.

    • data2048.dbb holds meta records that fit in 8+2048 bytes.

    • data4096.dbb holds meta records that fit in 8+4096 bytes.

Each record can be viewed with a hex editor, but KaZALyser, noted previously, is highly recommended. Individual file names, last shared times, and other specifics on files made available on the client machine can be obtained from these files. To view them in hex, each record will be the size dictated by the file it is in (for example, a record in data1024.dbb will be 8+1024 or 1032 bytes in size). The layout of the initial fields in each record of interest to the forensic examiner is shown in Table 12-2.

Table 12-2: FastTrack Client Fields

 FIELD        SIZE (IN BYTES)   DESCRIPTION
 Label        4                 Record start label indicating a new record, always "l33l" (6C 33 33 6Ch)
 Length       4                 Byte count of the record starting at this location
 Filename     Varies            Local name of the file (terminated with 00h)
 Foldername   Varies            Local directory where the file is stored (terminated with 00h)
 Filesize     4                 Size of the file in bytes
 Filetime     4                 Last modified time of the file (in Unix time)
 Sharetime    4                 The time the file was last available for sharing (can indicate deletion time)
 Reserved     4                 Kazaa reserved bytes
 Shared Flag  1                 01h indicates the file is shared; 00h the file is not shared

Note 

In the case of Kazaa, the file is shared only if sharing is also enabled globally in the registry (that is, if HKCU\Software\Kazaa\LocalContent\DisableSharing is set to 00h, sharing is enabled globally; if it is set to 01h, sharing is disabled).
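The record layout in Table 12-2 can be walked directly from a copy of a DBB file. The following is an added example (not from the book or from KaZALyser) that splits a dataN.dbb image into its fixed 8+N byte slots, checks each slot for the "l33l" label, and decodes the fields of Table 12-2; little-endian integer byte order is an assumption, the length field is used only as a sanity bound, and the sample data is constructed from two made-up records plus one unused slot.

```python
import struct
from datetime import datetime, timezone

LABEL = b"l33l"   # record start label from Table 12-2: 6C 33 33 6Ch


def slot_size(record_bytes):
    """dataN.dbb stores fixed slots of 8+N bytes (data1024.dbb -> 1032)."""
    return 8 + record_bytes


def build_record(slot, filename, foldername, filesize, filetime, sharetime, shared):
    """Construct one sample record in the Table 12-2 layout, padded to the slot.
    Assumption: all 4-byte integers are little-endian."""
    body = (filename.encode("latin-1") + b"\x00"          # Filename, 00h-terminated
            + foldername.encode("latin-1") + b"\x00"      # Foldername, 00h-terminated
            + struct.pack("<IIII", filesize, filetime, sharetime, 0)  # Filesize, Filetime, Sharetime, Reserved
            + bytes([0x01 if shared else 0x00]))          # Shared Flag
    rec = LABEL + struct.pack("<I", 8 + len(body)) + body  # Length counts the whole record
    if len(rec) > slot:
        raise ValueError("record does not fit in slot")
    return rec.ljust(slot, b"\x00")


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_record(rec):
    """Decode one slot; returns None for an unused slot (no label present)."""
    if rec[:4] != LABEL:
        return None
    length = struct.unpack_from("<I", rec, 4)[0]
    if length > len(rec):
        raise ValueError("record length exceeds slot size")
    filename, pos = _cstring(rec, 8)
    foldername, pos = _cstring(rec, pos)
    filesize, filetime, sharetime, _reserved = struct.unpack_from("<IIII", rec, pos)
    shared = rec[pos + 16] == 0x01
    return {
        "filename": filename,
        "foldername": foldername,
        "filesize": filesize,
        "filetime": datetime.fromtimestamp(filetime, tz=timezone.utc),
        "sharetime": datetime.fromtimestamp(sharetime, tz=timezone.utc),
        "shared": shared,
    }


def parse_dbb(data, record_bytes):
    """Parse a whole dataN.dbb image (N = record_bytes) into a list of records."""
    slot = slot_size(record_bytes)
    records = []
    for off in range(0, len(data), slot):
        parsed = parse_record(data[off:off + slot])
        if parsed is not None:
            records.append(parsed)
    return records


# Constructed sample data1024.dbb: one shared record, one unshared, one empty slot.
SAMPLE_SLOT = slot_size(1024)
SAMPLE_DBB = (
    build_record(SAMPLE_SLOT, "Butterfly.jpg", "C:\\My Shared Folder\\", 48213, 1076950000, 1076956236, True)
    + build_record(SAMPLE_SLOT, "Illegal.wav", "C:\\My Downloads\\", 901120, 1076900000, 1076956000, False)
    + b"\x00" * SAMPLE_SLOT
)

if __name__ == "__main__":
    for r in parse_dbb(SAMPLE_DBB, 1024):
        print("shared" if r["shared"] else "not shared", r["foldername"] + r["filename"], r["sharetime"].isoformat())
```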

Overnet, eMule, and eDonkey2000 Clients

Overnet and eDonkey2000 are a pair of clients that are part of a network competing with the FastTrack and Gnutella protocols listed previously. The primary difference between the clients is that the eDonkey client utilizes a server-based infrastructure to connect and perform file searches, while the Overnet client is fully distributed. Both use the same file structures noted here.

The default installation directory for Overnet clients is C:\Program Files\Overnet, and the configuration files are located under this directory. Overnet uses individual configuration files for each piece of information stored. The files are ASCII text, and the key items of configuration interest are as follows:

  • Pref.met. This is the main preferences file. Running strings on the file and searching for temp and incoming will return the temporary download directory and the directory in which files are saved, respectively. The grep -A1 option also prints the line after each match, which holds the actual directory name. By default, the incoming directory is C:\Program Files\Overnet\Incoming and the temp directory C:\Program Files\Overnet\temp. The commands to obtain this information are as follows:

     C:\Tools\strings pref.met | grep -A1 temp
     temp
     C:\Program Files\Overnet\temp
     C:\Tools\strings pref.met | grep -A1 incoming
     incoming
     C:\Incomplete

  • Share.dat. Lists the directories and files being shared. The list of directories and files shared can be found by running strings on the file:

     C:\Tools\strings share.dat
     C:\Program Files\Overnet\incoming
     C:\Incomplete

  • Known.met. Stores hashes of all known, shared files. Files that were previously available may be present in this file or its backup. To find names of files that are or were shared, strings can be used:

     C:\Tools\strings known.met
     Terminator 3.mpg
     Speed.mpg
     Star Trek 2 - The Wrath of Khan.mpg
     Star Wars Episode I - The Phantom Menace.mpg

  • Friend.met. Contains the user names and IDs of individuals placed on the suspect's Friends list. These individuals are likely to be frequent download and chat sources with the suspect. To find the names of individuals, strings can again be used:

     C:\Tools\strings friend.met
     kbuseme
     onetdemon111
     movieripperx

  • Uploadq.met. Contains a list of individuals who have recently been queued to upload files from the user. To find the names of individuals, strings can again be used:

     C:\Tools\strings uploadq.dat
     SJbSC
     l'agent
     rlnmt

  • Log.txt. Potentially the most useful to investigators, log.txt contains a log of all Overnet download and upload activity. Additionally, start and stop times are noted:

     C:\Tools\cat log.txt
     [ Tue Feb 17 09:15:27 2004 ]: Start Overnet v0.52
     [ Tue Feb 17 09:15:28 2004 ]: Start Old Download: Leaked Star Wars Episode 3 Footage.avi
     [ Tue Feb 17 09:15:28 2004 ]: Start Old Download: Star Wars - Episode II - Attack of the Clones 1 of 2 (DVDRip, XviD, Rus).avi
     [ Tue Feb 17 09:15:29 2004 ]: Start Old Download: Star.Wars.Ep.II.DvD.Ripp.Fr.ExQ(Video.EN. .Son.Fr).Shared.by.Bill.Gatez.CD1.avi
     [ Tue Feb 17 09:16:53 2004 ]: End Upload: Star.Wars.Ep.II.DvD.Ripp.Fr.ExQ(Video.EN. .Son.Fr).Shared.by.Bill.Gatez.CD1.avi
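Because log.txt records both download and upload events with timestamps, it answers the two primary questions of this chapter (what was downloaded, what was shared with others) directly. The following is an added example (not from the book) that parses log.txt lines of the form shown above into timestamped events and separates files the suspect downloaded from files uploaded to other users; the sample log is a constructed copy of the entries above, and the event classification (any "Download" event counts as downloaded, any "Upload" event as shared) is an assumption about Overnet's event names beyond those visible here.

```python
import re
from datetime import datetime

# Constructed sample in the log.txt layout shown above, one entry per line.
SAMPLE_LOG = """\
[ Tue Feb 17 09:15:27 2004 ]: Start Overnet v0.52
[ Tue Feb 17 09:15:28 2004 ]: Start Old Download: Leaked Star Wars Episode 3 Footage.avi
[ Tue Feb 17 09:15:28 2004 ]: Start Old Download: Star Wars - Episode II - Attack of the Clones 1 of 2 (DVDRip, XviD, Rus).avi
[ Tue Feb 17 09:15:29 2004 ]: Start Old Download: Star.Wars.Ep.II.DvD.Ripp.Fr.ExQ(Video.EN. .Son.Fr).Shared.by.Bill.Gatez.CD1.avi
[ Tue Feb 17 09:16:53 2004 ]: End Upload: Star.Wars.Ep.II.DvD.Ripp.Fr.ExQ(Video.EN. .Son.Fr).Shared.by.Bill.Gatez.CD1.avi
"""

# "[ <timestamp> ]: <event>" optionally followed by ": <file name>".
# The event part cannot contain a colon, so a file name with colons stays intact.
LINE_RE = re.compile(r"^\[ (?P<ts>[^\]]+?) \]: (?P<event>[^:]+?)(?:: (?P<name>.*))?$")
TS_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. Tue Feb 17 09:15:27 2004 (local time of the suspect machine)


def parse_log(text):
    """Parse log.txt into a list of {time, event, name}; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m.group("ts"), TS_FMT),
            "event": m.group("event").strip(),
            "name": m.group("name"),
        })
    return records


def summarize(records):
    """Split the log into client start times, files downloaded and files uploaded to others."""
    sessions, downloaded, uploaded = [], set(), set()
    for r in records:
        if r["event"].startswith("Start Overnet"):
            sessions.append(r["time"])
        elif "Download" in r["event"] and r["name"]:
            downloaded.add(r["name"])
        elif "Upload" in r["event"] and r["name"]:
            uploaded.add(r["name"])
    return {
        "sessions": sessions,
        "downloaded": downloaded,
        "uploaded": uploaded,
        "both": downloaded & uploaded,   # obtained from the network and then served to others
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key in ("sessions", "downloaded", "uploaded", "both"):
        print(key, summary[key])
```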

Downloading

By default, files are downloaded to the Incomplete directory noted previously. Logs of the download are added to the logs.txt file, and a subdirectory under Temp with the file name is created. Within this subdirectory are a meta file and its backup (for example, 1.part.met, 1.part.met.bak), and individual pieces of the content which are downloaded separately.

Overnet, unlike most of the other peer-to-peer programs, allows for content to be downloaded out-of-order. Additionally, as parts of the content are stored locally, they are shared with other users for download. The files are labeled 1.1.part through 1.x.part, and contain pieces of the actual content. The meta file details which pieces are downloaded and which are still needed, and allows for reassembly. The MET file provides details on the file and times the content was last seen on Overnet within the first several lines:

 C:\Tools\strings 1.part.met
 Leaked Star Wars Episode 3 Footage.avi
 Video codec
 length 0: 0
 Last Seen Complete Tue Feb 17 09:17:22 2004

When a download is complete, the pieces are reassembled and placed in the Incoming directory. The logs.txt file, noted previously, is the best source of previous downloads that have been moved.

Sharing

Files in Overnet are shared while they are being downloaded by default. Individual file parts are shared as soon as they have been stored in the Temp directory, and files are downloaded piecemeal from a number of individual users, any of which may or may not have the complete content themselves.

Additionally, the Incoming directory with complete file names is shared by default. Additional folders may be shared as well by selecting them within the GUI and will be noted in share.dat. Previously shared files may still be listed in logs.txt as well as known.met and known.met.bak. These sources should be searched for evidence of activity.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
