As digital forensic practitioners, we are faced regularly with users utilizing the internet to swop and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they is ever changing, and ever evolving.
This paper will discuss how the P2P software application, FrostWire v.5, functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P, applications.
P2P downloading of copyrighted media and contraband is a significant problem. The sheer proliferation of these applications in various forms, requires digital forensic examiners to be aware of the potential evidential artifacts that can exist in them.
With developers constantly changing and evolving their software, the artifacts change, and they find new ways to make it more protected for their users. The problem discussed in this paper, is what evidential artifacts are left by using FrostWire v.5, and what evidential value do they contain.
The research was conducted by way of practical experimentation making use of the following experimental protocols.
The hard drive on the laptop used in the experiment was forensically sanitized and validated .
The Windows 7 Standard operating system was installed on the laptop used, with default settings selected.
FrostWire v.5 was installed on the laptop, and was downloaded from www.FrostWire.com.
FrostWire v.5 was installed using the standard method and keeping the default settings.
The test laptop was connected to the internet and FrostWire v.5 was executed and a search was conducted for various Linux distributions.
Based on the results of Step 5, various files were selected and downloaded using FrostWire v.5 and once completed it was shut down.
The test laptop was shut down and the hard drive forensically imaged.
The forensic image made of the test laptop was loaded into FTK 4.0 with default automatic data carving enabled. Once completed the image was examined and all artifacts identified as being linked to FrostWire v.5 documented.
Data Artifacts Found and Examined
This folder contains five subfolders that contain the actual .torrent files and the actual media that has been downloaded. The subfolders contained within the abovementioned folder are:
- Incomplete: Within this folder, the temporary tracker of the media is saved while in the process of being downloaded, this is the metaphorical bookmark that enables the software to stop and start as the user wishes.
- Saved: This folder contains the artifacts of .torrent files that the user wishes to save- to be able to download at another time.
- Shared: This folder contains all the .torrent trackers that the user has uploaded or created. FrostWirev.5 enables the creation of .torrent trackers.
- Torrent Data: Possibly one of the most important folders, this is where the software saves the actual downloaded media.This is a system automated process, which remains standard.
- Torrent: This folder contains the actual .torrent tracker file, which is the tracker and that is created to download the requested item. For each item downloaded, two entries are created -A .torrent file is created that contain the creation time, the SHA 1 value of the downloaded item, and from where it was downloaded. The second entry created is in unallocated space, which contains the exact same information.
This folder essentially contains a few very important artifacts, which contain important evidentiary information on what was downloaded.
- Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the whole file when it was originally uploaded.This is verified once the item has been downloaded to ensure that the right and complete item has been downloaded.
- Download.dat: This database file contains all the names, identification SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
- Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a download is started the software logs the SHA-1 value of the file to ensure that the completed file is downloaded. The SHA-1 value can be used to identify whether a certain item matched the online version of the said file.
- FrostWire.props: This property file contains the selection made by the user upon installation. Here you can determine what changes have been made to the default settings of FrostWire v.5.
- Hostiles.txt: This contains a log of all subnet Masks currently running on the FrostWire v.5 network.
- Library.dat: This database is of all media that is saved by the user to the FrostWire v.5 library, even if it was not physically downloaded onto the machine.
The registry keys SOFTWARE, SECURITY,SYSTEM and the Ntuser.dat were examined and the following artifacts or changes were identified:
HKEY/LOCAL MACHINE/SOFTWARE/Current Version: (These changes can be seen in the NTUSER.DAT as well)
This contained the following relevant information of the software FrostWire v.5:
- Display Name
- Help Link
- URL Info
- Display Version
- Uninstall Command
HKEY/LOCAL MACHINE/SOFTWARE/Classes: This contained the following relevant information of the software FrostWire v.5:
- FrostWire Toolbar
- FrostWire.exe files location.
This contained the following relevant information of the software FrostWire v.5:
- The executable command used to access and run FrostWire v.5.
- HKEY/LOCAL MACHINE/SOFTWARE/Tracing:This contained the following relevant information of the software FrostWire v.5:
- This contains two tracing mechanisms that Microsoft uses to manage and monitor software, which is the Rasapi 32 command and the RASMANCS command. The information saved is saved in [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr:
For FrostWire v.5 to be able to function, a change has to be made within how the system operates:
When installing FrostWire v.5, the software automatically change the FireWall policy to create an exception to allow communication from FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
- HKEY/LOCAL MACHINE/SECURITY:
- No changes could be identified within this registry key.
Identifying Searches Done Using FrostWire v.5:
When a user searches for a specific item to download, that search is stored in various places on the local machine:
- [root]/$Logfile: Contains the search term searched for, where it was found along with the SHA-1 identification hash value.
- [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr: The header information contained within this gather log, is the search term and how the system and the software communicated.This information is gathered by the two tracing protocols mentioned early Rasapi 32 and RASMANCS.
- [root]users/xxx/.FrostWire/search_db.h2.db :This is the database that FrostWire v.5 uses to record all searches done by the users.The information recorded is the following:
- URL Details, where the .torrent file is residing.
- The search term searched.
- The magnet link and corresponding SHA-1 hash value.
- The creation date in Unix that .torrent tracker was created.
- [root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the actual entry in the database for each search term done by the user.This contained what the search term was and the corresponding file ID.
- [root]users/xxx/.FrostWire/search_db_searchdb__28.tis:This is a record of the search results for the particular search term, meaning that for every .tii file a corresponding .tis file can be found.
Examining a .torrent File and the Artifacts Found:
The file header for .torrent files in hex is:
0x64 38 3A 61 6E 6E 6F 6F 63 65 35 39 (As viewed in hex)
d8:announce59 (As viewed in text)
Contained in this .torrent file is the following information:
The website that the .torrent file was uploaded to and stored on
The initial port used to communicate to the website initially.
The IP address communicated with along with the port used for downloading.
Unix creation date of the torrent.
The name of the item downloaded.
Identification SHA-1 hash value.
FrostWire v.5 contains a number of potential evidential artifacts that can prove useful in an investigation in proving what has taken place on a computer using this P2P application.
A key observation, is that the artifacts that are generated when using FrostWire v.5 illustrate the Locard Principle in relation to P2P application, in that for every interaction, there will be a trace left behind.