Adium
This search will parse files used by
the P2P file sharing application aMule. It will parse the following files:
known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat,
shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file
to file, but all fields available in each file format are recovered. Of
particular evidential interest are the known.met, emfriends.met,
StoredSearches.met, and AC_SearchStrings.dat files.
Ares P2P Search Keywords
This search will carve and parse
search keywords entered by a user in the P2P file sharing application called
Ares. These keywords are stored in the Windows registry but can be found in
other locations even after being deleted. Ares stores only the keywords,
without any other metadata.
eMule
This search will parse files used by
the P2P file sharing application eMule. It will parse the following files:
known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat,
shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file
to file, but all fields available in each file format are recovered. Of
particular evidential interest are the known.met, emfriends.met,
StoredSearches.met, and AC_SearchStrings.dat files.
Frostwire.props Files
This search finds fragments of
Frostwire.props files. These files contain configuration data for the
Frostwire® peer to peer file sharing client and can include geo-locations,
recent downloads, and many other useful items.
Gigatribe Chat Messages
This search will recover Gigatribe
chat messages saved by Gigatribe® (versions 2 and 3). These logs are created
when a user uses the chat feature of Gigatribe. Due to the way the software
searches for these chat messages, they can be recovered even if the log file
has been deleted or a portion of the log file has been corrupted or
overwritten. The chat messages can also be recovered from live memory dumps.
Limerunner/Luckywire
The software provides deeper support
for Limewire and its variants: Frostwire, Limerunner, and Luckywire. It can
determine the following information for files shared using these applications:
the file name, the shared type, the Base32 hash value as well as the SHA1 hash
value of the file, and the last modified date time for the file.
Limewire Search History (v5.2.8 – v5.5.16)
Search keywords left behind in live
memory by Limewire® (tested with Limewire® v5.2.8 – v5.5.16). Search
keywords/terms that are recovered have an associated number indicating how many
search results were returned for that search term at the time the keyword was
left in memory. The recovered search terms are search keywords that were
entered by the local user. Other search keywords that were passed through the
client (“Incoming Searches”) from other clients on the P2P network are not
recovered.
Limewire.props files
This search finds fragments of
Limewire.props files. These files contain configuration data for the Limewire®
peer to peer file sharing client and can include geo-locations, recent
downloads, and many other useful items.
Limewire and Frostwire Search Keywords
Search keywords left behind in live
memory by version 4 of Limewire® and Frostwire® (tested with most
Limewire/Frostwire v4 clients). Search keywords/terms that are recovered have
an associated number indicating how many search results were returned for that
search term at the time the keyword was left in memory. The recovered search
terms are search keywords that were entered by the local user. Other search
keywords that were passed through the client (“Incoming Searches”) from other
clients on the P2P network are not recovered.
Shareaza Search Keywords
This search will carve and parse
search keywords entered by a user in the P2P file sharing application called
Shareaza. These searches are stored in a file called “Searches.dat” but can be
carved from live RAM captures and unallocated clusters, etc.
Torrent File Artifacts
This search will carve and parse data
from .torrent files used to download “torrents” on various networks on the
Internet. The data can be parsed from live files or carved from live memory
captures, unallocated space, etc. Information recovered includes the name of
the Torrent, the date/time the torrent file was originally created, and the
names of the files included in the torrent.
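As an added illustration (not code from the product described here), the Python sketch below carves bencoded torrent metadata out of a raw buffer and extracts the three fields named above: torrent name, creation date/time, and file names. The `d8:announce` signature, the function names, and the sample bytes are assumptions constructed for the example; real torrents may begin with a different first key.

```python
from datetime import datetime, timezone

def bdecode(buf, i=0):  # decode one value at buf[i]; returns (value, next_index)
    c = buf[i:i + 1]
    if c == b"i":                      # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c == b"l":                      # list: l<values>e
        i, out = i + 1, []
        while buf[i:i + 1] != b"e":
            v, i = bdecode(buf, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                      # dictionary: d<key><value>...e
        i, out = i + 1, {}
        while buf[i:i + 1] != b"e":
            k, i = bdecode(buf, i)
            out[k], i = bdecode(buf, i)
        return out, i + 1
    if c.isdigit():                    # byte string: <length>:<bytes>
        start = buf.index(b":", i) + 1
        end = start + int(buf[i:start - 1])
        if end > len(buf):             # fragment was cut off or overwritten
            raise ValueError("string runs past end of buffer")
        return buf[start:end], end
    raise ValueError("not bencode at offset %d" % i)

def carve_torrents(blob, magic=b"d8:announce"):
    """Find candidate torrent dictionaries in raw bytes; magic is an assumed signature."""
    hits, pos = [], blob.find(magic)
    while pos != -1:
        try:
            meta, _ = bdecode(blob, pos)
            info = meta[b"info"]
            name = info[b"name"].decode("utf-8", "replace")
            files = [b"/".join(f[b"path"]).decode("utf-8", "replace")
                     for f in info.get(b"files", [])] or [name]  # single-file: name only
            ts = meta.get(b"creation date")
            created = (datetime.fromtimestamp(ts, timezone.utc).isoformat()
                       if isinstance(ts, int) else None)
            hits.append({"offset": pos, "name": name, "created": created, "files": files})
        except Exception:              # any parse failure: false positive or damaged data
            pass
        pos = blob.find(magic, pos + 1)
    return hits

# Constructed sample: a small multi-file torrent embedded between unrelated bytes.
SAMPLE = (b"\x00\xffjunk" b"d8:announce22:http://tracker.invalid13:creation datei1300000000e"
          b"4:infod5:filesld6:lengthi10e4:pathl4:docs5:a.txteed6:lengthi20e4:pathl5:b.bineee"
          b"4:name6:sample12:piece lengthi16384e6:pieces0:ee" b"trailing slack")
```

Because a bencoded dictionary is self-delimiting, decoding stops at its closing `e` and ignores the slack that follows; a fragment truncated mid-string is rejected rather than reported.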
Usenet Binary Files (Newsgroup Messages)
This search will recover yEnc-encoded and uuencoded files
that are used to transfer files on newsgroups/USENET. These files can carry
header information such as to/from, subject, date/time, etc. and can be
split into multiple files. Rebuildable recovered files can be reconstructed.