eMule Met Viewer Tool

(@cottondale)
Posts: 17
Active Member
Topic starter
 

I am currently working a case involving eMule. The possession charge is solid, but now the question is "did the user actually share files?". Although that is part of the agreement when using eMule, the state won't bite unless we know a file has actually been shared.

I am using eMule MET Viewer ver 1.1.2.0. I see the column for "Last Shared", but the column is blank. Most of the columns with "Requests Total", "Requests Accepted" and "Bytes Uploaded" are populated. Is there a reason no date is written? Does this mean the file was not shared? Or he never had it open for sharing? Or is it something that doesn't get written to?

Please click on the Dropbox link below for a screenshot of what I am seeing.
Link to screenshot from my Dropbox

I also found some entries in the Preferences.ini that may be relevant, I just can't interpret them. There are references to uploads, but I have no idea as to their meaning. Here is another Dropbox screen shot.
Dropbox screenshot of Preferences.ini

Thank you

 
Posted : 31/07/2015 12:57 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I recall correctly there have been several slightly different versions of the known.met file, it is possible that the tool you are using is not parsing correctly that particular field.

I would re-check the RAW hex data and try with other parsers.

Say
https://www.pinguin.lu/scripting
https://github.com/HexBugsAndRocknRoll/Forensic_Emule_Analyzer
http://contentdb.emule-project.net/view.php?pid=173

I don't think the .ini file will give you anything of use, it is a plain "settings" file.

Check also this
http://www.kuiper.de/PeerLab_Documentation/PeerLab_Documentation.pdf

That particular tool/parser seemingly calculates "shared time" by subtracting "last written" from "last posted".

Even the trial should be enough to compare results
http://www.kuiper.de/index.php/en/peerlab

jaclaz

 
Posted : 31/07/2015 2:04 pm
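
Added example (not part of the thread, and not code from any of the tools mentioned): a minimal known.met reader for cross-checking a viewer against the raw data, reporting per record whether a last-shared tag is present at all, so "tag absent from the file" can be told apart from "viewer did not decode it". Assumptions: the record layout (header byte, uint32 count, then date, hash, part hashes, tag list) and the tag IDs, including 0x34 for last shared, are as I know them from the eMule source; the function names are hypothetical and SAMPLE is constructed test data.

```python
import struct

# Tag IDs as named in eMule's opcodes.h (assumption: confirm for the client version in the case).
FT_FILENAME, FT_LASTSHARED, FT_ATREQUESTED, FT_ATACCEPTED = 0x01, 0x34, 0x51, 0x52
FIXED = {0x01: 16, 0x03: 4, 0x04: 4, 0x05: 1, 0x08: 2, 0x09: 1, 0x0B: 8}  # tag type -> value size
INTS = {0x03: "<I", 0x08: "<H", 0x09: "<B", 0x0B: "<Q"}  # integer tag types

def parse_known_met(buf):
    pos, records = 0, []
    def take(fmt):  # unpack at the cursor, then advance it
        nonlocal pos
        vals = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return vals
    magic, count = take("<BI")
    if magic not in (0x0E, 0x0F):  # 0x0F marks the variant with 64-bit tags
        raise ValueError(f"unexpected known.met header byte {magic:#x}")
    for _ in range(count):
        start = pos
        mtime, file_hash, parts = take("<I16sH")
        pos += 16 * parts  # skip the part hashes
        tags = {}
        for _ in range(take("<I")[0]):
            ttype = take("<B")[0]
            if ttype != 0x02 and ttype not in FIXED:  # fail loudly instead of desynchronising
                raise ValueError(f"unsupported tag type {ttype:#x} before offset {pos:#x}")
            nlen = take("<H")[0]  # classic form: uint16 name length, then the name
            raw = take(f"<{nlen}s")[0]
            name = raw[0] if nlen == 1 else raw.decode("latin-1")  # length 1 = numeric tag ID
            size = take("<H")[0] if ttype == 0x02 else FIXED[ttype]  # 0x02 = length-prefixed string
            raw = take(f"<{size}s")[0]
            tags[name] = struct.unpack(INTS[ttype], raw)[0] if ttype in INTS else raw
        records.append({"offset": start, "mtime": mtime, "hash": file_hash.hex(), "tags": tags})
    return records

def sharing_report(records):
    # None = the tag is absent from the record itself, not merely undecoded by a viewer.
    return [{"name": r["tags"].get(FT_FILENAME, b"").decode("utf-8", "replace"), "offset": r["offset"],
             "requests": r["tags"].get(FT_ATREQUESTED), "accepted": r["tags"].get(FT_ATACCEPTED),
             "last_shared": r["tags"].get(FT_LASTSHARED)} for r in records]

def _rec(name, *int_tags):  # constructed sample record: no part hashes, uint32 tags only
    body = struct.pack("<BHBH", 0x02, 1, FT_FILENAME, len(name)) + name
    body += b"".join(struct.pack("<BHBI", 0x03, 1, tid, val) for tid, val in int_tags)
    return struct.pack("<I16sHI", 1438300000, bytes(16), 0, 1 + len(int_tags)) + body

SAMPLE = (b"\x0e" + struct.pack("<I", 2) + _rec(b"a.bin", (FT_ATREQUESTED, 7), (FT_ATACCEPTED, 3))
          + _rec(b"b.bin", (FT_ATREQUESTED, 2), (FT_LASTSHARED, 1438300800)))
print(sharing_report(parse_known_met(SAMPLE)))
```

The reported offset is the start of each record in the file, which is where to look in a hex editor when a viewer's column and this output disagree.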
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Send me a message and I can get you my eMule tools. It parses pretty much all the artifacts.

 
Posted : 01/08/2015 11:00 pm