Limewire Qu. (fileurns.cache)


Rich2005
Senior Member
 

Limewire Qu. (fileurns.cache)

Post Posted: Jan 25, 08 17:52

Morning people, just want to see if there's any further information on the fileurns.cache file (for interpreting it) or related files from limewire.
This contains a file I'm interested in, and in combination with the limewire.props file's directory settings being for the relevant directory path, I'm led to believe that the presence of the file in this fileurns.cache means it's one of the files which has been made available for sharing by the program, and contains the path and sha1 hash of the file.
Essentially my question is to confirm that: It would be true to say that the presence of the full file path and its sha1 hash in the fileurns means it's been hashed by the program for sharing at some point, and that info stored in the fileurns.cache. (Limewire.props pointing to the relevant parent dirs for sharing as mentioned above)
Edit: Been doing a little testing with it, appears fileurns.cache contains files that are downloaded too (and potentially not shared), which is a pain. Although limewire.props still shows the folders being shared I guess, which helps.
Cheers,
Rich  
 
  

keydet89
Senior Member
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: Jan 27, 08 18:35

- Rich2005

Essentially my question is to confirm that: It would be true to say that the presence of the full file path and its sha1 hash in the fileurns means its been hashed by the program for sharing at some point, and that info stored in the fileurns.cache


According to a quick 5-sec Google search, yes, this appears to be the case. This file evidently contains hashes for shared files, which LimeWire creates.

There seems to be quite a bit of interest in LimeWire...is this something people are interested in, or is this not really something that comes up a lot? How about other P2P apps? Does there need to be a repository or library of forensic artifacts for these apps?

H  
 
  

Thomas
Member
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: Jan 28, 08 06:04

Although not a straight answer for your question, I think this article should give you good information: dfrws.org/2007/proceed...lstein.pdf
It's about FileMarshal, which should be available at this time to law enforcement at no cost. The tool automates what is currently a manual and labor-intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a forensically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation).
_________________
ICT Security Manager, CHFI, CEH, ECSA, Netherlands 
 
  

Rich2005
Senior Member
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: Jan 28, 08 15:36

Harlan: Anything that leaves traces (in things like these CP cases) is gonna be of interest. For showing intent/distribution etc, in addition to the possession. The forensicwiki (.com) is a good start to the effect of that repository, if not exhaustive.

Thomas: I'll have to look into that. Remember reading about it a while ago, but haven't seen it mentioned around really. (Perhaps this being as police contractor, will have to see if it's available for us too, and in circulation now).  
 
  

Chitapett
Senior Member
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: Jul 12, 08 01:34

I've recently conducted a case involving Limewire and thought I'd share my findings here:

1. Just because the file name and Sha1 for a particular file are listed in the fileurns.cache file doesn't automatically mean it was being shared. The Limewire.props file contains most of the Limewire configuration settings relating to sharing, etc. This file will let you know if a shared directory was set, what that directory is, average and total upload time, auto logon, etc. Most of the times are stored in Unix GMT so you'll have to convert the times using one of those online conversion tools.

2. During my testing I noticed that if a suspect installs Limewire, uses it, then uninstalls it using the Windows uninstaller in Windows XP/Vista, the Limewire folder which contains the Fileurns.cache and limewire.props files is not removed.

3. Finally, the download.dat found in the Incomplete directory is very useful and contains the IP addresses of people the suspect is downloading from.

I downloaded a nice EnScript that works with EnCase6 which parses data from allocated and unallocated space relating to the fileurns.cache, limewire.props and download.dat files. In addition it searches for query strings and reports user defined queries made from Limewire. Just email me at chitapett @ yahoo.com.  
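
An added example, not part of the post above and not taken from any LimeWire tool: converting the epoch times in a limewire.props-style file locally instead of with an online converter. The key names and values are constructed placeholders, and it assumes 10-digit values are epoch seconds and 13-digit values are epoch milliseconds.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Java .properties syntax. Key names and values are
# placeholders for illustration, not copied from a real limewire.props.
SAMPLE_PROPS = r"""#constructed sample, Java .properties syntax
EXAMPLE_SHARED_DIRS=C\:\\Users\\test\\Shared;C\:\\Users\\test\\Music
EXAMPLE_LAST_RUN_MS=1200937920000
EXAMPLE_INSTALL_SECS=1200000000
EXAMPLE_TOTAL_UPTIME=86400
EXAMPLE_AUTO_LOGON=true
"""

def parse_props(text):
    """Parse key=value / key:value lines and undo simple backslash escapes.

    Java escapes such as \\t, \\n and \\uXXXX and line continuations are not
    handled; only the literal escapes used for ':' and '\\' in paths are.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:\s]\s*(.*)", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", p) for p in m.groups())
            props[key] = value
    return props

def epoch_to_utc(value):
    """Return an ISO 8601 UTC string for 10-digit (s) or 13-digit (ms) values."""
    if not re.fullmatch(r"\d{10}|\d{13}", value):
        return None                            # durations, booleans, paths
    seconds = int(value) / 1000 if len(value) == 13 else int(value)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")

def timestamps(props):
    """Map each key whose value looks like an epoch time to its UTC rendering."""
    return {k: t for k, v in props.items() if (t := epoch_to_utc(v))}

if __name__ == "__main__":
    parsed = parse_props(SAMPLE_PROPS)
    print("shared dirs:", parsed["EXAMPLE_SHARED_DIRS"].split(";"))
    for key, utc in timestamps(parsed).items():
        print(f"{key} = {parsed[key]} -> {utc}")
```

Values that are durations rather than points in time (such as the uptime placeholder) are deliberately left unconverted; confirm the unit of each real setting against a test installation before reporting a time.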
 
  

ntmd8r3
Newbie
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: Sep 11, 08 19:47

Does anyone know if files stored in the incomplete folder are available for bittorrent sharing/download?  
 
  

Chitapett
Senior Member
 

Re: Limewire Qu. (fileurns.cache)

Post Posted: May 24, 11 04:49

Just checked my old Yahoo account and found 10 requests for the Limewire EnScript. If you still need it please send me a message and I'll send it. Can't seem to find it online anymore but I do have it zipped up??  
 
