Limewire Qu. (fileurns.cache)

8 Posts
6 Users
0 Likes
796 Views
(@rich2005)
Posts: 535
Honorable Member
Topic starter
 

Morning people, just want to see if there's any further information on the fileurns.cache file (for interpreting it) or related files from LimeWire.
This contains a file I'm interested in, and in combination with the limewire.props file's directory settings being for the relevant directory path, I'm led to believe that the presence of the file in this fileurns.cache means it's one of the files which has been made available for sharing by the program, and contains the path and SHA1 hash of the file.
Essentially my question is to confirm that it would be true to say that the presence of the full file path and its SHA1 hash in the fileurns means it's been hashed by the program for sharing at some point, and that info stored in the fileurns.cache. (limewire.props pointing to the relevant parent dirs for sharing as mentioned above.)
Edit: Been doing a little testing with it, appears fileurns.cache contains files that are downloaded too (and potentially not shared), which is a pain. Although limewire.props still shows the folders being shared I guess, which helps.
Cheers,
Rich

 
Posted : 25/01/2008 4:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Essentially my question is to confirm that it would be true to say that the presence of the full file path and its SHA1 hash in the fileurns means it's been hashed by the program for sharing at some point, and that info stored in the fileurns.cache

According to a quick 5-sec Google search, yes, this appears to be the case. This file evidently contains hashes for shared files, which LimeWire creates.

There seems to be quite a bit of interest in LimeWire…is this something people are interested in, or is this not really something that comes up a lot? How about other P2P apps? Does there need to be a repository or library of forensic artifacts for these apps?

H

 
Posted : 27/01/2008 5:35 pm
Thomas
(@thomas)
Posts: 59
Trusted Member
 

Although not a straight answer for your question, I think this article should give you good information: http://dfrws.org/2007/proceedings/p43-adelstein.pdf
It's about FileMarshal, which should be available at this time to law enforcement at no cost. The tool automates what is currently a manual and labor-intensive process. It will determine what clients currently are or have been installed on a machine, and then extracts per-user usage information, specifically a list of peer servers contacted, and files that were shared and downloaded. The tool was designed to perform its actions in a forensically sound way, including maintaining a detailed audit trail of all actions performed. File Marshal is extensible, using a configuration file to specify details about specific peer-to-peer clients (e.g., location of log files and registry keys indicating installation).

 
Posted : 28/01/2008 5:04 am
(@rich2005)
Posts: 535
Honorable Member
Topic starter
 

Harlan: Anything that leaves traces (in things like these CP cases) is gonna be of interest. For showing intent/distribution etc, in addition to the possession. The forensicwiki (.com) is a good start to the effect of that repository, if not exhaustive.

Thomas: I'll have to look into that. Remember reading about it a while ago, but haven't seen it mentioned around really. (Perhaps this being as police contractor, will have to see if it's available for us too, and in circulation now).

 
Posted : 28/01/2008 2:36 pm
(@chitapett)
Posts: 76
Estimable Member
 

I've recently conducted a case involving Limewire and thought I'd share my findings here:

1. Just because the file name and SHA1 for a particular file are listed in the fileurns.cache file, doesn't automatically mean it was being shared. The Limewire.props file contains most of the Limewire configuration settings relating to sharing, etc. This file will let you know if a shared directory was set, what that directory is, average and total upload time, auto logon, etc. Most of the times are stored in Unix GMT so you'll have to convert the times using one of those online conversion tools.

2. During my testing I noticed that if a suspect installs Limewire, uses it, then uninstalls it using the Windows uninstaller in Windows XP/Vista, the Limewire folder which contains the fileurns.cache and limewire.props files is not removed.

3. Finally, the download.dat found in the Incomplete directory is very useful and contains IP addresses of people the suspect is downloading from.

I downloaded a nice EnScript that works with EnCase6 which parses data from allocated and unallocated space relating to the fileurns.cache, limewire.props and download.dat files. In addition it searches for query strings and reports user defined queries made from Limewire. Just email me at chitapett @ yahoo.com.

 
Posted : 12/07/2008 1:34 am
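
Added example (not part of the original post, and not the EnScript mentioned in it): point 1 above notes that limewire.props stores times as Unix GMT values that need converting. The code below reads a properties file offline, undoes the path escaping, and lists values that look like epoch timestamps in seconds or milliseconds. It assumes the file follows Java .properties escaping; the sample content and every key name in it are constructed and hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Java .properties syntax; every key name is hypothetical.
SAMPLE_PROPS = r"""#LimeWire properties file (constructed sample)
SHARED_DIR_EXAMPLE=C\:\\Documents and Settings\\user\\Shared
LAST_RUN_EXAMPLE=1201279920000
INSTALL_TIME_EXAMPLE=1199145600
UPLOAD_SLOTS_EXAMPLE=20
"""

ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
LOW, HIGH = 631152000, 2208988800  # 1990-01-01 .. 2040-01-01 UTC, in seconds

def unescape(value):
    # Undo .properties escaping (backslash-colon, double backslash, uXXXX).
    def repl(m):
        body = m.group(1)
        return chr(int(body[1:], 16)) if len(body) == 5 else ESCAPES.get(body, body)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", repl, value)

def parse_props(text):
    # Minimal reader: skips comment lines, does not handle line continuations.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"(?<!\\)[=:]", line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        props[unescape(parts[0].strip())] = unescape(value.strip())
    return props

def epoch_to_utc(value):
    # Returns (unit, UTC string) for a plausible epoch value, else None.
    if not re.fullmatch(r"[0-9]{9,13}", value):
        return None
    n = int(value)
    for unit, secs in (("s", n), ("ms", n / 1000)):
        if LOW <= secs <= HIGH:
            stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
            return unit, stamp.strftime("%Y-%m-%d %H:%M:%S UTC")
    return None

def find_timestamps(props):
    # Candidates only: confirm each against what the key actually records.
    return {k: t for k, v in props.items() if (t := epoch_to_utc(v))}
```

Run it against a working copy of the file, and treat each hit as a candidate: a large counter or byte total can fall in the same numeric range as a timestamp.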
(@ntmd8r3)
Posts: 1
New Member
 

Does anyone know if files stored in the incomplete folder are available for bittorrent sharing/download?

 
Posted : 11/09/2008 7:47 pm
(@chitapett)
Posts: 76
Estimable Member
 

Just checked my old yahoo account and found 10 requests for the limewire enscript. If you still need it please send me a message and I'll send it. Can't seem to find it online anymore but I do have it zipped up??

 
Posted : 24/05/2011 4:49 am
(@rche001)
Posts: 7
Active Member
 

I have a question on limewire data acquisition and need expert help on this topic. Created a discussion. Who can help?

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=7884

Thanks,
Reuben

 
Posted : 08/07/2011 9:07 pm