Any P2P CP experienced examiners? Know Addax? Please read.  

informatika
(@informatika)
New Member

Hi,
I am investigating a laptop used in CP file sharing. The software is called Addax, a Gnutella client.

Here's my problem. For over a year, the government reports that they could see the files being shared from this computer, but could not download them, ever.

I was given the computer's E01 file and asked to find out how it's possible that someone could see files and hashes but not download them. (This is a function of "browse host" in Gnutella clients, and the government software used.)

Well, the first way would be if the settings for Addax have limited the upload slots to 0.
In my testing, I found that the directory c\users\(username)\appdata\roaming\addax has a file called addax.props that shows the number of upload slots. If you set it to 0, it means no one can download from you, and it shows up here. It's just a plaintext file.

The first problem is that on the client machine, there is no reference to upload slots in this file. Just no reference at all. So I can't see how many upload slots were defined. I'm not aware of any other location that Addax sets its upload files. This would be a version of Addax from 2012 or 2013. I've looked in the registry and found nothing. Addax is a java app. I've emailed the developers but don't expect to hear back from them. They seem a little shady.

The second problem is, finding out the state of firewall software on the computer. I can look at the Windows Registry and see that a commercial security suite was installed, and that it had a service to auto-run, but I can't see if it was running at the time. I can only inspect the E01. I can see timestamps which might help for the product.

What I have access to now are all the registry keys, and some Addax info.
I can get to the E01 file by requesting access, it's a little difficult as it involves contraband.

My question is, is there some way to find out the Addax upload slots and/or the firewall state at the time the computer was imaged, other than buying VFC and running the E01 as a VM? I understand that LiveView doesn't work for Windows 8. Is there a free alternative?

Any help or comments would be appreciated. I feel stuck.

Thanks

Posted : 13/03/2015 5:42 am
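The post above describes addax.props as a plaintext file holding the upload-slot count, and then the problem of that key simply not being present. The following added example (not Addax code, and not from any poster) parses such a file, assuming it follows standard Java .properties syntax, and reports whether the setting is set or absent; the key names in UPLOAD_SLOT_KEYS are hypothetical placeholders, and the sample inputs are constructed.

```python
"""Parse a Java .properties file (assumed format of addax.props) and report
whether an upload-slot key is present or absent. Added example, not Addax
code; the key names in UPLOAD_SLOT_KEYS are hypothetical placeholders."""
import re

# Hypothetical key names; confirm the real one on a throw-away install of the
# same Addax release before relying on this.
UPLOAD_SLOT_KEYS = ("UPLOAD_SLOTS", "upload.slots")
_ESC = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def _unescape(s):
    """Resolve \\t \\n \\uXXXX and \\<char> escapes like java.util.Properties."""
    def rep(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 5 else _ESC.get(tok, tok)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", rep, s)

def _logical_lines(text):
    """Skip comment/blank lines; join lines ending in an odd run of backslashes."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        m = re.search(r"(\\+)$", line)
        if m and len(m.group(1)) % 2 == 1:   # continuation line
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def parse_properties(text):
    """Return {key: value}; key ends at the first unescaped '=', ':' or space."""
    props = {}
    for line in _logical_lines(text):
        m = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)$", line)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def upload_slot_state(props):
    """('set', value) if a known key is present, else ('absent', None): an
    absent key means the application default applied, not zero slots."""
    for key in UPLOAD_SLOT_KEYS:
        if key in props:
            return ("set", props[key])
    return ("absent", None)

# Constructed samples (not from a real addax.props)
SAMPLE_SET = "# constructed\nUPLOAD_SLOTS=0\nSHARE_DIR=C\\:\\\\Users\\\\x\\\\Shared\n"
SAMPLE_ABSENT = "# constructed: key never written\nSHARE_DIR=C\\:\\\\Users\\\\x\\\\Shared\n"
```

Running the two samples through upload_slot_state separates "set to 0" from "absent", which is exactly the distinction the defaults question in the thread turns on.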
Rampage
(@rampage)
Active Member

Hello,
I've never worked on that specific application's artifacts, so I can't get in depth with it.

I'll let you handle (sorry) the task of figuring out the client configuration at the time of seizing/imaging.

The firewall configuration for the Windows OS is in the registry; you should be able to find it in these keys:

HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy


Maybe you can parse them with proper software like RegRipper and such.

If you want to run the system as a VM, I haven't tried it with Windows 8, but with Linux + xmount you can create a virtual VMDK file out of the E01 image and use it with VMware.

The image stays untouched and xmount takes care of using a cache file for handling the system activity.

Posted : 14/03/2015 2:56 am
athulin
(@athulin)
Community Legend

… asked to find out how it's possible that someone could see files and hashes but not download them.

You've already covered upload slot configuration, but you don't seem to have made a chart of which configurations affect uploads, what defaults are applied when these configurations aren't present, and in what order they are applied. At least some p2p software – I've never examined Addax myself – allows for additional controls, such as time-of-day behaviour, client status (friend or unknown), upload bandwidth allocation, whether the files involved have been completely downloaded or not (some clients refuse to share partially downloaded files), refusal to allow a 'leecher' (or freeloader) to download anything (i.e. if the client doesn't share any files themselves, don't allow them access to those you share), etc., etc.

To that can be added such things as having a share folder that the p2p program isn't allowed to read from, and other file-level configuration.

Also, look for more than one p2p client. The one you're looking at just might be for show.

My question is, is there some way to find out the Addax upload slots and/or the firewall state at the time the computer was imaged, other than buying VFC and running the E01 as a VM? I understand that LiveView doesn't work for Windows 8. Is there a free alternative?

Best approach is probably to install Addax on some throw-away computers, experiment with the settings it provides, and identify where they are stored and when and under what conditions downloading is allowed. If you can find a release that's the same as the one you're investigating, so much the better.

There is software designed for p2p examination that may simplify parts of the investigation (P2P Marshal, Internet Evidence Finder, etc.).

Posted : 14/03/2015 12:16 pm