
Ares Forensics

(@cb26forensics)
New Member
Joined: 9 years ago
Posts: 3
Topic starter  

Hi all,

Just wondering, I have run IEF over an image and it pulled out a load of 'Shared Files' from Ares. The data was pulled from the 'ShareL.dat' file.

So I'm wondering is that ShareL.dat file reliable to say that this user has successfully shared files?

Cheers! )


EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

why not install ares, share some files, then use IEF on your own machine?


(@cb26forensics)
New Member
Joined: 9 years ago
Posts: 3
Topic starter  

Yeah, that was my next plan, just thought I'd save some time if someone already knew.


tracedf
(@tracedf)
Estimable Member
Joined: 10 years ago
Posts: 169
 

The ShareL.dat file contains information about what the user is currently sharing and ShareH.dat contains information about current and previously shared files, including files that were excluded from sharing. The existence of a ShareL.dat file does not guarantee that the user actually transferred all or part of a file to anyone else. It is automatically rebuilt whenever the program starts or a download is completed (the downloads folder is shared by default). It does indicate that the files were available on the Ares network, but if you are looking for evidence that a person distributed contraband, you probably need more than that.

-tracedf


(@mcman)
Estimable Member
Joined: 15 years ago
Posts: 189
 

Hey cb26forensics,

Both the shareH and shareL files are encrypted so IEF will decrypt them for you and display the results.

The shareH.dat file will list the files downloaded by the user but without filenames and should have a “shared” flag which we display as “Available for Download by Other Users”.

The shareL.dat will contain a list of the shared files including paths so you may see some duplicates in both the shareH and shareL files (actually sometimes these files are the exact same if the user downloaded the file and then kept it in the default share directory).

Your analysis/interpretation might depend on whether your suspect was using Ares version 2 or 3 so I would verify that as well. IEF will also carve these files from unallocated space so you may get some historical data as well so I would verify the source of where IEF found the files to be sure. Usually if it decrypted correctly then the data is valid but obviously you'll want to verify your own data.

Matt McFadden from Guidance did a good talk at US CyberCrime 2014:
http://www.usacybercrime.com/paperclip/speaker_management/14CC/presentation_file_distribution/3/ba1893e0613339032799b8672b5bcd0df1ea37a6.pdf

Also, here’s a video done by Lance Mueller on Ares analysis in IEF. It’s from 2013 but the info about the artifact still applies.
http://www.magnetforensics.com/ief-ares-search-video-tutorial/

Hope this helps, feel free to reach out if you have any additional questions.
Jamie
jamie dot mcquaid at magnetforensics dot com
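The two replies above describe how ShareL.dat (current shares, with paths) and ShareH.dat (downloads, no filenames, with a "shared" flag) relate, and warn that a ShareL entry shows availability, not a completed transfer, and that IEF may also carve records from unallocated space. The script below is an added example, not code from this thread, from IEF or from Ares: it cross-references decoded records from both files the way an examiner would when writing up such findings. The record layouts, the `file_hash` key, the `source` field and all sample records are constructed assumptions for illustration; they are not IEF's actual export columns or the on-disk format of either file.

```python
"""Cross-reference IEF-style decoded Ares ShareH.dat / ShareL.dat records.

Added example (not the thread's, IEF's or Ares' code). Record layouts are
assumed: they model what the posters describe (ShareH: downloaded files with
a shared flag and no filename; ShareL: current shares with full paths) plus
where IEF recovered each record from. Sample records are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ShareHRecord:
    """Assumed decoded ShareH.dat entry."""
    file_hash: str   # constructed per-file key (real key field is an assumption)
    shared: bool     # IEF's "Available for Download by Other Users" flag
    source: str      # "allocated" (live file) or "carved" (from unallocated)


@dataclass(frozen=True)
class ShareLRecord:
    """Assumed decoded ShareL.dat entry; ShareL is the one that carries paths."""
    file_hash: str
    path: str
    source: str


@dataclass
class Finding:
    downloaded: bool = False      # appears in ShareH
    offered: bool = False         # appears in ShareL (current shares)
    shared_flag: bool = False     # ShareH shared flag set on any record
    carved: bool = False          # any record came from unallocated space
    paths: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def interpret(f):
    """Turn the combined flags into the cautious wording the thread recommends."""
    notes = []
    if f.offered or f.shared_flag:
        notes.append("available on the Ares network; not evidence of a completed transfer")
    elif f.downloaded:
        notes.append("downloaded but not flagged shared")
    if f.downloaded and f.offered:
        notes.append("in both files: consistent with a download kept in the default share folder")
    if f.carved:
        notes.append("historical: at least one record was carved from unallocated space, verify source")
    return notes


def assess(shareh, sharel):
    """Merge ShareH and ShareL records per file hash and annotate each one."""
    findings = {}
    for rec in shareh:
        f = findings.setdefault(rec.file_hash, Finding())
        f.downloaded = True
        f.shared_flag = f.shared_flag or rec.shared
        f.carved = f.carved or rec.source == "carved"
    for rec in sharel:
        f = findings.setdefault(rec.file_hash, Finding())
        f.offered = True
        f.paths.append(rec.path)
        f.carved = f.carved or rec.source == "carved"
    for f in findings.values():
        f.notes = interpret(f)
    return findings


# Constructed sample records (hashes and paths are placeholders).
SAMPLE_SHAREH = [
    ShareHRecord("hash-A", shared=True, source="allocated"),
    ShareHRecord("hash-B", shared=False, source="allocated"),
    ShareHRecord("hash-C", shared=True, source="carved"),
]
SAMPLE_SHAREL = [
    ShareLRecord("hash-A", r"C:\Users\user\Ares\My Shared Folder\a.bin", "allocated"),
    ShareLRecord("hash-D", r"D:\media\d.bin", "allocated"),
]


def report(findings):
    """Render one line per file for a notes section."""
    lines = []
    for h, f in sorted(findings.items()):
        where = ", ".join(f.paths) if f.paths else "(no path: ShareH only)"
        lines.append(f"{h}: {where} -> " + "; ".join(f.notes))
    return lines


if __name__ == "__main__":
    print("\n".join(report(assess(SAMPLE_SHAREH, SAMPLE_SHAREL))))
```

The point of the join is the wording it forces: a hash seen only in ShareL (like `hash-D`) is written up as "offered", a hash seen only in ShareH without the flag (like `hash-B`) as "downloaded", and anything with a carved record gets a source caveat rather than being reported as the current share list.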


(@cb26forensics)
New Member
Joined: 9 years ago
Posts: 3
Topic starter  

Thanks very much guys for the answers! )

