I am dealing with a case where there are no active or deleted images, however there are some files within emules temp folder that when these are viewed in text the latter parts appear to show what the file will/would be called upon completeion of download, not unlike limewire/Kazaa. My questions are
Is this the case?
Does emule retain search details? if so how do I retrieve them can i retrieve them?
What is the significance of the met files 'KNOWN' and 'PART'.
? 😯
http//
I dont know about the searches but eMule is a gold-mine with its "known.met". This file gives you information about all files the user ever shared. This includes the hash-value and the amount of data transfered. I can point you to a neat tool doing all this. Cheers.
You should try here
http//fileshareforensics.org/
Does anyone know how to decrypt the known.met file ?
I dont know about the searches but eMule is a gold-mine with its "known.met". This file gives you information about all files the user ever shared. This includes the hash-value and the amount of data transfered. I can point you to a neat tool doing all this. Cheers.
can you point us to that neat tool?
it's really interesting )
"Medmedic", "known.met viewer" are 2 free tools which decode the known.met. Metmedic gives you a lot more information.
At present I am developing a tool called "PeerLab" which works like a virus-scanner but scans for P2P-applications, usenet-clients and webdisks. It is also able to decode a few p2p-databases like the known.met
i'm trying to use metmedic but it looks to have some problems parsing some kind of known.met files
maybe the structure changed in some versions/mods of emule?
You should try here
http//fileshareforensics.org/
Too bad it's LE only…
I tried metviewer for decoding known.met and the result is OK.
But i don't find a soft to decod key_index.dat