Hi Mike,
Other than that, as suggested above, carving the library.dat files from Limewire is a good way to go. A quick Google search should see you right.
Mike,
Start here;
http//
Cheers,
DM
Well, I would hash the movies and get a SHA1 value (BASE32) and then I'd query the drive for those SHA1 values…you might get lucky and find some good fileurns.cache fragments or downloads.dat fragments….in a version of LW that old (less than 4.17.X), if you find a downloads.dat fragment, you'll likely have the search term he used to find the file(s) to begin with, and the time he started the download.
In fileurns.cache, you'll locate the name of the file attributed to the SHA1, along with the modified date of the file (8 bytes, big Endian - JAVA TIME - should match the time in fileurns.cache for the completed download)…..I can almost guarantee you that the CP files won't be called "walt_disney_mickey_mouse_and_goofy_posing.mpg".
It'll likely have a vile filename that is highly indicative of CP - and that would certainly pose a problem for a suspect here in Canada, because we have an "accessing CP" law here.
I'm not sure how the laws work in your state, but with a vile filename like the ones we see repeatedly, "knowledge" can sometimes be implied, especially with a quantity, but you don't appear to have a quantity. "Control" is the other problem in your case…..Does he have "control" after he deletes it? How long does he have to have "control" to constitute possession?
You indicate that "he would query, get a list, select download all" - what was he querying? 😯
When you attempt to duplicate what the accused was doing, make sure you install the same exact version of LimeWire, and read all the screens that you go through for installation. It's pretty evident what LimeWire is for, and most versions actually tell you, clearly, that you will be sharing what you download. I have seen that defense fail often.
The disclosure file in P2P Cases should be quite thick with lots of paper - if you have a thin file, the case is pretty thin. Just my two cents….
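The hash-and-search step described in the post above, as an added example that is not part of the original post or of any tool it mentions: it computes the Base32 SHA-1 of a known file, scans an image for that string, and decodes an 8-byte big-endian Java time value. It assumes the hash is stored as plain ASCII text; the function names and the sample data are constructed for illustration, and nothing here parses the actual fileurns.cache or downloads.dat layout.

```python
import base64, hashlib, io, struct
from datetime import datetime, timedelta, timezone

def sha1_base32(data: bytes) -> str:
    """SHA-1 digest as Base32 text (20 bytes -> 32 characters, no padding)."""
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")

def find_hash_hits(stream, b32_hashes, chunk_size=1 << 20):
    """Scan a binary stream for ASCII copies of each hash; return sorted (offset, hash)."""
    needles = [h.encode("ascii") for h in b32_hashes]
    if not needles:
        return []
    overlap = max(len(n) for n in needles) - 1  # tail kept to catch hits on chunk boundaries
    hits, base, tail = set(), 0, b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        start = base - len(tail)  # absolute offset of window[0]
        for n in needles:
            pos = window.find(n)
            while pos != -1:
                hits.add((start + pos, n.decode("ascii")))
                pos = window.find(n, pos + 1)
        base += len(chunk)
        tail = window[-overlap:] if overlap else b""
    return sorted(hits)

def java_time_to_utc(raw8: bytes) -> datetime:
    """Decode 8 bytes, big-endian, as Java time (milliseconds since 1970-01-01 UTC)."""
    if len(raw8) != 8:
        raise ValueError("expected exactly 8 bytes")
    (millis,) = struct.unpack(">q", raw8)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=millis)

if __name__ == "__main__":
    # Constructed sample data: a stand-in "movie" and a fake image holding its hash twice.
    h = sha1_base32(b"constructed sample movie bytes")
    image = b"\x00" * 100 + h.encode() + b"\xff" * 37 + h.encode() + b"\x00" * 5
    for offset, value in find_hash_hits(io.BytesIO(image), [h], chunk_size=16):
        print(f"offset {offset}: {value}")
    print(java_time_to_utc(struct.pack(">q", 1262304000000)).isoformat())
```

On a real case the stream would be a read-only handle on a verified working copy of the image, and each reported offset is a place to examine by hand for the surrounding filename and timestamp bytes.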
Could you please expand on your statement "vile filename like the ones we see repeatedly, "knowledge" can sometimes be implied"?
I realize this is coming in several months since the last post, but I wanted to add a few bits of information.
1. Last Access Times are not updated by default in Vista or 7 when a file is accessed and neither the data nor the metadata is changed. You can look at this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
2a. If there is contraband (child pornography) on the hard drive in question (which there is in this case), I would think long and hard about wanting to take possession of a piece of digital media like this. I am not aware of any law which gives an exception to a private forensic examiner to possess this material for any reason. Law enforcement is not going to give it to you anyway.
2b. If you haven't performed a forensic exam on the system in question, this sounds like a good point to arrange an examination of the system on the site of government (i.e. sheriff's office, state attorney's office, etc).
3. Forensicakb suggested re-imaging the original hard drives. I would consider, at the very least, examining the acquisition report of the original hard drives. If you do perform an exam, make sure you re-verify the E01/dd set to ensure it matches the original acquisition.
4. As mentioned earlier, you should have all of the investigative reports, forensic reports, search warrants, etc. You might want to make sure that the GUID (found in the limewire.props file) matches the one LE initially targeted as having possessed the files (prior to search warrant). This can be important, especially when there are multiple computers in a residence.
5. With no formal computer forensics training, you may have a difficult time having your opinion heard, if this goes to trial.
Good luck.