
Has anyone ever come across forensic artefacts from these?

Worcesterdee
(@worcesterdee)
Eminent Member
Joined: 20 years ago
Posts: 22
Topic starter  

I have a case at the moment involving a user who has downloaded abusive images of children using EMule and Limewire. However, what I'm interested in is the fact that I've come across Virtualdub and TVersity, both of which have traces of some of the pictures downloaded by the user from the P2P clients.

Has anyone examined either of these two applications before in such circumstances? It appears that he has used both programmes to view the pictures and the images have been "retained" without the knowledge of the user in data folders.

Thanks

Jim


   
Quote
 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

I wonder if Virtual Dub is being used to convert or transcode the files? Downloaded in one format, stored in another. This program can also be used to create frame grabs, i.e. still images from portions of a movie file. There will be settings that show where these export to; it could very well be to one of the Virtual Dub folders by default.

Depending on how many times this app has been run, I would think it would be worth looking for indications of this kind of use. I can't see that this program would be used as just a media player.


   
ReplyQuote
jekyll
(@jekyll)
Trusted Member
Joined: 17 years ago
Posts: 60
 

My money would be on Virtual Dub being used in transcoding into a format that can stream with TVersity. <sigh> so many better uses for technology. Here's where I'd be looking:

- TVersity, like most streaming software, probably has an SQLite db or something like that in the back end that keeps indexing a folder or set of folders to manage the lists of media it can stream. Find that and you probably have a gold mine. FTK 3 handles SQLite dbs really nicely now.

- Check the registry for MRU lists

- Look for log files for both programs

But Limewire is probably where you'll be focussing most of your attention since it's the scene of the crime, so to speak. For this there's P2P Marshall and Internet Evidence Finder, and Cacheback just added some nice support too.


   
ReplyQuote
Worcesterdee
(@worcesterdee)
Eminent Member
Joined: 20 years ago
Posts: 22
Topic starter  

When the TVersity Media Server directory is viewed, there is a sub directory named "Data" in which there are full versions of the picture files.

In another sub directory named "db" you can see a file named "medialib.db". When viewed with SQLite Database viewer, you can see that one of the tables is named "Prop Value", which is indeed a goldmine with full file paths to the images. Also in the same directory is an "admin.db" file containing metadata. When viewed with SQLite Database viewer, you can see that one of the sources is the user's My Pictures folder.

With Virtualdub, full images have been cached in the Virtualdub\plugins\AVI Plugins\images directory, and interestingly a "Virtualdub\plugins\AVI Plugins\New Folder" directory.


   
ReplyQuote
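Added example, not part of the original posts and not TVersity's own code: a schema-agnostic way to pull file-path strings out of an application's SQLite database, opened read-only on a working copy. Only the table name "Prop Value" comes from the thread; the column names, the `settings` table and all sample rows are constructed for illustration.

```python
import re
import sqlite3
from pathlib import Path

# Windows drive-letter or UNC path; stops at characters illegal in file names.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\r\n"<>|*?]+')

def open_readonly(db_file):
    """Open a working copy read-only so the examination cannot alter it."""
    return sqlite3.connect(Path(db_file).resolve().as_uri() + "?mode=ro", uri=True)

def find_paths(conn):
    """Return sorted (table, column, rowid, path) hits from all text/blob values."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # names may contain spaces
        try:
            cur = conn.execute(f"SELECT rowid, * FROM {quoted}")
        except sqlite3.OperationalError:  # WITHOUT ROWID table
            cur = conn.execute(f"SELECT NULL, * FROM {quoted}")
        cols = [d[0] for d in cur.description][1:]
        for row in cur:
            for col, value in zip(cols, row[1:]):
                if isinstance(value, bytes):
                    value = value.decode("utf-8", "replace")
                if isinstance(value, str):
                    hits.extend((table, col, row[0], m.group(0).rstrip())
                                for m in PATH_RE.finditer(value))
    return sorted(hits)

def sample_db():
    """Constructed stand-in database; the schema and rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Prop Value" (item_id INTEGER, value TEXT)')
    conn.executemany('INSERT INTO "Prop Value" VALUES (?, ?)', [
        (1, r"C:\Users\sample\My Pictures\holiday01.jpg"),
        (2, "image/jpeg"),
        (3, r"file=D:\Shared\clip02.avi")])
    conn.execute("CREATE TABLE settings (k TEXT, v BLOB)")
    conn.execute("INSERT INTO settings VALUES ('source', ?)", (rb"\\nas\media\in",))
    return conn

if __name__ == "__main__":
    for hit in find_paths(sample_db()):
        print(hit)
```

Recording the table, column and rowid with each hit lets the finding be re-located and verified in any other SQLite viewer.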
Worcesterdee
(@worcesterdee)
Eminent Member
Joined: 20 years ago
Posts: 22
Topic starter  

With Virtualdub, full images have been cached in the Virtualdub\plugins\AVI Plugins\images directory, and interestingly a "Virtualdub\plugins\AVI Plugins\New Folder" directory.

I installed Virtualdub on a VM and was able to show that both of these directories were user created.


   
ReplyQuote
Share: