
P2P Forensics

8 Posts
5 Users
0 Reactions
1,068 Views
(@rj3301)
Active Member
Joined: 22 years ago
Posts: 9
Topic starter [#417]

I have a case where Morpheus was used to download child pornography. Is there a log file that can be viewed to show what search words were used when searching the Gnutella network?

keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568

Rob,

http://windowsir.blogspot.com/2005/08/morpheus-searches.html

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

(@gmarshall139)
Reputable Member
Joined: 22 years ago
Posts: 378

Guidance Software has a webinar on P2P forensics on their website. It's good information even if you are not using EnCase.

techmerlin
(@techmerlin)
Trusted Member
Joined: 21 years ago
Posts: 62

Greg,

Can you provide us with the link to this at Guidance's site?

Thanks

(@gmarshall139)
Reputable Member
Joined: 22 years ago
Posts: 378

It's right here

http://www.guidancesoftware.com/support/resources.asp

The title of the one I mention is "Distributed File Sharing"

You have to download the Webex player (free) and register prior to downloading, but there's a lot of good material there.

mark777
(@mark777)
Estimable Member
Joined: 22 years ago
Posts: 101

It may be worthwhile looking at Kazalyser by Sanderson Forensics. I am nearly positive that it will decode the data and registry files for an installation of Morpheus as well.

Paul Sanderson will tell you if it does before you buy it should you ask. It is not that expensive and saves an awful lot of manual decoding time.

Failing that, look in the user.dat files for the profile you are looking at under software - morpheus and you should find something there.

keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568

…it will decode the data and registry files…

Is this something you've tried before? According to the web site for the tool, it is simply a database viewer. Is the information from the database maintained in the Registry, or in a…well…database? 😉

I'm asking, as I have yet to have an investigation that involves P2P.

Failing that look in the user.dat files for the profile you are looking at…

I'm just finishing up an offline Registry parsing tool that, so far, parses the SYSTEM and NTUSER.DAT files very well.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

mark777
(@mark777)
Estimable Member
Joined: 22 years ago
Posts: 101

Yes.

It does the dbb files, shared folder etc., but if you put the registry files into it you can see all the settings to compare against default - whether he has changed any of them etc., e.g. which folders are the download folders etc., as well as the search terms used (last 20 I think) if that version of the P2P (Kazaa) keeps them - user name, e-mail address, simultaneous downloads and uploads allowed; in fact lots of useful titbits.

We use it to go towards proving intent to distribute, e.g. if he is aware enough to change the maximum number of downloads and uploads from default to whatever they are (and most do) then he is capable of disabling sharing but chose not to, amongst others.

Like I say, I know it works in Kazaa and Grokster but not sure in Morpheus.
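The thread's two technical threads are an offline parser for NTUSER.DAT (keydet89's tool) and reading a P2P client's settings out of the user hive under Software\ to compare them against defaults (mark777's intent argument). The script below is an added example written for this page, not code from either poster or from Kazalyser; it is a minimal walker for the regf hive format (hbin cells, nk key records, vk value records, lf/lh/li subkey lists) plus a builder that fabricates a tiny hive in memory so it runs without a real evidence file. Every key and value name it uses (Morpheus, DownloadFolder, MaxUploads, RecentSearches) is a constructed placeholder, since the thread does not say what Morpheus actually stores; on a real image you would point read_key at the path you find under Software\ in that user's NTUSER.DAT.

```python
"""Minimal offline regf (NTUSER.DAT) walker: locates a key under Software\\ and
dumps its values so they can be compared against the client's defaults.
Added example; the hive built here is synthetic and every key/value name in it
(Morpheus, DownloadFolder, MaxUploads, RecentSearches) is a constructed placeholder."""
import struct

REG_SZ, REG_DWORD, REG_MULTI_SZ = 1, 4, 7
HBIN_BASE = 0x1000          # cell offsets in a hive are relative to the first hbin
NONE = 0xFFFFFFFF           # "no cell" marker used in nk records

# ---------- synthetic hive builder (only so the example runs offline) ----------
class HiveBuilder:
    def __init__(self):
        self.area = bytearray()          # cell area of one hbin, after its 32-byte header

    def cell(self, payload):
        size = (4 + len(payload) + 7) & ~7            # allocated cell: 8-byte aligned, negative size
        off = 0x20 + len(self.area)
        self.area += struct.pack('<i', -size) + payload + b'\0' * (size - 4 - len(payload))
        return off

    def vk(self, name, vtype, data):
        inline = len(data) <= 4                       # small data lives in the offset field itself
        field = data.ljust(4, b'\0') if inline else struct.pack('<I', self.cell(data))
        length = len(data) | (0x80000000 if inline else 0)
        return self.cell(struct.pack('<2sHI4sIHH', b'vk', len(name), length, field, vtype, 1, 0)
                         + name.encode())

    def nk(self, name, subkeys=(), values=(), root=False):
        sub_off = NONE
        if subkeys:                                   # 'lf' list: (offset, first 4 name bytes) pairs
            entries = b''.join(struct.pack('<I4s', off, nm.encode()[:4].ljust(4, b'\0'))
                               for nm, off in subkeys)
            sub_off = self.cell(struct.pack('<2sH', b'lf', len(subkeys)) + entries)
        val_off = self.cell(b''.join(struct.pack('<I', o) for o in values)) if values else NONE
        hdr = struct.pack('<2sH8s' + 'I' * 15 + 'HH', b'nk', 0x2C if root else 0x20, b'\0' * 8,
                          0, NONE, len(subkeys), 0, sub_off, NONE, len(values), val_off,
                          NONE, NONE, 0, 0, 0, 0, 0, len(name), 0)
        return self.cell(hdr + name.encode())

    def build(self, root_off):
        hbin_size = (0x20 + len(self.area) + 0xFFF) & ~0xFFF
        hbin = struct.pack('<4sII8sQI', b'hbin', 0, hbin_size, b'\0' * 8, 0, 0) + self.area
        hbin += b'\0' * (hbin_size - len(hbin))
        hdr = bytearray(HBIN_BASE)                    # regf header; checksum left zero (not verified here)
        struct.pack_into('<4sIIQIIIIII', hdr, 0, b'regf', 1, 1, 0, 1, 3, 0, 1, root_off, hbin_size)
        return bytes(hdr) + hbin

# ---------- the parser side ----------
def _cell(hive, off):
    pos = HBIN_BASE + off
    size = struct.unpack_from('<i', hive, pos)[0]    # negative size = allocated cell
    return hive[pos + 4: pos + abs(size)]

def _nk(hive, off):
    c = _cell(hive, off)
    assert c[:2] == b'nk', 'not a key cell'
    nsub, sub_off, nval, val_off = struct.unpack_from('<I4xI4xII', c, 0x14)
    name_len = struct.unpack_from('<H', c, 0x48)[0]
    return c[0x4C:0x4C + name_len].decode('latin-1'), nsub, sub_off, nval, val_off

def _subkeys(hive, nsub, list_off):
    if nsub == 0:
        return []
    c = _cell(hive, list_off)
    sig, count = struct.unpack_from('<2sH', c, 0)
    step = 8 if sig in (b'lf', b'lh') else 4         # 'li' carries offsets only; 'ri' not handled
    return [struct.unpack_from('<I', c, 4 + i * step)[0] for i in range(count)]

def _decode(vtype, data):
    if vtype == REG_SZ:
        return data.decode('utf-16-le').rstrip('\0')
    if vtype == REG_DWORD:
        return struct.unpack('<I', data)[0]
    if vtype == REG_MULTI_SZ:
        return [s for s in data.decode('utf-16-le').split('\0') if s]
    return data                                       # unknown type: hand back raw bytes

def _values(hive, nval, list_off):
    out = {}
    if nval == 0:
        return out
    lst = _cell(hive, list_off)
    for i in range(nval):
        c = _cell(hive, struct.unpack_from('<I', lst, 4 * i)[0])
        name_len, data_len, raw, vtype = struct.unpack_from('<HI4sI', c, 2)
        name = c[0x14:0x14 + name_len].decode('latin-1')
        if data_len & 0x80000000:                     # inline data flag
            data = raw[:data_len & 0x7FFFFFFF]
        else:
            data = _cell(hive, struct.unpack('<I', raw)[0])[:data_len]
        out[name] = _decode(vtype, data)
    return out

def read_key(hive, path):
    """Walk a backslash path (case-insensitive) from the root key; return its values or None."""
    assert hive[:4] == b'regf', 'not a regf hive'
    off = struct.unpack_from('<I', hive, 0x24)[0]
    for part in path.split('\\'):
        _, nsub, sub_off, _, _ = _nk(hive, off)
        hits = [s for s in _subkeys(hive, nsub, sub_off) if _nk(hive, s)[0].lower() == part.lower()]
        if not hits:
            return None
        off = hits[0]
    _, _, _, nval, val_off = _nk(hive, off)
    return _values(hive, nval, val_off)

def changed_from_defaults(values, defaults):
    """Settings whose stored value differs from the client's default: (default, found) pairs."""
    return {k: (defaults[k], v) for k, v in values.items() if k in defaults and defaults[k] != v}

def build_sample_hive():
    """Constructed NTUSER.DAT-like hive; names are hypothetical, not what Morpheus really writes."""
    b = HiveBuilder()
    vals = [b.vk('DownloadFolder', REG_SZ, 'C:\\Shared\\'.encode('utf-16-le') + b'\0\0'),
            b.vk('MaxUploads', REG_DWORD, struct.pack('<I', 50)),
            b.vk('RecentSearches', REG_MULTI_SZ, 'term one\0term two\0\0'.encode('utf-16-le'))]
    morpheus = b.nk('Morpheus', values=vals)
    software = b.nk('Software', subkeys=[('Morpheus', morpheus)])
    return b.build(b.nk('NTUSER', subkeys=[('Software', software)], root=True))

if __name__ == '__main__':
    settings = read_key(build_sample_hive(), 'Software\\Morpheus')
    print(settings)
    print(changed_from_defaults(settings, {'MaxUploads': 10}))
```

Against a real hive you would replace build_sample_hive() with the bytes of the exported NTUSER.DAT, then feed the dictionary from read_key into changed_from_defaults with the defaults you have established from a clean install of the same client version; that gives the settings-versus-default comparison mark777 describes as evidence of user awareness, with each changed value shown as a (default, found) pair.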
