Many times, law enforcement will have a need for information concerning specific applications. In some cases, those specific applications are P2P file sharing clients. Recently on another list, someone asked about Morpheus, and I thought I'd take a look. After all, you never know when you're going to have that same question yourself.
I got a copy of the P2P client application and installed it. I opened and then minimized the application. I ran the first half of the "two-phase mode" for InControl5. I ran a couple of searches in the client, then completed the "two-phase mode" for InControl5, and took a look at the report. As I suspected, the search terms were not kept in a file, but were instead maintained in the Registry, in the following key:
[HKCU|HKEY_USERS]\Software\Morpheus\GUI\SearchRecent
The LastWrite time on this key will tell the investigator when the key was last written to, ie, when the last search term was added to the list.
I'm sure that more comprehensive testing could be done; in fact, it might be of benefit to compile information about several P2P clients, such as where search terms are maintained, etc.
Anyone out there need or have this info? What are the specific P2P/file sharing clients that you're running across, and what information are you looking for about them?
4 comments:
Understanding how a variety of P2P clients work would be a great asset for both law enforcement and the private sector. Especially since the MPAA announced in November of 2004 they were going to target illegal distribution of movies. Combine this with the RIAA's efforts and P2P is a hot topic. A recent posting to Slashdot highlighted the fact that those involved with file sharing switch tools/programs when legal issues target a particular program/method. The article mentions how users have moved to eDonkey after legal pressure targeted bitTorrent. Information that would be helpful would include a listing of the tools that are used, including any obscure ones. What remnants are left on a system? - If someone deletes a file and then wipes UC, it would be helpful to be able to find info in the registry or other locations that would show that the file once existed on the system. dDonkey and eMule are tools we have come across. Another product that looks like it might be helpful to P2P folks is Faststream Netfile Server - ftp client and server app.
Understanding how a variety of P2P clients work would be a great asset for both law enforcement and the private sector.
I'm sure that's the case...but what info do different individuals want? For example, I can imagine that folks who work with imaged systems (ie, cops) would want informaiton that's different from folks who work with live systems connected to networks. Maybe. Maybe not.
Interesting point and one that I had not thought of since I work mainly with imaged systems (private sector). The projects I have worked with simply involved trying to determine the level of use of P2P software. Because the civil litigation process provides the opportunity for people to try to cover their tracks, being able to find "residual" information in the registry would be extremely helpful - such as items left over when people try to uninstall/delete P2P software. Knowing where the search terms can be found would be helpful as well.
For you Movie Lovers out there! If any of your bloggers are interested in P2P Software for free music and movie downloading, go see my P2P related site. Links to The Top 12 P2P Softwares are here.
Post a Comment