
Fileshareforensics - in depth with P2P

P2P applications => Kazaa Lite => Topic started by: Soren Christensen on May 12, 2007, 05:30:30 AM

Title: Kazaa Lite v. 243
Post by: Soren Christensen on May 12, 2007, 05:30:30 AM

Default installation path

The program by default installs at "C:\Program Files\Kazaa" and creates the folder "C:\Program Files\Kazaa\My Shared Folder" as being shared with other users.

Windows registry settings

The registry is placed differently in the different versions of Windows. In Win9x systems the registry is placed in the files "USER.DAT" and "SYSTEM.DAT". In WinNT/2000/XP systems, the registry is divided into several files: NTUSER.DAT, SOFTWARE, SECURITY and SAM. "NTUSER.DAT" is found in each user profile (NTUSER.DAT is partially displayed as the HKEY_CURRENT_USER key in Regedit), while "SOFTWARE", "SECURITY" and "SAM" are found in "<root>\Windows\System32\Config" (to view in EnCase: select file - right-click - view file structure).

In "HKEY_CURRENT_USER\Software\Kazaa" a large amount of information of interest is stored - among other things information on shares, last used search terms, path to internal database files (dbb-files) etc.

"HKEY_CURRENT_USER\Software\Kazaa\transfers" holds among other settings the key
* DlDir0 (the folder where downloaded files are stored - default "C:\Program Files\Kazaa\My Shared Folder")

Information on shares

"HKEY_CURRENT_USER\Software\Kazaa\LocalContent" holds among other settings the following keys:
* DisableSharing (value 0=sharing, 1=sharing disabled - value is stored as a HEX value)
* DownloadDir (folder where downloaded files are stored)
* Dir0 (If this key is found, the user has defined new/additional folders as shared (though folders are only shared if sharing is enabled). User-defined folders use the prefix "012345")
* If "DisableSharing=0" and no "Dir0" is mentioned - the default folder "C:\Program Files\Kazaa\My Shared Folder" will be shared - even if it's not shown in the list

Information on internal database files (*.dbb-files)

"HKEY_LOCAL_MACHINE/Software/Kazaa/LocalContent/DatabaseDir" holds the information on the *.dbb files.

Further examination shows that the "*.dbb-files" - compared to older versions - have moved from the program folder to a folder under each user profile (NT/W2K/XP systems) - e.g.
C:\Documents and Settings\[userprofile]\Application Data\Kazaa Lite\Db
while under Win9x systems the "*.dbb" files are found at:
C:\Windows\Application Data\Kazaa Lite\Db

Information on version of the client

There is no separate key in the Kazaa Lite hive that shows the version of the client, but for versions based on KMD v. 2.0.2 it's possible to obtain the version number in the following key:
"HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Uninstall/Kazalite202_is1/DisplayName" (Kazaa Lite [K++ edition] [build 3 ])

It is also possible to determine the version by copying the file "C:\Program Files\Kazaa Lite\kazaa.exe", right-clicking on the file, and selecting the "Version tab".

Information on last used search terms

The last used search terms are stored encrypted in the hive "HKEY_LOCAL_MACHINE/Software/Kazaa/Search". By using the forensic analysis program KaZAlyser it is possible to decrypt up to the last 50 search terms.

Files of interest

The internal files of Kazaa are analyzable through the forensic program KaZAlyser. The analysis can tell the content of the shared resources - both present and past. It is possible to recognize files that have earlier been rated as child pornographic. It is possible to obtain the download source of the files, and it is possible to decrypt the last 50 search terms used in Kazaa.

For the analysis you need the following files/registry settings:
* *.dbb files
* Registry settings (HKEY_CURRENT_USER/Software/Kazaa (and all the sub hives/keys))
* Content of shared resources ("physical content")

Partially downloaded files are stored in ".dat" format - like "download10884928834468014.dat". It's also possible to examine these files with the freeware program "K-dat", and obtain info on the real filename, how much of the file has been downloaded and one of the source IPs.

Download installfile: Kazaa Lite 2.43 (http://fileshareforensics.org/forum/installfiles/kazaalite/v243/kazaalite243.zip)
View flash video of use of Kazaa Lite: Flash video (http://fileshareforensics.org/forum/movieclips/kazaalite243.swf)
Download video of use of Kazaa Lite (better quality): AVI-video (zipfile) (http://fileshareforensics.org/forum/movieclips/kazaa243.zip)

Screenshots:
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image1.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image2.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image3.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image4.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image5.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image6.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image7.jpg)
(http://fileshareforensics.org/forum/screenshots/kazaalite/v243/Image8.jpg)
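The share rules listed under the LocalContent key, worked through as an added example that is not part of the original post or of any tool it mentions. It assumes the LocalContent values have already been exported to a dict by the examiner's registry tool, that further folders follow Dir0 as Dir1, Dir2 and so on, and that the "012345" prefix may be followed by a colon; the function and field names are hypothetical.

```python
import re

DEFAULT_SHARE = r"C:\Program Files\Kazaa\My Shared Folder"  # default named in the post
USER_DIR_PREFIX = "012345"  # prefix the post gives for user-defined folders


def _as_int(value):
    """DisableSharing may arrive as an int, a hex string or raw DWORD bytes."""
    if isinstance(value, (bytes, bytearray)):
        return int.from_bytes(value, "little")
    if isinstance(value, str):
        return int(value, 16)  # the post says the value is stored in hex
    return int(value)


def effective_shares(local_content):
    """Apply the post's LocalContent rules to one user's exported values."""
    raw = local_content.get("DisableSharing")
    # None means the value was absent, so sharing state cannot be decided.
    enabled = None if raw is None else _as_int(raw) == 0

    # Collect DirN values in index order; "DownloadDir" must not match.
    indexed = []
    for name, value in local_content.items():
        m = re.fullmatch(r"Dir(\d+)", name, re.IGNORECASE)
        if m:
            indexed.append((int(m.group(1)), value))
    configured = []
    for _, value in sorted(indexed):
        if value.startswith(USER_DIR_PREFIX):
            # Assumption: an optional ':' separates the prefix from the path.
            value = value[len(USER_DIR_PREFIX):].lstrip(":")
        configured.append(value)

    # Post's rule: sharing on and no Dir0 -> default folder is shared anyway.
    default_applied = enabled is True and not configured
    shared = [DEFAULT_SHARE] if default_applied else (configured if enabled else [])
    return {"sharing_enabled": enabled, "configured": configured,
            "shared": shared, "default_applied": default_applied}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real hive.
    sample = {"DisableSharing": "0", "DownloadDir": DEFAULT_SHARE}
    print(effective_shares(sample))
```

The "configured" list is kept separate from "shared" so that folders defined while sharing is disabled still appear in the examiner's notes.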
