FROSTWIRE 4.17.

0

***Frostwire in identical to Limewire in everyway except for name and treats its file in the exact same fashion***

Change in Default Directories for Downloads/Shares
Changes in the default directories for downloads and sharing led to changes in: C:\Documents and Settings\user\Application Data\FrostWire\library.dat C:\Documents and Settings\user\Application Data\FrostWire\installation.props C:\Documents and Settings\user\Application Data\FrostWire\tables.props C:\Documents and Settings\user\Application Data\FrostWire\questions.props C:\Documents and Settings\user\Application Data\FrostWire\frostwire.props C:\Documents and Settings\user\Application Data\FrostWire\mojito.props After confirming the changes, the same above files were written to as well.

Downloads in Frostwire
When a download is initiated in Frostwire, for example and MP3 the following things occur -Downloads.bak is created (if it’s the first ever download within frostwire) and written to. -C:\D&S\User\My Documents\Frostwire\Chicos Saved\Incomplete\T-2926592-Dave Mathwes Band – The Space Between.mp3 is created and updated throughout the download. One the download is completed the following things occur: -C:\....Frostwire\downloads.bak is written to/updated (this file is where Frostwire tracks its current downloads in the exact same way Limewire does) - C:\....Frostwire\xml\data\audio.sxml2 is created and is a database that provides Frostwire with the info displayed when other P2P users search your shared files - C:\...Frostwire\library.dat is written to - C:\...Frostwire\Fileurns.cache is written to and contains an index of shared files and their paths. This enables sharing of the files when user logs onto the network. - C:\...Frostwire\Createtimes.cache is written to

Evidence Media Played in Built in Media Player
Using Frostwires’ built in media player wrote to the registry: HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUB SYS_1043829E&REV_1000\4&B3DDC6A&0&0001\DirectSound\Speaker Configuration\Speaker Configuration

PROPS Examination
FrostWire has been described as “LimeWire Pro for free”. It behaves like LimeWire and contains many similarly named files. It is a peer-to-peer file sharing program that uses the Gnutella and BitTorrent networks.

Examined C:\Documents and Settings\{user}\Application Data\FrostWire, which was created in the default installation. EnCase was used to conduct the examination. FrostWire.props file contained: #FrostWire properties file #Tue Nov 04 14:20:18 EST 2008 LAST_FILECHOOSER_DIR=C\:\\Program Files\\FrostWire INTRO_LOCAL_LINK=http\://vimeo.com/1397400?pg\=embed&sec\=1397400 LAST_EXPIRE_TIME=1225826399474 PORT=36326 EXTENSIONS_TO_SEARCH_FOR=m4a;mpg;tif;mpe;rmvp;wma;ogm;cue;swf;shn;arc;ogg;rpm;ccd;arj ;tiff;kar;wmv;mpeg;iso;gz;wm;mod;toast;mov;pyc;asf;pf;taz;pl;mpa;tar;mime;bin;cdg;gif;sxw;aif;srt;jpe; deb;midi;tbz;pmf;7z;dvi;c;m;h;jpg;sit;jve;png;ua;mp2v;mid;z;rmj;rmi;jpeg;bz;img;mlv;l6t;jar;avi;htm;fla; dmg;gzip;aifc;mkv;pkg;nsv;xml;aiff;flac;tex;exe;med;lwtp;sub;pyo;rm;mp4;wax;mp3;wav;rar;asx;txt;ra; mpv2;pyz;bz2;qt;snd;lit;zip;idx;sea;lqt;ace;au;dcr;py;ram;hqx;java;html;smi;tgz;ps DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\user\\My Documents\\FrostWire\\Saved CLIENT_ID=4498CCD8BD75199A9CC622F39EB29900 CHAT_IRC_NICK= TEMPLATE_FOR_SAVING_LWS_FILES= INSTALLED=true EXTENSIONS_LIST_UNSHARED=pdf;doc;rtf DIRETORY_FOR_SAVING_LWS_FILES=C\:\\Documents and Settings\\user\\My Documents\\FrostWire\\Store Purchased INTRO_URL=http\://static.frostwire.com/images/overlays/default.png EXTENSIONS_MIGRATE=false DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\user\\My Documents\\FrostWire\\Shared INTRO_NETWORK_LINK=http\://vimeo.com/1397400?pg\=embed&sec\=1397400 COUNTRY= MAX_SIM_DOWNLOAD=8 WINDOW_Y=112

WINDOW_X=220 The user’s GUID is contained within CLIENT_ID=. As you can see, other important info such as the directory where files are saved and the directory that is shared are contained. To determine when the client was installed, the installation.props file was examined: #FrostWire installs file #Tue Nov 04 14:20:18 EST 2008 LANGUAGE_CHOICE=true FILTER_OPTION=true EXTENSION_OPTION=true SCAN_FILES=true LAST_EXPIRE_TIME=1225826401895 FIREWALL_WARNING=true SAVE_DIRECTORY=true ASSOCIATION_OPTION=2 START_STARTUP=true SPEED=true The date and time marked at the top of this file is one second later than the Created date within EnCase for this file. Also visible is that FrostWire was set to autostart. The default path for FrostWire’s storage is: C:\Documents and Settings\{user}\My Documents\FrostWire and contains four folders: • Incomplete – where the incomplete files are stored in a default installation. They are prefixed with “T-{total number of bites for complete download}” unless they have been previewed, in which case they are prefixed with “Preview-T-{total number of bites for complete download}” • Saved – where the complete downloaded files are stored in a default installation • Shared – the default shared folder; by default all downloaded files are also shared (checkbox in Tools->Options->Sharing) • Store Purchased - where purchased content would be saved While in LimeWire, the downloads.bak and downloads.dat files are stored in the Incomplete folder, these files within FrostWire are stored by default at C:\Documents and Settings\{user}\Application Data\FrostWire. A search was conducted for the name “ridiculousness”. Returns were obtained with “ridiculousness” listed as the album title for some mp3 files. One of these files was downloaded. The FrostWire folders created during installation were then imported into EnCase for examination. A keyword search was conducted for the term “ridiculousness” using the default text and Unicode. The only hits were contained within the downloaded audio file and the audio.sxml2 file, where it showed that album=”Ridiculousness”. It appeared that the search term was not stored in any other file.

Sign up to vote on this title
UsefulNot useful