Limewire is a peer-to-peer (P2P) application built around the Gnutella protocol. Gnutella is a communication protocol that lets a user join a network with no centralized server: every node in a P2P network can talk to every other node. This allows the community to determine content with no supervision, making it ideal for the trading of illegal material.
Limewire files of interest include library.dat, createtimes.cache, version.xml, fileurns.cache and limewire.props. Taken together, the contents of these files give the investigator a picture of the user’s library: what was downloaded, dates and times, SHA1 values, and what the user did and did not share.
The downloads.dat file can provide search terms, SHA1 values and the paths of currently or recently downloaded files (which can be found in the ‘incomplete’ folder). downloads.dat is a snapshot of Limewire’s outbound connections and is used by Limewire to re-establish a connection should it go down, whether because the user shuts down or because Limewire crashes. As a backup in case of crashes it is written and deleted many times.
A search of slack/unallocated space can recover the suspect’s search terms from previous downloads.dat files, with no contamination from external sources.
The last file of interest is spam.dat, the database behind the user’s spam filter. The spam filter rates results in an attempt to produce a better search result set. It caches keyword terms and IP addresses and rates them according to the user’s preferences; terms and IP addresses that result in many downloads get high ratings. Pulling out these ratings shows the investigator the trends behind the user’s searches and, more importantly, gives the investigator the IP addresses that files were downloaded from.
Where are the files
Limewire installs a number of files under the user’s Documents and Settings folder, separated into two directories. Under <User>\Application Data\Limewire\ go the settings files that determine what is shared, the user’s library and the user’s personal settings; under <User>\My Documents\Limewire go the user’s default library and the incomplete folder. In older versions Limewire by default downloaded to the shared directory <users>\documents and settings\shared. In 4.16 Limewire separates the default download destination from the shares: instead of moving downloaded files into the ‘shared’ directory, 4.16 moves them to the My Documents\Limewire\Saved directory and then automatically shares the files via the library.dat file.
When Limewire executes a download it downloads to a temporary file in the ‘Incomplete’ folder; once the download is complete the file is copied to its destination. While it is downloading, the temporary filename is the original name prefixed with ‘T-<size in bytes>’. Should the investigator find a file with the ‘Preview-T-<size in bytes>’ prefix, it is an indicator that the user previewed the file: to play it while Limewire is still downloading, Limewire creates a copy of the first complete segment and prefixes it with ‘Preview-T-<size in bytes>’ to avoid locking the temporary file.
The library.dat file is an important component of the user’s library, as it is where exceptions to the general directory sharing structure are recorded, either excluding or including files/directories.
In essence the new download model means the examiner has to be careful about interpreting entries in the library.dat file as explicit user shares, since Limewire now makes entries there for downloaded files whenever the file is going to a non-shared directory, which by default the My Documents\Limewire\Saved directory is. On the other hand, anything placed in the ‘Shared’ directory in a default install would have been explicitly placed there by the user. There are several variables the investigator needs to look for in the limewire.props file to determine the user’s configuration. For sharing downloads the default destination is specified by the variable:
DIRECTORY_FOR_SAVING_FILES
The user can specify where downloads go by file type, overriding DIRECTORY_FOR_SAVING_FILES. In this case the investigator might see the variables:
DIRECTORY_FOR_SAVING_video_FILES
DIRECTORY_FOR_SAVING_audio_FILES
DIRECTORY_FOR_SAVING_image_FILES
If the user has turned off the option to automatically share downloaded files the variable SHARE_DOWNLOADED_FILES_IN_NON_SHARED_DIRECTORIES will be set to false. If this variable is missing or set to true, Limewire will specifically share any downloads.
The user’s shared library is defined in a couple of ways. The user can add whole directories; these will be found under the DIRECTORIES_TO_SEARCH_FOR_FILES variable in the limewire.props file. Limewire also allows the user to share individual files; these shares will be found in the library.dat file under the SPECIAL_FILES_TO_SHARE category.
By default the user’s client is set up to share: Limewire has upload connections available. For the user to turn off upload connections they have to explicitly set the variable HARD_MAX_UPLOADS in the limewire.props file to 0. If the variable is missing or set to anything other than 0, sharing is enabled.
What do the files tell us
downloads.dat/.bak contain the information Limewire needs to re-establish the connections for incomplete downloads. The file is written periodically as Limewire downloads, and when it exits with any downloads pending, so that Limewire can resume downloading when it is restarted. Given that Limewire could be shut down at any point in a download, each connection may have the following information:
IP address of server;
Proxies;
Host node type (Limewire, Bearshare);
File SHA1 (base 32);
Destination file path;
Temporary Path;
Search terms.
fileurns.cache/.bak is the cache of locally shared files, identified by their SHA1.
Available information:
File SHA1 (base 32);
File last modified time;
File name.
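The SHA1 values in fileurns.cache, createtimes.cache and downloads.dat are base32 encoded (the urn:sha1: form Gnutella uses), while hash sets and most tools expect hex. As an added example, not code from the paper or from Limewire itself, the conversion in both directions:

```python
import base64
import hashlib

URN_PREFIX = "urn:sha1:"

def sha1_to_gnutella_urn(data: bytes) -> str:
    """Hash the bytes and return the urn:sha1: form Limewire stores.

    The 20-byte digest becomes exactly 32 base32 characters (A-Z and 2-7);
    20 bytes is a multiple of 5, so no '=' padding is ever produced.
    For a file on disk, pass open(path, 'rb').read()."""
    digest = hashlib.sha1(data).digest()
    return URN_PREFIX + base64.b32encode(digest).decode("ascii")

def gnutella_urn_to_hex(urn: str) -> str:
    """Convert a base32 SHA1 (with or without the urn:sha1: prefix) to the
    lowercase hex digest used by hash sets. Case is folded because carved
    or hand-copied values are not always upper case."""
    value = urn.strip()
    if value.lower().startswith(URN_PREFIX):
        value = value[len(URN_PREFIX):]
    value = value.upper()
    if len(value) != 32:
        raise ValueError("a Gnutella SHA1 URN is exactly 32 base32 characters")
    # 32 characters decode to 20 bytes with no padding needed.
    return base64.b32decode(value).hex()

if __name__ == "__main__":
    # The empty file: SHA1 da39a3ee... is the well-known reference value.
    urn = sha1_to_gnutella_urn(b"")
    print(urn, "->", gnutella_urn_to_hex(urn))
```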
createtimes.cache contains a listing of files along with their associated system-wide creation time, which is the time the file first hit the Limewire network.
Available information:
File SHA1;
File Limewire system-wide creation time.
If the times in this file match those in fileurns.cache, then this user is introducing the files to the network, which could be an indicator of content creation!
library.dat lists the directories and files that a user has specifically shared or excluded. When a file is downloaded it goes, by default, into the My Documents\Limewire\saved directory and is shared through library.dat. A point of interest is that when a file is specifically shared, an entry is made in both library.dat and fileurns.cache; but when a user adds a shared directory, the directory contents go into fileurns.cache with no entry in library.dat, because the whole directory is shared by placing the directory entry in limewire.props (the DIRECTORIES_TO_SEARCH_FOR_FILES variable).
limewire.props is the configuration properties file for the client install. It is a plain text file. Some of the interesting properties include:
HARD_MAX_UPLOADS – Number of connections allowed for uploads. If present and set to 0, uploads are turned off; otherwise uploads are turned on. If it is missing, Limewire by default sets the number of upload connections to 20.
CLIENT_ID – Unique identifier for this client.
DIRECTORIES_TO_SEARCH_FOR_FILES – List of directories that Limewire will search for files to share.
DIRECTORY_FOR_SAVING_FILES – The directory Limewire uses to place files that have completed downloading.
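The sharing rules spelled out above (HARD_MAX_UPLOADS, the SHARE_DOWNLOADED_FILES_IN_NON_SHARED_DIRECTORIES flag, the save and shared directories) are easy to misread by hand because missing keys mean "enabled". As an added example, not the paper's or Limewire's own code, a small reader that applies those defaults to a limewire.props file; the sample contents are constructed, and the ';' separator for DIRECTORIES_TO_SEARCH_FOR_FILES is an assumption:

```python
from typing import Dict

def _unescape(value: str) -> str:
    """Undo Java .properties backslash escapes (\\: \\= \\\\); enough for paths."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)

def parse_props(text: str) -> Dict[str, str]:
    """Read limewire.props (Java properties: key=value, '#'/'!' comment lines)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = _unescape(value.strip())
    return props

def sharing_summary(props: Dict[str, str]) -> dict:
    """Apply the defaults described above: uploads on unless HARD_MAX_UPLOADS is 0
    (missing means 20 slots); downloads auto-shared unless the SHARE_... flag is
    'false'; per-type DIRECTORY_FOR_SAVING_* entries override the generic one."""
    max_uploads = props.get("HARD_MAX_UPLOADS", "20").strip()
    share_flag = props.get("SHARE_DOWNLOADED_FILES_IN_NON_SHARED_DIRECTORIES", "true")
    # Assumption: DIRECTORIES_TO_SEARCH_FOR_FILES is a ';'-separated list.
    shared = props.get("DIRECTORIES_TO_SEARCH_FOR_FILES", "")
    return {
        "uploads_enabled": max_uploads != "0",
        "upload_slots": int(max_uploads) if max_uploads.isdigit() else None,
        "auto_share_downloads": share_flag.strip().lower() != "false",
        "save_dirs": {k: v for k, v in props.items() if k.startswith("DIRECTORY_FOR_SAVING_")},
        "shared_dirs": [d for d in shared.split(";") if d],
        "client_id": props.get("CLIENT_ID"),
    }

SAMPLE_PROPS = r"""
# constructed sample limewire.props, not a real capture
CLIENT_ID=0123456789ABCDEF0123456789ABCDEF
HARD_MAX_UPLOADS=0
DIRECTORY_FOR_SAVING_FILES=C\:\\Documents and Settings\\alice\\My Documents\\LimeWire\\Saved
DIRECTORY_FOR_SAVING_video_FILES=D\:\\Video
DIRECTORIES_TO_SEARCH_FOR_FILES=C\:\\Documents and Settings\\alice\\Shared;D\:\\Music;
SHARE_DOWNLOADED_FILES_IN_NON_SHARED_DIRECTORIES=false
"""
```

Run `sharing_summary(parse_props(SAMPLE_PROPS))` against the real file's contents; an empty dictionary reproduces the default install (20 upload slots, downloads auto-shared).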
version.xml is a plain text file containing a portion of an XML document with the installed version information.
spam.dat stores the current state of the Limewire spam filter. The spam filter rates keywords, search terms and IP addresses according to how the user perceives them, in an attempt to filter the user’s results so that they only get back what they search for.
Available information:
Keywords;
Spam rating;
Download sources;
IP and port.
Limewire does not distinguish between a keyword associated with a download and a search term, but the ratings will give the investigator the trends in the user’s activities. Terms that have been searched for or heavily downloaded receive high ratings. In addition, spam.dat contains the IP addresses of download sources, which enables the investigator to browse the individual addresses for the user’s content and see who is distributing any particular file.
Keywords and searches
During an investigation it can be very important to know the keywords the suspect searched for.
Example:
A search for the movie ‘casablanca’ was started by selecting the ‘video’ tab in the search window and typing the term ‘casablanca’ into the input box. During the test it was noted that all files being downloaded are first placed in the ‘incomplete’ folder, and as each download completes the file is moved to the ‘saved’ folder. Both folders are by default located in the user’s ‘\My Documents\Limewire\’ folder. The file ‘downloads.dat’ and its backup ‘downloads.bak’ maintain the records of files not completely downloaded, to allow Limewire to resume the download when it is restarted. This could be the result of either the user shutting down in the middle of a download or a system or Limewire crash.
After the search, the data within downloads.dat contained interesting details, starting with SearchInformationMapsq. Here the search term that was used to conduct the search for the movie ‘Casablanca’ was found.
A forensically noteworthy characteristic of this file is its continual movement, with new files being initially downloaded, completed, and moved to the ‘saved’ folder. The ‘downloads.dat’ file is constantly refreshed and old data in it deleted. This continual refreshing gives a greater chance of recovering the deleted files from unallocated space, slack space and pagefile.sys.
By analyzing the data in the downloads.dat file in the logical volume, a number of keyword terms were developed that were then used successfully to find evidentiary data. Searching the unallocated space, pagefile.sys and slack space of the drive recovered all the search terms that had been used to download files. Several fully intact downloads.dat files were recovered from unallocated space.
Because of the nature of data in unallocated space, and the possibility that deleted downloads.dat files might be partially overwritten by the operating system, a number of keywords were used that are directly related to the search term used by the Limewire user. The following terms were found to be successful in locating the search terms:
searchinformationmaps
title=
queryt
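The three markers above are meant to be run as keyword searches over unallocated space, slack and pagefile.sys, with the investigator then reading the bytes that follow each hit. As an added example, not code from the paper, a scanner that finds the markers case-insensitively in a raw buffer and pulls out the printable strings that follow them; the sample image is constructed, and the strings it returns are candidates for review, not confirmed search terms:

```python
import re
from typing import Dict, List, Tuple

# Markers the test above found productive when carving for downloads.dat remnants.
MARKERS = (b"searchinformationmaps", b"title=", b"queryt")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable ASCII bytes

def carve_search_hits(image: bytes, context: int = 64) -> List[Tuple[int, str, List[str]]]:
    """Scan a raw buffer (unallocated space, slack, pagefile.sys) for the markers
    and return (offset, marker, printable strings within `context` bytes after
    the marker), sorted by offset. Matching is case-insensitive because carved
    fragments are not always in the case the live file used."""
    hits = []
    lowered = image.lower()  # bytes.lower() folds ASCII only, which is what we want
    for marker in MARKERS:
        start = 0
        while (idx := lowered.find(marker, start)) >= 0:
            tail = image[idx + len(marker): idx + len(marker) + context]
            strings = [m.group().decode("ascii") for m in PRINTABLE.finditer(tail)]
            hits.append((idx, marker.decode("ascii"), strings))
            start = idx + 1
    return sorted(hits)

def candidate_terms(hits: List[Tuple[int, str, List[str]]]) -> Dict[str, int]:
    """Count how many hit windows each string appears in. As the text notes, a
    high count reflects how often downloads.dat was rewritten, not how often
    the user searched for the term."""
    counts: Dict[str, int] = {}
    for _, _, strings in hits:
        for s in set(strings):
            counts[s] = counts.get(s, 0) + 1
    return counts

# Constructed sample image, not a real capture: remnants of a serialized map
# with a term after title= and an upper-case copy to exercise case folding.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"SearchInformationMaps\x00\x00\x01"
    + b"title=\x00\x0acasablanca\x00\x00"
    + b"\xff" * 16
    + b"QUERYT\x00\x05casablanca 1942\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for offset, marker, strings in carve_search_hits(SAMPLE_IMAGE):
        print(f"0x{offset:08x} {marker:<22} {strings}")
    print(candidate_terms(carve_search_hits(SAMPLE_IMAGE)))
```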
Although the term ‘casablanca’ was used to conduct only one search during the test, numerous instances of the term were found in unallocated space in what appeared to be complete downloads.dat files. When reviewing data recovered during a forensic examination, it should not be inferred from recovered search terms that the term was searched for repeatedly. The frequency of the data is more likely a sign of the refreshing and deleting of the ‘downloads.dat’ file than of repeated searches. Search terms that did not eventually lead to a download were not found anywhere on the test system.
The search terms were also found in spam.dat, a file that is only created when a user completely shuts down Limewire. By default, Limewire is set to run whenever the computer is on. Although this file does contain searches and their results, at this time it cannot be used to reach a definitive conclusion about the specific search terms used by the Limewire user, because the terms are not clearly delineated in the data from the results of the search. Although no terms were selected to be filtered out and no search results were marked as junk during the test, spam.dat was created and updated each time the Limewire application was completely shut down. The researcher noted that the file does not refresh itself but is cumulative over all searches, as long as Limewire is completely shut down after each use.
Another significant fact revealed in the testing is that only those search terms that were used to download files were found; no terms that were merely used to search the network with no subsequent download were found!
Sources:
www.dfrws.org/2008/proceedings/p96-lewthwaite.pdf
Joseph Lewthwaite / Victoria Smith
Please demonstrate the information provided by the fileurn.cache. In analyzing this file I have not been able to get the date time. Can you demonstrate please. Thank you.
Posted by: Matt Petersen | July 01, 2010 at 10:42 PM
Very detailed and useful; however, the flat assertion that the presence of a "preview" file means that some portion of the file has been observed is not quite accurate, in that 1) launching a number of such files results in an overloaded screen where some files may never be seen and 2) sufficient data required to produce an image may not have been acquired?
Posted by: Joseph Sands | April 12, 2013 at 08:19 AM