Kazaa Shared Files Viewed in Browser

Using Local Loopback and Kazaa Port to View Kazaa Shared Files in Browser

 


 

 

Recently an examiner encountered a strange URL in an index.dat file that appeared to be related to a file shared by Kazaa and inquired as to its origin.  The URL found was http://127.0.0.1:1214/.download/1174153103/kiddieporn.mpeg (clicking this URL does nothing).  The defendant was running Kazaa and the file "kiddieporn.mpeg" was in his "My Shared Files" folder.  The question was what action on the part of the defendant caused this URL, and what the significance of this URL was to his case, if any.

 

Explanation:

A little-known feature of Kazaa is that you can, in your own browser, view and access the files that you are sharing via Kazaa (or other FastTrack clients such as Grokster, iMesh, K++).  To do so, you must first have enabled global sharing, which is not a big deal as global sharing is enabled by default.  Secondly, Kazaa must be running, again no big deal.

The third criterion is knowing on which port Kazaa is listening.  This separates the casual user from the more knowledgeable user, as netstat provides port and IP address information but doesn't provide the associated application or process bound to the port.  Other tools are necessary, or some guesswork coupled with some trial and error from the netstat response.  In either event, a program named "CommView" has an enhanced "NetStat" feature showing to which process / application a port / IP address is bound.  From the below screen shot, we can see that Kazaa is listening on port "1295".  In the example above, Kazaa would have been listening on port "1214", which was the common port for Kazaa until it was so often blocked that other ports became necessary for it to function.

 

 

With the above features enabled (Kazaa running with global sharing enabled), and the knowledge of the listening port, a user can construct a URL to place in their browser.  The URL will take the form http://(local loopback IP):(Kazaa port); thus the following URL would be used in this case:  http://127.0.0.1:1295 .  The IP address 127.0.0.1 is a reserved IP address that points back to the local host.  Using it here causes the browser to address your own computer, and in this case specifically the process / application using port 1295, which is Kazaa.

The Kazaa client software will serve up a list of files being shared on the host machine.  In the case of K++ V2.4.3 the information is served in the format of file name and file size in bytes.  Other versions may vary in how they serve this information.  The below screenshot is an "excerpt" of an example of how this appears to the user.  Note the URL in the address window and the resultant browser view window.

So far, the user has only displayed the files he/she is sharing via Kazaa.  That act alone is significant: it demonstrates above-average user knowledge and skills, and it shows they knew that they were sharing and knew the names of the files they were sharing.  The URL date information also shows on which date they did this act and that they were sharing out files on that date.

As the displayed files are hyper-linked, they can be accessed through the browser.  Thus clicking on any file on the list will cause the file to launch in the registered application for that file's extension.  The added result of such an action is a URL entry for each file accessed through this method.  Thus a URL similar to the above with a file name appended indicates the user launched the "shared file" through their browser and, having done so, can be reasonably presumed to have knowledge of the file's contents.

The below screen shot shows MSIE display of files being "shared" by Kazaa and shows that several have been "accessed" via "clicking" on them as their hyper-link color has changed.  An overlay of the resultant internet history is also shown in which there is a resultant URL for each of those files accessed.

 

Thus a URL of http://127.0.0.1:1295 indicates the user viewed the files they were sharing on the date/time indicated by the URL.  If the URL takes the form http://127.0.0.1:1295/2811/Jaws.wmv it indicates the user accessed this file (Jaws.wmv) through the browser and it was launched in its registered application.  

The data appearing between the local loopback IP:Kazaa port and the file name differs between FastTrack clients and perhaps versions.  In the example submitted by the examiner, the data was /.download/1174153103/ while in my test examples the data was different each time and appeared to be random numbers ( /7761/, /2811/, and /15572/ ).  They may be virtual port numbers used by Kazaa, but they appear as insignificant data, at least at this point.
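The two URL forms described above can be separated mechanically when reviewing exported history records. The following Python sketch is an added example, not part of the original article or any forensic tool: it assumes history entries carry the "Visited: user@URL" prefix and a Windows FILETIME timestamp, that the examiner supplies the client's listening port(s), and all sample records are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, unquote

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def classify(entry, ports=frozenset({1214})):
    """Return a finding dict for a loopback hit on a client port, else None."""
    # Assumed record form "Visited: user@http://..."; drop the prefix if present.
    url = entry.split("@", 1)[1] if entry.startswith("Visited:") and "@" in entry else entry
    parts = urlsplit(url.strip())
    try:
        port = parts.port
    except ValueError:  # malformed port in a damaged record
        return None
    if parts.scheme != "http" or parts.hostname not in LOOPBACK_HOSTS or port not in ports:
        return None
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if not segments:
        # Bare host:port means the user displayed the shared-file listing.
        return {"kind": "listing", "port": port, "token": None, "file": None}
    # Everything before the last segment is the client-specific middle data.
    return {"kind": "file_access", "port": port,
            "token": "/".join(segments[:-1]), "file": segments[-1]}

def triage(records, ports):
    """records: iterable of (filetime_ticks, url_string) taken from history."""
    out = []
    for ticks, entry in records:
        hit = classify(entry, ports)
        if hit:
            hit["when_utc"] = filetime_to_utc(ticks).isoformat()
            out.append(hit)
    return out

# Constructed sample records (timestamps, user name and the .mpeg name are made up).
SAMPLE = [
    (128120832000000000, "Visited: user@http://127.0.0.1:1295"),
    (128120832600000000, "Visited: user@http://127.0.0.1:1295/2811/Jaws.wmv"),
    (128120833200000000, "Visited: user@http://127.0.0.1:1214/.download/1174153103/sample%20clip.mpeg"),
    (128120833800000000, "Visited: user@http://127.0.0.1:8080/index.html"),
    (128120834400000000, "Visited: user@http://www.example.com/2811/Jaws.wmv"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, ports={1214, 1295}):
        print(finding)
```

Loopback hits on ports other than those supplied are ignored on purpose, since other local services also answer on 127.0.0.1; the port still has to be tied to the file-sharing client by other evidence.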

In summary, the finding of a URL entry such as described herein has the following implications for your case:

Demonstrates above-average user knowledge and skills

Demonstrates user was actively involved in managing the file sharing process and has gone out of his / her way to research how to display shared files in their browser as the information on this process is not readily found in the literature.  Expect to find web research on this topic in cache.

Demonstrates Kazaa file-sharing was enabled and active on a specific date (URL date)

Demonstrates the user had knowledge of list of files being shared by Kazaa

In the case where URL contains a file name, it demonstrates user launched shared file through browser and can be reasonably presumed to have knowledge of that file's content, again associated with a date/time of that event in the URL entry.

If anyone discovers significantly different findings from what is presented here, please advise me at once so we can determine why there is a difference and report the results of any discrepancies, errors, or omissions.  Our purpose here is to share accurate information.  Any expansion of this information, or correction if it is found in error, is greatly appreciated by everyone.

Thanks . . . .

Steve

 

 

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu .  Thank you.

This site created and maintained by: 
Steve Bunting
Email: sbunting@udel.edu