Kazaa DBB Database File - 9 Fields plus Kazaa Hash Decoded
Using EnCase to Decode DBB Record Field Values
Important Note: Before reading the contents of this page, it is useful to first digress and understand how to view the Kazaa database file within EnCase and to understand the structure of each of the DBB record fields. After doing so, return to this page and its contents will be much more understandable! Go here first!
Supplemental Information: What follows is not part of the EnCase analysis. Rather, it is illustrated supplemental information regarding sharing within the Kazaa software.

The above screenshot shows that file sharing has been disabled globally within Kazaa. When this occurs, the registry key HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing will have a hex value of 01. Normally (default, sharing permitted), this value will be hex 00. Note that the icons depict that file sharing is not occurring.

Even though file sharing has been turned off globally, the bit flag in the dbb file still shows the default value of 01, which means sharing is permitted for the file as long as file sharing is enabled globally, which is currently not the case.

Restoring global file sharing to its default condition, which enables file sharing, the icons change to indicate that file sharing is enabled; they now show arrows that depict sharing. When in this default condition (global file sharing permitted), the registry key HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing will have a hex value of 00.

Selecting a file (or group of files) and right clicking provides the user with the option to “Stop Sharing” or, alternatively, to “Start Sharing” if sharing had been stopped for a file or files. Upon stopping the sharing of a file or group of files, the icons of those files change as shown above. Concurrent with the icon change, the share bit flag in the dbb is set to hex 00, indicating that the file is no longer available for sharing.

Another example: To further exemplify this feature, two identical files were added to the Kazaa “My Shared Folder”. One was named 1.gif while the other was 2.gif. The default sharing was “stopped” for 2.gif.
Below are the hex value streams for the first nine fields in the dbb records for these two files (fields 1 through 9 read left to right; the final byte is field 9, the share bit flag):

1.gif (shared by default):
6C33336C AA000000 312E676966 00 433A5C4D792053686172656420466F6C646572 00 2D510100 C46B8A3F 00000000 0A210000 01
    312E676966 decodes to “1.gif”; 433A5C4D792053686172656420466F6C646572 decodes to “C:\My Shared Folder”; final byte 01 = share on.

2.gif (share turned off):
6C33336C AA000000 322E676966 00 433A5C4D792053686172656420466F6C646572 00 2D510100 C46B8A3F 00000000 0A210000 00
    322E676966 decodes to “2.gif”; final byte 00 = share off.

The only values that differ between the two records are the file name (1 or 2) and the share bit flag (on or off). Note: 2.gif is the same file used in example #2 above for a file whose sharing has been stopped.

Summary: Thus to determine if a file is being shared by the Kazaa user, one must first ascertain if sharing is enabled globally.

If HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing = hex 00, then sharing is globally permitted, and you must examine the dbb file record for the file in question. If the share bit flag for that file is the default value of hex 01, then that file is being shared. If the share bit flag value for that file is hex 00, then the user has intentionally turned off sharing for that file. For a file to be shared, HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing must equal hex 00 AND the file’s share bit flag value (dbb record field #9) must be set to the default value hex 01.

If HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing = hex 01, then sharing is globally turned off; no sharing of files within the Kazaa software is being permitted at that time, regardless of their bit flag setting in the dbb record.

Testing and validation conducted Monday, December 15, 2003 using EnCase 4.16a, WinHex V 11.15, and Kazaa K++ 2.4.3 running under Windows XP. To further validate these raw data values, several files were selected and had their file share byte flags changed from what they were (00's were changed to 01's and 01's were changed to 00's). The system was restarted to avoid "data resident in RAM" issues. Upon restart, those with changed share values were detected as changed within Kazaa. Furthermore, the DBB files were evaluated by Kazaalyser. All results were cross-checked and validated between Kazaalyser and Kazaa after having been altered in WinHex. Individual examiners are strongly encouraged to test and validate these settings and procedures in their own environment to assure they achieve similar results and to be able to testify first hand as to their findings. If anyone discovers significantly different findings from what is presented here, please advise me at once so we can determine why there is a difference and report the results of any discrepancies, errors, or omissions. Thanks . . . . Steve
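The following Python script is an added example, not code from the original page, from EnCase, or from any Kazaa tool. It takes the two hex streams shown above as constructed input, pulls out the pieces the page identifies (the 6C33336C "l33l" marker, the NUL-terminated file name and "C:\My Shared Folder" path, and the final share byte, field 9) and then applies the summary rule: a file is shared only when the DisableSharing registry value is 00 AND field 9 is 01. The 4 bytes after the marker and the 16 bytes before the share flag are carried along undecoded, since the page does not decode them; the assumption that a dbb blob can be split into records at each "l33l" marker is this example's, not the page's.

```python
"""Decode the share-state fields of Kazaa DBB records (added example, not the page's code).

The two records below are constructed from the hex streams reproduced on the
page for 1.gif and 2.gif. Only the marker, the NUL-terminated name and folder
strings, and the final share byte (field 9) are interpreted; the remaining
bytes are kept as-is because the page does not decode them.
"""
from dataclasses import dataclass
from typing import Iterator

# Every record on the page opens with the bytes 6C33336C ("l33l").
KAZAA_MAGIC = b"l33l"

# Values of HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing
DISABLE_SHARING_OFF = 0x00  # default: sharing permitted globally
DISABLE_SHARING_ON = 0x01   # sharing disabled globally

# Constructed test input: the two hex streams shown on the page.
RECORD_1GIF = bytes.fromhex(
    "6C33336C AA000000 312E676966 00 433A5C4D792053686172656420466F6C646572 00 "
    "2D510100 C46B8A3F 00000000 0A210000 01"
)
RECORD_2GIF = bytes.fromhex(
    "6C33336C AA000000 322E676966 00 433A5C4D792053686172656420466F6C646572 00 "
    "2D510100 C46B8A3F 00000000 0A210000 00"
)


@dataclass
class DbbRecord:
    field2_raw: bytes   # the 4 bytes after the marker (AA000000 on the page), left undecoded
    file_name: str      # NUL-terminated file name ("1.gif")
    folder: str         # NUL-terminated folder ("C:\My Shared Folder")
    undecoded: bytes    # bytes between the folder string and the share flag
    share_flag: int     # field 9: 0x01 = shared (default), 0x00 = sharing turned off


def _read_cstring(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return the NUL-terminated string starting at pos and the offset just past its NUL."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_record(raw: bytes) -> DbbRecord:
    """Parse one record laid out as on the page: marker, 4 bytes, name, folder, ..., share byte."""
    if raw[:4] != KAZAA_MAGIC:
        raise ValueError("record does not start with the l33l marker")
    name, pos = _read_cstring(raw, 8)
    folder, pos = _read_cstring(raw, pos)
    return DbbRecord(
        field2_raw=raw[4:8],
        file_name=name.decode("latin-1"),
        folder=folder.decode("latin-1"),
        undecoded=raw[pos:-1],
        share_flag=raw[-1],
    )


def iter_records(blob: bytes) -> Iterator[bytes]:
    """Split concatenated records at each l33l marker.

    Assumption (not stated on the page): every record begins with the marker and the
    marker bytes do not occur inside a record's own data.
    """
    starts = []
    pos = blob.find(KAZAA_MAGIC)
    while pos != -1:
        starts.append(pos)
        pos = blob.find(KAZAA_MAGIC, pos + len(KAZAA_MAGIC))
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(blob)
        yield blob[start:end]


def effective_sharing(disable_sharing: int, share_flag: int) -> str:
    """Apply the page's rule: shared only if DisableSharing == 00 AND field 9 == 01."""
    if disable_sharing == DISABLE_SHARING_ON:
        return "not shared: sharing disabled globally (DisableSharing = 01)"
    if share_flag == 0x01:
        return "shared"
    return "not shared: sharing turned off for this file (field 9 = 00)"


def report(blob: bytes, disable_sharing: int) -> list[tuple[str, int, str]]:
    """One (file name, share flag, effective state) tuple per record in the blob."""
    rows = []
    for raw in iter_records(blob):
        rec = parse_record(raw)
        rows.append((rec.file_name, rec.share_flag, effective_sharing(disable_sharing, rec.share_flag)))
    return rows


if __name__ == "__main__":
    # Show both global states against the same two records, as the page's examples do.
    for disable in (DISABLE_SHARING_OFF, DISABLE_SHARING_ON):
        print(f"DisableSharing = {disable:02X}")
        for name, flag, state in report(RECORD_1GIF + RECORD_2GIF, disable):
            print(f"  {name:<8} field9={flag:02X}  {state}")
```

Run against real evidence, the registry value would be read from the user's NTUSER.DAT hive and the blob from the dbb file exported out of EnCase; the example keeps both inline so the decision logic can be checked by hand against the table above.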
This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations. This field is rapidly evolving and changing as technology marches forward. It is, therefore, intended to be a growing and evolving resource. As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site. My email address is sbunting@udel.edu . Thank you.
This site created and maintained by: Steve Bunting
Email: sbunting@udel.edu