DBB
Kazaa Database File - 1st 9 Fields plus Kazaa Hash Decoded
Viewing the Kazaa DBB File in EnCase
Before going into the decoding of database record fields, it is useful to step back and look at the data in its native state (Kazaa) and then see the database itself as it appears within EnCase. The first record under examination in the decoding process on the previous page was "Gabriel, Peter - Revenge.mp3". Seeing it first in Kazaa, we note that its icon shows that it is shared, whereas the files on either side of it are not shared. Sharing must also be on globally within Kazaa for this icon to show a "share".
Note the difference in the icons for shared vs not shared
To view the Kazaa database files (data256.dbb, data1024.dbb, data2048.dbb etc) within EnCase, you need to set up your text styles so that they display in a clear view. Create a new text style for each of the 3 commonly encountered. Note that the max length will be 8 bytes longer than the size; in other words, data256.dbb will be 256 plus 8 or 264, data1024.dbb will be 1024 plus 8 or 1032, etc.
Note that using the custom text style for the data256.dbb forces each record on its own line for easy viewing
The record or file under examination "Gabriel, Peter - Revenge.mp3" is the sixth record of this dbb database file. While there are more fields, we are only decoding the first 9 fields in this examination to determine whether or not the file is shared within the Kazaa software.
Record # 6 under examination - First 9 data fields are highlighted
Record # 6 under examination - First 9 data fields are highlighted - Hex View Enabled
Each of the first nine fields in the database record is highlighted and described below:
Field #1 - DWORD - Record Signature Label
Field #2 - DWORD - Count of bytes effectively used for this record after this field. Can be NULL.
Field #3 - ANSI variable length - Local name of file - hex00 ends this field, separating it from the field that follows
Field #4 - ANSI variable length - Path to file - hex00 ends this field, separating it from the field that follows
Field #5 - DWORD - File Size in Bytes
Field #6 - DWORD - UNIX 32 Bit Date/Time Value - Datetime the file was last modified (time_t, seconds since the Epoch, 1970-01-01T00:00:00 UTC/GMT)
Field #7 - DWORD - UNIX 32 Bit Date/Time Value - Last datetime the file was available for sharing - Usually zero
Field #8 - DWORD - Purpose unclear
Field #9 - Share Flag - One Byte - Hex 01 (default) File is Shared - Hex 00 File is NOT Shared
Field #9 in HEX - Share Flag - One Byte - Hex 01 (default) File is Shared - Hex 00 File is NOT Shared - This file's share flag is HEX01 and is set to be shared, IF sharing is enabled globally!
To complete the examination process, one must determine if sharing is enabled or disabled globally within the Kazaa software. Examine the registry key: HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing
For the file "Gabriel, Peter - Revenge.mp3" we determined that its DBB record was set to share this file. If the registry key HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DisableSharing was set to HEX 00, this file would be shared by Kazaa if Kazaa were running and connected to the internet.
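The field layout and the registry check described above, as an added Python example that is not part of the original page or of EnCase. It assumes little-endian DWORDs and cp1252 for the ANSI fields; the function names are hypothetical, and the sample record (placeholder signature, path, size and date) is constructed for illustration.

```python
import struct
from datetime import datetime, timezone

STRIDE_256 = 264  # data256.dbb record stride: 256 + 8 bytes, as in the text style

def _cstr(buf, pos):
    """Read an ANSI string ended by hex 00; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", pos)  # raises ValueError if the terminator is missing
    return buf[pos:end].decode("cp1252", errors="replace"), end + 1

def parse_record(rec):
    """Decode fields 1-9 of one record (little-endian DWORDs are an assumption)."""
    if len(rec) < 8:
        raise ValueError("record shorter than fields 1 and 2")
    signature, used = struct.unpack_from("<II", rec, 0)   # fields 1 and 2
    name, pos = _cstr(rec, 8)                             # field 3
    path, pos = _cstr(rec, pos)                           # field 4
    if pos + 17 > len(rec):                               # fields 5-9 need 17 bytes
        raise ValueError("record truncated before field 9")
    size, mtime, last_shared, unknown, flag = struct.unpack_from("<IIIIB", rec, pos)
    return {
        "signature": signature, "bytes_used": used, "name": name, "path": path,
        "size": size,
        "modified_utc": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
        "last_shared": last_shared, "field8": unknown, "share_flag": flag,
    }

def parse_dbb(data, stride=STRIDE_256):
    """Split a DBB image into fixed-size records and decode each complete one."""
    return [parse_record(data[i:i + stride])
            for i in range(0, len(data) - stride + 1, stride)]

def effectively_shared(record, disable_sharing):
    """Field 9 must be hex 01 AND the DisableSharing registry value must be 0."""
    return record["share_flag"] == 0x01 and disable_sharing == 0

def build_sample(flag):
    """Constructed record: placeholder signature, made-up path, size and date."""
    body = (b"Gabriel, Peter - Revenge.mp3\x00" + b"C:\\My Shared Folder\x00"
            + struct.pack("<IIIIB", 4194304, 1000000000, 0, 0, flag))
    rec = struct.pack("<II", 0xAAAAAAAA, len(body)) + body
    return rec.ljust(STRIDE_256, b"\x00")

if __name__ == "__main__":
    image = build_sample(0x01) + build_sample(0x00)
    for r in parse_dbb(image):
        print(r["name"], r["modified_utc"], "flag=%02X" % r["share_flag"],
              "shared:", effectively_shared(r, disable_sharing=0))
```

For data1024.dbb or data2048.dbb, pass the matching stride (1032 or 2056) to `parse_dbb`.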
With this understanding of configuring EnCase to view the DBBs and how the fields are configured, along with their properties and descriptors, you can now return to the EnCase report layout and see how EnCase can be used to decode these values.
This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations. This field is rapidly evolving and changing as technology marches forward. It is, therefore, intended to be a growing and evolving resource. As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site. My email address is sbunting@udel.edu. Thank you.
This site created and maintained by: Steve Bunting
Email: sbunting@udel.edu