FrostWire Artifacts

FrostWire is a popular peer to peer (P2P) file sharing service. It is a fork of LimeWire (which was shut down after losing a legal battle with the music industry) and supports the Gnutella network. Newer versions added BitTorrent client. It is infamously known for the sharing and downloading of illegal and pirated content.

Our task was to find which term a specific user searched for, given access to their device. We began by installing  a fresh copy of Windows 10 build 15063 on a virtual machine (using VMware Workstation Pro v. 12.1.1). Next, we installed FrostWire v. 6.5.1, the latest version at the time. While using a VPN, we then conducted searches and downloads. Finally, we loaded the virtual machine’s hard drive into EnCase 8.04 and began the forensic examination.

After some time, we still could not find the correct expression to locate user entered search terms on the hard drive. Because of this, we decided to take an image of the virtual machine’s memory using FTKimager and loaded that into EnCase. Using EnCase’s built in RawSearch Tool, we searched for the same terms we searched for within FrostWire. Then we developed a Grep expression that would find hits that would match the pattern of a search term. We incorporated the result into an EnScript that would automatically run the Grep expression, parse the results and populate a table that would show the search term and the number of results FrostWire returned to the user.

During our examination, we noticed that terms we did not search for were also stored in the virtual machine’s memory. These other terms ranged from names of textbooks to TV shows. To validate the results and Grep expression, we repeated the previous steps with different media types and search terms.