Cyber Security Technologies Corporation (CST) is the innovation leader in affordable software products for computer investigations. CST was formed by industry veterans who see the need for new investigative tools designed for the changing investigative environment. We are dedicated to delivering technically advanced but easy-to-use software products for corporations, government agencies, service providers and law enforcement, as well as related training and certification. CST is an affiliate of Architecture Technology Corporation, a technology company specializing in software-intensive solutions for complex problems in IT security and high-security network computing applications.
Are any help files or documentation available for P2P Marshal Forensic Edition? Yes. A copy of the P2P Marshal Documentation is installed along with P2P Marshal. There is a link to it in the P2P Marshal Start Menu group and you can find it in the P2P Marshal directory.
Does the installation of P2P Marshal Forensic Edition Version 2 overwrite Version 1? No. Each version stores itself in a directory named (by default) “P2P Marshal XXX” where XXX is the version number (e.g., 2.1.0).
Both versions may be accessed from the Start Menu. The desktop icon, however, WILL be the shortcut to the new version you install. (You can create a second shortcut to point to an older version.)
Can P2P Marshal Version 2 read data acquired with Version 1? No. You need to use Version 1 to read files acquired with Version 1.
Can P2P Marshal Version 2 target E01 files? Yes, but not directly. You need to mount the files from EnCase using the physical disk emulator (PDE). The PDE should point to the top directory of the image (i.e., \) and not the directory that contains data (e.g., \Documents and Settings\Suspect\Application Data\LimeWire).
Mount Image Pro can be used in a similar fashion to present a physical drive to P2P Marshal.
Can P2P Marshal Forensic Edition 2.1 target network shared drives? No. The Forensic Edition only supports locally or physically mounted disks.
I've mounted a disk image with EnCase / Mount Image Pro, but P2P Marshal isn't recognizing it, what's going on? EnCase and Mount Image Pro can mount a disk image either as a physical disk or as a network share. Make sure you are mounting the disk image as a physical disk (for example, using EnCase's Physical Disk Emulator) and not as a network share.
P2P Marshal doesn't seem to recognize eMule and I know it's installed on the target disk. Am I doing something wrong? No, it is not your fault. P2P Marshal does not currently support eMule.
Supported clients include LimeWire, FrostWire, BitTorrent 5 and 6, uTorrent, and Azureus Vuze. P2P Marshal has limited support for Kazaa.
If you frequently see a client we don't support, please tell us so that we can put it on our future features list. Send email to support at p2pmarshal dot com.
Does P2P Marshal parse LimeWire spam.dat files? If so, can I run the program on only that file? I have preserved the whole LimeWire folder, but do not have access to the whole image set at this time. P2P Marshal does not currently parse and display the contents of the spam.dat file. It appears that LimeWire does not differentiate between keywords that are user-specified search terms and those that are automatically added by the LimeWire spam filter.
I made multiple disk images and placed them on a hard drive and tried to run P2P Marshal on them, but it said no client installations found, yet I could see P2P client directories inside the images using forensic tools (FTK, EnCase, ProDiscover, iLook, etc.). Why doesn't it work? P2P Marshal does not operate directly on image files. You need to use a physical copy of the disk or mount the disk image file so that it appears as a drive on the system (that is, it has its own drive letter). You can do this with EnCase's PDE or with a variety of third-party tools.
So, for example, if you mount evidence.e01 so that it is available as the Z: drive in Windows, then you would run P2P Marshal, create a new acquisition, and specify the Z: drive as the target to analyze.
P2P Marshal says, "No users found for this P2P client," but I know there is evidence for that client on the disk. How can I fix this? You may not have permission to access the appropriate files on the disk or mounted disk image. Using Windows Explorer (not EnCase or FTK, which read the disk independently of Windows permissions), try to open files in the user's directory and in the user's Application Data / AppData directory. The account running P2P Marshal must be able to read the contents of these directories for P2P Marshal to function properly.
When I attached P2P Marshal Field Edition (the USB thumb drive) to the suspect's computer, a Windows device manager pop-up appeared saying that drivers were being installed. What is being installed? P2P Marshal Field Edition does not install any drivers on the target machine. Windows, however, may automatically install drivers to handle the USB thumb drive, as it would with any USB drive.
Also note: The data produced by P2P Marshal Field Edition should be stored on a separate evidence disk. If an investigator attaches a generic USB disk for data collection, then the changes to the target system will be similar to the following.
The following results are from a test using a blank P2P Marshal Field Edition thumb drive attached to a Windows Vista virtual machine test system:
The P2P Marshal Field Edition USB device uses the USB storage and generic disk storage drivers. On the Vista test system, it also uses the UMBus and WPD drivers, both of which are associated with portable disk devices. If these drivers are not currently active, they will be activated. If the drivers are not currently installed, they will be automatically installed. These drivers are all stock Windows drivers.
On the test system, both the usbstor and wpdfs drivers are automatically installed, creating USBSTOR.SYS and UMDF\WpdFs.dll drivers in C:\Windows\System32\drivers and PNF files in subdirectories of C:\Windows\System32\DriverStore\FileRepository. The files usbstor.PNF and wpdfs.PNF in C:\Windows\inf are modified. The installation also modifies files in C:\Windows\SoftwareDistribution\DataStore and C:\Windows\System32\wbem\Repository.
The process of installing drivers, activating drivers, and attaching new hardware writes to various Windows log files.
Each driver has a registry entry in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class containing information about the driver. The drivers also create or modify the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\WpdFs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\UMB\UMB\1&841921d&0&WpdBusEnumRoot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles
C:\Windows\system32\drivers\USBSTOR.SYS and C:\Windows\system32\DRIVERS\UMDF\WpdFs.dll are added to the list maintained in the registry key, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\umbus\Enum.
Information about the USB device itself appears in multiple locations in the registry, partly because it is represented or listed with multiple subsystems. Registry keys or values containing USB device information are created in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}\0000\DeviceData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\WpdBusEnumRoot\UMB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd\Enum
The following registry keys are modified to contain information about the USB device:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ecache\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\volsnap\Enum
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
In the active user's registry, Explorer and SyncMgr create information about the USB device in the following keys:
HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_USERS\[SID]_Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances
The following USB-related keys are created on our test system:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbflags\130701630100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbstor\05AC12xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbstor\05AC13xx
In addition, the following keys are created on our test system during this process:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host\Description\{8DD4CA8A-D5E2-49BE-BDA9-5E5A3B95442F}\UDNMappings\uuid:ea2e2afc-d1a2-4193-89cf-a9457aa5f489
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host\HTTP Server\VROOTS\/upnphost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\RebootWatch
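The before/after comparison behind the list above is straightforward to reproduce on a test machine before taking a collection device into the field. The following is an added example, not P2P Marshal's code or part of the original FAQ. It assumes the examiner exported the relevant hive with reg.exe before and after attaching the device (for example `reg export HKLM\SYSTEM before.reg /y`, then the same to after.reg), parses both .reg exports, and reports keys created, deleted or modified, flagging those under the USB-related locations the FAQ lists. The two exports embedded in the script are constructed sample data in .reg format with made-up device IDs and hex values, not captures from a real system.

```python
"""Diff two Windows .reg exports to see what attaching a USB device left behind.

Added example (not P2P Marshal code). Snapshots are assumed to come from
`reg export HKLM\\SYSTEM before.reg /y` and the same command after attaching
the device; the exports below are constructed sample data.
"""
import re

# Constructed sample exports: key paths mirror the FAQ's list, everything
# else (device IDs, hex data) is invented.
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"0"="IDE\\DiskVBOX_HARDDISK___________________1.0_____\\5&1234abcd&0&0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\\DosDevices\\C:"=hex:a1,b2,c3,d4,00,00,10,00,00,00,00,00
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum]
"Count"=dword:00000002
"NextInstance"=dword:00000002
"0"="IDE\\DiskVBOX_HARDDISK___________________1.0_____\\5&1234abcd&0&0.0.0"
"1"="USBSTOR\\Disk&Ven_Example&Prod_Flash&Rev_1.00\\0123456789&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\0123456789&0]
"FriendlyName"="Example Flash USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\\DosDevices\\C:"=hex:a1,b2,c3,d4,00,00,10,00,00,00,00,00
"\\DosDevices\\E:"=hex:5f,00,3f,00,3f,00,5f,00,55,00,53,00,42,00,53,00,54,00,\
  4f,00,52,00,23,00,44,00,69,00,73,00,6b,00
'''

# Locations the FAQ identifies as receiving USB device information.
USB_ARTIFACT_PATTERN = re.compile(
    r"\\(Enum\\USB(STOR)?|MountedDevices|Services\\(disk|USBSTOR|umbus|WUDFRd)\\Enum|"
    r"EMDMgmt|Windows Portable Devices|MountPoints2|usbflags|Control\\usbstor)\b", re.I)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value_string}}.

    Value names are unescaped (\\\\ -> \\); value data is kept as the raw
    text after '=' (dword:..., hex:..., or a quoted string) since the diff
    only needs to know whether it changed.
    """
    keys, current, pending = {}, None, None

    def store(line):
        if line.startswith("@="):                 # the key's default value
            name, value = "(Default)", line[2:]
        else:
            end = line.index('"=', 1)             # name is the quoted prefix
            name, value = line[1:end], line[end + 2:]
        keys[current][name.replace('\\\\', '\\').replace('\\"', '"')] = value

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):                   # hex data continues on next line
            pending = (pending or "") + line[:-1]
            continue
        if pending is not None:
            line, pending = pending + line, None
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            store(line)
    return keys


def diff_registry(before, after):
    """Return (created_keys, deleted_keys, {key: [changed value names]})."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = {}
    for key in sorted(set(before) & set(after)):
        changed = sorted(n for n in set(before[key]) | set(after[key])
                         if before[key].get(n) != after[key].get(n))
        if changed:
            modified[key] = changed
    return created, deleted, modified


def usb_related(paths):
    """Filter key paths down to the USB artifact locations the FAQ lists."""
    return [p for p in paths if USB_ARTIFACT_PATTERN.search(p)]


def footprint(before_text, after_text):
    created, deleted, modified = diff_registry(parse_reg_export(before_text),
                                               parse_reg_export(after_text))
    return {"created": created, "deleted": deleted, "modified": modified}


if __name__ == "__main__":
    result = footprint(BEFORE_REG, AFTER_REG)
    for kind in ("created", "deleted"):
        for key in result[kind]:
            flag = "USB" if usb_related([key]) else "   "
            print(f"{kind:8} {flag} {key}")
    for key, names in result["modified"].items():
        flag = "USB" if usb_related([key]) else "   "
        print(f"modified {flag} {key}: {', '.join(names)}")
```

The same diff run against an export of the user's NTUSER.DAT / UsrClass.dat hives shows the MountPoints2 and SyncMgr changes listed above; expect noise from unrelated services and Windows Update entries, which is why the report flags the USB-related locations separately rather than suppressing everything else.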
Does P2P Marshal handle deleted files? When P2P Marshal interprets the usage data (e.g., configuration and usage files such as LimeWire's library.dat or fileurns.cache files) from peer-to-peer client software, it reports any information about shared and downloaded files that it finds, regardless of whether the file is still present. If the file is not present, because it has been moved, renamed, or deleted, then the size and modification time fields in the Shared/Downloaded Files table will be blank, and you will not be able to open or acquire the file within P2P Marshal. The other fields, such as Download Status and Sharing Status, will be filled in, as this information is acquired from the client's usage data.
You can quickly search for deleted (and moved or renamed) files in P2P Marshal by sorting a Shared/Downloaded Files table by size or modification time. The deleted files will sort together with blank "size" and "modification date" fields.
Once you know the names of the deleted files, you can just search for them on the disk, either directly in Windows, or using a forensic product like EnCase or FTK. If a file isn't found, then it becomes more difficult. An option would be to use a file carving program such as Scalpel or Adroit Photo Forensics and then try to match the recovered file by hand.
Whether or not a particular deleted file could appear in P2P Marshal depends on why the file would be listed in P2P Marshal and on the behavior of the client itself. For example, in LimeWire, the limewire.props file lists "shared directories" (rather than listing individual shared files).
In general, all of the files in these directories are listed as "shared" in P2P Marshal. If a file used to be in a shared directory but was moved or deleted, LimeWire may no longer have any reference to this file. P2P Marshal has no evidence that the file used to reside in the shared directory, or even that the file was associated in any way with LimeWire, and so it will not be listed. In contrast, the LimeWire fileurns.cache lists individual shared and downloaded files. All files that appear in fileurns.cache will be listed in P2P Marshal, whether or not they are still present on disk at that location.
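Sorting on the blank size and modification-time fields tells you which listed files are missing; matching a carved or renamed file back to one of those entries is the harder step. The following is an added example, not P2P Marshal's code or part of the original FAQ, of doing that by content hash instead of by name. It assumes the examiner has a urn:sha1 value for each listed file (LimeWire identifies files by SHA-1 URNs, which is what the fileurns.cache file named above caches; the Gnutella convention is the Base32-encoded SHA-1 digest after the `urn:sha1:` prefix). The file names, contents and directory layout below are constructed so that the script runs offline in a temporary directory; in practice the search root would be the mounted evidence volume or the carver's output directory.

```python
"""Match files on disk (moved, renamed or carved) to LimeWire-style SHA-1 URNs.

Added example (not P2P Marshal code). Assumes the examiner has urn:sha1
values for the entries of interest; the sample entries and files below are
constructed and written to a temporary directory so the script runs offline.
"""
import base64
import hashlib
import os
import tempfile


def urn_of_bytes(data):
    """Gnutella/LimeWire file identifier: urn:sha1:<Base32 SHA-1>, 32 chars, no padding."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def sha1_urn(path):
    """Hash a file in chunks so large media files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "urn:sha1:" + base64.b32encode(h.digest()).decode("ascii")


def index_by_urn(root):
    """Walk root and map urn:sha1 -> [paths]; the name on disk is irrelevant."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            found.setdefault(sha1_urn(path), []).append(path)
    return found


def reconcile(entries, root):
    """entries: [(listed_name, urn)] taken from the client's usage data.

    Returns {listed_name: [matching paths]}; an empty list means the content
    was not found under root, so the file is still missing (or was modified,
    since any change to the bytes changes the SHA-1).
    """
    found = index_by_urn(root)
    return {name: found.get(urn, []) for name, urn in entries}


def demo():
    """Constructed scenario: one file still in place, one carved under a new name, one gone."""
    root = tempfile.mkdtemp(prefix="p2p_demo_")
    os.makedirs(os.path.join(root, "Shared"))
    os.makedirs(os.path.join(root, "carved"))
    still_there = b"constructed audio bytes still in the shared folder\n"
    renamed = b"constructed bytes of a file recovered by a carver\n"
    gone = b"constructed bytes of a file that was never recovered\n"
    with open(os.path.join(root, "Shared", "track01.mp3"), "wb") as f:
        f.write(still_there)
    with open(os.path.join(root, "carved", "00001234.bin"), "wb") as f:
        f.write(renamed)
    # What the examiner would have from the client data: listed name + SHA-1 URN.
    entries = [("track01.mp3", urn_of_bytes(still_there)),
               ("video.avi", urn_of_bytes(renamed)),
               ("doc.pdf", urn_of_bytes(gone))]
    return reconcile(entries, root)


if __name__ == "__main__":
    for listed, paths in demo().items():
        status = ", ".join(paths) if paths else "NOT FOUND"
        print(f"{listed}: {status}")
```

Because the match is on the full-file SHA-1, a partially carved file (truncated, or with slack appended) will not match; when the carver produces several candidates of the same type, hash each and compare, rather than trusting a file-size or name match.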
Can P2P Marshal Field Edition be used to examine a machine that was booted up using a boot disk? The short answer is, yes.
The Field Edition allows you to turn the Live mode on or off when you create a new acquisition. Live mode is appropriate for live machines where the disk you want to examine is hosting the currently-running operating system. If Live mode is off, Field Edition behaves like the Forensic Edition, but on a portable USB device. If you boot a computer using a forensic boot disk, you can use the non-Live mode of Field Edition to examine the system. Since P2P Marshal is a Windows-based software application, you need to be using a Windows boot disk.
What is the cost of P2P Marshal Forensic Edition and P2P Marshal Field Edition? P2P Marshal Forensic Edition is priced at $995. A 30-day free trial is available by sending us an email using your work e-mail address to sales at p2pmarshal dot com. Please include your company or agency name, your name, your address and your telephone number.
P2P Marshal Field Edition is priced at $2,495. A trial version of P2P Marshal Field Edition is not available. However, a full refund is available if the product is returned within 30 days of receipt.