FrostWire

P2Pv1

Author: Andrew Rathbun

description

FrostWire

paths

3 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: FrostWire
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # FrostWire Downloads
        $UserPath = "$($_.FullName)\Documents\FrostWire\Torrent Data"
        Collect-Artifact -SourceDir $UserPath -FolderName "FrostWire_Downloads_$UserName"
        # FrostWire AppData: frostwire.props (download and torrent directory settings)
        $UserPath = "$($_.FullName)\.frostwire5"
        Collect-Artifact -SourceDir $UserPath -FileMask "frostwire.props" -FolderName "FrostWire_AppData_$UserName"
        # FrostWire AppData: itunes.props (IMPORT_FILES, the files shared by the user)
        $UserPath = "$($_.FullName)\.frostwire5"
        Collect-Artifact -SourceDir $UserPath -FileMask "itunes.props" -FolderName "FrostWire_AppData_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

FrostWire is a Cloud Downloader, BitTorrent Client, and Media Player that's free to download and use.

Despite warnings during install to not perform copyright infringement, this program is used for exactly that, as well as sharing other contraband.

The above location is simply the default. The user can change this in the settings.

FrostWire.props contains the following important values: DEFAULT_TORRENT_DATA_DIR_SETTING=, TORRENTS_DIR_SETTING=, and DIRECTORIES_TO_INCLUDE_FOR_FILES=.

iTunes.props contains information about which files the user is sharing, in the following value: IMPORT_FILES=.

Please note: the AppData-related information isn't populated until the program is exited for the first time after it's installed by the user.
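
The notes above say the download directory is only a default and that the two .props files record what the user actually configured. As an added example (not part of the original page and not FrostWire's own code), this PowerShell reads those keys from the files the collection script copied to D:\Evidence and flags a download directory that differs from the default. The Java-properties escaping, the function name Get-FrostWireSetting and the sample values are assumptions.

```powershell
# Added example. Assumption: the .props files are Java-style "KEY=value" text in
# which ':' and '\' are backslash-escaped. Key names come from the notes above.
$Keys = 'DEFAULT_TORRENT_DATA_DIR_SETTING', 'TORRENTS_DIR_SETTING',
        'DIRECTORIES_TO_INCLUDE_FOR_FILES', 'IMPORT_FILES'

function Get-FrostWireSetting {   # hypothetical helper name
    param(
        [string[]]$Lines,
        [Parameter(Mandatory)][string]$UserName,
        [string]$ProfileRoot = 'C:\Users'
    )
    # Default download location, as collected by the script above
    $default = "$ProfileRoot\$UserName\Documents\FrostWire\Torrent Data"
    foreach ($line in $Lines) {
        if ($line -match '^\s*[#!]') { continue }   # comment line
        if ($line -match '^\s*([^=:\s]+)\s*[=:]\s*(.*)$' -and $Matches[1] -in $Keys) {
            # Undo single-character escapes ('\:' -> ':', '\\' -> '\'); \uXXXX is not decoded
            $value = [regex]::Replace($Matches[2], '\\(.)', '$1')
            [pscustomobject]@{
                User  = $UserName
                Key   = $Matches[1]
                Value = $value
                # True when the user moved the download directory away from the default
                NonDefaultDataDir = ($Matches[1] -eq 'DEFAULT_TORRENT_DATA_DIR_SETTING' -and
                                     $value -and $value.TrimEnd('\') -ne $default)
            }
        }
    }
}

# Constructed sample (not from a real system) so the parser can be tried offline
$sample = @'
#constructed frostwire.props sample
DEFAULT_TORRENT_DATA_DIR_SETTING=E\:\\Stuff\\Torrent Data
TORRENTS_DIR_SETTING=C\:\\Users\\alice\\Documents\\FrostWire\\Torrents
HYPOTHETICAL_OTHER_SETTING=true
'@ -split "`r?`n"
Get-FrostWireSetting -Lines $sample -UserName 'alice' | Format-Table -AutoSize

# Same parser over the collection output: D:\Evidence\FrostWire_AppData_<user>\*.props
Get-ChildItem 'D:\Evidence' -Directory -Filter 'FrostWire_AppData_*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.Name -replace '^FrostWire_AppData_', ''
        Get-ChildItem $_.FullName -Filter '*.props' -File | ForEach-Object {
            Get-FrostWireSetting -Lines @(Get-Content -LiteralPath $_.FullName) -UserName $user
        }
    }
```

Any row with NonDefaultDataDir set to True names a directory the collection script did not copy, so it needs to be collected separately.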
