FrostWire
P2Pv1
Author: Andrew Rathbun
description
FrostWire
paths
3 paths
FileDownloadFrostWire Downloads
C:\Users\%user%\Documents\FrostWire\Torrent DataLocates files downloaded that land in the default location as specified by FrostWire
FileDownloadFrostWire AppData
C:\Users\%user%\.frostwire5frostwire.propsLocates a file that contains important information about the instance of FrostWire on the user's system
FileDownloadFrostWire AppData
C:\Users\%user%\.frostwire5itunes.propsLocates a file that contains important information about the instance of FrostWire on the user's system
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: FrostWire
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. FrostWire Downloads
$UserPath = Join-Path $env:USERPROFILE "Documents\FrostWire\Torrent Data"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "FrostWire_Downloads"
# 2. FrostWire AppData
$UserPath = Join-Path $env:USERPROFILE ".frostwire5"
Collect-Artifact -SourcePath "$UserPath\frostwire.props" -FolderName "FrostWire_AppData"
# 3. FrostWire AppData
$UserPath = Join-Path $env:USERPROFILE ".frostwire5"
Collect-Artifact -SourcePath "$UserPath\itunes.props" -FolderName "FrostWire_AppData"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.