
Digital Investigation 7 (2010) 90–94

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

Analysis of Internet for collection of digital forensic artefacts

Muhammad Yasin*, Ahmad R. Cheema, Firdous Kausar

National University of Sciences and Technology (NUST), Islamabad, Pakistan

Article history: Received 15 February 2010; Received in revised form 21 August 2010; Accepted 30 August 2010.

Keywords: Digital forensics; Download manager; Forensic artefacts; Internet Download Manager; Password cracking; Windows registry analysis; IDM

Abstract

Internet Download Manager (IDM) provides accelerated download speed and flexibility in features. Its attractiveness lies in its video content processing and automatic handling of downloads. This paper analyzes IDM activities recorded across multiple locations, including the Windows Registry, history and log files, from an artefact-collection viewpoint. The tools and techniques used for extracting evidence are also elaborated. In the case of download managers, the foremost concerns are installation location, download path, downloaded file, URL address, login credentials for password-protected websites, and the date and time the activity was performed. This enables digital forensic investigators to envisage and deduce suspicious activities.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

IDM is a widely used download manager that runs on Windows operating systems. It supports the HTTP, HTTPS, FTP and MMS protocols. The IDM file management system maintains multiple categories of downloaded files depending on their file type. IDM provides seamless integration with the most popular web browsers. Its unorthodox support for downloading videos embedded in web pages distinguishes it from other standard download managers. Along with all these characteristics, the IDM software does not provide checksum verification (Internet Download Manager, 2010).

This analysis follows on from the preceding research that examined the forensic artefacts left behind by Download Accelerator Plus (Yasin et al., 2009a) and Free Download Manager (Yasin et al., 2009b). The examination carried out in this paper accentuates the footprints of IDM. The research was performed on IDM versions 5.16 and 5.18 running on the Windows XP platform. The test cases were carried out on multiple machines to acquire better results. The forensic dissection characterizes the information about the user (installer of IDM), the history of downloaded files (complete or incomplete), login credentials (password-protected websites/servers and FTP/HTTP proxy servers), blocked websites/servers, URL addresses and search keyword history. Moreover, it provides precise detail of the password encryption/encoding technique used by IDM to secure the user's login credentials. The analysis covers Windows registry examination and history and log file analysis to gather the fertile evidence from the intended system.

This paper is organized into five sections. The first section introduces IDM and how this endeavor provides digital forensic investigators with considerable information. The second section performs the Windows registry examination. The third section gives details on history and log file analysis to present an encompassing representation of the download activities. The fourth section emphasizes the method used by IDM to encrypt passwords. The paper is concluded in the last section.

* Corresponding author. Tel.: +92 3005170839. E-mail address: [email protected] (M. Yasin).
1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2010.08.005

2. Windows registry examination

The Windows registry is a splendid repository for digital forensic investigators to examine, investigate and collect evidence from Windows operating systems (Carvey, 2005; Farmer, 2007; Vivienne et al., 2006). A key to accessing registry information is to understand the structure of the registry itself (Carvey, 2005). The information collected from the registry and the file system can be correlated to display a magnificent sketch of download activities. There are numerous freely obtainable tools for extracting information from the registry, such as RegEdit (the default Microsoft Windows Registry Editor), Registrar Lite (Resplendence, 2008) and Registry Viewer (Access Data, 2010). These tools have been used to analyze the Windows registry to trace the activities performed by IDM.

The Windows registry contains download activity entries, especially those related to IDM, under the HKEY_CURRENT_USER\Software\DownloadManager branch. Fig. 1 depicts the logical view of IDM in the Windows registry using RegEdit. The left pane contains the hierarchical tree structure of the sub-keys of Internet Download Manager and the right pane presents the key values of the category type 'Compressed'. This section highlights essential registry keys and delineates how these keys can be useful and beneficial for investigating download activities on a suspicious computer.

Fig. 1 – IDM Registry view.

The default registry key 'DownloadManager' contains crucial and evident information regarding the configuration and user settings. Investigators can acquire information about the execution path of IDM, its version, connection speed, path of the folder used for maintaining logs, history of download activities, last URL address used to download a file, download destination path and temporary folder information. Furthermore, it keeps the proxy settings for IDM.

2.1. Proxy settings

IDM holds proxy setting information under the 'DownloadManager' registry key, which contains the proxy address, port number, username and password for the FTP, HTTP and HTTPS proxies, as illustrated in Fig. 2. The UseFtpProxy, UseHttpProxy and UseHttpsProxy key values record whether or not the user takes advantage of the FTP, HTTP and HTTPS proxies, as portrayed in Fig. 3. IDM does not store the passwords of these proxies in clear text; rather, they are encrypted with IDM's own encryption technique. The IDM encryption technique is explained in Section 4.

Fig. 2 – HTTP and HTTPS proxy settings of IDM in Windows Registry.

Fig. 3 – FTP, HTTP and HTTPS proxies enable/disable Registry Keys.

2.2. History of downloaded files

IDM organizes downloaded files by their file types in several default and user-created categories. The default categories for downloaded files are Music, Compressed, Documents, Video and Programs. In Fig. 1, 'Hacking Tools' is the name of a user-created category. It carries conspicuous and imperative information about the user's interests and download activities for an investigator inspecting a dubious system. The Windows registry manages category settings within sub-keys under 'FoldersTree', as depicted in Fig. 1. Each category is comprised of the category name as the title of the sub-key, the supported extensions, a unique identity and the download directory path. Each downloaded file contains a key value 'categoryID' which represents the unique ID of its category. The unique ID can be used to relate each downloaded file to its category. Table 1 describes the corresponding IDs of the categories. It is worth mentioning that user-created category IDs start from 64 onward.

Table 1 – Category Title with their corresponding ID.

  Category Title    Category ID
  Programs          1
  Music             2
  Video             3
  Documents         5
  Compressed        7
  Hacking Tools     64

The Windows Registry keeps information about all downloaded files. It maintains each downloaded file as a sub-key of 'DownloadManager'. For example, 3, 4, 5 and 6 are the files downloaded by the user, as illustrated in Fig. 1. Each downloaded file is represented by a File ID, for instance '6'. The sequence of File IDs starts from three rather than one, so the value '6' represents the fourth file the user has downloaded. The File ID is incremented by one for each new file. The invaluable and essential key values of downloaded files are file name, file size, date of adding a URL address to IDM for downloading a file, URL address, login credentials, download directory path, Category ID and status of the file. By default IDM uses 'anonymous' as the username and 'IEUser' as the password for a user that does not provide login credentials.

2.3. Files requested to download

The 'maxID' entry contains the maximum File ID, which gives the total number of files requested for download using IDM, as shown in Fig. 4. The value name 'maxID' is shown in hexadecimal and numeric value formats. In this case the total number of files requested by the user is 34. This number is irrespective of whether the files were successfully downloaded or are still incomplete.

Fig. 4 – maxID.

2.4. Incomplete download files

The 'Queue' entry contains the File IDs of all incomplete downloads which were interrupted during downloading, as illustrated in Fig. 5. The value name 'Queue' contains the File IDs 3, 27, 33 and 34 that are still queued.

2.5. Password protected websites

The enumeration of all password-protected websites and servers is kept under the 'Passwords' key. Each sub-key is labeled with the website address that holds the login credentials, as depicted in Fig. 6. As illustrated in the figure, IDM does not store passwords in clear text, rather in encrypted form. The IDM encryption technique is explained in Section 4.

Fig. 6 – Password protected websites.

2.6. Site Grabber

The site grabber of IDM is used to download a complete website or the required files for offline browsing. IDM maintains these downloaded files separately from the normally downloaded files, under the 'GrabberSts\Projects' branch.

2.7. Uninstall location

Each registry key stores particular information under its sub-keys. For example, the sub-keys of the 'Uninstall' branch indirectly indicate all the installed programs. The 'Internet Download Manager' key under the 'Uninstall' branch contains the execution path, program name and uninstall path of IDM. This information is contained under the following path in the Windows registry: 'HKEY_LOCAL_MACHINE\\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager'.

3. Log files analysis

IDM maintains history and log files under the user profile, with 'C:\Documents and Settings\User Profile\Application Data\IDM\' as the default location. IDM keeps user activities in log files in chronological order. It keeps a record of the downloaded data of each user under the 'DwnlData\User Account name' folder and archives the history of grabbed websites under the 'Grabber' folder. IDM permits its users to change the path of the temporary directory of log files manually. The 'UrlHistory.txt' file comprises the URL addresses of the downloaded files. WinHex (X-Ways, 2009) is used to analyze and evaluate the log files.

3.1. Downloaded files

The log of each downloaded file is kept in a separate file named 'Filename_FileID.log'. The log files of IDM are sufficiently vivid, but passwords are concealed with 'xxx'. The forensic examiner can collect the download start time, the URL address used to download a file, the download directory path, the username and the proxy server address. IDM also holds the log of all events performed during downloading; these entries start with 'CO:'.

3.2. Site Grabber

The Site Grabber keeps track of all the projects in the 'project.dat' file and stores user settings in 'projectGrabberID.igp', such as project2.igp. The 'tempFolder' folder contains the paths of web pages currently being downloaded through grabbed websites. IDM removes the history of temporary files after the completion of a grabbed website. Even so, the footprints of the grabbed website are found extensively in the temporary directory.

3.3. Un-installation process

During the un-installation process, IDM offers 'Default' and 'Complete' preferences to opt for. After selection, a message prompts to restart the computer to complete the un-installation process. The default option only erases the executable files of IDM and detaches the integration of IDM with the web browser. Generally users use the default option to uninstall IDM. In the default case, IDM conserves the history of IDM in the Windows registry and log files. This assists the digital forensics investigator in gathering vital artefacts from the suspected system. In case the user selects the complete option, the uninstall process wipes out the history of completely downloaded files, pending files, configuration and user settings collectively from the Windows registry and log files.

The uninstall process does not scrub the footprints of those log files which are logged at a user-specified path. Searching for keywords such as 'DwnlData' and 'GrabberData' can lead to these log files. IDM retains all log files under a directory whose name matches the Login ID. Investigators can look for a Login ID such as 'Administrator' to acquire log files. Additionally, it keeps the log files of all other users at their default locations after un-installation by the Administrator. For instance, suppose the Administrator installs IDM, uses it to download files, and then uninstalls it completely. This merely clears the log files of the Administrator. In the intervening period of time, other users are also using IDM for downloading files on that system. Their log files are persistent and are maintained separately. They do not intermingle with the Administrator's logs.

4. Password encryption technique

IDM keeps encrypted passwords neither in log files nor in the protected storage area of the Windows registry. In log files, it holds 'xxx' instead of encrypted passwords. The Download Manager archives the encrypted passwords of the HTTP, HTTPS and FTP proxies essential for downloading files under the 'HKEY_CURRENT_USER\Software\DownloadManager' branch in the Windows Registry. It retains the login credentials of password-protected websites under the 'Passwords' sub-key of the 'DownloadManager' branch. Fig. 7 portrays the encrypted password of the HTTP proxy.

The encryption technique used by IDM is analyzed by selecting random password strings, only a few of which are listed in Table 2. These password strings are picked precisely to describe the encryption method. It is perceived that the last byte of the encrypted password is always '00'; the encrypted password has one extra byte of '00' compared with the original password. The first password string is 'AAAAaaaa', whose hexadecimal value '41 41 41 41 61 61 61 61' is obtained from Fig. 8. The generated encrypted password is 'NNNNnnnn', whose hexadecimal value is '4E 4E 4E 4E 6E 6E 6E 6E 00'. The analysis of the passwords substantiates that the encryption technique is awfully weak, as it simply substitutes 'N' for 'A' and 'n' for 'a'.
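As an added example (not the paper's or IDM's own code), the registry correlation Section 2 describes, run over a constructed .reg export of the DownloadManager branch: each numeric file sub-key is mapped to its FoldersTree category through categoryID, counted against maxID, and marked incomplete when its File ID appears in Queue. Value names other than categoryID, maxID and Queue, and the stored data types, are assumptions.

```python
# Added example (not the paper's or IDM's code): triage of a .reg export of the
# HKEY_CURRENT_USER\Software\DownloadManager branch as Section 2 describes it.
# Value names other than categoryID/maxID/Queue, and data types, are assumed.
ROOT = r"HKEY_CURRENT_USER\Software\DownloadManager"
# Constructed sample: maxID 0x22 = 34 requested files, two of them shown.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\DownloadManager]
"maxID"=dword:00000022
"Queue"="3 27 33 34"
[HKEY_CURRENT_USER\Software\DownloadManager\FoldersTree\Compressed]
"ID"=dword:00000007
[HKEY_CURRENT_USER\Software\DownloadManager\FoldersTree\Hacking Tools]
"ID"=dword:00000040
[HKEY_CURRENT_USER\Software\DownloadManager\3]
"categoryID"=dword:00000040
"FileName"="scanner.zip"
[HKEY_CURRENT_USER\Software\DownloadManager\4]
"categoryID"=dword:00000007
"FileName"="report.rar"
'''


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}} (REG_SZ/REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                keys[current][name.strip('"')] = int(raw[6:], 16)
            else:
                keys[current][name.strip('"')] = raw.strip('"')
    return keys


def triage(text):
    """Map each file sub-key to its category and mark it queued or complete."""
    keys = parse_reg(text)
    root = keys[ROOT]
    prefix = ROOT + "\\FoldersTree\\"
    # FoldersTree sub-key title -> unique ID; IDs from 64 upward are user-created.
    by_id = {v["ID"]: k[len(prefix):] for k, v in keys.items() if k.startswith(prefix)}
    queued = {int(x) for x in root["Queue"].split()}  # Queue as space-separated IDs (assumed)
    files = []
    for k, v in keys.items():
        tail = k.rsplit("\\", 1)[-1]
        if k.startswith(ROOT + "\\") and tail.isdigit():  # numeric sub-key = one download
            cid = v.get("categoryID", -1)
            files.append({"file_id": int(tail), "name": v.get("FileName"),
                          "category": by_id.get(cid, "unknown"), "user_created": cid >= 64,
                          "status": "queued" if int(tail) in queued else "complete"})
    return {"requested": root["maxID"], "queued_ids": sorted(queued),
            "files": sorted(files, key=lambda f: f["file_id"])}
```

Queued IDs without a matching sub-key (27, 33, 34 in the sample) are requests whose detail the export did not carry, so they are reported separately rather than dropped.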

Fig. 5 – Queue.

Fig. 7 – Hexadecimal and ASCII values of encrypted password for HTTP proxy.

Table 2 – Analysis results.

  Plaintext           Hexadecimal Value                              Encrypted Password   Hexadecimal Value
  AAAAaaaa            41 41 41 41 61 61 61 61                        NNNNnnnn             4E 4E 4E 4E 6E 6E 6E 6E 00
  NNNNnnnn            4E 4E 4E 4E 6E 6E 6E 6E                        AAAAaaaa             41 41 41 41 61 61 61 61 00
  0123456789:;<=>?    30 31 32 … 3D 3E 3F                            ?>=<;:9876543210     3F 3E 3D … 32 31 30 00
  C0MP13Xp@$$w0rd     43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64   L?B_>
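As an added example (not the paper's code), the substitution documented in Table 2 and the known-plaintext key recovery carried out in Eqs. (5) and (6), implemented in Python; the constants come from Table 2 and the stored values are what an examiner would read from the 'DownloadManager' branch.

```python
# Added example (not the paper's code): the byte-wise substitution Section 4
# derives for IDM-stored proxy and site passwords, plus the known-plaintext
# key recovery of Eqs. (5)-(6). Test values are taken from Table 2.
IDM_KEY = 0x0F  # Eq. (6): 00001111 / 0F / SI


def idm_encode(password: str) -> bytes:
    """Stored form: every byte XORed with the key, then one trailing 00 byte."""
    return bytes(b ^ IDM_KEY for b in password.encode("ascii")) + b"\x00"


def idm_decode(stored: bytes) -> str:
    """Recover the plaintext; XOR with the same key is its own inverse."""
    if not stored or stored[-1] != 0x00:
        raise ValueError("expected the trailing 00 byte the paper observes")
    return bytes(b ^ IDM_KEY for b in stored[:-1]).decode("ascii")


def recover_key(plaintext: bytes, stored: bytes) -> int:
    """Eq. (5): P xor E at each position. A single constant across all positions
    confirms a linear substitution with no permutation; otherwise the model fails."""
    body = stored[:-1]  # drop the terminator
    if len(body) != len(plaintext):
        raise ValueError("ciphertext must be plaintext length + 1")
    keys = {p ^ e for p, e in zip(plaintext, body)}
    if len(keys) != 1:
        raise ValueError(f"no single-byte key fits: {sorted(hex(k) for k in keys)}")
    return keys.pop()


if __name__ == "__main__":
    # Table 2, row 1: AAAAaaaa -> 4E 4E 4E 4E 6E 6E 6E 6E 00
    stored = bytes.fromhex("4E4E4E4E6E6E6E6E00")
    key = recover_key(b"AAAAaaaa", stored)
    print(f"key {key:#04x} = {chr(key)!r}")   # 0x0f, the SI control character
    print(idm_decode(stored))                # AAAAaaaa
    print(idm_encode("0123456789:;<=>?"))    # b'?>=<;:9876543210\x00'
```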

The former outcome 'NNNNnnnn' is selected as a new password string to inspect and verify the encryption technique. The encrypted result is the same as the previously chosen password string 'AAAAaaaa'. It is verified that IDM is only performing a linear substitution and lacks any permutation step. Another hexadecimal string '30 31 … 3E 3F' is taken as a new password. Its encrypted value '3F 3E … 31 30 00' is according to expectation. Finally, the real-world complex password 'C0MP13Xp@$$w0rd', whose hexadecimal string is '43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64', is chosen as the password string, which gives the encrypted string 'L?B_>

Eqs. (3) and (4) are obtained from Table 2

P = A / 41 / 01000001    (3)

E = N / 4E / 01001110    (4)

Put Eqs. (3) and (4) in Eq. (2)

01000001 ⊕ 01001110 = 00001111    (5)

K = 00001111 / 0F / SI    (6)

Therefore, from Eq. (6) it is observed that the key is 'SI', as shown in Fig. 8.

Fig. 8 – ASCII/Hexadecimal conversion table in WinHex.

5. Conclusion

Artefacts of download activities are grouped together in a hierarchy under a root tree. This layout can be seen both

References

Access Data. Registry Viewer. AccessData Corp, http://www.accessdata.com/products/rv/; 2010.
Carvey H. The Windows registry as a forensic resource. Digital Investigation 2005;2:201–5.
Farmer DJ. A forensic analysis of the Windows registry, http://eptuners.com/forensics/Index.htm; 2007.
Internet Download Manager. Internet Download Manager features. Internet Download Manager Corp, http://www.internetdownloadmanager.com/features.html; January 2010.
Resplendence. Registrar Lite. Resplendence Software Projects Sp, http://www.resplendence.com; 2008.
Vivienne Mee, Theodore Tryfonas, Iain Sutherland. The Windows registry as a forensic artefact: illustrating evidence collection for Internet usage. Digital Investigation 2006;3(3):166–73.
X-Ways. WinHex 15.4, X-Ways Software Technology AG, http://www.x-ways.net/winhex.zip; 2009.
Yasin M, Wahla MA, Kausar F. Analysis of Download Accelerator Plus (DAP) for forensic artefacts. In: Proceedings of the 5th International Conference on IT Security Incident Management and IT Forensics (IMF '09), Stuttgart, Germany. pp. 142–152. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5277879&isnumber=5277834; September 2009a.
Yasin M, Wahla MA, Kausar F. Analysis of for forensic artefacts. In: Proceedings of the Digital Forensics and Cyber Crime First International ICST Conference, ICDF2C 2009, Albany, NY, USA. pp. 59–68. Available at: http://www.springerlink.com/content/u740q85rv08k744q/; October 2009b.