Description

This script parses eMule preferences.dat, client.met, and client.met.bak files.

The main reason for parsing each preferences.dat file is to extract the 16-byte user-hash used to identify the associated user on the eMule network.

The hash is generated randomly, although the 6th and 15th bytes are then set to 0x0e and 0x6f respectively.

Each eMule client tracks the total number of bytes uploaded to, and downloaded from, remote clients.
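The marker bytes give an examiner a quick sanity check on any value claimed to be a user-hash. The following is an added example, not the EnScript itself or any OpenText code; the one-byte header before the hash (HASH_OFFSET) and the sample file contents are assumptions, constructed for illustration.

```python
"""Added example: pull the eMule user-hash out of preferences.dat bytes."""

HASH_LEN = 16
# Assumption (not stated on the page): one version byte precedes the hash.
HASH_OFFSET = 1
# From the page: the 6th and 15th bytes (1-based) are fixed after generation.
MARKERS = {5: 0x0E, 14: 0x6F}  # zero-based index -> expected value


def has_emule_markers(user_hash: bytes) -> bool:
    """True if a 16-byte value carries both fixed marker bytes."""
    return len(user_hash) == HASH_LEN and all(
        user_hash[i] == v for i, v in MARKERS.items()
    )


def extract_user_hash(prefs: bytes, offset: int = HASH_OFFSET) -> str:
    """Return the user-hash as upper-case hex, or raise ValueError."""
    if len(prefs) < offset + HASH_LEN:
        raise ValueError("file too short to hold a user-hash")
    user_hash = prefs[offset:offset + HASH_LEN]
    if not has_emule_markers(user_hash):
        raise ValueError("marker bytes missing: not a user-hash at this offset")
    return user_hash.hex().upper()


def build_sample_prefs() -> bytes:
    """Constructed sample data, not taken from a real eMule installation."""
    h = bytearray(range(0xA0, 0xB0))  # stand-in for the 16 random bytes
    h[5], h[14] = 0x0E, 0x6F          # markers applied as the page describes
    # Leading byte and trailing padding are placeholders for the rest of the file.
    return bytes([0x14]) + bytes(h) + b"\x00" * 44


if __name__ == "__main__":
    print(extract_user_hash(build_sample_prefs()))
```

A marker mismatch at the expected offset suggests a truncated or non-eMule file, so the function raises rather than returning an unverified value.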

This information is written to the client.met file and its backup, client.met.bak, as a sequence of entries.

Each entry will contain the user-hash of one client together with the total number of bytes uploaded/downloaded to/from that client and the time the client was last seen.

eMule's calculation of the total number of bytes uploaded/downloaded is non-trivial. It cannot, for example, be validated simply by summing the logical sizes of the files that have been transferred - data compression and other factors are taken into account.

Accordingly, if Client A uploads a file to Client B after any existing client.met file has been deleted, the uploaded value stored by Client A may well differ from the downloaded value stored by Client B. Furthermore, both values are likely to differ from the size of the file that was transferred.

Where possible, the script will include the associated user-hash of each client.met file in its bookmark.

For this to be successful, each client.met file and its associated preferences.dat file must be present in the same folder. Typically this will be the original eMule config folder, in which case there shouldn't be a problem.

However, if one adds multiple preferences.dat and client.met files to the root folder of the current case's Single Files object, this functionality will not work and the script may create incomplete/invalid bookmarks as a result.

Output is to the console, bookmarks, and a tab-delimited spreadsheet file. The latter will contain the entries parsed from client.met files.

Timestamps are produced in an unadjusted format. The raw hex value of each timestamp can be inspected using the bookmarks created by the script.

This script was developed for use in EnCase training. For more details, please click the following link:

Releases

Release: eMule User Hash and Clients.met Parser 1.0
Date: Jan 18, 2024
Product compatibility
Version 22.3 · 22.4
Version 23.2 · 23.3 · 23.4
Release notes

First release.

Languages
English
