Data stealing with emule

Why shared folders should be properly configured

Article published on 21 September 2010
last modification on 23 September 2010

by Jeremie Goldberg
In order to prove how insecure edonkey (emule) user's systems may be, I will show you how easy it is to enter these people's privacy without them knowing it and with no hacking abilities.

The basis of this method is that some people do not realize what happens when they share their entire disk with P2P and the fact that MS Windows XP and Vista stores every thumbnails of your system in system files.
These special files can be :
  • thumbs.db file in each folder under XP3
  • thumbcache_xxx.db, where xxx in 96, 256 or 1024 for the whole system on Windows Vista
  • thumb.dat
  • thumb.lib
That means someone who can access these special files with the adapted tool have a pretty good view of your personal life.
To extract images from db files I use the JPGR forensic tool that you can find here (I warn you, the link is in french!).
Now open your favorite P2P sofware (Edonkey in our example) and search for these files on the edonkey network. Than you can extract the pictures from those files using JPGR.exe.

Method to extract images from thumb files using JPGR on Windows:
1 - Open Windows command line (cmd)
2 - Go to the directory where the file is located
cd \PATH\TO\FOLDER
3 - Use JPGR to extract images
jpgr -a <DISK or ARCHIVE_FILE> [-s <NB_SECTOR>] -c <GRAB_PATTERN>

Examples (from http://volvox.wordpress.com/2007/11/24/logiciel-jpgr-recuperation-des-images-jpg ) :
Grab all images on the local C: disk (indexed this way : 1.jpg, 2.jpg, etc)
jpgr -a=\\.\C: -s=512 -c=%d.jpg
Note : With this method you grab all jpg images on the C: disk, even erased one, that makes JPRG a nice forensic tool.
Grab all images on C: and put them in G: disk
jpgr -a=\\.\C: -s=512 -c=G:\%d.jpg
Grab images inside a thumbs.db archive file
jpgr -a=thumbs.db -c=d:\images\%d.jpg

Method to extract images from thumbs files using JPGR on Linux:
JPGR works fine on GNU Linux using wine
Example :
wine jpgr.exe -a=thumbs.db -c=/home/user/%d.jpg
If you do that kind of thing on emule, the result is that you will see the entire life of people!
Warning : You might easily look at things people don't want you to see, and furthermore, thing YOU don't want to see, like child pornography. You cannot look into people life lightly... In the child pornography case, you may want to gather some piece of info about the computer and send everything to police. But It's hard to know if what you want to do is legal. It depends on the country where you and the other machine are located.

Another file name you can search for is « new document.txt ». You know, sometime, when you have something to write or to copy from somewhere, you just create a text file on your desktop and copy everything in it. You don't give any name to this file and it stays with the default one. It can be an MSN chat, the name of a song, your online bank credentials, or anything which can be very useful for anyone wanting to steal money or information from you...
Every type of file with default naming can be search for. For example pictures with the « DSCN » or « DSCF » in their names or any other default name given by any software. You can also search for extensions of any type with sensitive pieces of information.

In fact bad P2P settings allows everyone to proceed to some kind of “distant forensic”. When using this kind of soft you should remember to be careful when configuring your shared folder.
An interesting question (and I don't have the answer) is “Is it legal or is it data stealing?”. On one hand it should be considered legal because the user shared these folders, but on the other hand they didn't do it on purpose. The answer to this question might be very different from one country to another.