Why shared folders should be properly configured
by Jeremie Goldberg
This method relies on two things: some people do not realize what happens when they share their entire disk over P2P, and MS Windows XP and Vista store every thumbnail on the system in system files.
These special files are:
- thumbs.db, one file in each folder, under Windows XP
- thumbcache_xxx.db, where xxx is 96, 256 or 1024, covering the whole system on Windows Vista
To extract images from these db files I use the JPGR forensic tool, which you can find here (be warned, the page is in French!).
Now open your favorite P2P software (eDonkey in our example) and search for these files on the eDonkey network. Then you can extract the pictures from those files using JPGR.exe.
Method to extract images from thumb files using JPGR on Windows:
1 - Open Windows command line (cmd)
2 - Go to the directory where the file is located
3 - Use JPGR to extract images
jpgr -a <DISK or ARCHIVE_FILE> [-s <NB_SECTOR>] -c <GRAB_PATTERN>
Examples (from http://volvox.wordpress.com/2007/11/24/logiciel-jpgr-recuperation-des-images-jpg ):
Grab all images on the local C: disk (numbered this way: 1.jpg, 2.jpg, etc.), written to the current directory or to G:
jpgr -a=\\.\C: -s=512 -c=%d.jpg
jpgr -a=\\.\C: -s=512 -c=G:\%d.jpg
Grab images inside a thumbs.db archive file
jpgr -a=thumbs.db -c=d:\images\%d.jpg
Method to extract images from thumbs files using JPGR on Linux:
JPGR works fine on GNU/Linux under Wine:
wine jpgr.exe -a=thumbs.db -c=/home/user/%d.jpg
If you do this kind of thing on eMule, the result is that you get to see people's entire lives!
Another file name you can search for is « new document.txt ». You know, sometimes, when you have something to write down or to copy from somewhere, you just create a text file on your desktop and paste everything into it. You don't give this file a name and it keeps the default one. It can be an MSN chat, the name of a song, your online banking credentials, or anything else that is very useful to anyone wanting to steal money or information from you...
Every type of file with a default name can be searched for: for example, pictures with « DSCN » or « DSCF » in their names, or any other default name given by any software. You can also search for file extensions of any type that carry sensitive information.
In fact, bad P2P settings allow anyone to perform a kind of "remote forensics". When using this kind of software, remember to be careful when configuring your shared folders.
An interesting question (and I don't have the answer) is "Is it legal, or is it data theft?". On one hand it could be considered legal because the user shared these folders, but on the other hand they didn't do it on purpose. The answer to this question may differ greatly from one country to another.
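As an added example that is not part of the original post, the following Python script audits a folder before it is shared over P2P: it walks the tree and flags, by file name alone, exactly the files discussed above (thumbs.db, thumbcache_xxx.db, default-named "New Text Document" files and DSCN/DSCF camera photos) and warns if the share root is an entire disk. The sample tree it audits is constructed in a temp directory; accepting any thumbcache_*.db size rather than only 96/256/1024 is an assumption made here.

```python
"""Pre-share audit: flag, by name alone, the files the post above shows being
searched for on eDonkey, before a folder is exposed over P2P."""
import os
import re
import tempfile
from pathlib import Path

# thumbs.db and thumbcache_NNN.db are the caches named in the post; the
# default-name rules cover "New Text Document.txt" (with an optional " (2)")
# and the DSCN/DSCF camera prefixes. Accepting any thumbcache_*.db size
# (not only 96/256/1024) is an assumption added here.
RULES = [
    (re.compile(r"^thumbs\.db$"), "XP thumbnail cache: holds thumbnails of every image in the folder"),
    (re.compile(r"^thumbcache_\d+\.db$"), "Vista thumbnail cache: holds thumbnails from the whole system"),
    (re.compile(r"^new (text )?document( \(\d+\))?\.txt$"), "default-named text file: often pasted notes or credentials"),
    (re.compile(r"^dsc[nf]\d+\.jpe?g$"), "camera default name: unsorted personal photo"),
]

def audit_share_tree(root):
    """Return sorted [(relative_path, reason)] for every risky file under root."""
    root = Path(root).resolve()
    findings = []
    if root.parent == root:  # a drive/filesystem root: the "entire disk" case
        findings.append((".", "share root is an entire disk; share a dedicated folder instead"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for pattern, reason in RULES:
                if pattern.match(name.lower()):
                    rel = (Path(dirpath) / name).relative_to(root).as_posix()
                    findings.append((rel, reason))
                    break
    return sorted(findings)

def run_demo():
    """Build a constructed sample share tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel in ["Thumbs.db", "Pictures/thumbcache_256.db", "Pictures/DSCN0042.JPG",
                    "Desktop/New Text Document.txt", "Desktop/New Text Document (2).txt",
                    "Music/song.mp3", "Docs/report.pdf"]:  # last two are benign
            path = base / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        return audit_share_tree(base)

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run it against the real folder you intend to share (`audit_share_tree("D:/Shared")`) and move or delete anything it reports before enabling the share.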