Kazaa Search Term Encoding

jlloyd
Member
 

Kazaa Search Term Encoding

Posted: Jan 11, 06 20:18

Hi people,

Anyone know how Kazaa search terms are encoded (as located in the following hive)?
\NTUSER.DAT\NTRegistry\$$$PROTO.HIV\Software\Kazaa\Search\

I just want to verify the accuracy of Kazaalyser.

Thanks,

Justin.  
 
  

dc1743
Senior Member
 

Re: Kazaa Search Term Encoding

Posted: Jan 12, 06 14:04

Justin,

Without knowing exactly how the search terms are encoded there are (at least) three generally accepted ways of viewing the search terms in plain text.

1. Import Registry Hive into Kazalyser
2. View registry with Access Data Registry Viewer which decodes them for you
3. Substitute the registry keys into a new Kazaa install and use Kazaa.

My preferred method is using Access Data Registry Viewer (and using Kazalyser to check results).

Regards, Richard
 
  

jlloyd
Member
 

Re: Kazaa Search Term Encoding

Posted: Jan 12, 06 14:37

Hey Richard,


Thanks for that, good to see someone I know on here :)

A bit more background might be useful here.
I've had an unusual case come in where I have simply been asked to comment on a number of reports provided by other experts (both sides) but will not be conducting my own independent investigation and so will not have access to the EnCase images or original drives.
The reports provide a Kazaalyser breakdown including search terms and the Hex code contents of the relevant registry keys have also been provided. I want to confirm, and explain, that Kazaalyser has correctly transformed the registry keys.
Now, what I've done so far is to recreate the Kazaa setup on a virtual machine, enter the keywords provided in the report, and then document the contents of the registry keys. That, naturally, allows me to confirm that Kazaalyser has correctly transformed the keys - but it doesn't allow me to explain the transform process.
For the purposes of the case the confirmation work I've done so far is probably enough but I'd just like to be able to provide a full explanation as to the encoding algorithm.
In essence I'd just like to understand how Kazaalyser does what it does :)
I should probably just call Paul Sanderson but as it's a commercial product I hesitate to try to pick his brains.

Hope you're well,

Justin.  
 
  

Andy
Senior Member
 

Re: Kazaa Search Term Encoding

Posted: Jan 12, 06 15:13

Justin, (we met when you visited Richard recently). The Kazaa encoded search terms in the registry are some kind of cypher text (a type of Caesar cypher). I did a little research on it a while ago, but have misplaced my notes.

From what I can remember it uses the ASCII table with a mathematical algorithm taken from the character's positioning sequence, to offset to characters in the ASCII table. For example if you type a word 'apple' the first character in the word is the lower case letter a = 0x61; the software encodes this by +7 on the ASCII table, and changes it to the character 0x68 (h). I imagine someone with a Cryptography background will pick up on this and explain it better.

I use Paul's excellent KaZalyser, and it does the job nicely.

I hope this helps?

Andy  

Last edited by Andy on Jan 13, 06 00:48; edited 2 times in total
 
  

keydet89
Senior Member
 

Re: Kazaa Search Term Encoding

Posted: Jan 12, 06 16:57

Interesting discussion.

I'm very interested in this for obvious reasons, most particularly b/c it doesn't seem to be documented anywhere.

In my Registry Parser code, I've included code to handle the Rot-13 "encryption" that MS puts on a couple of keys. The regular expression I used could easily be redone to transform these values as well.

So...what is the complete path to the Kazaa search terms, and how are they listed within the Registry? Are they REG_SZ data types?

Harlan  
 
  

jlloyd
Member
 

Re: Kazaa Search Term Encoding

Posted: Jan 16, 06 19:09

Hey guys,

Andy, give me a call the next time you're in the Midlands, I'll take you out for that beer you missed in Devon.

Right, I've started making some progression notes relating to the byte values stored within the reg keys in order to try to pin down the encoding sequence and offset. At first glance it looks to be fairly simplistic up until the third character entry, but I've yet to sit down with a hex calculator to have a good look at the patterns. I'll let you know what I find unless I decide to ditch it and do something more productive instead :)

Justin.

All the keys are of type REG_SZ and are located within HKEY_CURRENT_USER\Software\Kazaa\Search

The progressions I have noted so far are:


a 66 00 00 00
b 65 00 00 00
c 64 00 00 00
d 63 00 00 00
e 62 00 00 00
f 61 00 00 00
g 60 00 00 00
h 6F 00 00 00
i 6E 00 00 00
j 6D 00 00 00
k 6C 00 00 00
l 6B 00 00 00
m 6A 00 00 00
n 69 00 00 00
o 68 00 00 00
p 77 00 00 00
q 76 00 00 00
r 75 00 00 00
s 74 00 00 00
t 73 00 00 00
u 72 00 00 00
v 71 00 00 00
w 70 00 00 00
x 7F 00 00 00
y 7E 00 00 00
z 7D 00 00 00

A 46 00 00 00
O 48 00 00 00
Z 5D 00 00 00

aa 66 00 06 00 00 00
ab 66 00 05 00 00 00
ac 66 00 04 00 00 00
af 66 00 01 00 00 00
ag 66 00 67 00 00 00
ah 66 00 0F 00 00 00
ai 66 00 0E 00 00 00
am 66 00 0A 00 00 00
an 66 00 09 00 00 00
ao 66 00 08 00 00 00
ap 66 00 17 00 00 00
av 66 00 11 00 00 00
aw 66 00 10 00 00 00
ax 66 00 1F 00 00 00
az 66 00 1D 00 00 00

aA 66 00 26 00 00 00
aZ 66 00 3D 00 00 00

aaa 66 00 06 00 7F 00 00 00
aab 66 00 06 00 7C 00 00 00
aac 66 00 06 00 7D 00 00 00
aad 66 00 06 00 7A 00 00 00
aae 66 00 06 00 7B 00 00 00
aaf 66 00 06 00 78 00 00 00
aag 66 00 06 00 79 00 00 00
aah 66 00 06 00 76 00 00 00
aai 66 00 06 00 77 00 00 00
aaj 66 00 06 00 74 00 00 00
aak 66 00 06 00 75 00 00 00
aal 66 00 06 00 72 00 00 00
aam 66 00 06 00 73 00 00 00
aan 66 00 06 00 70 00 00 00
aao 66 00 06 00 71 00 00 00
aap 66 00 06 00 6E 00 00 00
aaq 66 00 06 00 6F 00 00 00
aar 66 00 06 00 6C 00 00 00
aas 66 00 06 00 6D 00 00 00
aat 66 00 06 00 6A 00 00 00
aau 66 00 06 00 6B 00 00 00
aav 66 00 06 00 68 00 00 00
aaw 66 00 06 00 69 00 00 00
aax 66 00 06 00 66 00 00 00
aay 66 00 06 00 67 00 00 00
aaz 66 00 06 00 64 00 00 00  
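Added example, not from the thread or from any Kazaa or KaZalyser code: a Python script that works through the table above to extract the transform the samples exhibit, which is the kind of check Justin describes wanting for the report. Each stored REG_SZ value is read as UTF-16LE code units (one per character, then a 00 00 terminator); XORing the low byte of each unit with its plaintext character gives a constant per character position across every sample (0x07, 0x67 and 0x1E for the first three positions), with "ag" as the single outlier, where XOR would yield 0x00 and the byte is instead stored unchanged. The function names, the majority-vote derivation of the key bytes and the handling of that outlier are my own; the sample dictionary is transcribed from the table. Nothing in this data determines the key for a fourth or later character, so the decoder refuses such values rather than guess.

```python
"""Derive the per-position XOR key from the byte values posted in this thread."""
from __future__ import annotations

from collections import Counter

# Samples transcribed from the table in the post above: plaintext search term ->
# hex of the stored REG_SZ value (UTF-16LE, one code unit per character, then a
# 00 00 terminator). Only the low byte of each code unit is changed by the encoding.
SAMPLES = {
    "a": "66000000", "b": "65000000", "c": "64000000", "d": "63000000", "e": "62000000",
    "f": "61000000", "g": "60000000", "h": "6F000000", "i": "6E000000", "j": "6D000000",
    "k": "6C000000", "l": "6B000000", "m": "6A000000", "n": "69000000", "o": "68000000",
    "p": "77000000", "q": "76000000", "r": "75000000", "s": "74000000", "t": "73000000",
    "u": "72000000", "v": "71000000", "w": "70000000", "x": "7F000000", "y": "7E000000",
    "z": "7D000000", "A": "46000000", "O": "48000000", "Z": "5D000000",
    "aa": "660006000000", "ab": "660005000000", "ac": "660004000000", "af": "660001000000",
    "ag": "660067000000", "ah": "66000F000000", "ai": "66000E000000", "am": "66000A000000",
    "an": "660009000000", "ao": "660008000000", "ap": "660017000000", "av": "660011000000",
    "aw": "660010000000", "ax": "66001F000000", "az": "66001D000000", "aA": "660026000000",
    "aZ": "66003D000000",
    "aaa": "660006007F000000", "aab": "660006007C000000", "aac": "660006007D000000",
    "aad": "660006007A000000", "aae": "660006007B000000", "aaf": "6600060078000000",
    "aag": "6600060079000000", "aah": "6600060076000000", "aai": "6600060077000000",
    "aaj": "6600060074000000", "aak": "6600060075000000", "aal": "6600060072000000",
    "aam": "6600060073000000", "aan": "6600060070000000", "aao": "6600060071000000",
    "aap": "660006006E000000", "aaq": "660006006F000000", "aar": "660006006C000000",
    "aas": "660006006D000000", "aat": "660006006A000000", "aau": "660006006B000000",
    "aav": "6600060068000000", "aaw": "6600060069000000", "aax": "6600060066000000",
    "aay": "6600060067000000", "aaz": "6600060064000000",
}


def stored_units(hex_value: str) -> list[int]:
    """Split a REG_SZ hex dump into UTF-16LE code units, dropping the terminator."""
    raw = bytes.fromhex(hex_value)
    units = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]
    if units and units[-1] == 0:
        units.pop()
    return units


def derive_keys(samples: dict[str, str]) -> tuple[list[int], list[tuple[str, int]]]:
    """Return (key byte per character position, samples that disagree with it).

    For every position, plaintext XOR stored byte is tallied across all samples
    long enough to reach it; the most common value is taken as that position's key.
    """
    votes: dict[int, Counter] = {}
    for plain, hex_value in samples.items():
        units = stored_units(hex_value)
        assert len(units) == len(plain), f"length mismatch in sample {plain!r}"
        for pos, (p, s) in enumerate(zip(plain, units)):
            votes.setdefault(pos, Counter())[ord(p) ^ s] += 1
    keys = [votes[pos].most_common(1)[0][0] for pos in sorted(votes)]
    anomalies = [
        (plain, pos)
        for plain, hex_value in samples.items()
        for pos, (p, s) in enumerate(zip(plain, stored_units(hex_value)))
        if ord(p) ^ s != keys[pos]
    ]
    return keys, anomalies


def decode(hex_value: str, keys: list[int]) -> str:
    """Recover the search term from a stored value.

    A plaintext byte equal to its key would XOR to 0x00 and terminate the string
    early; the 'ag' sample shows the byte is then stored unchanged, so a stored
    byte equal to its key is taken as the plaintext itself (inferred from that one sample).
    """
    units = stored_units(hex_value)
    if len(units) > len(keys):
        raise ValueError(f"no key known beyond position {len(keys)}; samples only cover that many")
    return "".join(chr(u if u == k else u ^ k) for u, k in zip(units, keys))


def encode(term: str, keys: list[int]) -> str:
    """Inverse of decode(): hex of the REG_SZ value, terminator included."""
    if len(term) > len(keys):
        raise ValueError(f"no key known beyond position {len(keys)}; samples only cover that many")
    out = bytearray()
    for c, k in zip(term, keys):
        x = ord(c) ^ k
        out += (ord(c) if x == 0 else x).to_bytes(2, "little")  # keep byte when XOR gives NUL
    out += b"\x00\x00"
    return out.hex().upper()


if __name__ == "__main__":
    keys, anomalies = derive_keys(SAMPLES)
    print("key byte per position:", [f"0x{k:02X}" for k in keys])
    print("samples not matching the key:", anomalies)
    print("ag decodes to:", decode(SAMPLES["ag"], keys))
```

Run as-is it reports the three key bytes and the "ag" outlier, and the round trip of every sample through encode() and decode() is what ties the report's hex dumps back to the search terms. For a live case the same derivation can be re-run against the pairs observed in a controlled install, as Justin did on a virtual machine, so the explanation rests on observed data rather than on the tool's output.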
 
