
FORENSIC ANALYSIS OF ARES GALAXY PEER-TO-PEER NETWORK

Frank Kolenbrander
Politieacademie
7334 AC Apeldoorn, The Netherlands

Nhien-An Le-Khac, M-Tahar Kechadi
University College Dublin
Dublin 4, Ireland
{an.lekhac, tahar.kechadi}@ucd.ie

ABSTRACT
Child Abuse Material (CAM) is widely available on P2P networks. Over the last decade several tools have been built for 24/7 monitoring of peer-to-peer (P2P) networks to discover suspects who use these networks for downloading and distributing CAM. For some countries the number of cases generated by these tools is so large that Law Enforcement (LE) simply cannot handle them all. This leads not only to backlogs and the prioritizing of cases, but also to discussions about disrupting these networks and sending warning messages to potential CAM offenders. Recently, investigators have been reporting that they build more serious cases on Ares Galaxy (Ares) than on other open P2P networks. Little has been done on automatic prioritization of cases using the information obtainable from data available on P2P networks. Cases are mostly selected based on the highest number of CAM files, while studies indicate that the abusers are most likely not to be found within that top user list. What kind of information can we use to prioritize cases in another way? Is it possible to disturb the network by sending warning messages and sharing fake material? Although the past years have seen many successful CAM cases in several countries, little is still known about the Ares network. Although Ares is open source, the protocol is not documented and the program does not come with serious documentation or support. In this paper we first present a forensic analysis of the use of the Ares network in relation to the distribution of CAM. We then describe the forensic artefacts found on an Ares computer involved in CAM.

Keywords: P2P network forensics, Ares Galaxy network, Child Abuse Material, forensic artefacts, registry decryption

1. INTRODUCTION

Ares started as a P2P [1] Gnutella client in 2002, but after 6 months [2] the developers started their own new network. This Ares network uses a system in which a client (clientnode) in normal user mode can be promoted to a client that also acts as a server, called a supernode; the same methodology and name were used by FastTrack [3], a closed-source P2P network. A server (supernode) keeps records of the connected clientnodes and their shared files, and this information is used by the supernodes for handling searches of connected nodes. Systems like this are called decentralized networks [4] because the servers (supernodes) are not owned by a centralized company or person. This makes it harder to hold them responsible for the contents that are being shared on the network, unlike a centralized system like Napster, which was easily held responsible and forbidden [5].

Even though the Ares network does not keep statistics, it is reasonable to assume that the network consists of hundreds of Ares supernodes and a couple of million Ares clientnodes. A clientnode holds a list of available supernodes and connects to a
maximum of 5 of them. Each supernode can handle a maximum of 400 clientnodes.

Ares is used all over the world for the exchange of all kinds of files, including copyrighted material like music and movies. Ares can moreover be used for accessing existing chatrooms, and users can start their own public or even private chatrooms. These chatrooms look like traditional IRC channels.

In order to make it more difficult for users to be tracked by, for example, the music and movie industry, countermeasures are used in the Ares network. In fact, this network does not provide statistics about the number of users and the number of their shared files. Searching is automatically limited by the system through countermeasures in both normal user mode and supernode mode. On the computer used, users can easily wipe the history of previous searches, and information about shared files is stored in encrypted data files. Other information, such as the last time connected, first time used and time online, is encrypted before it is saved into the registry.

For a very long time Ares was not disturbed by fake files. Over the past few years this has changed, but the developers wrote detection modules and succeeded in limiting the effects. The software is probably not owned by a company but maintained by private developers, and is therefore more difficult for investigators to approach. All this makes Ares a network that is very suitable for people who want to exchange CAM. On the discussion page of the SourceForge community [6] a developer offered his assistance to block CAM on Ares, but it does not look like his offer was accepted. One of the forum members responded: "Ares uses a decentralized protocol for its searches and downloads and developers can't be held responsible for what users share on the network".

As mentioned above, Ares does not support statistics, which makes it difficult to estimate how many users are involved in CAM and how many CAM files are shared on this network. On top of this, there are a lot of clients on Ares that share fake files: files whose real content has nothing to do with what the filename, title and other meta-information would suggest. Some of them are just files with other content, shared with deliberately wrong filenames, titles and other meta-information, sometimes just as a joke or maybe by mistake, but also often likely to discourage the exchange of copyrighted or illegal material. There are also clients that deliberately respond to searches by reporting that the files are found and then generate fake files on the fly with the search phrase in part of the filename. A lot of these generated files are zip files containing .wmv (Windows Media) files. These .wmv files redirect the user to websites that spread malware. The author has also seen generated fake files containing advertisements, for example for ringtones.

In this paper we present a forensic analysis of the use of the Ares network worldwide in relation to the distribution of CAM. We moreover contribute a comprehensive description of the traces on a computer running Ares. The rest of this paper is structured as follows: Section 2 gives the background of this research, including related work in this domain. We present the analysis of the use of the Ares network in relation to CAM in Section 3. We describe and discuss the experimental results of analyzing the forensic artefacts on a computer running Ares in Section 4. We conclude and discuss future work in Section 5.

2. RELATED WORK

In the literature there are very few programs dealing with forensic artefacts on a computer running Ares. There is moreover almost no information on how to process these artefacts with other, alternative programs in order to justify the evidence.

On the other hand, several studies have been performed over the past decade on the relationship between CAM and active sex offenders, as well as on the distribution of CAM on P2P networks. However, there is still very little research on this subject when it comes to the Ares network. In [7], the authors describe that the proportion of Child Pornography Possession (CP) arrestees who were identified as child molesters in cases that started out as CP investigations dropped from 16% in 2006 to 10% in 2009, while there was a somewhat surprising increase in the proportion of arrested CP possessors who had images depicting young children and sexual violence. They suggest that this may be caused by some in law enforcement targeting those with more extreme images, in the belief that these offenders are also more likely to be molesters. Unfortunately they cannot speak confidently to the
issue of exactly how law enforcement should prioritize CP investigations if they want to catch active molesters. They say that this does not mean that those priorities are inappropriate for the goal of protecting children, since child pornography possession has its own corrosive dynamics, but that it should spur the search for additional data to evaluate the best police strategies for protecting children.

The authors of [8] concluded: "Noncontact offenders anchored on lower-SAP-level indecent images of children (IIOC), with no preference in terms of the age, gender, or sexual action. In contrast, dual offenders preferred higher SAP (Sentencing Advisory Panel) levels and also possessed IIOC within a smaller age range, which tended to match their sexual contact victim in terms of age and gender. Moreover, the more severe the contact child sexual offense committed, the higher the proportion of penetrative IIOC possessed."

In [9], the authors describe that systematically gathered and analyzed data on P2P can give an idea of the scope and characteristics of CAM on P2P networks, and that such measurement can be used to combat the problem. They also mention that investigative tools can be used to help law enforcement with prioritizing cases. In [10], the authors report that their results suggest a homology between Internet behaviors, indecent images of children (IIOC) possession and victim selection.

3. ANALYSING THE USE OF ARES NETWORK IN RELATION WITH CAM

In this section we first describe the worldwide use of the Ares network in relation to the distribution and downloading of CAM. This was done by gathering data with a search and monitoring tool based on the original program. This information is used for the statistics by country and language. In order to analyze the Ares network, we used two different Ares clients to gather information. For the most significant part of the examinations the latest original Ares Galaxy SourceForge client was used. It was used to gather information about traces on the computer and about traces and statistics on the Ares network. In addition, an alternative client, KCeasy [11], and the underlying giFT protocol [12] were used to gather traces and statistics on the Ares network. Although the giFT protocol itself is documented [13], giFT has no documentation about the underlying Ares protocol.

For traces on the computer, the gathered data and information were checked by reading the open source code and checking the results with a simple hex editor and calculator. We also used AresDecrypter [14], which is based on the information found in the open source code. AresDecrypter was validated and approved for use by the FBI's Computer Analysis Response Team. Furthermore, EnCase 7 and two special EnScripts (Ares Dat File Decryptor (V1.3.1).EnPack and Ares Registry Report (V1.1.0).enpack) [15] were used to compare the results. We also modified the original client and forced it to write information into logfiles. This was done for incoming and outgoing data on the network and for data read from and written to the operating system (registry and files). When data was being encrypted or decrypted, it was written both encrypted and unencrypted to these logfiles. This information was compared with network data captured with Wireshark [16] and with the information retrieved with the tools mentioned above.

3.1 Statistics by country

Statistical information was gathered by searching for CAM-related keywords and known CAM hashes. This was done worldwide with the Roundup Investigative Tool over a period of 4 months, from September 2014 until January 2015. Only results for files with hashes that were already identified were gathered. The number of entries in the database of known hashes was approximately 4.1 million. This resulted in 3,568,462 unique IP addresses worldwide. To exclude possible "accidental downloads", IP addresses with fewer than 3 results were dropped, which resulted in 1,553,222 unique IP addresses. The IP addresses were matched to a country with the free GeoIP table from Maxmind.com [17], and with information from several sources on the internet found with Google the countries were matched with their spoken languages. The percentage of the country population and the percentage of the IP population (the total number of Internet users for the country) were calculated with information from the CIA Factbook [18]. The CIA Factbook information for country population was from 2014 and the IP population was from 2009. With this measurement we have to take into account that countries with high numbers of dynamic IP addresses will score
relatively higher than countries with high numbers of static IP addresses (Figure 1 and Figure 2). We also have to take into account that the searches were only done in the English language and that the known hashes used were mainly collected in investigations situated in the United States.

Figure 1 Absolute number of IP addresses sharing at least 3 CAM files

Figure 2 Percentage of IP population sharing at least 3 CAM files
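
The following Python script is an added example, not part of the paper or of the Roundup Investigative Tool, showing the counting and normalisation steps of this section on a constructed monitoring log: distinct known-hash results are counted per IP address, addresses with fewer than 3 results are dropped as possible accidental downloads, the survivors are matched to a country with a prefix table, and the absolute count is expressed as a percentage of that country's Internet users. The log lines, the prefix-to-country table, the country codes XA/XB/XC and the IP-population figures are all constructed placeholders standing in for the Maxmind GeoIP table and the CIA Factbook data; treating a repeated hit on the same hash from one address as a single result is this example's choice, since the paper does not say how it counts results.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of monitoring observations: one line per (peer IP, known CAM hash)
# hit, as a monitoring tool would log them. The hash values are placeholders, not
# real hash values or indicators.
SAMPLE_HITS = """\
203.0.113.10 HASH_A
203.0.113.10 HASH_B
203.0.113.10 HASH_C
203.0.113.10 HASH_A
203.0.113.77 HASH_A
198.51.100.5 HASH_D
198.51.100.5 HASH_E
198.51.100.5 HASH_F
198.51.100.5 HASH_G
192.0.2.200 HASH_A
"""

# Constructed GeoIP-style prefix table and Internet-user counts, stand-ins for the
# Maxmind table and the CIA Factbook "IP population" the paper uses.
PREFIX_TO_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("192.0.2.0/24"): "XC",
}
IP_POPULATION = {"XA": 2_000, "XB": 500, "XC": 10_000}


def unique_hits_per_ip(log_text):
    """Count distinct known-hash results per IP address; the same hash seen twice
    from one address counts as one result (this example's assumption)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, digest = line.split()
        seen[ip].add(digest)
    return {ip: len(hashes) for ip, hashes in seen.items()}


def filter_accidental(hits_per_ip, minimum=3):
    """Drop addresses with fewer than `minimum` results, the paper's threshold
    for excluding accidental downloads."""
    return {ip: n for ip, n in hits_per_ip.items() if n >= minimum}


def country_of(ip_text):
    """Longest-match lookup is not needed for the disjoint sample table; a real
    GeoIP table would need it."""
    addr = ipaddress.ip_address(ip_text)
    for net, cc in PREFIX_TO_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def per_country_stats(log_text, minimum=3):
    """Return {country: (absolute count, percent of IP population)} for addresses
    sharing at least `minimum` known CAM files; countries without a population
    figure are left out of the normalised result."""
    survivors = filter_accidental(unique_hits_per_ip(log_text), minimum)
    counts = Counter(country_of(ip) for ip in survivors)
    return {
        cc: (n, round(100.0 * n / IP_POPULATION[cc], 3))
        for cc, n in counts.items()
        if cc in IP_POPULATION
    }


if __name__ == "__main__":
    for cc, (n, pct) in sorted(per_country_stats(SAMPLE_HITS).items()):
        print(f"{cc}: {n} address(es), {pct}% of Internet users")
```

With the sample log only two addresses survive the threshold (one with 3 distinct hashes, one with 4), which is why the absolute figures in Figure 1 and the normalised figures in Figure 2 can rank countries differently: a small country with few Internet users scores high per capita from a handful of addresses.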

Figure 3 Matched countries for IP addresses of Ares chatrooms

There was another measurement done on the available chatrooms. This was done on 3 different days by starting Ares, opening the Chatroom pane, counting the advertised languages of the available chatrooms and then matching the IP addresses of the chatrooms with the Maxmind GeoIP table. From these statistics we can see that there is definitely a close relationship between the popularity of Ares, the Spanish language and the region Latin America. It is obvious that the region Latin America is strongly represented in the absolute numbers of CAM, followed by the United States and Europe (Figure 3).

If we take a closer look and take into account the internet population of each country, then we can see that after the Spanish-speaking countries, the Arabic-speaking countries come in second place. It is likely that when internet density grows in these countries, they will face the same problems with CAM on P2P.

3.2 Identifying fake files

Ares is contaminated with fake files. Searching for CAM-related keywords will generate results that lead to files infected with malware. These files are normally provided by supernodes that probably generate these files on the fly, and therefore each search for a keyword will lead to these infected files. By generating a search request for something that really cannot exist, fake files and the related nodes can be identified and blocked. This was done by searching for a string consisting of randomly generated hex characters.

With this method it is possible to discard a large amount of possibly incorrect information. In our experiment, 10 uniquely identified fake files were downloaded and investigated. None of them had anything to do with CAM: eight of them were related to malware and two files were related to advertisements.

3.3 Gathering information as a supernode

Normally a clientnode can become a supernode automatically, but only if it meets minimum system requirements such as the speed of the processor and connection, the amount of memory, total uptime and a network connection that is not firewalled.

We changed the code and promoted our clientnode to supernode manually. The TCP and UDP port used were also forwarded on the NAT router to the IP address used by this supernode.

In our experiment, in the period from May 31 2015 to June 6 2015, during approximately 87 hours, we collected data on clientnodes that connected and logged in to the server. This monitoring was stopped when we had 5000 clientnodes that shared at least 1 file. If we have a closer look at these 5000 clientnodes, we notice that 24 of them share 3 or more files identified as CAM by the known hashes. That means 0.48 percent of the 5000 sharing users, or 0.06 percent of the 38764 total connected users.

In total 426 files were identified as CAM: 103 files were images, 258 were videos and 65 files were of other types. From this information it looks like the amount of CAM video files is much higher than the amount of CAM images. However, we only have a table of identified hash values for CAM and could not know how many of these hashes are related to videos or images. Therefore we also compared the filenames and meta-information (serialized string, etc.) with a list of the following keywords: 'babyshivid', 'hussyfan', 'kingpass', 'lsm',
'mylola', 'pedo', 'pthc', 'ptsc', 'sdpa'. This resulted in 39 images and 180 videos that are possibly CAM. This also confirms that the amount of shared CAM videos is much higher than the amount of images.

4. ANALYSING THE FORENSIC ARTEFACTS IN THE COMPUTER

There are four important locations where we can find the forensic artefacts related to the use of Ares: the registry, the %localappdata% folder, the Ares shared folder and the download folder. Some of the data that can be valuable for a forensic investigation is encrypted, but the encryption routines and the variables needed to decrypt this data are available in the open source code.

4.1 Use of the program, default settings and behavior

When the program is installed there are several default settings, and users can change these settings. Almost all of the settings are stored in the registry. To investigate a suspect it is necessary to know which settings are default and which settings were probably changed by the user. By default, when Windows starts, Ares will load automatically and connect to the Ares network. It also shows the current status on the Ares control panel. The user can also choose to show this status on the main window. If the user goes to the Control Panel pane, it also shows the user's nickname and how many files are shared. When the program starts, the window shown is also the search window. Although suspects often claim that they were not aware that they were sharing something, this is most unlikely. The shared files are shown on the Library pane, which is just one click away; the current and also the completed uploads are visible in the Transfer panel; and if a user opens his Control Panel there is not only a subpanel to change the shared library, but the number of currently shared files is also visible in the caption.

Personal GUID: When Ares is started for the first time it will call the API CoCreateGuid found in Microsoft's Windows file OLE32.dll. This results in a GUID (Globally Unique Identifier), a unique reference number used as an identifier in computer software. This GUID is saved into the value Personal.Guid under the Ares key in the registry. If this API is called again it will create a different GUID. Because the value of a GUID is 128 bits, it is a 'unique' value and it can be used to trace people who are using different IP addresses. If the GUID found on the network is the same as the GUID stored in the registry, it is strong evidence that this computer was used on the network at that time. However, unlike other networks such as Gnutella, Gnutella2 or eMule, Ares does not send the GUID over the network during searches, uploads or downloads. Therefore the GUID is not very useful for investigations.

Nickname: By default the nickname of the user is not set by the installation program, and Ares uses an automatically composed nickname like "anon_531dbe69". Such automatically composed nicknames consist of the prefix "anon_" followed by the public IP address of the computer in hexadecimal format. In this example 0x531dbe69 stands for the IP address 83.29.190.105. If the user does not choose a nickname, Ares will pop up 60 seconds after starting the program with the question "Would you like to choose your nickname now?" If a user uses that popup to change his nickname, the program switches to the "Control Panel Chat settings" pane and the value "anon_531dbe69", for example, is shown as his nickname and can easily be changed. It will moreover be saved to the registry. For this reason a user who is using different IP addresses and did not set his nickname will be seen with different automatically composed "anonymous" nicknames. However, we observed many users on the network with nicknames that look like the automatically composed nicknames described above while not changing their IP address, making it likely that there are other Ares clients, probably derived from the original source, which save the automatically composed nickname by default.

Port number: On the first start Ares automatically chooses a port number within the range from 5000 to 64999, and this port number is also saved into the registry. A user can change this port number manually with the Network settings pane. However, we observe that most users do not change this port number.

Shared folders: By default only files in the Ares 'My Shared Folder' are shared. This folder is placed on the desktop of the user by default. The setting is stored in the registry value Sys.Desktop with the value 'C:\Documents and Settings\<user>\Desktop
\My Shared Folder'. Files downloaded with Ares are placed in the download folder, which is by default the same as the 'My Shared Folder'. If a user changes the default location of the download folder, it is stored in the registry value Download.Folder. In that case the location in Download.Folder becomes the 'My Shared Folder'. The value Sys.Desktop is still in the registry with the old value, but that folder is not shared anymore unless the user shares it afterwards. The default shared folder cannot be unshared. Although users can untick the share option, this does not change the setting, and on a restart the old value (shared) is ticked again.

Searching: The default search option is 'all', which means 'Search for generic media'. With this option there are no further search options available. Besides 'Search for generic media', a user can choose between 'Audio', 'Video', 'Image', 'Document', 'Software' and 'Other'. Ares uses SHA-1 hashing to identify files, and this makes it possible to combine downloads of one single file from different users, also known as 'file swarming' or 'multisource downloading'. The hashes are not visible in the search window, but a user can make them visible by using the right mouse button option 'export HashLink'. We did several searches for well-known keywords related to CAM. From the information in the Results window it is very obvious what the contents of the results could be. Result information often contains gender, ages and explicit information about the sexual aspect.

Downloading and sharing: If a user attempts to download a file but the sources are no longer available or the relevant clientnodes are too busy, Ares will automatically search for other sources by using the SHA-1 hash value and add new sources to the download. For each started download a separate file is created in the download folder with the prefix '___ARESTRA___' (3 underscores, ARESTRA, 3 underscores) followed by the filename. This file is used to store the separate chunks of a download and becomes a complete file when all bytes of the file are downloaded. At the end of this 'arestra' file there is an appendix used to store the information about the available sources for this download. This appendix is removed on completion of the download. Downloaded files are shared after the download is completed, unless the file is marked as corrupt.

Preview, watch and listen: While downloading, the user can preview the downloaded part of multimedia files with a built-in player. In the case of a video file, Ares will create a folder under %localappdata%\ares\data\temp\. The name of that folder is a random number. A copy of the part that is already downloaded is then copied to that folder and played from there. After the preview it will be deleted when the user previews another file. With the built-in player it is also possible to play multimedia files stored on the system, and that includes the completed downloads. We could not find any traces in the case where Ares was running and the program was used to play completed downloads, or to play locally stored multimedia files by dragging and dropping these files on the Ares player window.

The player also supports Shoutcast, and it is also possible that movies watched with Shoutcast are placed in the data\temp folder.

4.2 Ares and the registry

Some derived Ares clients, like "Limewire Pro" and "Limewire Plus" (despite their names, these clients have nothing to do with LimeWire or Gnutella, but are instead real Ares clients), store the registry data in the same way, but under a different key and with additional values. A user can remove his complete search history or remove a single search with the Ares program. In that case the subkeys and string values will be deleted. Sometimes these deleted keys can be recovered with the program YARU (Yet Another Registry Utility) [19]. Unallocated clusters and restore points can be used to carve old ntuser.dat files. An uninstall procedure will remove the registry keys, while updating Ares will keep the old settings, and therefore updating will probably only have a minor effect, like adding new keys. Besides the keys that are added and changed by the Ares program, the operating system will also add and change keys in the registry during installation, use and uninstall of Ares. A search for "Ares" within the registry is a very effective way to discover Ares artefacts that are caused by the operating system. This paper, however, does not cover that aspect.

4.2.1. Overview of registry values

Let's examine the most important registry keys and values. For each entry there is a row with 4 columns followed by a row with an explanation. Sometimes the
valuable information is in the name of the key or in the name of the value (searches). The values are coded in hex or, for example, as a UnixTimeStamp, and most of the time in big endian. If needed, the decoding and endianness information is given in the row with the explanation.

4.2.2. Encryption methods used by Ares for the registry

A lot of the Ares encryption procedures are combinations of simple XOR and bit shifting operations. A separate XOR operation is used for each byte in a given string. This method is known as stream cipher encryption [25]. The initial key for the XOR operation is a hardcoded word value passed as an input parameter, and it is different for each procedure. Only the most significant byte of this word value is selected, with a shift right 8 operation, and that byte is used for the XOR operation.

During the encryption of a given string this XOR byte (the key) is recalculated by taking the currently processed byte and adding the value of the current XOR key, followed by a multiply and add operation with hardcoded values. The differences between the encryption procedures are the input parameters (string to encrypt and the key) and the hardcoded values of the multiply and add operation for changing the key.

All encryption procedures are written in the unit "helper_crypt.pas", which is part of the open source code. The programmers also use nested encryption functions like d67(d64(s,24884),7193). Here follows an example of the decryption of an important key with the name Stats.CFRTime. This key is filled with an encrypted UnixTimeStamp when Ares was started for the first time. For this experiment the value stored in the registry is 0x54 5F C0 B2 1C 92 41 CD C3 83. This value is decrypted with d67(d64(s,24884),7193). After decrypting, the first character of the decrypted value is removed because it was a random value added during encryption. The first 4 bytes that remain are a UnixTimeStamp stored in little endian. The following 5 bytes are used for an integrity check. Byte 5 must be 0x00, and bytes 7 and 8 are checked against the value of the first 4 bytes. For this check these 4 bytes are hashed with a function called "whaaa"; in the code this function is commented as "gnutella query routing word hashing". After this hashing a value of 12 is added, and the result has to be equal to the value stored in bytes 7 and 8. This integrity check is very important because the suspect can claim that the value in the registry could have been changed by a virus or whatever. Therefore we have to do the decryption and also check the integrity of the decryption result.

The whole procedure for the value stored in the key Stats.CFRTime is as follows. First we have to run the d64(s,24884) operation. To make it more readable, here is a short description of the decryption of the first byte and the calculation of the new XOR key. After this the procedure is repeated in the same way until the decryption is done. The word value used to start the first XOR operation is 24884, or 2 bytes with the values 11000010 00110100. The shift right 8 operation results in the first byte 11000010, which is used as the (key) XOR byte in the first XOR operation.

For the second byte the key has to be recalculated. The formula used is b := (byte(S[I]) + b) * 12559 + 14926; so we have to take the value of the current byte of the input string, add the value of the current key, then multiply by 12559 and then add 14926. The current byte in the input string is 0x54 = 84 and the current key is 24884. So the new key is (84 + 24884) * 12559 + 14926 = 313588038, or 00010010101100001111100101000110b. Because the variable is a word, only the 2 least significant bytes are used. Again followed by a shift right operation, this results in 11111001b for the new key. This procedure is repeated until all bytes are processed in the same way.

4.2.3. Hash checking: "gnutella query routing word hashing" (Ares procedure whaaa)

In this example the values of bytes 7 and 8 of the previously decrypted Stats.CFRTime are checked against the value of the first 4 remaining bytes. Remember that we already dropped the first random byte and we also checked the 5th byte to be a null byte. The value 0xD072 has to be hashed, and after this a value of 12 has to be added. The formula used is word(whaaa(copy(s,1,4))+12). The result has to be equal to the value of the first 4 bytes, which are still in little endian. The first step in the hashing is to lowercase the input; this only affects hex values in the range from 0x41 to 0x5a (ASCII A-Z). Step 2 is to convert the result into big endian, and then step 3 is to multiply the result by the hardcoded hex value 0x4F1BBCDC. Step 4: the result of this in a 32 bit
program like Ares is only the least significant bits. Step 5 is a shift left 32 followed by a shift right 48. Step 7 is adding a value of 12, and then step 8 is to convert it to little endian. The results of the manually decrypted and decoded data were compared with the EnCase Ares Registry Report (V1.1.0) EnPack and AresDecrypter 1.3, and there were no differences worth mentioning.

4.3 Ares and the folder %localappdata%

Within this folder there are several files that contain valuable data for a forensic examination. During installation Ares will create the files Snodes.dat, ShareH.dat, ShareL.dat and FailedSnodes.dat. After running, Ares will also create the file DHTnodes.dat, and depending on which parts of the Ares program and which settings are used, Ares also changes the files PHashIdx.dat, ChatroomIPs.dat, default.m3u, 'Shared Folders.txt', avatar.bmp, Avatar.jpg and MiniAvatar.jpg. Due to the limitation on the number of words of this paper we only present the forensic analysis of ShareH.dat.

4.3.1 ShareH.dat

The file ShareH.dat is a permanent file, created during installation with a header containing the ASCII string '__ARESDB1.02H_' (hexadecimal value 0x5F5F415245534442312E3032485F). This file contains valuable information about shared files, named "trusted metas" in the source. A record for a shared file is added if it contains Ares data like meta-information or parameters. Therefore, for each unique file that is downloaded with Ares, a record is added to this file. In that case Ares will also add a record in the file ShareL.dat. For files that are not downloaded with Ares but added to the Ares shared
this will also result in a record in ShareH.dat for that file with changed meta-information.

For investigators the contents of ShareH.dat are extremely valuable because the records are not removed from the file ShareH.dat if the shared file itself is deleted, while records in the file ShareL.dat will be deleted. Therefore ShareH.dat is also known as the ShareHistory, but be careful: it is only a history of files that contained Ares information as described before. Besides the fact that records are not deleted, they also contain a SHA-1 hash value of the shared file, making it possible to compare records with known hashes.

There is a Boolean value in each record indicating if the file is shared. If a file is shared, that does not mean that the file was downloaded. It just means that the file was shared and thus available for downloading.

Ares indicates if a file is corrupt with a Boolean value. The value False indicates that there is something wrong with the file. This could be caused by a fault during downloading. When a file is completely downloaded, the SHA-1 hash value is used to check whether the file is exactly the same as the source file. If the SHA-1 value differs, the file will be marked as corrupt. Another reason to mark a file as corrupt is when it is identified as 'teen content'. This is done by a check on category, title, path and artist against a small list of CAM-related keywords. Looking at the huge amount of CAM distributed on Ares, this filtering is not very effective. If a file is marked as corrupt, the value shared is also marked as false and the file won't be shared.

If a file is downloaded with Ares, a record contains a value 'filedate'. This is a UnixTimeStamp when
the download was completed. The file itself will
files in another way, e.g. copying it to the shared
have a creation datewhen the download was started.
folder with the operating system, there are no
records added to this file. However if a user changes
meta-information with Ares, for such an added file,

9
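The following is an added example, my code rather than the paper's or the Ares source: it applies the ShareH.dat header, the 23-byte fixed record part (20-byte sha1, shared flag, 2-byte little-endian length, maximum 1024) and the XOR key schedule (start 13871, multiply by 23219, add 36126, key reset per part) that section 4.3.2 describes, to a constructed sample file. It assumes the key is a 16-bit word whose high byte is XORed with each byte and whose update uses the ciphertext byte, which the paper does not state, so verify that against a real file before relying on it.

```python
# Added example, not code from the paper or the Ares source. Assumptions the
# paper leaves open: 16-bit Delphi word key (wraps mod 65536), XOR with the
# key's high byte, key update driven by the ciphertext byte. Sample data is constructed.
import hashlib
import struct

HEADER = b"__ARESDB1.02H_"   # 0x5F5F415245534442312E3032485F
KEY_START = 13871            # key restarts here for every encrypted run
MULT, ADD = 23219, 36126     # key_next = (key + byte) * 23219 + 36126
FIXED_LEN = 23               # sha1 (20) + shared flag (1) + length (2)
MAX_META_LEN = 1024          # paper: maximum value of the length field

def xor_stream(data: bytes, decrypt: bool) -> bytes:
    """XOR every byte with the rolling key. The schedule is driven by the
    ciphertext byte: the input when decrypting, the output when encrypting."""
    key, out = KEY_START, bytearray()
    for b in data:
        x = b ^ (key >> 8)                       # assumption: high key byte
        out.append(x)
        key = ((key + (b if decrypt else x)) * MULT + ADD) & 0xFFFF
    return bytes(out)

def parse_shareh(blob: bytes) -> list:
    """Walk records after the header; the key resets for each of the two parts."""
    if not blob.startswith(HEADER):
        raise ValueError("missing __ARESDB1.02H_ header")
    pos, records = len(HEADER), []
    while pos + FIXED_LEN <= len(blob):
        fixed = xor_stream(blob[pos:pos + FIXED_LEN], decrypt=True)
        meta_len = struct.unpack("<H", fixed[21:23])[0]   # little endian
        pos += FIXED_LEN
        if meta_len > MAX_META_LEN or pos + meta_len > len(blob):
            raise ValueError(f"bad record length {meta_len} at {pos}")
        meta = xor_stream(blob[pos:pos + meta_len], decrypt=True)
        pos += meta_len
        records.append({"sha1": fixed[:20].hex(), "shared": fixed[20] != 0,
                        "meta": meta})
    return records

def build_record(content: bytes, shared: bool, meta: bytes) -> bytes:
    """Inverse of one parse step; used only to construct sample data."""
    fixed = hashlib.sha1(content).digest() + bytes([int(shared)])
    fixed += struct.pack("<H", len(meta))
    return xor_stream(fixed, False) + xor_stream(meta, False)

# Constructed sample: one shared record with meta-information, one unshared.
SAMPLE_SHA1 = hashlib.sha1(b"constructed file A").hexdigest()
SAMPLE_DB = (HEADER + build_record(b"constructed file A", True, b"artist\x00title")
             + build_record(b"constructed file B", False, b""))
```

Running `parse_shareh` over a real ShareH.dat gives one dict per record with the sha1 hex, the shared flag and the still-raw meta bytes, which a hash-set comparison can consume directly.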
Figure 4 Changing meta-information with Ares

If a file was not downloaded with Ares but added to ShareL.dat in another way, e.g. by changing meta-information, this field 'filedate' is empty. The field 'filedate' in ShareH.dat cannot be changed by the user. There is a field with the name Date in the meta-information that can be changed by the user, but this field corresponds to the field Year in the ShareH.dat records, which is just a string value (Figure 4).

4.3.2 Decryption of ShareH.dat

The valuable data in the file, which is located after the header, is stored encrypted. This data can be decrypted with the same methodology as described in section 4.2.2. It is an XOR operation for each byte with an XOR key that is given a fixed value on startup and changes for each next XOR operation: the current XOR key is added to the current byte of the input string, multiplied with a fixed value of 23219, and then a fixed value of 36126 is added. After the header we have to read the first 23 bytes and decrypt them. After decryption the first 20 bytes are the sha1 hash value of the shared file. The next byte is a Boolean value and tells if the file was shared. The following 2 bytes contain the length of the rest of the record. This value is in Little Endian and the maximum value is 1024. Now that we know this length, we can read the rest of the record, which is still encrypted, and decrypt it with the same code. The XOR key starts again with the value 13871. This remaining part contains meta-information like artist, title and comment (Figure 5 and Figure 6). The procedure has to be repeated until all records are decrypted. The full layout of the record is available in the Pascal file helper_library_db.pas in the procedure 'get_trusted_metas', which is part of the open source.

Figure 5 View in hex and ASCII of ShareH.dat

Figure 6 Example of a decrypted record

5. CONCLUSION AND FUTURE WORK

In this paper, we aim to give an overview of how the Ares network functions. This is accompanied by an overview of the use of Ares in relation to the worldwide distribution of CAM, related to countries and spoken languages.

The evidence about the use of Ares to be found on a computer is documented. This includes a description of the important parts of the decoding and decryption methods. At the time of writing this paper, we are also working on the forensic analysis of the communication between client node and supernode over the Ares network protocol. For analyzing the huge amount of artefact data in the Ares P2P network, we are also looking at efficient data mining techniques such as [20][21][22][23].

REFERENCES

[1] Analysis and characterization of Peer-to-Peer Filesharing Networks. Retrieved on February 2015 from https://personales.upv.es/jlloret/pdf/icosmo2004.pdf
[2] New client – Ares Link. Retrieved on February 2015 from http://www.gnutellaforums.com/general-gnutella-gnutella-network-discussion/13828-fyinew-client-ares.html
[3] Nathaniel Leibowitz et al., Deconstructing the Kazaa Network. Retrieved on January 2016 from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.13.8970&rep=rep1&type=pdf
[4] Archie Kuo, Ethan Le, Spotlighting Decentralized P2P File Sharing. Retrieved on January 2016 from http://cs.sjsu.edu/faculty/stamp/CS158B/syllabus/papers/DecentralizedP2P.doc
[5] 239 F.3d 1004. Retrieved on February 2015 from https://law.resource.org/pub/us/case/reporter/F3/239/239.F3d.1004.00-16403.00-16401.html
[6] Ares Galaxy / Discussion / Open Discussion: To the developers of this project URGENT! Retrieved on February 2015 from http://sourceforge.net/p/aresgalaxy/discussion/384787/thread/1a7f4503/
[7] Janis Wolak, David Finkelhor & Kimberly J. Mitchell, "Trends in Arrests for Child Pornography Possession: The Third National Juvenile Online Victimization Study (NJOV-3)", published in bulletin 4-13-2012 by the University of New Hampshire, Crimes Against Children Research Center.
[8] Matthew L. Long, Laurence A. Alison and Michelle A. McManus, 'Child Pornography and Likelihood of Contact Abuse: A Comparison Between Contact Child Sexual Offenders and Noncontact Offenders'.
[9] Janis Wolak, Marc Liberatore and Brian Neil Levine, 'Measuring a year of child pornography trafficking by U.S. computers on a peer to peer network', Child Abuse & Neglect 38 (2014) 347–356.
[10] Michelle Ann McManus, Matthew L. Long, Laurence Alison & Louise Almond, 'Factors associated with contact child sexual abuse in a sample of indecent image offenders', Journal of Sexual Aggression: An international, interdisciplinary forum for research, theory and practice, DOI: 10.1080/13552600.2014.927009
[11] KCeasy. Retrieved on February 2015 from http://sourceforge.net/projects/kceasy/
[12] giFT: Internet File Transfer. Retrieved on February 2015 from http://gift.sourceforge.net/
[13] giFT's Interface Protocol. Retrieved on February 2015 from http://gift.sourceforge.net/docs/0.11.x/interface.html
[14] Ares Dat File Decryptor. Retrieved on January 2016 from https://www.carbonaria.nl/aresdecrypter.html
[15] Guidancesoftware.com/appcentral. Retrieved on February 2015 from https://www.guidancesoftware.com/appcentral/pages/searchresults.aspx?k=ares
[16] Wireshark · Go Deep. Retrieved on May 2015 from https://www.wireshark.org/
[17] GeoLite Legacy Downloadable Databases, Maxmind Developer Site. Retrieved on February 2015 from http://dev.maxmind.com/geoip/legacy/geolite/
[18] The World Factbook. Retrieved on February 2015 from https://www.cia.gov/library/publications/the-world-factbook/
[19] Yet Another Registry Utility. Retrieved on January 2016 from https://www.tzworks.net/prototype_page.php?proto_id=3
[20] N-A Le-Khac, L. Aouad and M-Tahar Kechadi, Distributed Knowledge Map for Mining Data on Grid Platforms, IJCSNS International Journal of Computer Science and Network Security, Vol. 7 No. 10, October 2007.
[21] N-A Le-Khac, L. Aouad and M-Tahar Kechadi, A New Approach for Distributed Density Based Clustering on Grid Platform, Data Management. Data, Data Everywhere, Volume 4587 of the series Lecture Notes in Computer Science, pp. 247-258.
[22] L. Aouad, N-A. Le-Khac and M-T. Kechadi, "Lightweight Clustering Technique for Distributed Data Mining Applications", Chapter in Advances in Data Mining. Theoretical Aspects and Applications, Volume 4597, Lecture Notes in Computer Science, pp. 120-134, 2007.
[23] L. Aouad, N-A. Le-Khac and M-T. Kechadi, Grid-Based Approaches for Distributed Data Mining Applications, Journal of Algorithms & Computational Technology, Vol. 3 (4), 2009, pp. 517-534.