eMule and eDonkey Known.met File Parser
This script will parse all eDonkey and eMule known.met or known.met.bak files, or only those selected in the current view. Any file that does not have one of those two file names will be ignored. To prevent errors, deleted-overwritten files will be ignored regardless.
Known.met files produced by eDonkey and eMule have slightly different structures. Processing an eDonkey known.met file using the eMule structure (or vice versa) will produce incorrect data and may cause the script to crash. The user can either specify which structure to use, or have the script look for "eDonkey" or "eMule" in each file's path to determine the most likely type and process it accordingly.
With the exception of the MD4-based hash value and the last-written date of each file entry, file data is stored in metatags, which will either have a name or special ID.
The script will interpret special IDs according to the labels defined in the eMule source code. Note that while some labels are self-explanatory, others are not; they may need further research in order to understand their importance and relevance.
Metatags can hold values of several different types. The most common are 32-bit integers and strings, but there are others such as 32/64-bit floating-point values, 8/16/64-bit integers, binary (BLOB) data and Boolean values. The script supports most but not all value types. If an unsupported value type is encountered, an error message will be generated and the script will halt. In such cases, additional assistance may be sought from the script's author (shown below).
For each file record read, the script will produce a link of the form:
ed2k://|file|Madonna - Hung Up.mp3|7926135|8A092B434AE3B95B43B21AEA0DD55933|/
A properly installed instance of eMule will accept these links either by pasting them into the program itself, or from the Windows Run dialog box. It will then attempt to locate and re-download the associated file from the network.
The results are written to the console; they can also be bookmarked and written to a nominated XML file. The script also provides the option to search the current case for files matching the records that have been parsed. This may be a time-consuming process.
The script uses bookmark-decode bookmarks to highlight each record in an eMule/eDonkey known.met file. Whilst this allows the examiner to identify the binary data associated with each record, the format for bookmark-decode bookmarks will need to be adjusted in the current case's report template so that it shows the comment field, which contains the interpreted record data.
Timestamps are shown unadjusted (UTC), together with the underlying unsigned integer value in hex, to aid verification.
It's important to note that eMule may overcompensate for daylight savings time (DST) when recording timestamps in the known.met file. This typically results in the unadjusted (UTC) value of a DST timestamp being skewed by the DST offset of the timezone that was active when the timestamp was written.
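The metatag encoding, the ed2k link construction and the timestamp output described above, as an added Python example that is not part of the script or of eMule. It handles the eMule structure only; the record and tag layout (header byte, compact type|0x80 form with a one-byte special ID, TAGTYPE_STRING/STR1..STR16, the fixed-width integer, float and Boolean types) is taken from eMule's CTag and CKnownFile serialisation as recalled from the source, and the FT_FILENAME/FT_FILESIZE IDs are the only special IDs reproduced here. The SAMPLE buffer is constructed for the example, not a real known.met.

```python
import struct
from datetime import datetime, timezone

FT_FILENAME, FT_FILESIZE = 0x01, 0x02   # special tag IDs from eMule's source; the rest are omitted here
_FIXED = {3: '<I', 4: '<f', 5: '<?', 8: '<H', 9: '<B', 11: '<Q'}  # u32, f32, bool, u16, u8, u64

def _u(fmt, buf, pos):                   # unpack one little-endian field -> (value, new_pos)
    return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)

def _read_tag(buf, pos):                 # one metatag -> (name or special ID, value, new_pos)
    ttype, pos = _u('<B', buf, pos)
    if ttype & 0x80:                     # compact form: type | 0x80, then a 1-byte special ID
        name, pos = _u('<B', buf, pos)
        ttype &= 0x7F
    else:                                # uint16 name length + name; a 1-byte name is a special ID
        nlen, pos = _u('<H', buf, pos)
        name = buf[pos] if nlen == 1 else buf[pos:pos + nlen].decode('utf-8', 'replace')
        pos += nlen
    if ttype == 2 or 0x11 <= ttype <= 0x20:   # string: uint16 length prefix, or length folded into type
        slen, pos = _u('<H', buf, pos) if ttype == 2 else (ttype - 0x10, pos)
        val, pos = buf[pos:pos + slen].decode('utf-8', 'replace'), pos + slen
    elif ttype in _FIXED:
        val, pos = _u(_FIXED[ttype], buf, pos)
    else:                                # unsupported value type (e.g. BLOB here): halt, as the script does
        raise ValueError(f'unsupported tag type 0x{ttype:02X} at offset {pos - 1}')
    return name, val, pos

def parse_known_met(buf):                # yields one dict per file record
    if buf[0] not in (0x0E, 0x0F):       # MET_HEADER / MET_HEADER_I64TAGS
        raise ValueError('not an eMule known.met header')
    count, pos = _u('<I', buf, 1)
    for _ in range(count):
        date, pos = _u('<I', buf, pos)   # last-written time, unsigned 32-bit time_t
        md4, pos = buf[pos:pos + 16].hex().upper(), pos + 16
        pos += 2 + 16 * struct.unpack_from('<H', buf, pos)[0]   # skip part-hash count and part hashes
        ntags, pos = _u('<I', buf, pos)
        tags = {}
        for _ in range(ntags):
            name, val, pos = _read_tag(buf, pos)
            tags[name] = val
        yield {'last_written_utc': datetime.fromtimestamp(date, tz=timezone.utc).isoformat(),
               'last_written_hex': f'0x{date:08X}',   # unadjusted raw value, kept to aid verification
               'ed2k': f'ed2k://|file|{tags.get(FT_FILENAME, "")}|{tags.get(FT_FILESIZE, 0)}|{md4}|/',
               'tags': tags}

# Constructed sample (not a real known.met): one record reproducing the page's example link.
SAMPLE = (b'\x0E' + struct.pack('<I', 1) + struct.pack('<I', 0x4A5B2C3D)
          + bytes.fromhex('8A092B434AE3B95B43B21AEA0DD55933') + struct.pack('<H', 0)
          + struct.pack('<I', 2) + b'\x82\x01\x15\x00' + b'Madonna - Hung Up.mp3'   # string tag, len 0x15
          + b'\x83\x02' + struct.pack('<I', 7926135))                               # uint32 tag
```

Because the unadjusted value and its hex form are both kept, the DST skew described above can be checked against the raw field rather than against a locally adjusted display.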
This script was developed for use in EnCase training.