eMule User Hash and Clients.met Parser
This script parses eMule preferences.dat, client.met, and client.met.bak files.
The main reason for parsing each preferences.dat file is to extract the 16-byte user-hash used to identify the associated user on the eMule network.
The hash is generated randomly albeit the 6th and 15th bytes are then set to 0x0e and 0x6f respectively.
Each eMule client tracks the total number of bytes uploaded to, and downloaded, from remote clients.
This information is written to the client.met file and its backup, client.met.bak, as a sequence of entries.
Each entry will contain the user-hash of one client together with the total number of bytes uploaded/downloaded to/from that client and the time the client was last seen.
EMule's calculation of the total number of bytes uploaded/downloaded is non-trivial. It cannot, for example, be validated simply by summing the logical sizes of the files that have been transferred - data compression and other factors are taken into account.
Accordingly if Client A uploads a file to Client B after any existing client.met file has been deleted, the uploaded value stored by Client A may well differ to the downloaded value stored by Client B. Furthermore, both values are likely to differ from the size of the file that was transferred.
Where possible, the script will include the associated user-hash of each client.met file in its bookmark.
For this to be successful, each client.met file and its associated preferences.dat file must be present in the same folder. Typically this will be the original eMule config folder, in which case there shouldn't be a problem.
However, if one adds multiple preferences.dat and client.met files to the root folder of the current case's Single Files object, this functionality will not work and the script may create incomplete/invalid bookmarks as result.
Output is to the console, bookmarks, and a tab-delimited spreadsheet file. The latter will contain the entries parsed from client.met files.
Timestamps are produced in an unadjusted format. The raw hex value of each timestamp can be inspected using the bookmarks created by the script.
This script was developed for use in EnCase training. For more details, please click the following link:
Download Now