DBB Kazaa Database File - 1st 9 Fields plus Kazaa Hash Decoded

Viewing the Kazaa DBB File in EnCase

Meaning of the "Last Shared Date/Time"

 
Return to Main Forensics Help Page

 

Within the Kazaa DBB database file, field #7 describes the date/time that the file was last available for sharing.  This does NOT necessarily mean the last time the file was shared.  There is a difference.  To be certain, it means the date and time that the file was either deleted by the Kazaa software or it was deleted by another user interface outside Kazaa (command line, Explorer, etc) and detected by the Kazaa Content Manager on startup of Kazaa or when it scans the contents of "My Shared Folder" or others under management.  This scanning occurs by default every 300 seconds.  See below image:

Content Manager "Scan for your new shared files every Xsecs" - default for this version is 300 seconds

The key to understanding this data field lies truly in the phrase, "Date/Time Last Available for Sharing".  This doesn't mean it was ever shared, only that it was present in "My Shared Folder" for sharing.  "My Shared Folder" is the default folder created by and managed by Kazaa and other FastTrack software.  The user can opt to add other folders to be "available for share" and management by Kazaa.  In addition to sharing files, is so configured, Kazaa is used to manage, organize, and play media or other files.  While available to be shared by virtue of being in a Kazaa managed folder, to actually be in a shared status whereby a remote user can access and upload a particular file, the following two conditions must have been met.

  1. Kazaa was globally enabled for sharing (it is by default)   AND 

  2. The individual file in question is available for sharing (it is by default when downloaded).  

To make these separate and critical determinations, review these two web pages ( one and two).  Naturally the FastTrack software must be running and the host computer must also be connected to the internet in addition to the configuration conditions.

To understand how Field #7 is populated, the following file was downloaded within the Kazaa client:

Tocatta and Fugue (Piano Solo.mp3 was downloaded and placed (by default) in "My Shared Folder".  When this occurs, the file receives a record in the appropriate dbb.  The "File Date" reflects when it was downloaded and placed in this folder.  No date is populated in the "LastShared" field.  Field # 9 (SharingDisabled) is "NO" by default, yet in this particular configuration, "DisableGlobalSharing" is enabled, meaning no sharing is occurring, despite the individual file setting.

The Kazaa software is restarted and from within the Kazaa software, the file "Tocatta and Fugue (Piano Solo.mp3" is deleted.  The Kazaa application and process were closed.  The dbb was examined again with KazAlyser (can be done under EnCase also).

The field LastShare is now populated with the date/time that the file was deleted by Kazaa.  Note that because global sharing has been turned off, this file has never been shared, but was "available" to be shared if Kazaa were so configured to share.

Kazaa was restarted and another file named "Vanessa Mae - Storm (Techno Vivaldi).mp3" was downloaded by Kazaa.  The Kazaa application and process were closed.  The dbb is examined again with KazAlyser.  The newly downloaded file appears much as did the previous file, with a date/time indicative of when the file was placed in "My Shared Folder", with no date/time in the LastShared field and with a "NO' for Field #9 (SharingDisabled) which is a default value assigned to all Kazaa downloads.  Again this Kazaa software is configured to NOT share via a global setting.

 

Using Windows Explorer, this file (Vanessa Mae - Storm (Techno Vivaldi).mp3) was deleted.  Kazaa was restarted.  Upon restarting, Kazaa's "Content Manager" scans the folders under Kazaa's management, which is "My Shared Folder" by default, but could include others.  The absence of this file is detected by Kazaa and Kazaa does not show the file present.  

 

When present, a folder appeared in the "V's" for Vanessa Mae and the file was in that folder.  Because Kazaa's Content Manager discovered it was missing upon startup, it is not present within the Kazaa software.

The Kazaa application and process were terminated and the dbb examined with KazAlyser,  As expected, the LastShared Date/Time field is populated and specifically with the date/time that Content Manager discovered it missing upon startup.   

 

 

In conclusion, if Kazaa deletes the file, the date/time will be populated with the date/time that Kazaa deleted it.  If is is deleted by external means such as Explorer, it will be populated with the Date/Time that Content Manager scans it and discovers it missing.  This occurs on Kazaa startup and every 300 seconds (default) while Kazaa is running.

Also, its meaning must be interpretted within this context as well as whether or not the Kazaa software was globally sharing or not AND if a particular file is set to share.

See also:

Fields 1 - 9 explained as well as how to determine share settings globally and on a file by file basis

Fields 1 - 9 decoded using EnCase

 

 

 
 

 

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu .  Thank you.

This site created and maintained by: 
Captain Stephen M. Bunting, CCFT, EnCE
University of Delaware Police
Phone 302-645-4334
Email: sbunting@udel.edu