
digital investigation 7 (2010) 90–94

available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin

Analysis of Internet Download Manager for collection of digital forensic artefacts

Muhammad Yasin*, Ahmad R. Cheema, Firdous Kausar

National University of Sciences and Technology (NUST), Islamabad, Pakistan

Article info

Article history:
Received 15 February 2010
Received in revised form 21 August 2010
Accepted 30 August 2010

Keywords:
Digital forensics
Download manager
Forensic artefacts
Internet Download Manager
Password Cracking
Windows registry analysis
IDM

* Corresponding author. Tel.: +92 3005170839. E-mail address: [email protected] (M. Yasin).

1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2010.08.005

Abstract

Internet Download Manager (IDM) provides accelerated download speed and flexibility in features. Its attractiveness lies behind video content processing and automatic handling of downloads. This paper analyzes IDM activities recorded across multiple files, including the Windows Registry, history and log files, from an artefact collection viewpoint. The tools and techniques used for extracting evidence are also elaborated. In the case of download managers, the foremost concerns are installation location, download path, downloaded file, URL address, login credentials for password protected websites, and the date and time the activity was performed. This enables digital forensic investigators to envisage and deduce suspicious activities.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

IDM is a widely used download manager that runs on Windows operating systems. It supports HTTP, HTTPS, FTP and MMS protocols. The IDM file management system maintains multiple categories of downloaded files depending on their file type. IDM provides seamless integration with most popular web browsers. The unorthodox support for downloading webpage-embedded videos distinguishes it from other standard download managers. Along with all these characteristics, the IDM software does not provide checksum verification (Internet Download Manager, 2010).

This analysis follows on from the preceding research that examined the forensic artefacts left behind by Download Accelerator Plus (Yasin et al., 2009a) and Free Download Manager (Yasin et al., 2009b). The examination carried out in this paper accentuates the footprints of IDM. The research was accomplished on IDM versions 5.16 and 5.18 running on the Microsoft Windows XP platform. The test cases were carried out on multiple machines to acquire better results. The forensic dissection characterizes the information about the user (installer of IDM), the history of downloaded files (complete or incomplete), login credentials (password protected websites/servers and FTP/HTTP proxy servers), blocked websites/servers, URL addresses and search keyword history. Moreover, it provides precise detail of the password encryption/encoding technique used by IDM to secure the user login credentials. The analysis covers Windows registry examination and history and log file analysis to gather the fertile evidence from the intended system.

This paper is organized into five sections. The first section introduces IDM and how this endeavor accommodates digital forensic investigators with considerable information. The second section performs Windows registry examination. The third section gives details on history and log file analysis to cite an encompassing representation of the download activities. The fourth section emphasizes the method used by IDM to encrypt passwords. The paper is concluded in the last section.

2. Windows registry examination

The Windows registry is a splendid repository for digital forensic investigators to examine, investigate and collect evidence from Windows operating systems (Carvey, 2005; Farmer, 2007; Vivienne et al., 2006). A key to accessing registry information is to understand the structure of the registry itself (Carvey, 2005). The information collected from the registry and file system can be correlated to display a magnificent sketch of download activities. There are numerous freely obtainable tools for extracting information from the registry such as RegEdit (Microsoft Windows default Registry Editor), Registrar Lite (Resplendence, 2008) and Registry Viewer (Access Data, 2010). These tools have been used to analyze the Windows registry to trace the activities performed by IDM.

The Windows registry contains download activity entries, especially related to IDM, under the HKEY_CURRENT_USER\Software\DownloadManager branch. Fig. 1 depicts the logical view of IDM in the Windows registry using RegEdit. The left pane contains the hierarchical tree structure of sub-keys of Internet Download Manager and the right pane presents the key values of the category type ‘Compressed’. This section highlights essential registry keys and delineates how these keys can be useful and beneficial to investigate download activities on a suspicious computer.

The default registry key ‘DownloadManager’ contains crucial and evident information regarding the configuration and user settings. Investigators can acquire information about the execution path of IDM, its version, connection speed, path of the folder used for maintaining logs, history of download activities, last URL address used to download a file, download destination path and temporary folder information. Furthermore, it keeps the proxy settings for IDM.

Fig. 1. IDM Registry view.

2.1. Proxy settings

IDM holds proxy setting information under the ‘DownloadManager’ registry key, which contains the proxy address, port number, username and password for FTP, HTTP and HTTPS proxies as illustrated in Fig. 2. The UseFtpProxy, UseHttpProxy and UseHttpsProxy key values hold information on whether the user takes advantage of these FTP, HTTP and HTTPS proxies or not, as portrayed in Fig. 3. IDM does not store the passwords of these proxies in clear text, but rather encrypted with its own developed encryption technique. The IDM encryption technique is explained in Section 4.

2.2. History of downloaded files

IDM organizes downloaded files by their file types in several default and user created categories. The default categories for downloaded files are Music, Compressed, Documents, Video and Programs. In Fig. 1 ‘Hacking Tools’ is the name of a user created category. It carries conspicuous and imperative information about the user's interests and download activities for an investigator inspecting a dubious system. The Windows registry manages category settings within sub-keys under ‘FoldersTree’ as depicted in Fig. 1. Each is comprised of the category name as the title of the sub-key, supported extensions, unique Identity and download directory path. Each downloaded file contains a key value ‘categoryID’ which represents the unique ID of the category. The unique ID can be used to relate each downloaded file to its category. Table 1 on the next page describes the corresponding IDs of the categories. It is worth mentioning that user created category unique IDs start from 64 onward.

The Windows Registry keeps information about all downloaded files. It maintains each downloaded file as a sub-key of ‘DownloadManager’. For example 3, 4, 5 and 6 are the files downloaded by the user as illustrated in Fig. 1. Each downloaded file is represented by a File ID, for instance ‘6’. The sequence of File IDs starts from three rather than one. The value ‘6’ represents that the user has downloaded the fourth file. The File ID is incremented by one for each new file. The invaluable and essential key values of downloaded files are file name, file size, date of adding a URL address to IDM for downloading a file, URL address, login credentials, download directory path, Category ID and status of the file. By default IDM uses ‘anonymous’ as username and ‘IEUser’ as password for a user that does not provide login credentials.

Fig. 2. HTTP and HTTPS proxy settings of IDM in Windows Registry.

2.3. Files requested to download

The ‘maxID’ sub-key contains the maximum File ID, which gives the total number of files requested for download using IDM as shown in Fig. 4. The value name ‘maxID’ is shown in both hexadecimal and numeric value formats. In this case the total number of files requested by the user is 34. This number is irrespective of whether the files were successfully downloaded or are still incomplete.

2.4. Incomplete download files

The sub-key ‘Queue’ contains the File IDs of all incompletely downloaded files which were interrupted during downloading, as illustrated in Fig. 5. The value name ‘Queue’ contains File IDs 3, 27, 33 and 34 that are still queued.
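As an added example, not taken from the paper, the following Python script parses a RegEdit-style export of the HKEY_CURRENT_USER\Software\DownloadManager branch (the kind of export an examiner takes from a suspect system or an offline hive) and pulls out the artefacts described in Sections 2.2 to 2.4: the numbered download sub-keys with their category resolved through Table 1 and the ‘FoldersTree’ sub-keys, the ‘maxID’ counter and the ‘Queue’ list. The sample export is constructed from the figures quoted in the paper (maxID 34, queued IDs 3, 27, 33 and 34, user category ‘Hacking Tools’ = 64); the value names ‘ExePath’, ‘FileName’, ‘Url’ and ‘ID’, and the little-endian DWORD layout assumed for the binary ‘Queue’ value, are assumptions made for illustration, not IDM's documented format.

```python
import re
import struct
from typing import Dict, List

IDM_ROOT = r"HKEY_CURRENT_USER\Software\DownloadManager"
# Default category IDs from Table 1; user-created categories start at 64.
DEFAULT_CATEGORIES = {1: "Programs", 2: "Music", 3: "Video", 5: "Documents", 7: "Compressed"}

# Constructed sample export built from the figures quoted in the paper. Only the key
# layout and the value names 'categoryID', 'maxID' and 'Queue' come from the paper;
# 'ExePath', 'FileName', 'Url' and 'ID' are assumed names, not IDM's documented format.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\DownloadManager]
"ExePath"="C:\\Program Files\\Internet Download Manager\\IDMan.exe"
"maxID"=dword:00000022
"Queue"=hex:03,00,00,00,1b,00,00,00,21,00,00,00,\
  22,00,00,00

[HKEY_CURRENT_USER\Software\DownloadManager\FoldersTree\Hacking Tools]
"ID"=dword:00000040

[HKEY_CURRENT_USER\Software\DownloadManager\3]
"FileName"="setup.exe"
"Url"="http://downloads.example/setup.exe"
"categoryID"=dword:00000001

[HKEY_CURRENT_USER\Software\DownloadManager\6]
"FileName"="scanner.zip"
"Url"="ftp://downloads.example/scanner.zip"
"categoryID"=dword:00000040
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw: str):
    """Decode one exported value: dword -> int, hex list -> bytes, quoted -> str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded value}}; joins backslash-continued lines."""
    text = text.replace("\\\r\n", "").replace("\\\n", "")
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = _decode_value(value.group(2))
    return keys


def category_table(reg: Dict[str, Dict[str, object]]) -> Dict[int, str]:
    """Table 1 defaults plus user-created categories found under FoldersTree."""
    table = dict(DEFAULT_CATEGORIES)
    prefix = IDM_ROOT + "\\FoldersTree\\"
    for path, values in reg.items():
        if path.startswith(prefix) and isinstance(values.get("ID"), int):
            table[values["ID"]] = path[len(prefix):]
    return table


def downloaded_files(reg: Dict[str, Dict[str, object]]) -> List[dict]:
    """Every numeric sub-key of DownloadManager is one download (File IDs start at 3)."""
    categories = category_table(reg)
    files = []
    for path, values in reg.items():
        parent, _, leaf = path.rpartition("\\")
        if parent == IDM_ROOT and leaf.isdigit():
            files.append({"file_id": int(leaf), "name": values.get("FileName"), "url": values.get("Url"),
                          "category": categories.get(values.get("categoryID"), "unknown")})
    return sorted(files, key=lambda f: f["file_id"])


def max_id(reg: Dict[str, Dict[str, object]]) -> int:
    """'maxID' is the highest File ID issued, i.e. the number of download requests."""
    return int(reg[IDM_ROOT]["maxID"])


def queued_file_ids(reg: Dict[str, Dict[str, object]]) -> List[int]:
    """File IDs still in 'Queue'; the little-endian DWORD array layout is an assumption."""
    raw = reg[IDM_ROOT]["Queue"]
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw[: len(raw) // 4 * 4]))


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("files requested (maxID):", max_id(reg), " still queued:", queued_file_ids(reg))
    for entry in downloaded_files(reg):
        print(entry)
```

Run against a real export, the difference between maxID and the number of numbered sub-keys shows how many entries have been deleted from the IDM history, and any File ID present in ‘Queue’ but missing as a sub-key is worth noting in the same way.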

2.5. Password protected websites

The enumeration of all password protected websites and servers is kept under the ‘Passwords’ key. Each sub-key is labeled with the website address and holds the login credentials as depicted in Fig. 6. As illustrated in the figure, IDM does not store passwords in clear text, but rather in encrypted form. The IDM encryption technique is explained in Section 4.

Fig. 3. FTP, HTTP and HTTPS proxies enable/disable Registry Keys.

2.6. Site Grabber

The site grabber of IDM is used to download a complete website or required files for offline browsing. IDM maintains these downloaded files separately from the normally downloaded files under the ‘GrabberSts\Projects’ branch.

2.7. Uninstall location

Each registry key stores particular information under its sub-keys. For example the ‘Uninstall’ branch sub-keys indirectly indicate all the installed programs. The ‘Internet Download Manager’ key under the ‘Uninstall’ branch contains the execution path, program name and uninstall path of IDM. This information is contained under the following path in the Windows registry: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager’.

Table 1. Category Title with their corresponding ID.

Category Title    Category ID
Programs          1
Music             2
Video             3
Documents         5
Compressed        7
Hacking Tools     64

3. Log files analysis

IDM maintains history and log files under the user profile folder ‘C:\Documents and Settings\User Profile\Application Data\IDM\’ as a default location. IDM keeps user activities in log files in chronological order. It keeps a record of the downloaded data of each user under the ‘DwnlData\User Account name’ folder and archives the history of grabbed websites under the ‘Grabber’ folder. IDM permits its users to change the path of the temporary directory of log files manually. The ‘UrlHistory.txt’ file comprises the URL addresses of the downloaded files. WinHex (X-Ways, 2009) is used to analyze and evaluate the log files.

Fig. 4. maxID.

Fig. 6. Password protected websites.

3.1. Downloaded files

The log of each downloaded file is kept in a separate file named ‘Filename_FileID.log’. The log files of IDM are sufficiently vivid but passwords are concealed with ‘xxx’. The forensic examiner can collect the download start time, URL address used to download a file, download directory path, username and proxy server address. IDM also holds the log of all events performed during downloading, each starting with ‘CO:’.

3.2. Site Grabber

The Site Grabber keeps track of all projects in the ‘project.dat’ file and stores user settings in ‘projectGrabberID.igp’, such as project2.igp. The ‘tempFolder’ folder contains the paths of web pages currently being downloaded from grabbed websites. IDM removes the history of temporary files after completion of the grabbed website. Even so, the footprints of the grabbed website are found extensively in the temporary directory.

3.3. Un-installation process

During the un-installation process, IDM offers ‘Default’ and ‘Complete’ options to choose from. After selection, a message prompts to restart the computer for completion of the un-installation process. The default option only erases the executable files of IDM and detaches the integration of IDM with the web browser. Generally users use the default option to uninstall IDM. In the default case, IDM conserves the history of IDM in the Windows registry and log files. This assists the digital forensics investigator to gather vital artefacts from the suspected system. In case the user selects the complete option, the uninstall process wipes out the history of completely downloaded files, pending files, configuration and user settings collectively from the Windows registry and log files.

The uninstall process does not scrub the footprints of those log files which are logged at a user specified path. Searching for keywords such as ‘DwnlData’ and ‘GrabberData’ can lead to these log files. IDM retains all log files under a directory whose name matches the Login ID. Investigators can look for a Login ID such as ‘Administrator’ to acquire log files. Additionally, it keeps the log files of all other users at their default locations after un-installation by Administrator. For instance, if Administrator installs IDM, uses it to download files, and then uninstalls it completely, this merely clears the log files of Administrator. In the intervening period of time, other users are also using IDM for downloading files on that system. Their log files are persistent and are maintained separately. They do not intermingle with Administrator logs.

Fig. 5. Queue.

4. Password encryption technique

IDM keeps encrypted passwords neither in log files nor in the protected storage area of the Windows registry. In log files, it holds ‘xxx’ instead of encrypted passwords. The Download Manager archives the encrypted passwords of the HTTP, HTTPS and FTP proxies essential for downloading files under the ‘HKEY_CURRENT_USER\Software\DownloadManager’ branch in the Windows Registry. It retains the login credentials of password protected websites under the ‘Passwords’ sub-key of the ‘DownloadManager’ branch. Fig. 7 portrays the encrypted password of an HTTP proxy.

The encryption technique used by IDM is analyzed by selecting random password strings, only a few of which are listed in Table 2 on the next page. These password strings are picked precisely to describe the encryption method. It is perceived that the last byte of the encrypted password is always ‘00’. The encrypted password has one extra byte of ‘00’ compared to the original password. The first password string is ‘AAAAaaaa’, whose hexadecimal value ‘41 41 41 41 61 61 61 61’ is obtained from Fig. 8. The generated encrypted password is ‘NNNNnnnn’, whose hexadecimal value is ‘4E 4E 4E 4E 6E 6E 6E 6E 00’. The analysis of passwords substantiates that the encryption technique is awfully weak as it is simply substituting ‘N’ for ‘A’ and ‘n’ for ‘a’.

Fig. 7. Hexadecimal and ASCII values of encrypted password for HTTP proxy.

Table 2. Analysis results.

Plaintext           Hexadecimal Value                                Encrypted Password   Hexadecimal Value
AAAAaaaa            41 41 41 41 61 61 61 61                          NNNNnnnn             4E 4E 4E 4E 6E 6E 6E 6E 00
NNNNnnnn            4E 4E 4E 4E 6E 6E 6E 6E                          AAAAaaaa             41 41 41 41 61 61 61 61 00
0123456789:;<=>?    30 31 32 ... 3D 3E 3F                            ?>=<;:9876543210     3F 3E 3D ... 32 31 30 00
C0MP13Xp@$$w0rd     43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64     L?B_><W, O++x?}k     4C 3F 42 5F 3E 3C 57 7F 4F 2B 2B 78 3F 7D 6B 00

The former outcome ‘NNNNnnnn’ is selected as a new password string to inspect and verify the encryption technique. The encrypted result is then the same as the previously chosen password string ‘AAAAaaaa’. It is verified that IDM is only performing linear substitution and is lacking a permutation process. Another hexadecimal string ‘30 31 ... 3E 3F’ is taken as a new password. Its encrypted value ‘3F 3E ... 31 30 00’ is according to expectation. Finally, the real world complex password ‘C0MP13Xp@$$w0rd’, whose hexadecimal string is ‘43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64’, is chosen as the password string, which gives the encrypted string ‘L?B_><W, O++x?}k’ whose hexadecimal string is ‘4C 3F 42 5F 3E 3C 57 7F 4F 2B 2B 78 3F 7D 6B 00’.

Now, it is quite clear that the IDM encryption technique is using an XOR operation for substitution. The first 4 bits of each byte of the encrypted password are the same as the first 4 bits of each byte of the password string, but the last 4 bits of each byte of the encrypted password are the bitwise complement of the last 4 bits of each byte of the password string. The following equations describe the encryption technique used by IDM. It was found during the research that the key used for encryption is $K = 00001111$ (0F).

$P \oplus K = E$ (1)

$P \oplus E = K$ (2)

Eqs. (3) and (4) are obtained from Table 2:

$P = \text{A} / 41 / 01000001$ (3)

$E = \text{N} / 4E / 01001110$ (4)

Putting Eqs. (3) and (4) in Eq. (2):

$01000001 \oplus 01001110 = 00001111$ (5)

$K = 00001111 / 0F / \text{SI}$ (6)

Therefore, from Eq. (6) it is observed that the key is ‘SI’ as shown in Fig. 8.

Fig. 8. ASCII/Hexadecimal conversion table in WinHex.
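The substitution derived in Eqs. (1) to (6) can be checked against every row of Table 2 with a few lines of code. The following Python is an added example, not from the paper: it applies $E = P \oplus K$ with $K = 0F$ and the trailing 00 byte, restores $P$ from a stored registry value, recovers $K$ from a single known plaintext/ciphertext pair as Eq. (2) does, and confirms the nibble observation above. The two rows that Table 2 abbreviates with ‘...’ are expanded here by applying the same rule; the row data is otherwise copied from the table.

```python
from typing import List

IDM_KEY = 0x0F  # K = 00001111, the ASCII 'SI' control character (Eq. 6)

# Rows of Table 2 as (plaintext, bytes stored in the registry). The two rows the
# table abbreviates are expanded with the XOR rule; each ends with the 00 terminator.
TABLE2 = [
    ("AAAAaaaa", bytes.fromhex("4E4E4E4E6E6E6E6E00")),
    ("NNNNnnnn", bytes.fromhex("414141416161616100")),
    ("0123456789:;<=>?", bytes.fromhex("3F3E3D3C3B3A3938373635343332313000")),
    ("C0MP13Xp@$$w0rd", bytes.fromhex("4C3F425F3E3C577F4F2B2B783F7D6B00")),
]


def idm_encode(plaintext: str) -> bytes:
    """Eq. (1): E = P XOR K for every byte, then the single 00 byte IDM appends."""
    return bytes(b ^ IDM_KEY for b in plaintext.encode("latin-1")) + b"\x00"


def idm_decode(stored: bytes) -> str:
    """Recover P from a stored value: drop the terminator and XOR with K again."""
    if not stored or stored[-1] != 0:
        raise ValueError("stored IDM password values end with a 00 byte")
    return bytes(b ^ IDM_KEY for b in stored[:-1]).decode("latin-1")


def recover_key(plaintext: str, stored: bytes) -> int:
    """Eq. (2): P XOR E = K. One known pair yields the key byte by byte; every
    position must agree, which is what makes this a fixed substitution."""
    candidates = {p ^ e for p, e in zip(plaintext.encode("latin-1"), stored[:-1])}
    if len(candidates) != 1:
        raise ValueError("byte-wise keys disagree: %r" % sorted(candidates))
    return candidates.pop()


def nibble_rule_holds(plaintext: str, stored: bytes) -> bool:
    """Section 4 observation: high nibble unchanged, low nibble complemented."""
    return all((p >> 4) == (e >> 4) and (p & 0x0F) == (~e & 0x0F)
               for p, e in zip(plaintext.encode("latin-1"), stored[:-1]))


def verify_table2() -> List[bool]:
    """Check every row of Table 2 against encode, decode and the nibble rule."""
    return [idm_encode(p) == s and idm_decode(s) == p and nibble_rule_holds(p, s)
            for p, s in TABLE2]


if __name__ == "__main__":
    for (plain, stored), ok in zip(TABLE2, verify_table2()):
        print("%-18s -> %s  %s" % (plain, stored.hex(" "), "ok" if ok else "MISMATCH"))
    print("key recovered from row 1: 0x%02X" % recover_key(*TABLE2[0]))
```

Because the key is a constant that does not depend on the user or machine, a single known pair reveals it and the stored proxy and website credentials should be treated as clear text for evidentiary purposes, which is the practical meaning of the paper's verdict that the scheme is awfully weak.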

5. Conclusion

Artefacts of download activities are grouped together in a hierarchy under a root tree. This layout can be seen both in the Windows registry and in the directory structure. Therefore, it is relatively less complicated for forensic examiners to collect information from the registry and directory structure. A forensic tool (similar to the DAP Forensic Artefact Collector) can also be designed to compile the footprints of IDM activities with a single click. Another beneficial aspect found during the research is that date and time are en clair, not encoded using little-endian or big-endian format, which saves investigation time and accelerates the forensic artefact gathering process.

References

Access Data. Registry viewer. Access Data Corp, http://www.accessdata.com/products/rv/; 2010.

Carvey H. The windows registry as a forensic resource. Digital Investigation 2005;2:201–5.

Farmer DJ. A forensic analysis of the Windows registry, http://eptuners.com/forensics/Index.htm; 2007.

Internet Download Manager. Internet download manager features. Internet Download Manager Corp, http://www.internetdownloadmanager.com/features.html; January 2010.

Resplendence. Registrar lite. Resplendence Software Projects Sp, http://www.resplendence.com; 2008.

Vivienne Mee, Theodore Tryfonas, Iain Sutherland. The windows registry as a forensic artefact: illustrating evidence collection for Internet usage. Digital Investigation 2006;3(3):166–73.

X-Ways. WinHex 15.4, X-Ways Software Technology AG, http://www.x-ways.net/winhex.zip; 2009.

Yasin M, Wahla MA, Kausar F. Analysis of download accelerator plus (DAP) for forensic artefacts. In: Proceedings of the 5th International Conference on IT Security Incident Management and IT Forensics (IMF ‘09), Stuttgart, Germany. pp. 142–152. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5277879&isnumber=5277834; September 2009a.

Yasin M, Wahla MA, Kausar F. Analysis of free download manager for forensic artefacts. In: Proceedings of the Digital Forensics and Cyber Crime First International ICST Conference, ICDF2C 2009, Albany, NY, USA. pp. 59–68. Available at: http://www.springerlink.com/content/u740q85rv08k744q/; October 2009b.