Digital Investigation 7 (2010) 90–94
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin
Analysis of Internet Download Manager for collection of digital forensic artefacts
Muhammad Yasin*, Ahmad R. Cheema, Firdous Kausar
National University of Sciences and Technology (NUST), Islamabad, Pakistan
Article info
Article history:
Received 15 February 2010
Received in revised form
21 August 2010
Accepted 30 August 2010
Keywords:
Digital forensics
Download manager
Forensic artefacts
Internet Download Manager
Password Cracking
Windows registry analysis
IDM
* Corresponding author. Tel.: +92 3005170839. E-mail address: [email protected] (M. Yasin).
1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2010.08.005
Abstract
Internet Download Manager (IDM) provides accelerated download speed and flexibility in features. Its attractiveness lies in its video content processing and automatic handling of downloads. This paper analyzes IDM activities recorded across multiple files, including the Windows Registry, history and log files, from the artefact collection viewpoint. The tools and techniques used for extracting evidence are also elaborated. In the case of download managers, the foremost concerns are the installation location, download path, downloaded file, URL address, login credentials for password protected websites, and the date and time the activity was performed. This enables digital forensic investigators to envisage and deduce suspicious activities.
© 2010 Elsevier Ltd. All rights reserved.
1. Introduction

IDM is a widely used download manager that runs on Windows operating systems. It supports the HTTP, HTTPS, FTP and MMS protocols. The IDM file management system maintains multiple categories of downloaded files depending on their file type. IDM provides seamless integration with the most popular web browsers. Its unorthodox support for downloading videos embedded in web pages distinguishes it from other standard download managers. Along with all these characteristics, the IDM software does not provide checksum verification (Internet Download Manager, 2010).

This analysis follows on from the preceding research that examined the forensic artefacts left behind by Download Accelerator Plus (Yasin et al., 2009a) and Free Download Manager (Yasin et al., 2009b). The examination carried out in this paper accentuates the footprints of IDM. The research is accomplished on IDM versions 5.16 and 5.18 running on the Microsoft Windows XP platform. The test cases are carried out on multiple machines to acquire better results. The forensic dissection characterizes the information about the user (installer of IDM), the history of downloaded files (complete or incomplete), login credentials (password protected websites/servers and FTP/HTTP proxy servers), blocked websites/servers, URL addresses and search keyword history. Moreover, it provides precise detail of the password encryption/encoding technique used by IDM to secure the user login credentials. The analysis covers Windows registry examination and history and log file analysis to gather fertile evidence from the intended system.
This paper is organized into five sections. The first section introduces IDM and how this endeavor accommodates digital forensic investigators with considerable information. The second section performs the Windows registry examination. The third section gives details on the history and log file analysis to cite an encompassing representation of the download activities. The fourth section emphasizes the method used by IDM to encrypt passwords. The paper is concluded in the last section.
2. Windows registry examination
The Windows registry is a splendid repository for digital forensic investigators to examine, investigate and collect evidence from Windows operating systems (Carvey, 2005; Farmer, 2007; Vivienne et al., 2006). A key to accessing registry information is to understand the structure of the registry itself (Carvey, 2005). The information collected from the registry and the file system can be correlated to display a magnificent sketch of download activities. There are numerous freely obtainable tools for extracting information from the registry, such as RegEdit (the default Microsoft Windows Registry Editor), Registrar Lite (Resplendence, 2008) and Registry Viewer (Access Data, 2010). These tools have been used to analyze the Windows registry to trace the activities performed by IDM.
The Windows registry contains download activity entries, especially those related to IDM, under the HKEY_CURRENT_USER\Software\DownloadManager branch. Fig. 1 depicts the logical view of IDM in the Windows registry using RegEdit. The left pane contains the hierarchical tree structure of sub-keys of Internet Download Manager and the right pane presents the key values of the category type ‘Compressed’. This section highlights the essential registry keys and delineates how these keys can be useful and beneficial when investigating download activities on a suspicious computer.

The default registry key ‘DownloadManager’ contains crucial and evident information regarding the configuration and user settings. Investigators can acquire information about the execution path of IDM, its version, connection speed, path of the folder used for maintaining logs, history of download activities, last URL address used to download a file, download destination path and temporary folder information. Furthermore, it keeps the proxy settings for IDM.
Fig. 1 – IDM Registry view.
2.1. Proxy settings

IDM holds proxy setting information under the ‘DownloadManager’ registry key, which contains the proxy address, port number, username and password for the FTP, HTTP and HTTPS proxies as illustrated in Fig. 2. The UseFtpProxy, UseHttpProxy and UseHttpsProxy key values record whether or not the user takes advantage of the FTP, HTTP and HTTPS proxies, as portrayed in Fig. 3. IDM does not store the passwords of these proxies in clear text; rather, they are encrypted with its own home-grown encryption technique. The IDM encryption technique is explained in Section 4.
2.2. History of downloaded files

IDM organizes downloaded files by their file types in several default and user-created categories. The default categories for downloading files are Music, Compressed, Documents, Video and Programs. In Fig. 1, ‘Hacking Tools’ is the name of a user-created category. Such a category gives an investigator conspicuous and imperative information about the user's interests and download activities when inspecting a dubious system. The Windows registry manages category settings within sub-keys under ‘FoldersTree’ as depicted in Fig. 1. Each sub-key is comprised of the category name as the title of the sub-key, the supported extensions, a unique identity and the download directory path. Each downloaded file contains a key value ‘categoryID’ which represents the unique ID of its category. The unique ID can be used to relate each downloaded file to its category. Table 1 lists the corresponding IDs of the categories. It is worth mentioning that user-created category unique IDs start from 64 onward.
The Windows Registry keeps information about all downloaded files. It maintains each downloaded file as a sub-key of ‘DownloadManager’. For example, 3, 4, 5 and 6 are the files downloaded by the user as illustrated in Fig. 1. Each downloaded file is represented by a File ID, for instance ‘6’. The sequence of File IDs starts from three rather than one, so the value ‘6’ represents that the user has downloaded the fourth file. The File ID is incremented by one for each new file. The invaluable and essential key values of downloaded files are the file name, file size, date of adding a URL address to IDM for downloading a file, URL address, login credentials, download directory path, category ID and status of the file. By default IDM uses ‘anonymous’ as the username and ‘IEUser’ as the password for a user that does not provide login credentials.

Fig. 2 – HTTP and HTTPS proxy settings of IDM in Windows Registry.

Table 1 – Category title with their corresponding ID.
2.3. Files requested to download
The ‘maxID’ entry contains the maximum File ID, which gives the total number of files requested for download using IDM, as shown in Fig. 4. The value named ‘maxID’ is shown in both hexadecimal and decimal formats. In this case the total number of files requested by the user is 34. This number is irrespective of whether the files were successfully downloaded or are still incomplete.
2.4. Incomplete download files
The sub-key ‘Queue’ contains the File IDs of all incomplete downloads that were interrupted during downloading, as illustrated in Fig. 5. The value named ‘Queue’ contains the File IDs 3, 27, 33 and 34 that are still queued.
2.5. Password protected websites
The enumeration of all password protected websites and servers is kept under the ‘Passwords’ key. Each sub-key is labelled with the website address and holds the login credentials, as depicted in Fig. 6. As illustrated in the figure, IDM does not store passwords in clear text but in encrypted form. The IDM encryption technique is explained in Section 4.

Fig. 3 – FTP, HTTP and HTTPS proxies enable/disable Registry Keys.
2.6. Site Grabber
The site grabber of IDM is used to download a complete website or required files for offline browsing. IDM maintains these downloaded files separately from the normal downloaded files under the ‘GrabberSts\Projects’ branch.
2.7. Uninstall location
Each registry key stores particular information under its sub-keys. For example, the sub-keys of the ‘Uninstall’ branch indirectly indicate all the installed programs. The ‘Internet Download Manager’ key under the ‘Uninstall’ branch contains the execution path, program name and uninstall path of IDM. This information is contained under the following path in the Windows registry: ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager’.
3. Log files analysis
IDM maintains history and log files under the user profile folder ‘C:\Documents and Settings\User Profile\Application Data\IDM\’ as the default location. IDM keeps user activities in log files in chronological order. It keeps a record of the downloaded data of each user under the ‘DwnlData\User Account name’ folder and archives the history of grabbed websites under the ‘Grabber’ folder. IDM permits its users to change the path of the temporary directory of log files manually. The ‘UrlHistory.txt’ file comprises the URL addresses of the downloaded files. WinHex (X-Ways, 2009) is used to analyze and evaluate the log files.

Category Title    Category ID
Programs          1
Music             2
Video             3
Documents         5
Compressed        7
Hacking Tools     64

Fig. 4 – maxID.

Fig. 6 – Password protected websites.
3.1. Downloaded files
The log of each downloaded file is kept in a separate file named ‘Filename_FileID.log’. The log files of IDM are sufficiently vivid, but passwords are concealed with ‘xxx’. The forensic examiner can collect the download start time, URL address used to download a file, download directory path, username and proxy server address. IDM also holds the log of all events performed during downloading, each starting with ‘CO:’.
3.2. Site Grabber
The site grabber keeps track of all the projects in the ‘project.dat’ file and stores the user settings in ‘projectGrabberID.igp’, such as project2.igp. The ‘tempFolder’ folder contains the paths of web pages currently being downloaded through grabbed websites. IDM removes the history of temporary files after the completion of a grabbed website. Even so, the footprints of the grabbed website are found extensively in the temporary directory.
3.3. Un-installation process
During the un-installation process, IDM offers ‘Default’ and ‘Complete’ options to choose from. After selection, a message prompts to restart the computer to complete the un-installation process. The default option only erases the executable files of IDM and detaches the integration of IDM with the web browser. Generally users use the default option to uninstall IDM. In the default case, IDM conserves the history of IDM in the Windows registry and log files. This assists the digital forensics investigator to gather vital artefacts from the suspected system. In case the user selects the complete option, the uninstall process wipes out the history of completely downloaded files, pending files, configuration and user settings collectively from the Windows registry and log files.

Fig. 5 – Queue.

The uninstall process does not scrub the footprints of those log files which are logged at a user specified path. Searching for keywords such as ‘DwnlData’ and ‘GrabberData’ can lead to these log files. IDM retains all log files under a directory whose name matches the Login ID. Investigators can look for a Login ID such as ‘Administrator’ to acquire log files. Additionally, IDM keeps the log files of all other users at their default locations after un-installation by the Administrator. For instance, if the Administrator installs IDM, uses it to download files and then uninstalls it completely, this merely clears the log files of the Administrator. If in the intervening period other users also used IDM to download files on that system, their log files persist and are maintained separately. They do not intermingle with the Administrator's logs.
4. Password encryption technique
IDM keeps encrypted passwords neither in log files nor in the protected storage area of the Windows registry. In log files, it holds ‘xxx’ instead of encrypted passwords. The Download Manager archives the encrypted passwords of the HTTP, HTTPS and FTP proxies essential for downloading files under the ‘HKEY_CURRENT_USER\Software\DownloadManager’ branch in the Windows Registry. It retains the login credentials of password protected websites under the ‘Passwords’ sub-key of the ‘DownloadManager’ branch. Fig. 7 portrays the encrypted password of the HTTP proxy.
The encryption technique used by IDM is analyzed by selecting random password strings, only a few of which are listed in Table 2. These password strings are picked precisely to describe the encryption method. It is perceived that the last byte of the encrypted password is always ‘00’: the encrypted password has one extra byte of ‘00’ compared with the original password. The first password string is ‘AAAAaaaa’, whose hexadecimal value ‘41 41 41 41 61 61 61 61’ is obtained from Fig. 8. The generated encrypted password is ‘NNNNnnnn’, whose hexadecimal value is ‘4E 4E 4E 4E 6E 6E 6E 6E 00’. The analysis of passwords substantiates that the encryption technique is awfully weak, as it simply substitutes ‘N’ for ‘A’ and ‘n’ for ‘a’.

Fig. 7 – Hexadecimal and ASCII values of encrypted password for HTTP proxy.

Table 2 – Analysis results.

Plaintext | Hexadecimal value | Encrypted password | Hexadecimal value
AAAAaaaa | 41 41 41 41 61 61 61 61 | NNNNnnnn | 4E 4E 4E 4E 6E 6E 6E 6E 00
NNNNnnnn | 4E 4E 4E 4E 6E 6E 6E 6E | AAAAaaaa | 41 41 41 41 61 61 61 61 00
0123456789:;<=>? | 30 31 32 … 3D 3E 3F | ?>=<;:9876543210 | 3F 3E 3D … 32 31 30 00
C0MP13Xp@$$w0rd | 43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64 | L?B_><W[DEL]O++x?}k | 4C 3F 42 5F 3E 3C 57 7F 4F 2B 2B 78 3F 7D 6B 00

(In the last row, the byte 7F between ‘W’ and ‘O’ is the non-printable ASCII DEL character, shown here as [DEL].)
The former outcome ‘NNNNnnnn’ is selected as a new password string to inspect and verify the encryption technique. Its encrypted result is the same as the previously chosen password string ‘AAAAaaaa’. This verifies that IDM is only performing a linear substitution and lacks any permutation step. Another hexadecimal string ‘30 31 … 3E 3F’ is taken as a new password. Its encrypted value ‘3F 3E … 31 30 00’ is as expected. Finally, the real world complex password ‘C0MP13Xp@$$w0rd’, whose hexadecimal string is ‘43 30 4D 50 31 33 58 70 40 24 24 77 30 72 64’, is chosen as the password string; it gives the encrypted string ‘L?B_><W[DEL]O++x?}k’ whose hexadecimal string is ‘4C 3F 42 5F 3E 3C 57 7F 4F 2B 2B 78 3F 7D 6B 00’.
Now it is quite clear that the IDM encryption technique is using an XOR operation for substitution. The first 4 bits of each byte of the encrypted password are the same as the first 4 bits of each byte of the password string, but the last 4 bits of each byte of the encrypted password are the bitwise complement of the last 4 bits of each byte of the password string. The following equations describe the encryption technique used by IDM. It is analyzed during the research that the key used for encryption is $K = 00001111$ (0F).

$$P \oplus K = E \quad (1)$$

$$P \oplus E = K \quad (2)$$

Eqs. (3) and (4) are obtained from Table 2:

$$P = \text{A} / 41 / 01000001 \quad (3)$$

$$E = \text{N} / 4\text{E} / 01001110 \quad (4)$$

Putting Eqs. (3) and (4) in Eq. (2):

$$01000001 \oplus 01001110 = 00001111 \quad (5)$$

$$K = 00001111 / 0\text{F} / \text{SI} \quad (6)$$

Therefore, from Eq. (6) it is observed that the key is ‘SI’ as shown in Fig. 8.

Fig. 8 – ASCII/Hexadecimal conversion table in WinHex.
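As an added example (not part of the paper or of IDM itself), the following Python script reproduces the XOR-with-0x0F substitution derived in Eqs. (1)–(6) and checks it against every plaintext/ciphertext pair in Table 2, including the trailing 0x00 terminator; the function names are ours, and the test vectors are transcribed from the paper's Table 2.

```python
# Added example: verify the IDM password obfuscation described in Section 4.
# The key 0x0F and the Table 2 vectors come from the paper; function names are ours.

IDM_KEY = 0x0F  # ASCII 'SI' (Shift In): every byte is XORed with this value


def idm_encode(plaintext: str) -> bytes:
    """Reproduce the stored form: XOR each byte with 0x0F, then append the
    single 0x00 terminator the paper observed at the end of every value."""
    data = plaintext.encode("latin-1")
    return bytes(b ^ IDM_KEY for b in data) + b"\x00"


def idm_decode(stored: bytes) -> str:
    """Recover the plaintext from a stored registry value. XOR is its own
    inverse, so the same key undoes it; the 0x00 terminator is stripped."""
    if not stored or stored[-1] != 0x00:
        raise ValueError("stored value lacks the expected 0x00 terminator")
    return bytes(b ^ IDM_KEY for b in stored[:-1]).decode("latin-1")


def hex_dump(data: bytes) -> str:
    """Space-separated upper-case hex, matching the WinHex notation of Table 2."""
    return " ".join(f"{b:02X}" for b in data)


# Vectors transcribed from Table 2 (0x7F in the last row is the DEL character,
# which the WinHex ASCII pane cannot render; the hex column is authoritative).
TABLE2 = [
    ("AAAAaaaa", "4E 4E 4E 4E 6E 6E 6E 6E 00"),
    ("NNNNnnnn", "41 41 41 41 61 61 61 61 00"),
    ("0123456789:;<=>?", "3F 3E 3D 3C 3B 3A 39 38 37 36 35 34 33 32 31 30 00"),
    ("C0MP13Xp@$$w0rd", "4C 3F 42 5F 3E 3C 57 7F 4F 2B 2B 78 3F 7D 6B 00"),
]


def verify_table2() -> bool:
    """True when every Table 2 pair round-trips through encode and decode."""
    for plain, expected_hex in TABLE2:
        stored = idm_encode(plain)
        if hex_dump(stored) != expected_hex or idm_decode(stored) != plain:
            return False
    return True


def nibble_check(plain: str) -> bool:
    """Confirm the Section 4 observation for every byte: the upper nibble is
    unchanged and the lower nibble is the bitwise complement."""
    for p, e in zip(plain.encode("latin-1"), idm_encode(plain)[:-1]):
        if (p >> 4) != (e >> 4) or (p & 0x0F) != (~e & 0x0F):
            return False
    return True


if __name__ == "__main__":
    print("Table 2 verified:", verify_table2())
    print("nibble pattern holds:", nibble_check("C0MP13Xp@$$w0rd"))
    print("decoded:", idm_decode(bytes.fromhex("4C3F425F3E3C577F4F2B2B783F7D6B00")))
```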
5. Conclusion
Artefacts of download activities are grouped together in a hierarchy under a root tree. This layout can be seen both in the Windows registry and in the directory structure. Therefore, it is relatively less complicated for forensic examiners to collect information from the registry and directory structure. A forensic tool (similar to the DAP Forensic Artefact Collector) can also be designed to compile the footprints of IDM activities with a single click. Another beneficial aspect found during the research is that date and time are stored en clair, not encoded in a little-endian or big-endian binary format, which saves investigation time and accelerates the forensic artefact gathering process.
References

Access Data. Registry Viewer. Access Data Corp, http://www.accessdata.com/products/rv/; 2010.
Carvey H. The Windows registry as a forensic resource. Digital Investigation 2005;2:201–5.
Farmer DJ. A forensic analysis of the Windows registry, http://eptuners.com/forensics/Index.htm; 2007.
Internet Download Manager. Internet Download Manager features. Internet Download Manager Corp, http://www.internetdownloadmanager.com/features.html; January 2010.
Resplendence. Registrar Lite. Resplendence Software Projects Sp, http://www.resplendence.com; 2008.
Vivienne Mee, Theodore Tryfonas, Iain Sutherland. The Windows registry as a forensic artefact: illustrating evidence collection for Internet usage. Digital Investigation 2006;3(3):166–73.
X-Ways. WinHex 15.4, X-Ways Software Technology AG, http://www.x-ways.net/winhex.zip; 2009.
Yasin M, Wahla MA, Kausar F. Analysis of Download Accelerator Plus (DAP) for forensic artefacts. In: Proceedings of the 5th International Conference on IT Security Incident Management and IT Forensics (IMF ’09), Stuttgart, Germany. pp. 142–152. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=5277879&isnumber=5277834; September 2009a.
Yasin M, Wahla MA, Kausar F. Analysis of Free Download Manager for forensic artefacts. In: Proceedings of the Digital Forensics and Cyber Crime First International ICST Conference, ICDF2C 2009, Albany, NY, USA. pp. 59–68. Available at: http://www.springerlink.com/content/u740q85rv08k744q/; October 2009b.