CST - P2P Marshal Frequently Asked Questions

Cyber Security Technologies Corporation (CST) is the innovation leader in affordable software products for computer investigations. CST was formed by industry veterans who see the need for new investigative tools designed for the changing investigative environment. We are dedicated to delivering technically advanced but easy-to-use software products for corporations, government agencies, service providers and law enforcement, as well as related training and certification. CST is an affiliate of Architecture Technology Corporation, a technology company specializing in software-intensive solutions for complex problems in IT security and high-security network computing applications. Learn more...

P2P Marshal™ Frequently Asked Questions

Are any help files or documentation available for P2P Marshal Forensic Edition?
Yes. A copy of the P2P Marshal Documentation is installed along with P2P Marshal. There is a link to it in the P2P Marshal Start Menu group and you can find it in the P2P Marshal directory.
Does the installation of P2P Marshal Forensic Edition Version 2 overwrite Version 1?
No. Each version stores itself in a directory named (by default) “P2P Marshal XXX” where XXX is the version number (e.g., 2.1.0).
Both versions may be accessed from the Start Menu. The desktop icon, however, WILL be the shortcut to the new version you install. (You can create a second shortcut to point to an older version.)
Can P2P Marshal Version 2 read data acquired with Version 1?
No. You need to use Version 1 to read files acquired with Version 1.
Can P2P Marshal Version 2 target E01 files?
Yes, but not directly. You need to mount the files from EnCase using the physical disk emulator (PDE). The PDE should point to the top directory of the image (i.e., \) and not the directory that contains data (e.g., \Documents and Settings\Suspect\Application Data\LimeWire).

Mount Image Pro can be used in a similar fashion to present a physical drive to P2P Marshal.
Can P2P Marshal Forensic Edition 2.1 target network shared drives?
No. The Forensic Edition only supports locally or physically mounted disks.
I've mounted a disk image with EnCase / Mount Image Pro, but P2P Marshal isn't recognizing it, what's going on?
EnCase and Mount Image Pro can mount a disk image either as a physical disk or as a network share. Make sure you are mounting the disk image as a physical disk (for example, using EnCase's Physical Disk Emulator) and not as a network share.
P2P Marshal doesn't seem to recognize eMule and I know it's installed on the target disk. Am I doing something wrong?
No, it is not your fault. P2P Marshal does not currently support eMule.
Supported clients include LimeWire, Frostwire, BitTorrent 5 and 6, uTorrent, and Azereus Vuze. P2P Marshal has limited support for Kazaa.

If you frequently see a client we don't support, please tell us so that we can put it on our future features list. Send email to support at p2pmarshal dot com.
Does P2P Marshal parse LimeWire spam.dat files? If so, can I run the program on only that file? I have preserved the whole LimeWire folder, but do not have access to the whole image set at this time.
P2P Marshal does not currently parse and display the contents of the spam.dat file. It appears that LimeWire does not differentiate between keywords that are user-specified search terms and those that are automatically added by the LimeWire spam filter.
I made multiple disk images and placed them on a hard drive and tried to run P2P Marshal on them, but it said no client installations found, yet I could see some P2P client directories with (FTK, EnCase, ProDiscover, iLook, etc.). Why doesn't it work?
P2P Marshal does not operate directly on image files. You need to use a physical copy of the disk or mount the disk image file so that it appears as a drive on the system (that is, it has its own drive letter). You can do this with EnCase's PDE or with a variety of third-party tools.

So, for example, if you mount evidence.e01 so that it is available as the Z: drive in Windows, then you would run P2P Marshal, create a new acquisition, and specify the Z: drive as the target to analyze.
P2P Marshal says, "No users found for this P2P client," but I know there is evidence for that client on the disk. How can I fix this?
You may not have permission to access the appropriate files on the disk or mounted disk image. Try to access files in the user's directory and in the user's Application Data / AppData directory in Windows (not using EnCase or FTK). You must be able to access the contents of these directories for P2P Marshal to function properly.
When I attached P2P Marshal Field Edition (the USB thumb drive) to the suspect's computer, a Windows device manager pop-up appeared saying that drivers were being installed. What is being installed?
P2P Marshal Field Edition does not install any drivers on the target machine. Windows, however, may automatically install drivers to handle the USB thumb drive, as it would with any USB drive.

Also note: The data produced by P2P Marshal Field Edition should be stored on a separate evidence disk. If an investigator attaches a generic USB disk for data collection, then the changes to the target system will be similar to the following.

The following results are from a test using a blank P2P Marshal Field Edition thumb drive attached to a Windows Vista virtual machine test system:

The P2P Marshal Field Edition USB device uses the USB storage and generic disk storage drivers. On the Vista test system, it also uses the UMBus and WPD drivers, both of which are associated with portable disk devices. If these drivers are not currently active, they will be activated. If the drivers are not currently installed, they will be automatically installed. These drivers are all stock Windows drivers.

On the test system, both the usbstor and wpdfs drivers are automatically installed, creating USBSTOR.SYS and UMDF\WpdFs.dll drivers in C:\Windows\System32\drivers and PNF files in subdirectories of C:\Windows\System32\DriverStore\FileRepository. The files usbstor.PNF and wpdfs.PNF in C:\Windows\inf are modified. The installation also modifies files in C:\Windows\SoftwareDistribution\DataStore and C:\Windows\System32\wbem\Repository.

The process of installing drivers, activating drivers, and attaching new hardware writes to various Windows log files.

Each driver has a registry entry in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class containing information about the driver. The drivers also create or modify the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WUDF\Services\WpdFs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\UMB\UMB\1&841921d&0&WpdBusEnumRoot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles

C:\Windows\system32\drivers\USBSTOR.SYS and C:\Windows\system32\DRIVERS\UMDF\WpdFs.dll are added to the list maintained in the registry key, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\umbus\Enum.

Information about the USB device itself appears in multiple locations in the registry, partly because it is represented or listed with multiple subsystems. Registry keys or values containing USB device information are created in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{EEC5AD98-8080-425F-922A-
DABF3DE3F69A}\0000\DeviceData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\WpdBusEnumRoot\UMB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd\Enum

The following registry keys are modified to contain information about the USB device:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ecache\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\volsnap\Enum
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

In the active user's registry, Explorer and SyncMgr create information about the USB device in the following keys:
HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_USERS\[SID]_Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\
SyncMgr\HandlerInstances

The following USB-related keys are created on our test system:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbflags\130701630100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbstor\05AC12xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\usbstor\05AC13xx

In addition, the following keys are created on our test system during this process:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host\Description\{8DD4CA8A-
D5E2-49BE-BDA9-5E5A3B95442F}\UDNMappings\uuid:ea2e2afc-d1a2-4193-89cf-a9457aa5f489
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host\HTTP Server\VROOTS\/upnphost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
Reporting\RebootWatch
What is the cost of P2P Marshal Forensic Edition and P2P Marshal Field Edition ?
P2P Marshal Forensic Edition is priced at $995. A 30-day free trial is available by sending us an email using your work e-mail address to sales at p2pmarshal dot com. Please include your company or agency name, your name, your address and your telephone number.

P2P Marshal Field Edition is priced at $2,495. A trial version of P2P Marshal Field Edition is not available. However, a full refund is available if the product is returned within 30 days of receipt. P2P Marshal Field Edition may be ordered here (pdf).