DISCOVERING TRIBLER FOR FORENSIC EXAMINATION
By Nanni Bassetti – http://www.nannibassetti.com

This is an OPEN DOCUMENT written to be improved by the readers, because I wrote it using only experiments on this program and its structure.

Tribler is a famous new bittorrent client, it is open source, it is different from the others bittorent clients because it is a peer-to-peer client, but maybe Wikipedia could help me to explain it better:

From: http://en.wikipedia.org/wiki/Tribler

"Tribler is an open source peer-to-peer client with various features for watching videos online. The user interface of Tribler is very basic and focused on ease of use, instead of including features.[2] Tribler is based on the BitTorrent protocol and uses an overlay network for content searching.[3] Due to this overlay network Tribler does not require an external website or indexing service to discover content.[4] Tribler features include: video-only searching, experimental video streaming, and an integrated video player. Tribler is available for Linux, Windows and OS X."

The scope of this paper is to make a first classification of the most interesting things we can consider to find out the downloaded files with Tribler.

We can examine these files (in a Windows OS):

1) C:\Program Files (x86)\Tribler\triblere.exe.log or c:/users/USERNAME/tribler.exe.log

2) C:\Users\USER_NAME\Desktop\TriblerDownloads

3) C:\Users\USER_NAME\AppData\Roaming\.Tribler\recent_download_history (HERE WE CAN FIND WHERE IS THE DOWNLOAD DIRECTORY)

4) C:\Users\USER_NAME\AppData\Roaming\.Tribler\sessconfig.pickle (Tribler settings)

Then there is a directory named:

C:\Users\USER_NAME\AppData\Roaming\.Tribler\seeding_manager_stats

where we can find files named with an hash code like:

if we open it, we can see something like this:

(dp1
S'time_seeding'
p2
F59.470001028611229
sS'total_down'
p3
L1051454L
sS'version'
p4
I1
sS'total_up'
p5
L0L
s.

Where 1051454 is the size of the file in bytes the user downloaded.

Then, we can go into

and find for the same file name
f4aed57f74ac8dX4af3fd1ae6b5XX1eX2b881692.pickle

and open it with a text editor like Notepad++, we can find there the file name the user downloaded, e.g. “johndoe.pdf’

So, now we can cross the filename we found there with the file name we found into the C:\Users\USER_NAME\Desktop\TriblerDownloads

If the user deleted that file we can try to retrieve it by data carving or deleted file recovering...

We can affirm that the file “johndoe.pdf” has been downloaded by that computer for sure, because these tracking files and because the tribler.exe.log.

We have others evidences to affirm that “johndoe.pdf” has been downloaded, we can examine the SqlLite database

We can look into the table MyPreference  for the downloaded files, the table is:  

The creation_time is in Unix epoch time UTC the ending time of the download.

Unix Epoch time conversion: 1359531172 --> 2013-01-30 07:32:52. UTC

So, if we query the table “Torrent”:

We can see the starting creation time (field insert_time of the Torrent table) in Unix time and we can convert it in human timestamp in UTC.

Unix Epoch time conversion: 1359531111 --> 2013-01-30 07:31:51. UTC

We can say that the download started at 07:31:51 and ended at 07:32:52 on 2013-01-30.

http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index

and a Unix Time converter online
http://www.onlineconversion.com/unix_time.htm 
or DCode
http://www.digital-detective.co.uk/freetools/decode.asp