Official eMule-Board: Emule: Machine Identification / Tracking / Tracking - Law Enforcement - Official eMule-Board


Emule: Machine Identification / Tracking / Tracking - Law Enforcement Tracking Emule Traffic To A Particular Machine

#1 retsmah

Posted 05 November 2016 - 07:57 PM

A building was subject to a law enforcement raid into illegal downloads using P2P software. During the actual raid the machine responsible was identified (from other machines analysed at the time of the raid). (The machine was not sharing any fully downloaded files, but had many partial downloads that it had for many months. The "view other shared files" feature was disabled.)

Anyone know how this was achieved?


When Downloading & Searching for files and using eMule in general (using AllServers & KAD Network, + anything else) what information does eMule provide that can be used to trace the request back to the physical destination & especially identify a particular machine?

For example, I see it requires sending out its machine's IP address when receiving and sending files. This allows tracking back to a physical location. Once the physical location has been determined, is there any information that allows the machine in the location to be uniquely (or kind of uniquely) identified (if the machine was inspected)?

Does Emule send out:

  • the network adaptor's MAC Address? (in any form, whether separate or integrated within a value)?
  • operating system user account name, or version, unique ID, or other details?
  • Serial Numbers or Volume Names of Hard Disks or other hardware?
  • A unique eMule identifier (e.g. for a particular eMule installation)?
  • other files a user is downloading? (when viewing shared files is turned off)
  • anything else?

This post has been edited by retsmah: 05 November 2016 - 08:01 PM


#2 Some Support

Posted 05 November 2016 - 11:03 PM

retsmah, on 05 November 2016 - 07:57 PM, said:

  • the network adaptor's MAC Address? (in any form, whether separate or integrated within a value)?
  • operating system user account name, or version, unique ID, or other details?
  • Serial Numbers or Volume Names of Hard Disks or other hardware?
  • anything else?


No

retsmah, on 05 November 2016 - 07:57 PM, said:

  • A unique eMule identifier (e.g. for a particular eMule installation)?


Yes. It's called the "Userhash" and explained in the help files. It's a part of the network protocol and used for all basic actions (during a session) and the queue/credit/friend/message functions (persistent). eMule isn't trying to "hide" anything from someone who has physical access to your computer. If you do want this, your best course of action is either using hard drive encryption or using eMule in the "portable" mode, where it stores the config files right in the directory it is installed to - for example a USB stick - and delete the config files / remove the USB stick after using it.

#3 retsmah

Posted 06 November 2016 - 05:52 PM

Yes, I was aware of the UserHash (although I did not mention it), but from my analysis eMule does try to hide this from someone who has physical access to a computer; it does this by encrypting it (?). (I also see eMule makes the encryption key available (?).)

#4 xSTHNSx

Posted 06 November 2016 - 08:33 PM

That has nothing to do with making you anonymous. Your IP is visible to the uploader when you request chunks, as you can see their IP as they can see your IP, thus transfer is possible.