Probably Shared via Ares

[paulobreim]

I am examining a hard drive, and IPED-SearchApp.exe detected 29 files that marked in the markers tab the expression: "Probably Shared via Ares".
I did a search with ext:ares and found 11 files that were not deleted, and 64 that were deleted, all with names carved-xxxx.ares and all with a size of 1,000,000.

In one of these files, the preview shows 41 lines with the file path as: C:\Users\USER\AppData\Local\Ares\My Shared Folder\FILE NAME. The Shared column is marked yes.

However, I did not find the Ares program (Ares Galaxy) installed on this computer, which is normally located in C:\Users\USER\AppData\Local\Ares

How did IPED conclude that "Probably Shared via Ares"? Is it because of this "shared" column? If so, why only 29?

Considering that the Ares program was not found on this computer, I am left wondering about the correct conclusion:
1 - Could it have been copied from another computer?
Yes, but it would normally be more common to copy mp4 files, and not .ares files.
2 - The Ares program may have been uninstalled, but IPED recovered these .ares files with the information inside.
3 - Can it be considered, with certainty, that there was sharing on this computer?

tks
paulo

[wladimirleite]

Hi @paulobreim!

Ares Galaxy control files are usually named ShareL.dat and ShareH.dat.
The ".ares" extension is added by IPED when recovering them through a carving (signature based) process.
The header signatures are defined in conf\CarverConfig.xml.
However, there is no footer (a signature in the end of the file), so IPED uses a fixed length to "cut" the carved item (maxLength, also defined in the same XML, which default is 1,000,000).

If all your files were carved, they are not "active files", and were recovered by IPED from unallocated space, file slacks, pagefile.sys and other disk areas covered by the carving process.
So, from what you described, I believe the most likely scenario is that Ares was installed and later removed.
Try to search for ares.exe and shareh.dat in your case, and see if you can find any traces of these files.

About the sharing, the column you mentioned "Shared" is in fact used by IPED, so sharing must be enabled for a given entry. This is the default behavior, and usually is enabled, but it can be modified by the user.

In the bookmark "Probably Shared via Ares" are included files that were located in the case (SHA-1, present in the Share[H/L].dat entries, is used to match) AND the flag "Shared" is enabled.

[paulobreim]

Thanks for the reply. It really makes perfect sense.