README.txt for ATC-NY eMule Reader[tm]
-------------------------------------------

Copyright (c) 2011 Architecture Technology Corporation.  All rights reserved.


The eMule Reader tools parse and print the contents of evidence files
associated with the eMule P2P file-sharing client. These tools are run
directly against individual eMule evidence files. You must be familiar with
command-line tools to use these programs.

http://www.cybermarshal.com/index.php/cyber-marshal-utilities/emule-reader

If you are interested in a full-featured forensic tool that can parse
and interpret evidence files from eMule and other P2P file-sharing clients,
see P2P Marshal: http://www.p2pmarshal.com/

See LICENSE.txt for license information.


Usage:

The eMule Reader tools are a collection of ten command-line utilities, each
of which targets a different type of eMule evidence file. The name of each
utility and the type of evidence file it parses are listed below:

Tool                    Parses
----------              ----------
ParseCancelled          cancelled.met
ParseClients            clients.met
ParseKeyIndex           key_index.dat
ParseKnown              known.met, known2.met, known2_64.met
ParseLoadIndex          load_index.dat
ParseNodes              nodes.dat
ParsePartMet            .part.met files (e.g., 001.part.met)
ParseServer             server.met
ParseSourceIndex        src_index.dat
ParseStoredSearches     StoredSearches.met

Each eMule Reader utility has a similar command-line syntax. Running
an eMule Reader utility with no parameters or with the -h option will
print the utility's usage message and exit. For example:

> ParseCancelled.exe
ParseCancelled: parse eMule cancelled.met files.
  Copyright (c) 2011 by Architecture Technology Corporation.
  All rights reserved.
  http://www.cybermarshal.com/

Usage: ParseCancelled.exe [-dh] <infile>
       ParseCancelled.exe [-dh] -i <infile> -o <outfile>

Options:
  -i <infile>     parse the cancelled.met file at <infile>
  -o <outfile>    output the results to the file <outfile>
  -d              enable debugging output
  -h              print this help message and exit

There are two ways of invoking an eMule Reader utility:

ParseCancelled.exe cancelled.met
	This command will parse the file "cancelled.met" and print the output
	to the terminal window.
ParseCancelled.exe -i cancelled.met -o cancelled.txt
	This command will parse the file "cancelled.met" and write the output
	to the file "cancelled.txt".

All eMule Reader utilities also support the -d option, which causes
additional debugging messages to be printed.

Two eMule Reader utilities have additional options, listed below.

ParseKnown:
	ParseKnown reads known.met, known2.met, and known2_64.met files, which
	have different formats. If you are parsing a known.met file, specify
	the -1 option when running ParseKnown. If you are parsing a known2.met
	or known2_64.met file, specify the -2 option. If neither option is specified,
	ParseKnown operates as if the -1 option were specified.

ParseStoredSearches:
	If the -r option is specified, the search results from stored searches
	are also printed.
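
Batch example (added here; not part of the ATC-NY distribution): a Python
helper that picks the right utility and the ParseKnown -1/-2 option for each
evidence file and builds the "-i <infile> -o <outfile>" command line.
Assumptions: every utility is named <Tool>.exe like ParseCancelled.exe, extra
options go before -i, and the "<name>.txt" output naming is chosen here.

```python
from pathlib import Path

# Evidence file name (lower-cased) -> (utility, extra options), from the table above.
# known.met needs -1; known2.met and known2_64.met need -2 (the default is -1).
TOOLS = {
    "cancelled.met": ("ParseCancelled", []),
    "clients.met": ("ParseClients", []),
    "key_index.dat": ("ParseKeyIndex", []),
    "known.met": ("ParseKnown", ["-1"]),
    "known2.met": ("ParseKnown", ["-2"]),
    "known2_64.met": ("ParseKnown", ["-2"]),
    "load_index.dat": ("ParseLoadIndex", []),
    "nodes.dat": ("ParseNodes", []),
    "server.met": ("ParseServer", []),
    "src_index.dat": ("ParseSourceIndex", []),
    "storedsearches.met": ("ParseStoredSearches", []),
}


def build_command(evidence, out_dir, search_results=False):
    """Return the argv list for one evidence file, or None if no utility parses it."""
    evidence = Path(evidence)
    name = evidence.name.lower()
    if name.endswith(".part.met"):        # e.g. 001.part.met
        tool, opts = "ParsePartMet", []
    elif name in TOOLS:
        tool, opts = TOOLS[name]
    else:
        return None
    opts = list(opts)                     # copy so the table is never modified
    if tool == "ParseStoredSearches" and search_results:
        opts.append("-r")                 # also print stored search results
    # Assumed layout: <Tool>.exe [options] -i <infile> -o <out_dir>/<name>.txt
    out_file = Path(out_dir) / (evidence.name + ".txt")
    return [tool + ".exe", *opts, "-i", str(evidence), "-o", str(out_file)]


def plan(evidence_files, out_dir, search_results=False):
    """Split a file listing into commands to run and files no utility handles."""
    commands, skipped = [], []
    for f in evidence_files:
        cmd = build_command(f, out_dir, search_results)
        if cmd:
            commands.append(cmd)
        else:
            skipped.append(str(f))
    return commands, skipped
```

Each returned list can be passed to subprocess.run() on the analysis
workstation; point out_dir at a location outside the evidence copy.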
