Windows Shell Item Artifacts


Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 9:03 am

H,
I think you answered your own question.
- keydet89
It doesn't make sense. Further, some shell items are much larger, and contain much more information...very little of which appears to actually be used.

The only reason to use an item of limited value is to either reinforce other weak findings or when there are no other items of evidentiary value.

For example, in an IP case, say the examiner found incriminating e-mails, AutoCAD files, and a copy of a wire transfer receipt; how helpful is a 21-byte artifact that just shows a drive letter? Conversely, if the same examiner just has a file name in a jump list for a removable drive and is looking for other corroborating evidence, that same 21-byte artifact may make a difference.

BitHead
Senior Member
 
 
  

Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 9:24 am

- BitHead

The only reason to use an item of limited value is to either reinforce other weak findings or when there are no other items of evidentiary value.


Thanks, but what I was referring to was the use of the shell items as part of the operating system. Shell items seem to be most often used to maintain information regarding paths...a "blob" of data several hundred bytes in size will be used to maintain information about a directory, where "system32" would suffice.

However, to your point regarding "evidentiary value"...I agree with your point about using other items to support weak findings. In fact, I generally tend to try to support my findings, without identifying them as "weak"...if I have 6 facts to support a finding, I'll use all 6.

- BitHead

For example in an IP case say the examiner found incriminating e-mails, AutoCad files, and a copy of a wire transfer receipt; how helpful is a 21-byte artifact that just shows a drive letter? Conversely if the same examiner just has a file name in a jump list for a removable drive and is looking for other corroborating evidence that same 21-byte artifact may make a difference.


Again, my reference to the size of, or amount of space used to contain an artifact was more to the point of, "I don't know why the developers would choose to do this...".

However, I do see and agree with your point regarding the relative value of the artifact...in part because I've seen the same thing.

Here's an example...Jacky Fox recently posted her dissertation, which had to do with the pitfalls of interpreting Registry data. One of the things she found out...by looking at the traditional means of identifying USB devices connected to Windows systems...is that the MountPoints2 artifacts are created for all logged on users, not just the user who connected the device to the system. Okay, good to know...but how do we find out which user actually accessed the device?

One way to approach this issue is to look to shellbag artifacts. For example, one of the shell item types is for a "device", which identifies devices that may not show up in the Enum\USBStor key. So, not only would you be able to identify the particular user who accessed the USB device (via drive letter mapping) but you could also use shellbags (shell items) as a means of identifying devices that do not show up via the traditional identification methodologies.

So....back to my original point. Without a discussion of these artifacts, there's little chance for understanding and developing means for understanding the artifacts, as well as developing analysis techniques that fully employ these artifacts.

keydet89
Senior Member
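As an added example (not code from this thread or from either poster), the script below shows the two things discussed above in working form: parsing a shellbag path (an ITEMIDLIST of concatenated shell items) far enough to recover the small volume item that carries a drive letter such as "E:\", and then cross-referencing those drive letters, per user profile, against the MountedDevices values that name a USBSTOR device, so that access to a removable volume can be attributed to the profile whose shellbags reference it. The shell item field layouts are an assumption drawn from the publicly documented format (only the root, volume and folder fields needed here are decoded, and the extension blocks that real 0x31 items carry are ignored); the BagMRU blobs, the user names and the MountedDevices values are constructed sample data, not taken from any real system.

```python
"""
Added example (not code from the thread or from the posters): parse a
constructed shellbag ITEMIDLIST, pull out the volume (drive-letter) items,
and cross-reference them against a constructed MountedDevices map so that
USB volume access can be attributed to a user profile.
"""
import struct
import uuid

# CLSID of "My Computer", the usual root of a BagMRU path.
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")


def describe_item(ctype, item):
    """Render one shell item. Layouts follow the public shell item format notes
    (assumption); only the fields needed here are decoded, no extension blocks."""
    if ctype == 0x1F and len(item) >= 20:           # root folder: sort index + CLSID
        return "root:{%s}" % uuid.UUID(bytes_le=item[4:20])
    if ctype & 0x70 == 0x20:                         # volume item (0x2F): ASCII drive name
        name = item[3:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return "volume:" + name
    if ctype & 0x70 == 0x30 and len(item) > 14:     # file/folder item: short name at offset 14
        name = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return ("folder:" if ctype & 0x01 else "file:") + name
    return "type_0x%02x" % ctype


def parse_itemidlist(blob):
    """Split a concatenated shell item list into (class_type, description) pairs.
    Each item starts with a little-endian uint16 size that includes itself;
    a zero size terminates the list."""
    items, off = [], 0
    while off + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, off)[0]
        if size == 0:
            break
        if size < 3 or off + size > len(blob):
            raise ValueError("malformed shell item at offset %d" % off)
        item = blob[off:off + size]
        items.append((item[2], describe_item(item[2], item)))
        off += size
    return items


# --- constructed sample data (not from any real system) -------------------

def _item(ctype, body):
    return struct.pack("<HB", 3 + len(body), ctype) + body

def _root(clsid):
    return _item(0x1F, b"\x50" + clsid.bytes_le)                            # 20 bytes

def _volume(letter):
    return _item(0x2F, (letter + ":\\").encode("ascii").ljust(17, b"\x00"))  # 20-byte drive-letter item

def _folder(name):
    body = b"\x00" + struct.pack("<IHHH", 0, 0, 0, 0x10) + name.encode("ascii") + b"\x00"
    if (3 + len(body)) % 2:
        body += b"\x00"
    return _item(0x31, body)

SHELLBAGS = {  # user profile -> one BagMRU path as an ITEMIDLIST (constructed)
    "alice": _root(MY_COMPUTER) + _volume("E") + _folder("Docs") + b"\x00\x00",
    "bob":   _root(MY_COMPUTER) + _volume("C") + _folder("Users") + b"\x00\x00",
}

MOUNTED_DEVICES = {  # HKLM\SYSTEM\MountedDevices values (constructed)
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + b"\x00" * 8,   # fixed disk: signature + offset
    "\\DosDevices\\E:": ("\\??\\USBSTOR#Disk&Ven_Example&Prod_Flash#SERIAL0001&0#"
                         "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}


def usb_drive_letters(mounted):
    """Map drive letter -> device string for MountedDevices entries naming a USBSTOR device."""
    out = {}
    for key, value in mounted.items():
        try:
            text = value.decode("utf-16-le")
        except UnicodeDecodeError:      # binary (fixed disk) values are not device strings
            continue
        if text.startswith("\\??\\USBSTOR#"):
            out[key.rsplit("\\", 1)[1]] = text
    return out


def attribute_usb_access(shellbags, mounted):
    """Return user -> [(drive letter, USB device string)] for every shellbag volume
    item whose drive letter MountedDevices maps to a USB storage device."""
    usb = usb_drive_letters(mounted)
    hits = {}
    for user, blob in shellbags.items():
        for _ctype, desc in parse_itemidlist(blob):
            if desc.startswith("volume:"):
                letter = desc[len("volume:"):].rstrip("\\")
                if letter in usb:
                    hits.setdefault(user, []).append((letter, usb[letter]))
    return hits


if __name__ == "__main__":
    for user, blob in SHELLBAGS.items():
        print(user, [d for _, d in parse_itemidlist(blob)])
    for user, found in attribute_usb_access(SHELLBAGS, MOUNTED_DEVICES).items():
        for letter, device in found:
            print("%s browsed %s -> %s" % (user, letter, device))
```

The drive letter is the join key: MountPoints2 tells you a volume GUID was seen by every logged-on profile, MountedDevices ties a drive letter to the USBSTOR device string, and only the profile whose own BagMRU contains a volume item for that letter actually browsed it. Drive letters get reused, so on a real system the MountedDevices mapping has to be read as of the time the shellbag entry was written, which this sample does not model.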
 
 
  

Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 10:19 am

- keydet89
Again, my reference to the size of, or amount of space used to contain an artifact was more to the point of, "I don't know why the developers would choose to do this...".
Although it is a rather trite answer, it is probably because one group of developers at MS needed it for something and never consulted with the Registry developers or any other group to see if the data was already stored somewhere else. Of course we mere mortals will likely never know.

- keydet89
So....back to my original point. Without a discussion of these artifacts, there's little chance for understanding and developing means for understanding the artifacts, as well as developing analysis techniques that fully employ these artifacts.
I agree; unfortunately, the limited value and the limited number of times these artifacts are needed in a case will also limit the amount of time researcher/examiners such as yourself and examiners in the trenches (who typically cannot take the time to look past the next case and will await your next tome) can devote to looking at these items. And as you have posted before (on several occasions), if no one is clamoring for information about an item, what motivation do you have to invest time and effort into the research?

BitHead
Senior Member
 
 
  

Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 11:51 am

- BitHead
I agree, unfortunately the limited value and the limited number of times these artifacts are needed in a case will also limit the amount of time researcher/examiners such as yourself and examiners in the trenches (who typically cannot take the time to look past the next case and will await your next tome) can devote to looking at these items. And as you have posted before (on several occasions) if no one is clamoring for information about an item what motivation do you have to invest time and effort into the research.


Well, I don't think that these artifacts are of limited value, per se.

For example, these artifacts can show accesses to folders and even zipped archives that no longer exist on the system.

In this particular case, I'm trying to raise awareness of these artifacts by engaging in a discussion, so that analysts will look at them and incorporate them in analysis. I've posted to my blog regarding unique artifacts with respect to off-system communications that were *only* available via shellbag analysis.

- BitHead
...will await your next tome...


Yeah, well, few seem to read those "tomes", and one of the hardest parts about creating the "next tome" is the lack of feedback regarding the current one(s)...

keydet89
Senior Member
 
 
  

Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 12:42 pm

- keydet89
Yeah, well, few seem to read those "tomes", and one of the hardest parts about creating the "next tome" is the lack of feedback regarding the current one(s)...
I am, to say the least, surprised. Our lab manager buys a copy of the current edition for each examiner, and I cannot imagine a lab without at least one copy. If we as examiners are not supporting the research of our peers, that is a sad testament.

BitHead
Senior Member
 
 
  

Re: Windows Shell Item Artifacts

Posted: Wed Dec 12, 2012 1:58 pm

Buying the copies is much appreciated...but without feedback in any endeavor, there's no improvement...or at least, it's limited.

keydet89
Senior Member
 
 
  

Re: Windows Shell Item Artifacts

Posted: Thu Dec 13, 2012 7:39 pm

In terms of feedback....they're great as reference material...I think I use them in every job I do,
and shellbags are definitely something I'm going to be looking into.

The most common questions I get are:
"did the user have knowledge of this file"
or "is there evidence of user activity"
or "can you get deleted data off an iPhone 4S" (last one's a joke, but I seriously get the question at least once a week)


I would like to see you team up with some of the "internet" guys like Jad from Magnet or the Digital Detectives to try to put together something to do with the potential artefacts that indicate social networks or online mail clients etc.

randomaccess
Senior Member
 
 
Page 2 of 3