Shellbag analysis


Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 9:17 am

Greg,

Wonderfully detailed post, thanks for taking the time to write it!

Chris_Ed
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 9:26 am

I used MiTeC Registry Analyser (latest version as of April 2012, 1.5.2 I think) and compared the results with X-Ways registry reporting.

I was, in this case, not concerned so much with the dates that were there, but rather the directory names and the contents.

I had several indicators of TrueCrypt being used in conjunction with Limewire and I knew how Limewire was set up by looking in limewire.props.

Once I had the save and share paths from .props, I looked in the shellbags to see how his file system was organized on all his folders inside the TrueCrypt container. It was hard for him to argue accidental downloads when he had a folder for his family pics, folders for adult porn, and many separate folders for CP.

I used the full reports from the MiTec tool as exhibits in the case. I had reports from 2 machines showing very consistent information.

In my case the shellbags gave me 'x-ray vision' into the encryption so to speak.

I also used fileurns.cache to see what was inside the encryption and since the hash value is in fileurns.cache, I could say with certainty the exact files that were in the encryption on a given date.

*EDIT* my case was based around Windows XP as well

EricZimmerman
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 9:46 am

Just played with the TZWorks sbags tool a bit. I like it A LOT better than MiTec. The layout and dates are really nice.

EricZimmerman
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 9:56 am

H

Check this out:

tzworks.net/prototype_...roto_id=14

especially this section as it speaks to the DOS dates you mention:

Timestamp Verification
For sbag algorithm updates we internally perform regression testing as a normal course of action to verify the entries are valid. Likewise, it is highly recommended that any user of our tools do some sort of integrity validation to ensure the data reported is accurate. Below is a quick way of one way to verify the timestamps reported by sbag reflect the raw data.
One starts out by identifying where the source of an entry came from (shown as #1 in the diagram). This can be viewed in the last column of the sbag output. Next, one can use any registry viewer to extract the binary data from the appropriate cell value (shown as #2 in the diagram). For the example below we used yaru to extract and review the binary data. The timestamps embedded are DOS based (vice FILETIME based), and thus are four byte values. After locating the three DOS timestamps, one converts these timestamps into a readable form. Step #3 below shows a multipurpose utility we use to convert between various time formats, however, any trusted time-conversion tool that is available will suffice.  

EricZimmerman
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 12:14 pm

Eric,

Thanks, I've seen that, and I've seen all of the stuff that Greg posted. But again, that does not really go toward answering my question.

I'm trying to ascertain how you...you...as an analyst, use the time stamps in your analysis. I'm beginning to believe that based on all of the redirection that's going on, no one really does use those timestamps.  

keydet89
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 12:20 pm

Well, in my last case that I used them, I didn't really use the timestamps (as I previously mentioned) as part of my exhibits. I was more interested in how the files were organized into directories by their type/content. I did look at the dates a bit, but not to the point of relying on them other than to point me in the right direction for filters based on dates and times in my forensic tool(s) to get to other artifacts.


Looking at the output of sbags, if I needed more than I already had date wise, I would use the created and last accessed dates to corroborate the info I had in fileurns.cache, lnk files, etc. in order to:

1. start with a known, demonstrable file based on the SHA in fileurns.cache
2. show how/when it got on the computer and in what folder
3. show when it was viewed via various artifacts.

Since bags contain file names and dates (i.e. no hash value) I can't, at least as far as my last case went, say exactly what the contents of the file are, but since I had other artifacts to use which guarantee the contents of a file and give me the size and full path, I can show the connection between things pretty nicely.

It worked in this case. The jury convicted the subject of receipt, possession and distribution.

EricZimmerman
Senior Member
 
 
  

Re: Shellbag analysis

Post Posted: Wed Jan 16, 2013 12:34 pm

- EricZimmerman

Looking at the output of sbags, if i needed more than i already had date wise, i would use the created and last accessed dates to corroborate the info i had in fileurns.cache, lnk files, etc in order to:


Interesting, and thanks for answering my question directly.

If I may...on Vista+ systems, the last accessed dates on files are not updated when the user accesses (opens, views, etc.) them. This is the default, out-of-the-box setting. As such, these should not change when the user accesses the files.

Also, the embedded time stamps are stored in DOSDate format, which has a granularity of 2 seconds. Given that the NTFS file system time stamps have a granularity of 100 nanoseconds, how would you address any disparity between the times?  

keydet89
Senior Member
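The two technical points raised in this thread are the TZWorks verification step (pull the raw four-byte DOS timestamps out of the shellbag value and convert them yourself) and keydet89's question about reconciling a 2-second DOSDate with a 100-nanosecond NTFS FILETIME. The Python below is an added example written for this page; it is not code from TZWorks, MiTeC or any of the posters. It assumes the field layout used in shell item file entries (a 16-bit date word followed by a 16-bit time word, each little-endian), uses a constructed sample value rather than data from any case, and treats the UTC offset of the source machine as something the analyst supplies, since a DOS date carries local time with no zone information.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100 ns ticks from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_dos_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte DOS/FAT timestamp: 16-bit date word then 16-bit time
    word, each little-endian (layout assumed from shell item file entries).
    Returns None for zeroed or out-of-range fields (e.g. month 0) instead of
    inventing a date."""
    if len(raw) != 4:
        raise ValueError("DOS timestamp must be exactly 4 bytes")
    date_word, time_word = struct.unpack("<HH", raw)
    year = 1980 + (date_word >> 9)        # 7 bits, years since 1980
    month = (date_word >> 5) & 0x0F       # 4 bits, 1-12
    day = date_word & 0x1F                # 5 bits, 1-31
    hour = time_word >> 11                # 5 bits, 0-23
    minute = (time_word >> 5) & 0x3F      # 6 bits, 0-59
    second = (time_word & 0x1F) * 2       # 5 bits, stored in 2-second units
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def encode_dos_datetime(ts: datetime) -> bytes:
    """Inverse of decode_dos_datetime. Sub-second precision is dropped and an
    odd second is rounded down: this is the 2-second granularity loss."""
    if not 1980 <= ts.year <= 2107:
        raise ValueError("year outside the DOS date range")
    date_word = ((ts.year - 1980) << 9) | (ts.month << 5) | ts.day
    time_word = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return struct.pack("<HH", date_word, time_word)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime.
    Python datetimes hold microseconds, so the last tick digit is truncated."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(ts: datetime) -> int:
    """Aware UTC datetime to FILETIME, exact at microsecond precision."""
    delta = ts - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def corroborate(raw_dos: bytes, ntfs_filetime: int, local_offset: timedelta) -> dict:
    """Compare a shellbag DOS timestamp with the NTFS FILETIME of the same
    object. The analyst supplies the UTC offset in force on the source machine.
    With the right offset the NTFS value should be 0 to <2 s later than the DOS
    value (truncation only); anything else is a disparity worth explaining."""
    dos = decode_dos_datetime(raw_dos)
    ntfs_local = (filetime_to_datetime(ntfs_filetime) + local_offset).replace(tzinfo=None)
    if dos is None:
        return {"dos": None, "ntfs_local": ntfs_local,
                "delta_seconds": None, "consistent": False}
    delta = (ntfs_local - dos).total_seconds()
    return {"dos": dos, "ntfs_local": ntfs_local,
            "delta_seconds": delta, "consistent": 0 <= delta < 2}


# Constructed sample: the DOS encoding of 2012-04-15 13:21:37 local time.
SAMPLE_DOS = bytes.fromhex("8f40b26a")

if __name__ == "__main__":
    # Pretend the MFT holds this object with the same instant at full precision, UTC.
    ntfs_ft = datetime_to_filetime(datetime(2012, 4, 15, 13, 21, 37, 123456,
                                            tzinfo=timezone.utc))
    print("decoded DOS date:", decode_dos_datetime(SAMPLE_DOS))
    print("machine in UTC:  ", corroborate(SAMPLE_DOS, ntfs_ft, timedelta(0)))
    print("wrong offset:    ", corroborate(SAMPLE_DOS, ntfs_ft, timedelta(hours=1)))
    print("zeroed field:    ", corroborate(b"\x00" * 4, ntfs_ft, timedelta(0)))
```

The sample decodes to 13:21:36 even though the NTFS record says 13:21:37.123456: the odd second and the fraction are gone, so a gap of up to two seconds between a shellbag date and the MFT is expected and not evidence of tampering. A gap of an hour or more is usually the wrong UTC offset rather than a real disparity, which is why the offset is an explicit input rather than taken from the analysis machine.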
 
 
Page 3 of 4