
Shellbag analysis

24 Posts
6 Users
0 Likes
3,481 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Is anyone including shellbag artifacts in their analysis of Windows systems?

If so, what tool(s) are you using?

How are you analyzing/including/interpreting the DOSDate time stamps?

Thanks.

 
Posted : 10/01/2013 6:18 pm
(@bithead)
Posts: 1206
Noble Member
 

Yes.

Regripper and TZWorks sbag.

Using the steps under Timestamp Verification on TZWorks site.

 
Posted : 10/01/2013 8:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Regripper and TZWorks sbag.

Over the lists/sites that I've posted this question to, you're the first one to mention RegRipper.

Have you had any issues with regards to validation of either tool, or between the two?

Using the steps under Timestamp Verification on TZWorks site.

That's great for verification. How are you incorporating those values into your analysis?

Thanks.

 
Posted : 10/01/2013 9:10 pm
gmkk
(@gmkk)
Posts: 13
Active Member
 

I'm using the following tools:
- TZWorks sbag
- RegRipper
- MiTeC Windows Registry Analyzer v1.5.2 (ShellBags + StreamMRUs)
- Nir Sofer's ShellBagsView
- and the excellent EnPack, 42 LLC Bag Parser, by Yogesh Khatri (ShellBags + StreamMRUs)

My tools of choice are TZWorks sbag + 42LLC Bag Parser. I do like 42LLC Bag Parser for its ability to parse all relevant registry hive files in a single pass (located in all users' profiles, System Restore and so on), its very detailed report and its nice, Explorer-like form of presenting results (you can also export the results into an Excel file for further processing, e.g. to compare and cross-verify with sbag results or to follow the manual verification according to TZWorks).

Greg

 
Posted : 14/01/2013 2:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Greg,

Thanks.

How are you analyzing/including/interpreting the DOSDate time stamps?

Also, do you have any thoughts on the output of TZWorks sbag.exe vs. the RegRipper plugin?

Thanks.

 
Posted : 14/01/2013 5:01 pm
(@benuk)
Posts: 42
Eminent Member
 

I'm using Mitec, TZWorks but not RR so much. TZ is my tool of the moment. I've been a shellbag addict since 2005 - never really understood why everyone doesn't do it on every job.

I like the CSV output from TZWorks.

I hadn't heard of the EnPack that Greg mentions but I'll be hunting it down.

 
Posted : 15/01/2013 4:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Ben,

Thanks.

How are you analyzing/including/interpreting the DOSDate time stamps?

Also, what have you done to validate the TZWorks tool?

 
Posted : 15/01/2013 5:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Should I assume from the responses (or lack thereof) that

1. Very few analysts are actually parsing the shellbag artifacts?

2. No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?

 
Posted : 15/01/2013 6:27 pm
(@bithead)
Posts: 1206
Noble Member
 

How are you analyzing/including/interpreting the DOSDate time stamps?

No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?

Sorry to get back to the party late.

Objection your Honor, H is leading the witness with this line of questioning.

What kind of answer are you fishing for? You seem to have a preconceived notion of either a problem or something.

I find that very few tools report the exact same results. Results are named differently, outputs are in different formats, etc. I look at the output of the tools, look to see if they are reasonable and cat the results into a usable format.

As for time stamps, I guess I am missing the question. I normalize everything on UTC, output the results, make sure they are reasonable… Not sure to what you are alluding.

 
Posted : 16/01/2013 12:42 am
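The thread keeps circling back to what the DOSDate values in shellbag entries mean and how to fold them into a UTC timeline. The following is an added example for this thread, not code from RegRipper, TZWorks sbag or any other tool named above. It decodes the 32-bit FAT/DOSDate field the way the format is documented (a 16-bit date word followed by a 16-bit time word, both little-endian, an assumption about the shell-item layout stated in the code), makes the 2-second resolution visible, and shows why the value has to be localised with the imaged system's time zone before it is normalised to UTC. The sample bytes and the UTC-5 source zone are constructed for the demonstration.

```python
"""
Decode and normalise the 32-bit DOSDate (FAT) timestamps found in shellbag
shell items.  Added illustration for this thread; not code from RegRipper,
TZWorks sbag, MiTeC or the 42 LLC Bag Parser.

Assumption: the 4 bytes are a 16-bit FAT date followed by a 16-bit FAT time,
each little-endian, as documented for file-entry shell items.
"""
import struct
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional, Tuple

# Constructed sample: the 4 raw bytes as they would sit inside a shell item.
# Decodes to 2013-01-10 18:18:34 *local* time of the system that wrote it.
SAMPLE_ITEM_TIMESTAMP = bytes.fromhex("2a425192")

# Constructed assumption: the imaged machine's SYSTEM hive said UTC-5.
# In a real case this comes from TimeZoneInformation, never from the
# examiner's workstation clock.
SAMPLE_SOURCE_TZ = timezone(timedelta(hours=-5))


def decode_dosdate(raw: bytes) -> Optional[datetime]:
    """Return a naive datetime, or None for the all-zero 'not set' value.

    The result is naive on purpose: a DOSDate carries no time-zone data,
    it is simply the local wall-clock time of the machine that wrote it.
    """
    if len(raw) != 4:
        raise ValueError("a DOSDate timestamp is exactly 4 bytes")
    fat_date, fat_time = struct.unpack("<HH", raw)
    if fat_date == 0 and fat_time == 0:
        return None
    day = fat_date & 0x1F                 # bits 0-4
    month = (fat_date >> 5) & 0x0F        # bits 5-8
    year = 1980 + (fat_date >> 9)         # bits 9-15, years since 1980
    second = (fat_time & 0x1F) * 2        # bits 0-4, stored in 2-second units
    minute = (fat_time >> 5) & 0x3F       # bits 5-10
    hour = fat_time >> 11                 # bits 11-15
    # datetime() raises ValueError for impossible fields (day 0, month 13...),
    # which is the right outcome for a corrupt or mis-parsed item.
    return datetime(year, month, day, hour, minute, second)


def encode_dosdate(dt: datetime) -> bytes:
    """Inverse of decode_dosdate; odd seconds are truncated, as Windows does."""
    if not 1980 <= dt.year <= 2107:
        raise ValueError("DOSDate cannot represent years outside 1980-2107")
    fat_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    fat_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", fat_date, fat_time)


def resolution_window(raw: bytes) -> Optional[Tuple[datetime, datetime]]:
    """Half-open [start, end) span of real time a decoded value can stand for.

    Because seconds are stored in 2-second units, a value of :34 covers
    :34.000 up to but not including :36.000.
    """
    start = decode_dosdate(raw)
    if start is None:
        return None
    return start, start + timedelta(seconds=2)


def dosdate_to_utc(raw: bytes, source_tz: tzinfo) -> Optional[datetime]:
    """Attach the source system's zone to the naive value, then convert to UTC."""
    local = decode_dosdate(raw)
    if local is None:
        return None
    return local.replace(tzinfo=source_tz).astimezone(timezone.utc)


if __name__ == "__main__":
    local = decode_dosdate(SAMPLE_ITEM_TIMESTAMP)
    lo, hi = resolution_window(SAMPLE_ITEM_TIMESTAMP)
    print("raw bytes      :", SAMPLE_ITEM_TIMESTAMP.hex())
    print("local (naive)  :", local)
    print("could be any of:", lo, "<= t <", hi)
    print("UTC            :", dosdate_to_utc(SAMPLE_ITEM_TIMESTAMP, SAMPLE_SOURCE_TZ))
    # Truncation demo: 18:18:35 encodes to the same bytes as 18:18:34.
    print("18:18:35 round-trips to:",
          decode_dosdate(encode_dosdate(local.replace(second=35))))
```

Two things this makes concrete for the validation question raised earlier in the thread: any two tools that disagree by one second on a shellbag timestamp may both be "right" given the 2-second bucket, and a tool that emits these values as if they were UTC (or applies the examiner's own zone) will be off by the imaged system's offset.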
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

I just finished a big case and shellbags were included. I used X-Ways and the Mitec tool.

My use of shellbags was more to show how an encrypted drive was organized and the files the folders contained. It worked VERY well.

 
Posted : 16/01/2013 2:55 am
Page 1 / 3