Filenames in Shellbags

(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Hopefully someone has seen this before;
I did a keyword search for a filename and got hits in the NTUSER.dat file.

Eventually I found the hits in the registry file (searching with Registry Viewer; parsing with RegRipper/regreport didn't come back with anything) in a key within the following path:

NTUSER.dat\Software\Microsoft\Windows\ShellNoRoam\Bags\1044\Shell
in the key "ItemPos1152x864(1)"

This key contained several lines of hex which amounted to a number of the file names of interest. Basically I'd like to figure out why they're there and what they mean, since my understanding of shellbags was that they related to folders, rather than files.

Has anyone seen anything like this before?

Cheers

 
Posted : 14/05/2013 9:50 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Eventually I found the hits in the registry file (searching with Registry Viewer; parsing with RegRipper/regreport didn't come back with anything) in a key within the following path:

NTUSER.dat\Software\Microsoft\Windows\ShellNoRoam\Bags\1044\Shell
in the key "ItemPos1152x864(1)"

Well, shell bags are a known artefact:
http://computer-forensics.sans.org/blog/2011/07/05/shellbags

I'm pretty sure that shell bags contain information about the size an application was and its position, so that key may relate to that.

A google search will bring you lots on shell bags though, so I'd suggest you read the link above and a few other forensics blogs. There are a few free tools which will parse the data for you as well.

Hope this helps

 
Posted : 14/05/2013 11:38 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Eventually I found the hits in the registry file (searching with Registry Viewer; parsing with RegRipper/regreport didn't come back with anything)….

And RegRipper won't…I've said from the very beginning that the shellbags.pl plugin for RegRipper is specifically for Win7…in fact, the comments (third line of the file) say, "RR plugin to parse (Vista, Win7/Win2008R2) shell bags".

I guess this falls under the umbrella of all those times when I've asked RR users via various forums (to include my blog) what they'd like to see updated in or added to RegRipper, and no one says anything. 😉

…in a key within the following path

NTUSER.dat\Software\Microsoft\Windows\ShellNoRoam\Bags\1044\Shell
in the key "ItemPos1152x864(1)"

This key contained several lines of hex which amounted to a number of the file names of interest. Basically I'd like to figure out why they're there and what they mean, since my understanding of shellbags was that they related to folders, rather than files.

Has anyone seen anything like this before?

Yep. I haven't had a chance to do any real detailed examination of these items from Windows XP, which is the version of Windows that this appears to be from…that, or Windows 2003. On Win7, however, that _value_ (it's not a key) contains information about the file located on the desktop for the user. The hex you're seeing is part of the shell items that comprise the data.

If you're willing to share the data, I can update the shellbags plugin to cover XP, as well. I simply do not have any data on which to test the plugin…all of the data from XP systems that I currently have available is from test systems that aren't well populated with overall data. I can be reached at keydet89 at yahoo dot com.

Either way, good luck.

 
Posted : 14/05/2013 4:19 pm
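As an added example (not code from this thread, from RegRipper, or from shellbags.py), here is a small Python parser for the file-entry shell items Harlan describes as making up the ItemPos data. It follows the publicly documented Windows Shell Item layout: a size-prefixed base item (class type 0x31 directory / 0x32 file, file size, FAT-format modification time, attributes, 8.3 name) followed by a 0xbeef0004 extension block that carries the FAT creation/access times and the long Unicode name; XP writes version 3 of that block. The sample blob is constructed here with a builder so the layout is visible; the ItemPos value in the registry wraps such items in its own header and per-entry icon-position fields, which this example does not handle.

```python
import struct
from datetime import datetime

BEEF0004 = b"\x04\x00\xef\xbe"   # 0xbeef0004 extension-block signature, little-endian


def fat_datetime(dt):
    """Encode a datetime as the 4-byte FAT date+time used in shell items (2 s resolution, local time)."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def decode_fat_datetime(raw):
    """Inverse of fat_datetime; an all-zero field means the timestamp was not set."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def read_utf16z(buf, ofs):
    """Read a NUL-terminated UTF-16LE string; return (text, offset just past the terminator)."""
    end = ofs
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[ofs:end].decode("utf-16-le"), end + 2


def build_file_item(short_name, long_name, size, mtime, is_dir=False):
    """Build one file-entry shell item with an XP-style (version 3) 0xbeef0004 block. Test data only."""
    ctype, attrs = (0x31, 0x10) if is_dir else (0x32, 0x20)   # FILE_ATTRIBUTE_DIRECTORY / ARCHIVE
    base = bytes([ctype, 0]) + struct.pack("<I", size) + fat_datetime(mtime) + struct.pack("<H", attrs)
    base += short_name.encode("ascii") + b"\x00"
    if (2 + len(base)) % 2:                 # extension block must start on an even offset
        base += b"\x00"
    ext_ofs = 2 + len(base)                 # offset of the extension block within the item
    ext_body = struct.pack("<H", 3) + BEEF0004 + fat_datetime(mtime) + fat_datetime(mtime)
    ext_body += struct.pack("<HH", 0x0014, 0)          # unknown word, localized-name size (0 = none)
    ext_body += long_name.encode("utf-16-le") + b"\x00\x00"
    ext_body += struct.pack("<H", ext_ofs)             # "version offset" trailer
    ext = struct.pack("<H", 2 + len(ext_body)) + ext_body
    return struct.pack("<H", 2 + len(base) + len(ext)) + base + ext


def parse_file_entry(item):
    """Decode one file-entry item (class 0x30-0x3f) into a dict of its forensic fields."""
    ctype = item[2]
    file_size, mtime_raw, attrs = struct.unpack_from("<I4sH", item, 4)
    if ctype & 0x04:                        # Unicode flag: primary name is UTF-16
        short_name, ofs = read_utf16z(item, 14)
    else:
        end = item.index(b"\x00", 14)
        short_name, ofs = item[14:end].decode("ascii", "replace"), end + 1
    entry = {"type": ctype, "is_dir": bool(attrs & 0x10), "size": file_size,
             "modified": decode_fat_datetime(mtime_raw), "short_name": short_name,
             "long_name": None, "created": None, "accessed": None}
    sig = item.find(BEEF0004, ofs)
    if sig != -1:
        ext = sig - 4                       # block starts 4 bytes before its signature (size, version)
        version = struct.unpack_from("<H", item, ext + 2)[0]
        entry["created"] = decode_fat_datetime(item[ext + 8:ext + 12])
        entry["accessed"] = decode_fat_datetime(item[ext + 12:ext + 16])
        p = ext + 18                        # past the 2-byte unknown word
        if version >= 7:
            p += 18                         # Vista+: unknown, NTFS file reference, unknown
        p += 2                              # localized-name size
        if version >= 9:
            p += 4
        if version >= 8:
            p += 4
        entry["long_name"], _ = read_utf16z(item, p)
    return entry


def parse_shell_items(blob):
    """Walk a size-prefixed item list (terminated by 0x0000) and return the file entries found."""
    items, ofs = [], 0
    while ofs + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, ofs)[0]
        if size == 0:
            break
        item = blob[ofs:ofs + size]
        if item[2] & 0x70 == 0x30:
            items.append(parse_file_entry(item))
        ofs += size
    return items


# Constructed sample: a directory item followed by a file item, as a tool would find them.
SAMPLE_BLOB = (build_file_item("SECRET~1", "Secret Photos", 0, datetime(2013, 5, 13, 18, 2, 30), is_dir=True)
               + build_file_item("IMG_00~1.JPG", "IMG_0001.jpg", 204800, datetime(2013, 5, 14, 9, 50, 0))
               + b"\x00\x00")

if __name__ == "__main__":
    for e in parse_shell_items(SAMPLE_BLOB):
        print(f"{'dir ' if e['is_dir'] else 'file'} {e['long_name']!r:20} ({e['short_name']}) "
              f"size={e['size']} modified={e['modified']} created={e['created']}")
```

The point for an examiner is the one raised in the thread: the item carries both the 8.3 name and the long name, plus three FAT-resolution timestamps, so a keyword hit on a filename inside a Bags value is expected even though the bag itself belongs to a folder. The timestamps are stored in local time at 2-second granularity, which is why they can disagree slightly with NTFS times for the same file.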
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

email sent Harlan.

 
Posted : 14/05/2013 8:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Eric,

Email received, thanks.

I'd be very interested in OPs response, when he has the time for one…

 
Posted : 14/05/2013 9:12 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

FYI to the OP…

The RegRipper plugin itempos.pl was written specifically for Win7, but it works for the specific values it looks for (see the plugin itself for the key path…) on WinXP, as well.

With some work and the new test data I have, I should be able to iterate through additional subkeys and extract the values.

Edit: Okay, mark that as done…

 
Posted : 14/05/2013 10:41 pm
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

when he has the time for one…

Now now, time zones make things an issue when you're down in Australia…

So, yes, it's Windows XP Service Pack 1; I forgot to include that in my original post.

To clarify: I found the hit, then parsed it with the ntuser plugins and regreport, and also did a manual search, ultimately to search the results for my keyword. Then, with the assistance of one of my colleagues, I figured out how to find the key that the hit came from specifically, posted on here, and went home for the day to look at it this morning.

I'll speak to my boss about sharing the data; I know it's something they're usually not very keen on doing.
Your help is greatly appreciated.

I'll have a look at the itempos.pl plugin and get back to you.

 
Posted : 15/05/2013 1:57 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

now now, timezones make things an issue when you're down in Australia…

Don't take my comment the wrong way. I know you're busy, and I know that you're in Australia. I also know that you can't sit at your keyboard and wait for responses. Maybe a better way to state that would've been, "…when you're available…", or not at all.

I'll speak to my boss about sharing the data, I know it's something they're usually not very keen on doing.

It's not a problem…someone else shared some data.

I'll have a look at the itempos.pl plugin and get back to you

Don't bother. I updated my local version of the plugin…it's not something that I've uploaded to a new, updated archive.

 
Posted : 15/05/2013 2:06 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Examined the ntuser.dat file with Willi Ballenthin's shellbag.py script
https://github.com/williballenthin/shellbags
and verified with TZWorks sb64.exe, and found some interesting information about the original locations of the files.
Whilst not something that I can include in my report (the time on the computer was unreliable), it was interesting to note the original location of the files.

Bad guy had placed the files (containing a previously unknown victim) in a directory A, then moved them into new directory B,
then deleted new directory B.
Directory A still had a thumb.db file which contained the names of the files and, of course, a thumbnail image.
If bad guy had not put the files in directory A, then we would not have found any indications of the files' existence; shellbags would have shown the filenames, but since they weren't particularly indicative they would have been overlooked.

 
Posted : 15/05/2013 7:22 am