ShellBags Explorer
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
Topic starter
 

Hello all,

In case you missed it on Twitter or elsewhere, I wanted to provide some info on a program I am working on for ShellBags analysis. It is a different approach from other ShellBags tools in that the aim of my tool is to process all bytes in each ShellBag and provide context as to the relationship between bags in a Windows Explorer-like fashion.

ShellBags Explorer (SBE) has many features not found in any other application including providing first and last explored dates, the type of file system a directory lived on, what directories were accessed on optical media, and so on. There is also a command line version that can deduplicate ShellBags across multiple hives for the same account which is useful for hives recovered via carving or shadow copies.

SBE also reports new extension blocks, unmapped GUIDs, and unknown ShellBag types. If you run into any of these situations, please email me the usrclass.dat hive so I can add support.

A manual is included that explains other features such as recursive viewing of bags, filtering, sorting, searching, etc. Please Read The Friendly Manual =)

SBE can be downloaded here

https://www.dropbox.com/s/lw9d0zrzqcrccy4/ShellBagsExplorer.zip?dl=0

Like all my software it will auto update via the lower right corner when a new version is available.

Please email with any questions, issues, feature requests, etc.

I think you will find SBE to be the easiest and most thorough ShellBags tool out there and of course it is 100% free.

PS I am working on version 0.5.0.4 now (should be out by midweek) that includes the following changes (there will be even more new stuff when 0.5.0.4 is released):

NEW Add icon for "History folder" ShellBag type
NEW Allow hives to be dropped on Hex view
NEW Added millisecond precision to timestamps that have that level of resolution. These timestamps are visible in the details pane
NEW Added support for http URLs in variable blocks.
NEW FILETIME and DOS Date fields in data interpreter will be bolded if the calculated date > Now - 10 years AND calculated date < Now + 5 years. This provides a visual cue a valid timestamp may have been found.
NEW GUID field in the data interpreter will be bolded if the calculated GUID maps to a known value
FIX Remove early return in 0x4d bag which resulted in the ShellBag not displaying properly

 
Posted : 01/12/2014 1:51 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I can't download it. :(

 
Posted : 01/12/2014 11:06 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
Topic starter
 

Why not?

- not allowed?
- link broken?
- no hard drive space? =)

Why, specifically, can't you download it?

I just tried the Dropbox link and it worked fine. If Chrome complains of malware, it is wrong; it just doesn't like the obfuscator used. Try Firefox or Chrome to download.

 
Posted : 01/12/2014 7:14 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just for the record, my Opera works fine with it.

jaclaz

 
Posted : 01/12/2014 7:17 pm
(@missicey)
Posts: 12
Active Member
 

This is what I use, works like a charm! Thanks!

 
Posted : 01/12/2014 11:34 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

This is excellent, thank you. The manual serves as a great primer on ShellBags, as well.

Two thumbs up!

 
Posted : 02/12/2014 2:30 pm
(@dcs1094)
Posts: 146
Estimable Member
 

Nice work Eric! The manual is the icing on the cake. Cheers.

 
Posted : 04/12/2014 1:33 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
Topic starter
 

0.5.0.4 is out! This is an important update! Lots of good stuff and added functionality! See the manual's changelog section for more details.

NEW Build for AnyCPU vs forcing x86.
NEW Add icon for "History folder" ShellBag type
NEW Allow hives to be dropped on Hex view
NEW Added millisecond precision to timestamps that have that level of resolution. These timestamps are visible in the details pane
NEW Added support for http URLs in variable blocks.
NEW Added ability to double-click on Data Interpreter to copy values on Interpreter plus ShellBag details to Clipboard
NEW FILETIME and DOS Date fields in data interpreter will be bolded if the calculated date > Now - 10 years AND calculated date < Now + 5 years. This provides a visual cue a valid timestamp may have been found.
NEW GUID field in the data interpreter will be bolded if the calculated GUID maps to a known value
NEW Count all ShellBag registry values seen and compare to the number of ShellBags processed. If seen != processed, show warning on summary screen as data is missing
NEW Added Placeholder extension block which is used to "pad" main ShellBags when they contain additional ShellBag items (Bags containing bags). Placeholder bags are not printed to the details pane
NEW Added detection of Beef0010 blocks in 0x71 ShellBags.
NEW Added detection of Beef0010 blocks in 0x2f ShellBags.
NEW Added ability to double-click on a row in the Messages window which will select the related node in the tree on the main window
NEW Add GUID for OneDrive on Windows 10
NEW Detect drive letters in 0x1F ShellBags.

CHANGE Detect optional Beef0004 extension block in CDBurn ShellBags
CHANGE Look for common signatures in several bags and act accordingly

FIX Detect several fringe cases and set value to "!!! Unable to determine value !!!". These need more research for full support
FIX Remove early return in 0x4d bag which resulted in the ShellBag not displaying properly

The software will auto update on start up via the lower right corner, or you can use this URL for the latest:

https://www.dropbox.com/s/lw9d0zrzqcrccy4/ShellBagsExplorer.zip?dl=0

 
Posted : 09/12/2014 8:52 pm
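Both the 0.5.0.3 preview list in the first post and the 0.5.0.4 changelog above describe the data interpreter's timestamp heuristic: decode a byte run as FILETIME and as a DOS date, keep sub-second precision where the encoding has it, and bold the field only when the result falls inside Now - 10 years < date < Now + 5 years. The Python below is an added example that reproduces that logic; it is not code from the thread or from ShellBags Explorer. It assumes the standard Windows layouts (FILETIME as 8 little-endian bytes of 100 ns ticks since 1601-01-01 UTC; a DOS timestamp as a 16-bit date word followed by a 16-bit time word, both little-endian, as stored in shell items), approximates a year as 365.25 days for the window, and uses constructed sample bytes rather than values from a real hive.

```python
"""Decode FILETIME and DOS date/time fields and apply the SBE-style
plausibility window (Now - 10 years < date < Now + 5 years).

Added example, not code from ShellBags Explorer. Layout assumptions:
FILETIME = 8 little-endian bytes, 100 ns ticks since 1601-01-01 UTC;
DOS timestamp = 16-bit date word then 16-bit time word, little-endian.
"""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes):
    """Decode an 8-byte FILETIME. Returns None for the all-zero (unset)
    value and for tick counts beyond the year 9999."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return None
    try:
        # Ticks are 100 ns and timedelta takes microseconds, so the
        # sub-second part survives to microsecond resolution.
        return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def dos_datetime_to_datetime(raw: bytes):
    """Decode a 4-byte DOS date/time (date word, then time word).
    Date: bits 15-9 = year - 1980, 8-5 = month, 4-0 = day.
    Time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2.
    Returns None when the fields are not a real calendar date, which is
    what the all-zero value (month 0, day 0) decodes to."""
    if len(raw) != 4:
        raise ValueError("DOS date/time is exactly 4 bytes")
    date_word, time_word = struct.unpack("<HH", raw)
    try:
        # DOS timestamps carry no time zone, so the result is naive.
        return datetime(
            1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
            time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
        )
    except ValueError:
        return None


def is_plausible(ts, now=None, past_years=10, future_years=5):
    """SBE's visual-cue rule: highlight if Now - 10y < ts < Now + 5y.
    'now' is a parameter so an old hive can be judged against its own
    acquisition date instead of the analyst's clock."""
    if ts is None:
        return False
    if now is None:
        now = datetime.now(timezone.utc)
    # Compare naive with naive and aware with aware.
    if ts.tzinfo is None:
        now = now.replace(tzinfo=None)
    elif now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    # timedelta has no 'years'; 365.25 days is close enough for a
    # heuristic that only decides whether to bold a field.
    lower = now - timedelta(days=365.25 * past_years)
    upper = now + timedelta(days=365.25 * future_years)
    return lower < ts < upper


def interpret(raw: bytes, now=None):
    """Read the start of a byte run as each timestamp type, the way a
    data interpreter pane does, and flag the readings inside the window."""
    readings = {}
    if len(raw) >= 8:
        readings["FILETIME"] = filetime_to_datetime(raw[:8])
    if len(raw) >= 4:
        readings["DOS"] = dos_datetime_to_datetime(raw[:4])
    return {name: (ts, is_plausible(ts, now)) for name, ts in readings.items()}


if __name__ == "__main__":
    # Constructed sample values, not bytes carved from a real hive.
    ref = datetime(2014, 12, 9, tzinfo=timezone.utc)          # analysis date
    ft = b"\x87\x16\xfe\xbf\xf9\x0c\xd0\x01"                   # 2014-12-01 00:00:00.123456 UTC
    dos = b"\x81\x45\x60\x0e"                                  # 2014-12-01 01:51:00 (no zone)
    for label, raw in (("filetime", ft), ("dos", dos), ("zeros", bytes(8))):
        for name, (ts, ok) in interpret(raw, ref).items():
            print(f"{label:8s} {name:8s} {ts}  {'BOLD' if ok else ''}")
```

Passing `now` explicitly matters in practice: a usrclass.dat recovered from an old image or shadow copy holds timestamps that are valid for that system but can sit below today's 10-year floor, so judge them against the acquisition date rather than the current clock.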