Interpreting ShellBags


Interpreting ShellBags

Posted: Fri Nov 29, 2013 7:16 am

Hi

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated. He received the notice of termination 11th September 2013, and is on Eastern Time.

Using TZWorks Shellbags parser, I extracted this information (foldernames changed but structure consistent):

modify date / mtime   full path
12-Sep-13 01:21:58 F:\Folder9\
12-Sep-13 01:21:50 E:\Folder9\FolderY\
12-Sep-13 01:21:50 E:\Folder9\FolderX\
12-Sep-13 01:21:06 E:\Folder9\
12-Sep-13 01:20:32 F:\Folder1\
12-Sep-13 01:20:32 F:\Folder1\FolderA\
12-Sep-13 01:20:32 F:\Folder2\FolderB\
12-Sep-13 01:18:02 E:\Folder1\FolderA\
12-Sep-13 01:09:50 F:\Folder8\
12-Sep-13 01:06:24 E:\Folder8\
12-Sep-13 01:05:56 F:\Folder7\
12-Sep-13 01:04:44 E:\Folder7\
12-Sep-13 01:04:24 F:\Folder6\
12-Sep-13 01:04:00 E:\Folder6\
12-Sep-13 01:01:44 F:\Folder4\
12-Sep-13 00:51:52 E:\Folder4\
12-Sep-13 00:51:06 F:\Folder3\
12-Sep-13 00:50:38 E:\Folder3\
12-Sep-13 00:50:00 E:\Folder1\
12-Sep-13 00:49:12 F:\Folder5
12-Sep-13 00:08:36 E:\Folder5\

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

The only other possible explanation I can think of is implausible, i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters.

I'm in a team of one and have no peers to bounce the theory off, hence asking here.

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggests file access to two different external media around this time, although there is plenty of evidence in JumpLists of file access to a Drive E around the same time.

Cheers  

Cults14
Senior Member
 
 
  

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 7:23 am

Apologies for the formatting.

Also, I forgot to say that one external hard drive was returned, but not the other. And the user had attempted to delete all business data files from his laptop and the drive he returned.

Cheers  

Cults14
Senior Member
 
 
  

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 9:50 am

Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization") of two devices.
Knowing the amount of data in each directory (at least on the device of which you have a copy) may produce a correlation.
I.e. IF folder "\Folder9\" including its subfolders contains much less data than "\Folder1\", that could explain why the user supposedly "stayed longer" on \Folder1\.
A mere hypothesis, but this:
Code:
0:40:36	E:\Folder5\	
0:00:48		F:\Folder5
0:00:38	E:\Folder1\	
0:00:28	E:\Folder3\	
0:00:46		F:\Folder3\
0:09:52	E:\Folder4\	
0:02:16		F:\Folder4\
0:00:24	E:\Folder6\	
0:00:20		F:\Folder6\
0:01:12	E:\Folder7\	
0:00:28		F:\Folder7\
0:03:26	E:\Folder8\	
0:08:12		F:\Folder8\
0:02:30	E:\Folder1\FolderA\	
0:00:00		F:\Folder1\
0:00:00		F:\Folder1\FolderA\
0:00:34		F:\Folder2\FolderB\
0:00:44	E:\Folder9\	
0:00:00	E:\Folder9\FolderX\	
0:00:08	E:\Folder9\FolderY\	
		F:\Folder9\
which is your same data ordered by time of event and with the "gap" before the next event (i.e. the time that presumably the user "stared" at an open Explorer window listing files), seems to me to indicate that.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 9:53 am

- Cults14

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated.


Do you know the nature of the data? Word documents?

- Cults14

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?


One possibility might be that more than just two different devices were connected. Did you check other artifacts for indications of USB thumb drives connected to the system?

The reason I ask is that I have about half a dozen thumb drives on my desk, and I can connect one, disconnect it, and then connect another, all in succession...and each will be mounted to the same drive letter.

- Cults14

The only other possible explanation I can think of is implausible i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters


I think that you're misinterpreting the time stamps that you're seeing. Those time stamps...last modified date and time...are DOSDate format values extracted from metadata for the object/folder in question. If the former employee opened the folder in Windows Explorer, the time stamps would be part of the shellbag artifact that is created. If they then copied/drag-n-dropped a file into the folder, the folder last modification time would be updated on the device, but not in the shellbag artifact.

Does that help?

In short, if you're looking for when the folders on the devices were accessed/viewed by the user, those are not the time stamps you're looking for...I've waited a long time to use that in a sentence.

- Cults14

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggest file access to two different external media around this time, although there is plenty evidence in JumpLists of file access to a Drive E around the same time


Data exfil does not necessarily require that the user open the file once it's copied/moved to external storage.

keydet89
Senior Member
 
 
  
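The two technical points in the thread so far are keydet89's (the "mtime" that sbag prints is a DOSDate value embedded in the file-entry shell item, not the time the folder was viewed) and jaclaz's (ordering those values and looking at the gap before the next one). The following is an added example, not code from the thread or from the TZWorks sbag tool: it decodes the 4-byte FAT/DOSDate layout (2-byte date, 2-byte time, little-endian, 2-second resolution) that file-entry shell items use for the folder modification time, then reproduces jaclaz's gap table over a handful of the values from the original post. The raw bytes in SAMPLE_ITEMS are constructed here from those posted values; the path strings are the post's anonymised folder names.

```python
"""Decode DOSDate timestamps as stored in ShellBags file-entry shell items and
compute the gap between consecutive values (added example, not the tool's code).

The timestamp is the folder's mtime copied into the shell item when Explorer
wrote it; it is not a record of when the user looked at the folder.  It also
only has 2-second resolution, so odd seconds are truncated.
"""
import struct
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def decode_dos_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte FAT/DOSDate value: 2-byte date then 2-byte time, LE."""
    date, time = struct.unpack("<HH", raw[:4])
    if date == 0 and time == 0:          # all-zero means "not set"
        return None
    day = date & 0x1F                    # bits 0-4
    month = (date >> 5) & 0x0F           # bits 5-8
    year = 1980 + (date >> 9)            # bits 9-15, years since 1980
    second = (time & 0x1F) * 2           # bits 0-4, stored in 2-second units
    minute = (time >> 5) & 0x3F          # bits 5-10
    hour = time >> 11                    # bits 11-15
    return datetime(year, month, day, hour, minute, second)


def encode_dos_datetime(dt: datetime) -> bytes:
    """Inverse of decode_dos_datetime; used here only to construct samples."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


# Constructed sample records: (folder path, 4-byte mtime as it would sit in the
# shell item).  Times are taken from the original post; the bytes are built here.
SAMPLE_ITEMS: List[Tuple[str, bytes]] = [
    ("E:\\Folder5\\", encode_dos_datetime(datetime(2013, 9, 12, 0, 8, 36))),
    ("F:\\Folder5",   encode_dos_datetime(datetime(2013, 9, 12, 0, 49, 12))),
    ("E:\\Folder1\\", encode_dos_datetime(datetime(2013, 9, 12, 0, 50, 0))),
    ("E:\\Folder3\\", encode_dos_datetime(datetime(2013, 9, 12, 0, 50, 38))),
    ("F:\\Folder3\\", encode_dos_datetime(datetime(2013, 9, 12, 0, 51, 6))),
]


def decode_items(items: List[Tuple[str, bytes]]) -> List[Tuple[str, datetime]]:
    """Return [(path, mtime)] for every item that carries a timestamp."""
    out = []
    for path, raw in items:
        ts = decode_dos_datetime(raw)
        if ts is not None:
            out.append((path, ts))
    return out


def gaps_between_events(events: List[Tuple[str, datetime]]) -> List[Tuple[str, Optional[int]]]:
    """Order by mtime and return [(path, seconds until the next mtime)].

    This is jaclaz's table: the gap is the distance between two embedded
    folder mtimes, which is only a proxy for user dwell time if one accepts
    his hypothesis.  The last event has no successor, so its gap is None.
    """
    ordered = sorted(events, key=lambda e: e[1])
    result: List[Tuple[str, Optional[int]]] = []
    for i, (path, ts) in enumerate(ordered):
        if i + 1 < len(ordered):
            gap: Optional[int] = int((ordered[i + 1][1] - ts).total_seconds())
        else:
            gap = None
        result.append((path, gap))
    return result


if __name__ == "__main__":
    for path, gap in gaps_between_events(decode_items(SAMPLE_ITEMS)):
        shown = "-" if gap is None else str(timedelta(seconds=gap))
        print(f"{shown:>8}  {path}")
```

Run as a script it prints the first rows of jaclaz's table (0:40:36 before F:\Folder5, 0:00:48 before E:\Folder1, and so on). Note that encode_dos_datetime maps 01:21:58 and 01:21:59 to the same bytes, which is why two shell items can never be distinguished to better than two seconds, and why a DOSDate value that exactly matches an NTFS mtime is a coincidence of truncation rather than a precise match.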

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 10:25 am

- jaclaz
Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization") of two devices.


I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.

I'm not questioning your hypothesis, nor second guessing...simply asking if you can elaborate on the reasoning, that's all.

Thanks.  

keydet89
Senior Member
 
 
  

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 11:37 am

- keydet89

I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.


I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.

What exactly this *something* is is another thing, but *whatever* it was, it was done in a given sequence and - unless very different actions produce the same traces in the shellbags - it seems to me logical to presume that the "same" *something* was done on two different devices.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Interpreting ShellBags

Posted: Fri Nov 29, 2013 12:09 pm

- jaclaz

I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.


I'm not sure that I follow...

The OP stated that he used the TZWorks sbag tool. Assuming that the "modify date" and "mtime" came from the output of the tool, then that would mean that the values were pulled from the shell items that comprise the shellbags artifacts. As these values can be modified/updated completely independent of the shellbags artifacts themselves, I'm sincerely curious to understand how they might be read as a sequence of events logged.

Thanks.  

keydet89
Senior Member
 
 
Page 1 of 6