Shellbag analysis

keydet89 (Senior Member)

Re: Shellbag analysis

Posted: Jan 15, 13 19:27

Should I assume from the responses (or lack thereof) that:

1. Very few analysts are actually parsing the shellbag artifacts?

2. No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?  
 
  

BitHead (Senior Member)

Re: Shellbag analysis

Posted: Jan 16, 13 01:42

- keydet89
How are you analyzing/including/interpreting the DOSDate time stamps?


- keydet89
No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?


Sorry to get back to the party late.

Objection your Honor, H is leading the witness with this line of questioning.

What kind of answer are you fishing for? You seem to have a preconceived notion of either a problem or something.

I find that very few tools report the exact same results. Results are named differently, outputs are in different formats, etc. I look at the output of the tools, look to see if they are reasonable and cat the results into a usable format.

As for time stamps, I guess I am missing the question. I normalize everything on UTC, output the results, make sure they are reasonable... Not sure to what you are alluding.
 
  

EricZimmerman (Senior Member)

Re: Shellbag analysis

Posted: Jan 16, 13 03:55

I just finished a big case and shellbags were included. I used X-Ways and the Mitec tool.

My use of shellbags was more to show how an encrypted drive was organized and the files the folders contained. It worked VERY well.
 
  

keydet89 (Senior Member)

Re: Shellbag analysis

Posted: Jan 16, 13 17:54

- BitHead

What kind of answer are you fishing for? You seem to have a preconceived notion of either a problem or something.


Not fishing for anything.

Each of the component structures in the shellbag paths is a shell item, similar to the structures that comprise the shell item ID list in LNK files. Each of those shell items that points to a folder also includes a series of embedded time stamps in DOSDate format. Several of the available tools include these in the output.

I know that many analysts state that they want "everything", and that they want to be the ones to determine what's useful...and that's fine. So I'm asking how folks use this information in their analysis.

- BitHead

I find that very few tools report the exact same results. Results are named differently, outputs are in different formats, etc. I look at the output of the tools, look to see if they are reasonable and cat the results into a usable format.


Perhaps that's where the confusion lies...different tools provide different information. I have compared my own tools to TZWorks sbag64.exe (v0.28). I tried MiTeC's Windows Registry Recovery, but it doesn't show anything from a Windows 7 USRCLASS.DAT hive.

Maybe the issue is that if folks don't know what data is in the structures...they're only seeing the output of the tools...then using different tools that output different information (perhaps not all of it) might lead to confusion.

- BitHead

As for time stamps, I guess I am missing question. I normalize everything on UTC, output the results, make sure they are reasonable... Not sure to what you are alluding.


Not alluding to anything...asking a straight up question.  
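Since the thread turns on what the embedded DOSDate stamps in folder shell items actually are, here is an added example (not code from the thread, nor from sbag64, WRR or any other tool named in it) that decodes them. The DOSDate bit layout is the standard FAT one; the file entry shell item offsets follow my reading of Joachim Metz's Windows Shell Item format document and are an assumption, and the sample item is constructed. It also shows two things an examiner has to keep in mind before "normalizing everything on UTC": the format has 2-second granularity, and it carries no time zone at all.

```python
"""Decode the DOSDate (FAT date/time) stamps embedded in folder shell items.

Added example, not code from the thread or from any of the tools it names.
The shell item layout below follows my reading of Joachim Metz's Windows Shell
Item format documentation and is an assumption; the sample item is constructed.
"""
import struct
from datetime import datetime
from typing import Optional


def decode_dosdate(date_word: int, time_word: int) -> Optional[datetime]:
    """Decode a 16-bit FAT date and a 16-bit FAT time into a naive datetime.

    date: bits 0-4 day (1-31), bits 5-8 month (1-12), bits 9-15 years since 1980
    time: bits 0-4 seconds/2 (0-29), bits 5-10 minutes, bits 11-15 hours
    Returns None for the all-zero "not set" value and for out-of-range fields
    (for example month 0), which would otherwise surface as bogus timeline dates.
    The result is deliberately naive: DOSDate carries no time zone, so the value
    is local time on the system that wrote it, not UTC.
    """
    if date_word == 0 and time_word == 0:
        return None
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = 1980 + (date_word >> 9)
    second = (time_word & 0x1F) * 2
    minute = (time_word >> 5) & 0x3F
    hour = (time_word >> 11) & 0x1F
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def decode_dosdate_bytes(raw: bytes) -> Optional[datetime]:
    """Decode the 4-byte form found in shell items: little-endian date word, then time word."""
    date_word, time_word = struct.unpack("<HH", raw)
    return decode_dosdate(date_word, time_word)


def encode_dosdate(dt: datetime) -> bytes:
    """Inverse of decode_dosdate_bytes, used here only to build the constructed sample.

    Seconds are truncated to even values: that is the 2-second granularity of the format.
    """
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date_word, time_word)


def build_file_entry_item(name: bytes, modified: datetime, is_folder: bool = True) -> bytes:
    """Build a minimal 'file entry' shell item (class type 0x31 folder / 0x32 file).

    Assumed layout: size(2) class type(1) unknown(1) file size(4) modified DOSDate(4)
    attribute flags(2) primary name (NUL-terminated ASCII). Extension blocks omitted.
    """
    class_type = 0x31 if is_folder else 0x32
    attributes = 0x10 if is_folder else 0x20
    body = (struct.pack("<BBI", class_type, 0, 0) + encode_dosdate(modified)
            + struct.pack("<H", attributes) + name + b"\x00")
    return struct.pack("<H", 2 + len(body)) + body


def file_entry_modification_time(item: bytes) -> Optional[datetime]:
    """Pull the embedded modification DOSDate out of a file entry shell item."""
    if len(item) < 14:
        raise ValueError("too short for a file entry shell item")
    class_type = item[2]
    if class_type & 0x70 != 0x30:
        raise ValueError(f"not a file entry shell item (class type 0x{class_type:02x})")
    return decode_dosdate_bytes(item[8:12])


# Constructed sample: a folder modified at 17:54:31; the stored value can only hold 17:54:30.
SAMPLE_ITEM = build_file_entry_item(b"Reports", datetime(2013, 1, 16, 17, 54, 31))

if __name__ == "__main__":
    print(SAMPLE_ITEM.hex())
    print(file_entry_modification_time(SAMPLE_ITEM))
    print(decode_dosdate(0x4200, 0))  # month 0 and day 0: not a valid date
```

The point of the `None` returns is that a tool which blindly formats these 32 bits will happily print a date for a zeroed or corrupt field; when two parsers disagree on a folder's DOSDate stamps, the first check is whether one of them is doing exactly that.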
 
  

keydet89 (Senior Member)

Re: Shellbag analysis

Posted: Jan 16, 13 17:56

- EricZimmerman
I just finished a big case and shellbags were included. I used X-Ways and the Mitec tool.


"Mitec" tool? Which one?

- EricZimmerman

My use of shellbags was more to show how an encrypted drive was organized and the files the folders contained. It worked VERY well.


Very cool. How did you find the encrypted drive in the shellbags? Was it listed as a volume/drive letter?  
 
  

keydet89 (Senior Member)

Re: Shellbag analysis

Posted: Jan 16, 13 18:08

To both BitHead and EricZ,

What have you done to validate the tools you use?

I've done analysis similar to what Eric describes...however, I've found that some tools miss some critical data structures...had I not been aware of that, I might have blown past it, thinking, "okay, that user never accessed that item....", when, in fact, they had.
 
  

gmkk (Member)

Re: Shellbag analysis

Posted: Jan 16, 13 20:04

As for the detailed ShellBags structure, you may want to have a look at the following sources:

"Using shellbag information to reconstruct user activities" - an excellent paper by Yuandong Zhu, Pavel Gladyshev, and Joshua James
www.dfrws.org/2009/pro...69-zhu.pdf

"Windows Shell Item format specification" by Joachim Metz
liblnk.googlecode.com/...format.pdf

Speaking about tools, you may also want to check Willi Ballenthin's shellbag parser, written in Python (source code available); however, I haven't used this tool to date:
www.williballenthin.co...index.html
You will also find a lot of detailed information about ShellBags' internals on this page.

As for validation of ShellBags - some time ago I did a lot of manual checks of ShellBags artifacts on my lab box. I prepared a fresh virtual XP instance and then accessed various files and folders, connected USB mass storage devices and accessed files on these devices (making a detailed log of operations including time, path etc.). Then I used a few tools to parse ShellBags and compared the results with my notes (sbag, EnCase's 42LLC Bag Parser and MiTeC's WRA - no RR at that time, though), and I also did a spot manual check on selected raw entries by following the TZWorks process.

All three tools did a good job and produced consistent results, therefore I have marked them as valid for my toolbox, with some remarks, though:

1) TZWorks - overall note: "very good"; it can parse both NTUSER.DAT and USRCLASS.DAT files on both x86 and x64 Windows platforms; moreover, you can easily export results to Excel for further processing (e.g. to include them in the final timeline of the user's activity). It can also parse ShellBags from a live system - a good choice for scripting.
tzworks.net/prototype_...roto_id=14

2) EnCase's 42LLC Bag Parser by Yogesh Khatri - overall note: "excellent"; it can parse both NTUSER.DAT and USRCLASS.DAT files on both x86 and x64 Windows platforms (ShellBags + StreamMRUs) and it parses all relevant registry hives found in the image (e.g. those located in System Restore). You can easily export data to Excel (with some bells and whistles, e.g. you can select columns for export, select entries for export, export entries based on custom conditions etc.) and the results are presented in a nice Explorer-like form. Definitely a tool of choice, with only one drawback - it is an EnPack, so you need to use EnCase.
www.swiftforensics.com...loads.html

3) MiTeC WRA - overall note: "medium" - although this tool did a good job on parsing (both ShellBags and StreamMRUs), it has a few major drawbacks:

- first of all, the report it produces does not contain the RegLastWritten timestamp, which strongly reduces the functionality of this tool (only MAC timestamps are available)
- it can't parse USRCLASS.DAT files (Win7)
- it is not easy to export the data to Excel
- the last free version (1.5.2) comes from 2004, so it's rather old (AFAIK it was later purchased by Paraben and is now part of Paraben's forensic suite). Google is your friend, so you can still find v1.5.2 available for download on some sites.

Having all that in mind, I'm using the "approved" sbag and 42LLC Bag Parser on a daily basis and usually do not perform manual ShellBags verification on each case (except some spot checks on critical items for high-priority cases). Moreover, in many cases it is OK just to verify that the user accessed a given folder in the past, and the exact timestamp is not always critical to the case (so you can easily cross-verify ShellBags findings with other artifacts).

Have a good day!

Greg
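The validation run gmkk describes (log what you do on a clean lab box, parse with several tools, compare) is the part worth automating, because the comparison is where tools that "miss some critical data structures" show up. Below is an added example of that comparison step; it is not gmkk's procedure or any tool's code, and all of the ground-truth log and "tool output" rows in it are constructed. It normalizes paths the way Windows compares them, converts each tool's own timestamp format and zone to UTC, and uses a 2-second tolerance because DOSDate stamps only resolve to even seconds, so an honest tool can still differ from a wall-clock log by up to 2 s.

```python
"""Cross-check shellbag parser outputs against an examiner's own activity log.

Added example; the ground truth and both "tool outputs" below are constructed
for illustration and are not real parser output.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Report = Dict[str, List[str]]

# Examiner's log of what was done on the lab box, recorded in UTC.
GROUND_TRUTH_LOG = [
    ("E:\\Reports", "2013-01-16 17:54:31"),
    ("E:\\Reports\\Q4", "2013-01-16 17:55:03"),
    ("C:\\Users\\lab\\Documents\\Invoices", "2013-01-16 18:02:40"),
]

# Tool A (constructed): ISO 8601 in UTC, forward slashes, trailing slash,
# and a modification time on Invoices that is 7 s off the log.
TOOL_A_OUTPUT = [
    ("E:/Reports/", "2013-01-16T17:54:30Z"),
    ("E:/Reports/Q4/", "2013-01-16T17:55:02Z"),
    ("C:/Users/lab/Documents/Invoices/", "2013-01-16T18:02:47Z"),
]

# Tool B (constructed): US-style local time in UTC-5, inconsistent case,
# one folder silently skipped and one entry the log never recorded.
TOOL_B_OUTPUT = [
    ("e:\\reports", "01/16/2013 12:54:30 PM"),
    ("C:\\USERS\\LAB\\DOCUMENTS\\INVOICES", "01/16/2013 01:02:40 PM"),
    ("D:\\", "01/16/2013 12:50:00 PM"),
]


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; tools differ on slash direction and trailing slashes."""
    return path.replace("/", "\\").rstrip("\\").lower()


def parse_utc(value: str, fmt: str, utc_offset_hours: int = 0) -> datetime:
    """Parse a tool timestamp in its own format and zone and return an aware UTC datetime."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(value, fmt).replace(tzinfo=tz).astimezone(timezone.utc)


def load(rows: List[Tuple[str, str]], fmt: str, utc_offset_hours: int = 0) -> Dict[str, datetime]:
    """Turn (path, timestamp) rows into a {normalized path: UTC datetime} map."""
    return {normalize_path(p): parse_utc(ts, fmt, utc_offset_hours) for p, ts in rows}


def compare(truth: Dict[str, datetime], tool: Dict[str, datetime],
            tolerance: timedelta = timedelta(seconds=2)) -> Report:
    """Report entries a tool missed, entries it reported that were never logged,
    and entries whose time differs from the log by more than the tolerance."""
    report: Report = {"missing": [], "unexpected": [], "time_mismatch": []}
    report["missing"] = sorted(truth.keys() - tool.keys())
    report["unexpected"] = sorted(tool.keys() - truth.keys())
    for path in sorted(truth.keys() & tool.keys()):
        if abs(truth[path] - tool[path]) > tolerance:
            report["time_mismatch"].append(
                f"{path}: log {truth[path].isoformat()} vs tool {tool[path].isoformat()}")
    return report


def run_comparison() -> Dict[str, Report]:
    """Compare every tool against the log; returns one report per tool."""
    truth = load(GROUND_TRUTH_LOG, "%Y-%m-%d %H:%M:%S")
    tools = {
        "tool_a": load(TOOL_A_OUTPUT, "%Y-%m-%dT%H:%M:%SZ"),
        "tool_b": load(TOOL_B_OUTPUT, "%m/%d/%Y %I:%M:%S %p", utc_offset_hours=-5),
    }
    return {name: compare(truth, data) for name, data in tools.items()}


if __name__ == "__main__":
    for name, report in run_comparison().items():
        print(name, report)
```

Run against the constructed rows, tool A comes back clean on coverage but with one time mismatch, and tool B comes back with a missing folder and an unexpected entry; on a real validation run the "missing" list is the one that decides whether a tool goes into the toolbox.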
 

Page 2 of 4