Interpreting ShellBags

(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Hi

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated. He received the notice of termination on 11th September 2013, and is on Eastern Time.

Using the TZWorks ShellBags parser, I extracted this information (folder names changed but structure consistent):

modify date  mtime   full path
12-Sep-13 012158 F\Folder9\
12-Sep-13 012150 E\Folder9\FolderY\
12-Sep-13 012150 E\Folder9\FolderX\
12-Sep-13 012106 E\Folder9\
12-Sep-13 012032 F\Folder1\
12-Sep-13 012032 F\Folder1\FolderA\
12-Sep-13 012032 F\Folder2\FolderB\
12-Sep-13 011802 E\Folder1\FolderA\
12-Sep-13 010950 F\Folder8\
12-Sep-13 010624 E\Folder8\
12-Sep-13 010556 F\Folder7\
12-Sep-13 010444 E\Folder7\
12-Sep-13 010424 F\Folder6\
12-Sep-13 010400 E\Folder6\
12-Sep-13 010144 F\Folder4\
12-Sep-13 005152 E\Folder4\
12-Sep-13 005106 F\Folder3\
12-Sep-13 005038 E\Folder3\
12-Sep-13 005000 E\Folder1\
12-Sep-13 004912 F\Folder5
12-Sep-13 000836 E\Folder5\

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

The only other possible explanation I can think of is implausible, i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters.

I'm in a team of one and have no peers to bounce the theory off, hence asking here.

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggests file access to two different external media around this time, although there is plenty of evidence in JumpLists of file access to a Drive E around the same time.

Cheers

 
Posted : 29/11/2013 5:16 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Apologies for the formatting.

Also, I forgot to say that one external hard drive was returned, but not the other. And the user had attempted to delete all business data files from his laptop and the drive he returned.

Cheers

 
Posted : 29/11/2013 5:23 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization" of) two devices.
Knowing the amount of data in each directory (at least on the device of which you have a copy) may produce a correlation.
I.e. IF folder "\Folder9\" including its subfolders contains much less data than "\Folder1\", that could explain why the user supposedly "stayed longer" on \Folder1\.
A mere hypothesis, but this
04036 E\Folder5\
00048 F\Folder5
00038 E\Folder1\
00028 E\Folder3\
00046 F\Folder3\
00952 E\Folder4\
00216 F\Folder4\
00024 E\Folder6\
00020 F\Folder6\
00112 E\Folder7\
00028 F\Folder7\
00326 E\Folder8\
00812 F\Folder8\
00230 E\Folder1\FolderA\
00000 F\Folder1\
00000 F\Folder1\FolderA\
00034 F\Folder2\FolderB\
00044 E\Folder9\
00000 E\Folder9\FolderX\
00008 E\Folder9\FolderY\
F\Folder9\
which is your same data ordered by time of event and with the "gap" before the next event (i.e. the time that presumably the user "stared" at an open Explorer window listing files), seems to me to indicate that.

jaclaz

 
Posted : 29/11/2013 7:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated.

Do you know the nature of the data? Word documents?

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

One possibility might be that more than just two different devices were connected. Did you check other artifacts for indications of USB thumb drives connected to the system?

The reason I ask is that I have about half a dozen thumb drives on my desk, and I can connect one, disconnect it, and then connect another, all in succession…and each will be mounted to the same drive letter.

The only other possible explanation I can think of is implausible, i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters.

I think that you're misinterpreting the time stamps that you're seeing. Those time stamps…last modified date and time…are DOSDate format values extracted from metadata for the object/folder in question. If the former employee opened the folder in Windows Explorer, the time stamps would be part of the shellbag artifact that is created. If they then copied/drag-n-dropped a file into the folder, the folder last modification time would be updated on the device, but not in the shellbag artifact.

Does that help?

In short, if you're looking for when the folders on the devices were accessed/viewed by the user, those are not the time stamps you're looking for…I've waited a long time to use that in a sentence. 😉

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggests file access to two different external media around this time, although there is plenty of evidence in JumpLists of file access to a Drive E around the same time.

Data exfil does not necessarily require that the user open the file once it's copied/moved to external storage.

 
Posted : 29/11/2013 7:53 pm
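An added example, not code from the thread or from the TZWorks tool, showing the two points discussed above: the DOS date/time pair that shell items store for a folder (2-second resolution, so odd seconds are truncated), and jaclaz's ordering of the OP's rows with the gap to the next row. The rows are a constructed copy of the first four lines the OP posted; the gaps are between the stored folder modification times, which keydet89 notes come from the device's own file system metadata.

```python
from datetime import datetime

# Constructed sample: the first four rows of the OP's sbag output, names as posted.
SAMPLE = """\
12-Sep-13 012158 F\\Folder9\\
12-Sep-13 012150 E\\Folder9\\FolderY\\
12-Sep-13 012150 E\\Folder9\\FolderX\\
12-Sep-13 012106 E\\Folder9\\
"""

def decode_dosdate(date_word, time_word):
    """Decode the 16-bit DOS date and DOS time words a shell item stores for a
    folder. Seconds are kept in 2-second units, so odd seconds cannot appear."""
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = 1980 + (date_word >> 9)
    second = (time_word & 0x1F) * 2
    minute = (time_word >> 5) & 0x3F
    hour = time_word >> 11
    return datetime(year, month, day, hour, minute, second)

def encode_dosdate(ts):
    """Inverse of decode_dosdate; an odd second is truncated to the even one below."""
    date_word = ((ts.year - 1980) << 9) | (ts.month << 5) | ts.day
    time_word = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return date_word, time_word

def parse_rows(text):
    """Parse 'dd-Mon-yy HHMMSS path' rows in the layout the OP pasted."""
    rows = []
    for line in text.splitlines():
        day, hms, path = line.split(" ", 2)
        rows.append((datetime.strptime(day + " " + hms, "%d-%b-%y %H%M%S"), path))
    return rows

def gaps_after(rows):
    """Order rows ascending by stored mtime (ties broken by path) and attach the
    seconds until the next row, as in jaclaz's table; the last row gets None."""
    ordered = sorted(rows, key=lambda r: (r[0], r[1]))
    out = []
    for i, (ts, path) in enumerate(ordered):
        nxt = ordered[i + 1][0] if i + 1 < len(ordered) else None
        out.append((path, None if nxt is None else int((nxt - ts).total_seconds())))
    return out

if __name__ == "__main__":
    for path, gap in gaps_after(parse_rows(SAMPLE)):
        print(f"{'' if gap is None else gap:>5} {path}")
```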
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization" of) two devices.

I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.

I'm not questioning your hypothesis, nor second guessing…simply asking if you can elaborate on the reasoning, that's all.

Thanks.

 
Posted : 29/11/2013 8:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.

I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.

What exactly this *something* is, is another thing 😯 , but *whatever* it was, it was done in a given sequence and - unless very different actions produce the same traces in the shellbags - it seems to me logical to presume that the "same" *something* was done on two different devices.

jaclaz

 
Posted : 29/11/2013 9:37 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.

I'm not sure that I follow…

The OP stated that he used the TZWorks sbag tool. Assuming that the "modify date" and "mtime" came from the output of the tool, then that would mean that the values were pulled from the shell items that comprise the shellbags artifacts. As these values can be modified/updated completely independent of the shellbags artifacts themselves, I'm sincerely curious to understand how they might be read as a sequence of events logged.

Thanks.

 
Posted : 29/11/2013 10:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm not sure that I follow…

The OP stated that he used the TZWorks sbag tool. Assuming that the "modify date" and "mtime" came from the output of the tool, then that would mean that the values were pulled from the shell items that comprise the shellbags artifacts. As these values can be modified/updated completely independent of the shellbags artifacts themselves, I'm sincerely curious to understand how they might be read as a sequence of events logged.

Thanks.

Now I am not following you.

The OP posted a sequence of *something*.
The *something* comes from "shell items that comprise the shellbags artifacts"?
Good, still it is a sequence of *something*.
Taking just the first four lines of the data the OP posted:

12-Sep-13 012158 F\Folder9\
12-Sep-13 012150 E\Folder9\FolderY\
12-Sep-13 012150 E\Folder9\FolderX\
12-Sep-13 012106 E\Folder9\

I read them as:
*something* happened on 12-Sep-13 012106 and *somehow* affected[1] E\Folder9\
44 seconds passed
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] E\Folder9\FolderX\
immediately after, i.e. after 0 seconds
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] E\Folder9\FolderY\
8 seconds passed
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] F\Folder9\

It is a sequence, as each event happens (or however it is logged, or however it leaves a trace of some sort in such a way that the TZWorks tool detects and reports it) after another.
It is alternating between E and F.

[1] affected in the sense of "leaves a trace mentioning"

Now, what the *something* is (or whether it is *something else* instead) is wholly debatable, but that the data posted is a sequence, and that the *whatever* reported by the tool has alternating values belonging to E and F, is hardly so.

jaclaz

 
Posted : 29/11/2013 10:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Okay…I see. Thanks.

 
Posted : 30/11/2013 12:08 am
(@joachimm)
Posts: 181
Estimable Member
 

My deduction is that there were two different drives, with some similar folder structures, connected at the same time

Any facts to back up your deduction? Any idea what these drive letters were pointing at at the time (setupapi log, mounted USB, FireWire devices, network drives, etc.)? Why can't they be the same drive with different volume letters assigned to it? What about using subst to map 2 drive letters to the same volume?

 
Posted : 30/11/2013 2:20 am