Interpreting ShellBags

Page 1 / 3
Cults14
(@cults14)
Active Member

Hi

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated. He received the notice of termination 11th September 2013, and is on Eastern Time

Using TZWorks Shellbags parser, I extracted this information (folder names changed but structure consistent)

modifydate mtime full path
12-Sep-13 012158 F\Folder9\
12-Sep-13 012150 E\Folder9\FolderY\
12-Sep-13 012150 E\Folder9\FolderX\
12-Sep-13 012106 E\Folder9\
12-Sep-13 012032 F\Folder1\
12-Sep-13 012032 F\Folder1\FolderA\
12-Sep-13 012032 F\Folder2\FolderB\
12-Sep-13 011802 E\Folder1\FolderA\
12-Sep-13 010950 F\Folder8\
12-Sep-13 010624 E\Folder8\
12-Sep-13 010556 F\Folder7\
12-Sep-13 010444 E\Folder7\
12-Sep-13 010424 F\Folder6\
12-Sep-13 010400 E\Folder6\
12-Sep-13 010144 F\Folder4\
12-Sep-13 005152 E\Folder4\
12-Sep-13 005106 F\Folder3\
12-Sep-13 005038 E\Folder3\
12-Sep-13 005000 E\Folder1\
12-Sep-13 004912 F\Folder5
12-Sep-13 000836 E\Folder5\

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

The only other possible explanation I can think of is implausible i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters

I'm in a team of one and have no peers to bounce the theory off, hence asking here.

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggests file access to two different external media around this time, although there is plenty of evidence in JumpLists of file access to a Drive E around the same time

Cheers

Topic starter Posted : 29/11/2013 5:16 pm
Cults14
(@cults14)
Active Member

Apologies for the formatting (

Also, I forgot to say that one external hard drive was returned, but not the other. And the user had attempted to delete all business data files from his laptop and the drive he returned.

Cheers

Topic starter Posted : 29/11/2013 5:23 pm
jaclaz
(@jaclaz)
Community Legend

Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization") of two devices.
Knowing the amount of data in each directory (at least on the device of which you have a copy) may produce a correlation.
I.e. IF folder "\Folder9\" including its subfolders contains much less data than "\Folder1\" that could explain why the user supposedly "stayed longer" on \Folder1\.
A mere hypothesis, but this
04036 E\Folder5\
00048 F\Folder5
00038 E\Folder1\
00028 E\Folder3\
00046 F\Folder3\
00952 E\Folder4\
00216 F\Folder4\
00024 E\Folder6\
00020 F\Folder6\
00112 E\Folder7\
00028 F\Folder7\
00326 E\Folder8\
00812 F\Folder8\
00230 E\Folder1\FolderA\
00000 F\Folder1\
00000 F\Folder1\FolderA\
00034 F\Folder2\FolderB\
00044 E\Folder9\
00000 E\Folder9\FolderX\
00008 E\Folder9\FolderY\
F\Folder9\
which is your same data ordered by time of event and with "gap" before next event (i.e. time that presumably the user "stared" at an open explorer window listing files) seems to me like indicating that.

jaclaz

Posted : 29/11/2013 7:50 pm
keydet89
(@keydet89)
Community Legend

I was asked to look for evidence of data exfiltration on the computer (Win7 Enterprise SP1) and email of a user we terminated.

Do you know the nature of the data? Word documents?

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

One possibility might be that more than just two different devices were connected. Did you check other artifacts for indications of USB thumb drives connected to the system?

The reason I ask is that I have about half a dozen thumb drives on my desk, and I can connect one, disconnect it, and then connect another, all in succession…and each will be mounted to the same drive letter.

The only other possible explanation I can think of is implausible i.e. he kept disconnecting and reconnecting the same drive time after time and getting different drive letters

I think that you're misinterpreting the time stamps that you're seeing. Those time stamps…last modified date and time…are DOSDate format values extracted from metadata for the object/folder in question. If the former employee opened the folder in Windows Explorer, the time stamps would be part of the shellbag artifact that is created. If they then copied/drag-n-dropped a file into the folder, the folder last modification time would be updated on the device, but not in the shellbag artifact.

Does that help?

In short, if you're looking for when the folders on the devices were accessed/viewed by the user, those are not the time stamps you're looking for…I've waited a long time to use that in a sentence. 😉

BTW, there is nothing in JumpLists or LNK files or MRU lists that suggest file access to two different external media around this time, although there is plenty evidence in JumpLists of file access to a Drive E around the same time

Data exfil does not necessarily require that the user open the file once it's copied/moved to external storage.

Posted : 29/11/2013 7:53 pm
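The point keydet89 makes above is about where the "modify date"/"mtime" columns come from: a shell item stores the folder's last-modified time as a FAT-style 32-bit DOSDate/DOSTime pair, which has 2-second resolution and carries no time zone. The following script is an added example written for this thread, not code from the OP, from TZWorks or from any poster; it decodes and encodes that pair, shows the truncation of odd seconds, and checks the hhmmss values from the OP's listing (copied from the first post; the rest of the data is constructed) for the even-seconds property such values must have.

```python
# Added example (not from the thread): decode/encode the 32-bit DOSDate/DOSTime
# pair that Windows shell items carry for a folder's last-modified time.
# OP_TIMES is copied from the listing in the first post; everything else here
# is constructed for illustration.
import struct
from datetime import datetime
from typing import Tuple


def decode_dos_datetime(date16: int, time16: int) -> datetime:
    """Decode DOSDate (YYYYYYYMMMMDDDDD) and DOSTime (HHHHHMMMMMMSSSSS).

    Seconds are stored as a 5-bit count of 2-second units, so the result can
    only ever have an even seconds value, and there is no time-zone field.
    """
    day = date16 & 0x1F
    month = (date16 >> 5) & 0x0F
    year = 1980 + (date16 >> 9)
    seconds = (time16 & 0x1F) * 2
    minute = (time16 >> 5) & 0x3F
    hour = time16 >> 11
    return datetime(year, month, day, hour, minute, seconds)


def encode_dos_datetime(dt: datetime) -> Tuple[int, int]:
    """Encode a datetime the way a FAT volume would; odd seconds are truncated."""
    date16 = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time16 = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date16, time16


def decode_from_bytes(raw: bytes) -> datetime:
    """Decode the little-endian 4-byte form (date word, then time word)."""
    date16, time16 = struct.unpack("<HH", raw[:4])
    return decode_dos_datetime(date16, time16)


def dos_roundtrip_loss(iso: str) -> int:
    """Seconds lost when the ISO-8601 time is stored as DOSTime (0 or 1)."""
    dt = datetime.fromisoformat(iso)
    return int((dt - decode_dos_datetime(*encode_dos_datetime(dt))).total_seconds())


# hhmmss values from the OP's sbag listing (all dated 12-Sep-13).
OP_TIMES = ["012158", "012150", "012150", "012106", "012032", "012032", "012032",
            "011802", "010950", "010624", "010556", "010444", "010424", "010400",
            "010144", "005152", "005106", "005038", "005000", "004912", "000836"]


def all_even_seconds(hhmmss_values) -> bool:
    """True if every listed time has even seconds, as DOSTime-derived values must."""
    return all(int(v[4:6]) % 2 == 0 for v in hhmmss_values)


if __name__ == "__main__":
    sample = datetime(2013, 9, 12, 1, 21, 58)          # constructed sample
    d, t = encode_dos_datetime(sample)
    print(f"{sample} -> DOSDate=0x{d:04X} DOSTime=0x{t:04X}")
    print("decoded back:", decode_dos_datetime(d, t))
    print("odd-second loss:", dos_roundtrip_loss("2013-09-12T01:21:57"))
    print("from raw LE bytes:", decode_from_bytes(struct.pack("<HH", d, t)))
    print("OP listing all even seconds:", all_even_seconds(OP_TIMES))
```

Every time in the OP's listing has even seconds, which is consistent with the values being DOS-format folder mtimes carried inside the shell items rather than timestamps written by Explorer at the moment the folder was viewed.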
keydet89
(@keydet89)
Community Legend

Looking at the data, it seems like someone attempting to "synchronize" manually (or verify "synchronization") of two devices.

I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.

I'm not questioning your hypothesis, nor second guessing…simply asking if you can elaborate on the reasoning, that's all.

Thanks.

Posted : 29/11/2013 8:25 pm
jaclaz
(@jaclaz)
Community Legend

I'm curious as to how this was arrived at, given that the modification date and times shown, if extracted directly from the tool output, are from the file system metadata on the device in question.

I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.

What exactly is this *something* is another thing 😯 , but *whatever* it was, it was done in a given sequence and - unless very different actions produce the same traces in the shellbags - it seems to me logical to presume that the "same" *something* was done on two different devices.

jaclaz

Posted : 29/11/2013 9:37 pm
keydet89
(@keydet89)
Community Legend

I read those as "a sequence of events" logged.

What it does show is the "alternating" between two devices doing on each of them *something* that leaves the same traces in the shellbags.

I'm not sure that I follow…

The OP stated that he used the TZWorks sbag tool. Assuming that the "modify date" and "mtime" came from the output of the tool, then that would mean that the values were pulled from the shell items that comprise the shellbags artifacts. As these values can be modified/updated completely independent of the shellbags artifacts themselves, I'm sincerely curious to understand how they might be read as a sequence of events logged.

Thanks.

Posted : 29/11/2013 10:09 pm
jaclaz
(@jaclaz)
Community Legend

I'm not sure that I follow…

The OP stated that he used the TZWorks sbag tool. Assuming that the "modify date" and "mtime" came from the output of the tool, then that would mean that the values were pulled from the shell items that comprise the shellbags artifacts. As these values can be modified/updated completely independent of the shellbags artifacts themselves, I'm sincerely curious to understand how they might be read as a sequence of events logged.

Thanks.

Now I am not following you.

The OP posted a sequence of *something*.
The *something* comes from "shell items that comprise the shellbags artifacts"?
Good ) , still it is a sequence of *something*.
Taking just the first four lines of the data the OP posted

12-Sep-13 012158 F\Folder9\
12-Sep-13 012150 E\Folder9\FolderY\
12-Sep-13 012150 E\Folder9\FolderX\
12-Sep-13 012106 E\Folder9\

I read them as
*something* happened on 12-Sep-13 012106 and *somehow* affected[1] E\Folder9\
44 seconds passed away
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] E\Folder9\FolderX\
immediately after, i.e. after 0 seconds
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] E\Folder9\FolderY\
8 seconds passed away
*something* happened on 12-Sep-13 012150 and *somehow* affected[1] F\Folder9\

It is a sequence as each event happens (or however is logged or however leaves a trace of some sort in such a way that the tzworks tool detects and reports it) after another.
It is alternating between E and F.

[1] affected in the sense of "leaves a trace mentioning"

Now, what is the *something* (or whether it is *something else* instead) is wholly debatable, but that the data posted is a sequence, and that the *whatever* is reported by the tools have alternate values belonging to E and F it is hardly so.

jaclaz

Posted : 29/11/2013 10:52 pm
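jaclaz's two posts above (the re-ordered table with a "gap" column, and the walk through the first four rows) both come down to the same operation: order the rows oldest-first, take the difference to the next row, and look at how the drive letter alternates. The script below is an added example for this thread, not code from any poster; it rebuilds that table from the OP's listing (copied from the first post) and counts the E/F switches. It takes no side on what the timestamps mean: whether a difference between two folder mtimes is time a user spent in a window (jaclaz's reading) or just the difference between two pieces of file-system metadata (keydet89's objection) is the disputed point, and the code only measures the differences.

```python
# Added example (not from the thread): rebuild jaclaz's "gap before next event"
# table and count the E/F alternation in the OP's sbag listing.
from datetime import datetime
from typing import List, Optional, Tuple

# Copied from the first post (folder names as anonymised there).
OP_LISTING = r"""
12-Sep-13 012158 F\Folder9\
12-Sep-13 012150 E\Folder9\FolderY\
12-Sep-13 012150 E\Folder9\FolderX\
12-Sep-13 012106 E\Folder9\
12-Sep-13 012032 F\Folder1\
12-Sep-13 012032 F\Folder1\FolderA\
12-Sep-13 012032 F\Folder2\FolderB\
12-Sep-13 011802 E\Folder1\FolderA\
12-Sep-13 010950 F\Folder8\
12-Sep-13 010624 E\Folder8\
12-Sep-13 010556 F\Folder7\
12-Sep-13 010444 E\Folder7\
12-Sep-13 010424 F\Folder6\
12-Sep-13 010400 E\Folder6\
12-Sep-13 010144 F\Folder4\
12-Sep-13 005152 E\Folder4\
12-Sep-13 005106 F\Folder3\
12-Sep-13 005038 E\Folder3\
12-Sep-13 005000 E\Folder1\
12-Sep-13 004912 F\Folder5
12-Sep-13 000836 E\Folder5\
"""

Row = Tuple[datetime, str, str]  # (mtime, drive letter, full path)


def parse_listing(text: str) -> List[Row]:
    """Parse 'dd-Mon-yy hhmmss path' lines as printed in the OP's output."""
    rows = []
    for line in text.strip().splitlines():
        date_s, time_s, path = line.split(maxsplit=2)
        mtime = datetime.strptime(f"{date_s} {time_s}", "%d-%b-%y %H%M%S")
        rows.append((mtime, path[0], path))
    return rows


def oldest_first(rows: List[Row]) -> List[Row]:
    """The tool prints newest-first; reverse, then stable-sort by mtime.

    Rows sharing a timestamp keep their relative order; their gaps are 0
    whichever way round they are listed.
    """
    return sorted(reversed(rows), key=lambda r: r[0])


def sequence_with_gaps(rows: List[Row]) -> List[Tuple[Optional[int], str]]:
    """Pair each row with the seconds until the next row (None for the last)."""
    ordered = oldest_first(rows)
    out = []
    for i, (mtime, _drive, path) in enumerate(ordered):
        gap = None
        if i + 1 < len(ordered):
            gap = int((ordered[i + 1][0] - mtime).total_seconds())
        out.append((gap, path))
    return out


def count_drive_switches(rows: List[Row]) -> int:
    """How many consecutive rows (oldest-first) change drive letter."""
    ordered = oldest_first(rows)
    return sum(1 for a, b in zip(ordered, ordered[1:]) if a[1] != b[1])


def format_gap(gap: Optional[int]) -> str:
    """Render seconds in the MMMSS form jaclaz used (e.g. 2436 s -> '04036')."""
    if gap is None:
        return "     "
    return f"{gap // 60:03d}{gap % 60:02d}"


if __name__ == "__main__":
    rows = parse_listing(OP_LISTING)
    for gap, path in sequence_with_gaps(rows):
        print(format_gap(gap), path)
    print("drive switches between consecutive rows:",
          count_drive_switches(rows), "of", len(rows) - 1)
```

Run as-is it prints the same 21 rows and gap figures as jaclaz's table, with 15 of the 20 consecutive pairs changing drive letter; that alternation is what the "two devices" reading rests on, and it is equally consistent with two volumes being browsed in turn or with one physical device mounted under two letters, which is why joachimm's later questions about what E and F actually were still need answering from other artifacts.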
keydet89
(@keydet89)
Community Legend

Okay…I see. Thanks.

Posted : 30/11/2013 12:08 am
joachimm
(@joachimm)
Active Member

My deduction is that there were two different drives, with some similar folder structures, connected at the same time

any facts to back up your deduction? Any idea what these drive letters were pointing at at the time (setupapi log, mounted USB, firewire devices, network drives, etc.)? Why can't they be the same drive with different volume letters assigned to it? What about subst 2 drive letters for the same volume?

Posted : 30/11/2013 2:20 am
joachimm
(@joachimm)
Active Member

Also there is likely more information in the shell items you can use, which the parser or your example is not showing. E.g. the NTFS file reference in the file entry shell item. See
https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf

Posted : 30/11/2013 10:17 am
keydet89
(@keydet89)
Community Legend

Joachimm,

It would appear that the issue is simply a misunderstanding of the shellbag artifacts.

Posted : 30/11/2013 5:57 pm
joachimm
(@joachimm)
Active Member

Joachimm,

It would appear that the issue is simply a misunderstanding of the shellbag artifacts.

You might be right, but I prefer to have some more context/feedback from the OP before I draw this conclusion. Who knows it might be an interesting issue after all. If I had a similar scenario in an investigation I would be all over it trying to figure out what the deal was.

Posted : 01/12/2013 2:35 am
keydet89
(@keydet89)
Community Legend

You might be right, but I prefer to have some more context/feedback from the OP before I draw this conclusion.

Agreed. I'd actually made a similar suggestion.

Who knows it might be an interesting issue after all. If I had a similar scenario in an investigation I would be all over it trying to figure out what the deal was.

Might be, you're right, but it's hard to tell.

However, I still get the very strong impression that folks simply do not know where the modified date and time come from, and what they mean…

Posted : 01/12/2013 2:45 am
jaclaz
(@jaclaz)
Community Legend

Being Sunday, I did a simple test, but possibly not simple enough to allow me to understand the results of it, let alone know what works and why it does (or does not).

If anyone is interested, it is in the file you can get from here
http://www2.zshares.net/dhporxnhrxji

I deleted all shellbags with a tool called Shellbag Analyzer & Cleaner
http://privazer.com/download-shellbag-analyzer-shellbag-cleaner.php
ran the tzworks sbag (and also saved the "cleaner" log), then performed a couple of semi-automatic and manual openings of drives/directories with Explorer, then ran the tzworks sbag again (and also saved the "cleaner" log).

jaclaz

Posted : 02/12/2013 12:26 am