Interpreting ShellBags

keydet89
(@keydet89)
Posts: 3578
Famed Member
 

I'm not going to download a file from that site, but I will ask this…what was the purpose of your test? Was there something that you were hoping to show or learn?

 
Posted : 02/12/2013 4:30 am
Cults14
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Sorry, was away for the weekend and had no signal.

Anyways, thanks a lot for all the replies, some responses for you

General - I said that the user had attempted to delete business data on his laptop and on the external drive which has been returned to us. I recovered a lot of files from both drives using FTK (Exported all deleted files, maintaining the folder structure).
Re the external drive, the following folders from the Shellbags analysis are NOT in the FTK export
Folder1
Folder5
Folder9

Although we have matching folder names in our recovered data, I don't believe we have a way of knowing whether we have recovered ALL the data that was there two months previously.

Jaclaz
you mention "attempting to synchronise". I'm not sure what you mean by synchronise, it may be a language thing but other than copying (which is not something I've mentioned before) what else could you mean by synchronise?

"……..contain much less data…….." As described above, without having the original data, we can't tell how much of the original data we have recovered. So the folder sizes available to us may not be significant. Having said that, the folders we have recovered
Folder3 = 1.4MB
Folder4 = 21MB
Folder6 = 455KB
Folder7 = 1.27MB
Folder8 = 3.77MB

Keydet89
"nature of documents" - docx, xlsx, msg, PDF, some 3D CAD modelling txt files (which can be >100MB each), DWG. How does this help?

"other artefacts" - yes have checked , and no other USB devices have last connected or first connected date/time around our time frames.
I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot" is 10th October (our man's second last working day), and "Last Connected Time" is 10th or 11th October. Thumb drives are slightly different in that one option for Last Time Connected shows the same as the HDDs, the other (NTUser.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}) shows varying dates including 10th October, 17th July, and 26th April

First Time Connected is kinda weird though for the HDDs. The Seagate Backup Plus which has been returned was purchased April 2013, setupapi.dev.log suggests first connect time 10th September 2013. The user had deleted all non-Seagate files/folders, Modified dates on the folders I've recovered are mostly around 10th October but there are some pre-dating 10th September, am not sure how to explain this.

"misinterpreting" - I sure don't fully understand these artefacts ( As you know I'm a part-time internal resource with no colleagues, hence double-checking here ) If these are not the timestamps I'm looking for, are you prepared to help me out by pointing me in the right direction?

"Data exfil…………." yes, understand this, but had checked anyway and thought it worth mentioning. The only person who can explain why he/she took certain actions is him/her.

"Assuming that the "modify date" and "mtime"…….." - my OP said "Using TZWorks Shellbags parser, I extracted this information " so I'm not clear as to why you would think that the modify date and mtime would have come from anywhere else?

Joachimm
Drive letters - unfortunately no, have used Rob Lee's guides and there's nothing in my output which can tie a specific drive letter to September (see Last Connected Times above)

"Why can't they be the same drive…………" - OK I know we're into behaviour here, but why would you have two drive letters with (some) duplicated folder structures on the same drive?

"What about subst 2 drive letters…….." - sorry, I'm not with you here.

"more context………" - what do you want? Will happily supply if possible

Thanks again to everyone, the more I get into this stuff the more I realise I need to learn more at a more technical level. I feel like a Police Constable observing you guys performing autopsies!

Cheers

 
Posted : 02/12/2013 4:30 pm
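The "first connect time" quoted above comes from the hardware-initiated device-install sections of setupapi.dev.log. As an added example (not code from the thread, nor from the SANS guides or any tool mentioned in it), the following Python parses the Windows 7 log format for those sections, splits the USBSTOR device-instance path into vendor, product and serial, and flags serials that Windows generated itself because the device exposed none (such an instance ID is host-specific and cannot be matched to the physical device). The log text, device IDs and timestamps are constructed for the example; note that only the first install of a given device instance is logged, and the timestamps are local time of the logging host with no time zone recorded.

```python
import re
from datetime import datetime

# Constructed sample in the Windows 7 setupapi.dev.log format. Device IDs,
# serial numbers and timestamps are invented and are not the poster's data.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Seagate&Prod_BUP_Slim_BK&Rev_0108\NA5EXAMPLE&0]
>>>  Section start 2013/09/10 09:12:43.521
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 09:12:43.521
<<<  Section end 2013/09/10 09:12:44.130
<<<  [Exit status: SUCCESS]
>>>  [Delete Device - USB\VID_0BC2&PID_AB20\NA5EXAMPLE]
>>>  Section start 2013/10/11 17:40:02.007
<<<  Section end 2013/10/11 17:40:02.019
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1e3f4a5b&0&_&0]
>>>  Section start 2013/10/10 11:05:17.880
<<<  Section end 2013/10/10 11:05:19.304
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devinst>.+?)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<dtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


def describe_usbstor(devinst: str) -> dict:
    """Split a USBSTOR device-instance path into vendor/product/revision/serial.

    If the instance part has '&' as its second character, the device exposed no
    serial number and Windows generated an ID; that ID is specific to this
    host and port and cannot be used to identify the physical device.
    """
    m = USBSTOR_RE.match(devinst)
    if not m:
        return {"is_usbstor": False}
    instance = m.group("instance")
    return {
        "is_usbstor": True,
        "device_type": m.group("dtype"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("rev"),
        "serial": instance.rsplit("&", 1)[0],   # drop the trailing '&0' suffix
        "serial_is_windows_generated": len(instance) > 1 and instance[1] == "&",
    }


def parse_device_installs(log_text: str) -> list:
    """One record per hardware-initiated device install section.

    The 'Section start' value is local time of the logging host (no zone is
    recorded), so interpret it against that machine's configured zone.
    """
    records = []
    pending = None   # device instance from the header line we just saw
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("devinst")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            rec = {"device_instance": pending,
                   "first_install": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")}
            rec.update(describe_usbstor(pending))
            records.append(rec)
            pending = None
        elif line.startswith(">>>"):
            pending = None   # some other kind of section (e.g. Delete Device)
    return records


def installs_between(records: list, start: datetime, end: datetime) -> list:
    """Filter install records to a window of interest (inclusive)."""
    return [r for r in records if start <= r["first_install"] <= end]


if __name__ == "__main__":
    for r in parse_device_installs(SAMPLE_LOG):
        print(r["first_install"], r["vendor"], r["product"], r["serial"],
              "(windows-generated)" if r["serial_is_windows_generated"] else "")
```

Run it against a real setupapi.dev.log (and any rolled-over setupapi.dev.YYYYMMDD_HHMMSS.log files in the same directory) and compare the serial against the USBSTOR subkeys in the SYSTEM hive; a device that was connected earlier than its only install entry will not show a second entry here, so "first install" is a lower bound on first use only for this Windows installation.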
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

Keydet89
"nature of documents" - docx, xlsx, msg, PDF, some 3D CAD modelling txt files (which can be >100MB each), DWG. How does this help?

You can see from other artifacts (RecentDocs, ComDlg32, Office TrustRecords, Jump Lists, LNK files, etc.) the names (and in some cases, paths) of files that the user did access. This doesn't get you to an answer regarding your data exfil question, but it does show what the user was accessing.

"other artefacts" - yes have checked , and no other USB devices have last connected or first connected date/time around our time frames.
I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot" is 10th October (our man's second last working day), and "Last Connected Time" is 10th or 11th October. Thumb drives are slightly different in that one option for Last Time Connected show the same as the HDDs, the other (NTUser.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{GUID}) shows varying dates including 10th October, 17th July, and 26th April

As this is a Win7 system, what about the EMDMgmt key and "Windows Portable Devices\Devices" subkey values?

Did you happen to check the shellbags artifacts available in any of the Volume Shadow Copies (if any are available)?

"misinterpreting" - I sure don't fully understand these artefacts ( As you know I'm a part-time internal resource with no colleagues, hence double-checking here ) If these are not the timestamps I'm looking for, are you prepared to help me out by pointing me in the right direction?

Well, first off, my comment about misinterpretation wasn't directed solely to you. 😉

It's great that you used the TZWorks tool to pull the information that you did, but one has to keep in mind that the MAC times (a) are in DOSDate format, converted from their native structure on the device, and (b) are subject to forces outside of the shellbag artifacts. What I mean by this is that user activity outside of what you see in the shellbags artifacts affects these dates. So, the modification date and time of E:\Folder1\Folder2 may have nothing whatsoever to do with the device being connected to the system that you're examining.

My point is, if you're going to run a tool, you should do so because you know exactly what you're trying to determine.

Going back to your original question

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

Based on the displayed data, the source of the deduction is not clear. Of course, there are a number of other scenarios that could apply, given the limited amount of data. Joachimm pointed out one. Another is that it's the same device connected at two different times. Yet another is that it's two different devices. You need to do more detailed analysis, collecting additional information, and possibly even creating a timeline.

That being said, none of this illustrates "evidence of data exfiltration".

Some resources that might help, with respect to shellbags:
http://windowsir.blogspot.com/2012/08/shellbag-analysis.html
http://windowsir.blogspot.com/2012/10/dosdate-time-stamps-in-shell-items.html
http://windowsir.blogspot.com/2013/06/there-are-four-lights-shell-items.html

"Assuming that the "modify date" and "mtime"…….." - my OP said "Using TZWorks Shellbags parser, I extracted this information " so I'm not clear as to why you would think that the modify date and mtime would have come from anywhere else?

Well, it's clear that the data was trimmed in some manner, so it's possible that not all of the times lined up properly.

 
Posted : 02/12/2013 6:12 pm
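Keydet89's point about the DOSDate format is easy to check directly. As an added example, not part of the thread and not from any of the tools it mentions, the Python below decodes and encodes the FAT-style date/time pair that a file-entry shell item (class 0x31 for a directory, 0x32 for a file) stores at offsets 8 and 10, builds a small constructed item to round-trip through it, and measures how much of an NTFS timestamp is lost on the way in. The item layout follows the public Shell Item format description (ForensicsWiki/libfwsi); the folder names and times are invented. The stored value is local time of the machine that wrote the entry, with two-second resolution and no time zone, which matters for a user working in one zone against an office in another.

```python
import struct
from datetime import datetime

# File-entry shell item layout (class 0x31 = directory, 0x32 = file), per the
# public Shell Item format documentation:
#   offset 0   uint16  item size (includes this field)
#   offset 2   uint8   class type
#   offset 3   uint8   unknown
#   offset 4   uint32  file size (0 for directories)
#   offset 8   uint16  DOS date  } last-modified, local time, 2-second resolution
#   offset 10  uint16  DOS time  }
#   offset 12  uint16  file attribute flags
#   offset 14  ...     primary (short) name, NUL-terminated
# Creation/access times, when present, sit in a 0xBEEF0004 extension block
# in the same DOS date/time form and suffer the same truncation.


def decode_dos_datetime(date_word: int, time_word: int):
    """Decode a FAT-style date/time pair; the all-zero pair means 'not set'."""
    if date_word == 0 and time_word == 0:
        return None
    day = date_word & 0x1F              # bits 0-4
    month = (date_word >> 5) & 0x0F     # bits 5-8
    year = 1980 + (date_word >> 9)      # bits 9-15, years since 1980
    second = (time_word & 0x1F) * 2     # bits 0-4, stored as seconds/2
    minute = (time_word >> 5) & 0x3F    # bits 5-10
    hour = time_word >> 11              # bits 11-15
    return datetime(year, month, day, hour, minute, second)


def encode_dos_datetime(dt: datetime):
    """Inverse of decode; sub-second and odd-second precision are dropped here."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def build_directory_item(name: str, mtime: datetime) -> bytes:
    """Construct a minimal class-0x31 shell item (sample data, not a real bag)."""
    date_word, time_word = encode_dos_datetime(mtime)
    body = struct.pack("<BBIHHH", 0x31, 0, 0, date_word, time_word, 0x10)  # 0x10 = DIRECTORY
    body += name.encode("ascii") + b"\x00"
    return struct.pack("<H", len(body) + 2) + body


def modification_time(item: bytes):
    """Read the last-modified DOS date/time from a file-entry shell item."""
    size, class_type = struct.unpack_from("<HB", item, 0)
    if (class_type & 0x70) != 0x30 or size > len(item):
        raise ValueError("not a file-entry shell item")
    date_word, time_word = struct.unpack_from("<HH", item, 8)
    return decode_dos_datetime(date_word, time_word)


def precision_loss(ntfs_mtime: datetime) -> float:
    """Seconds by which the shellbag copy lags a full-precision NTFS timestamp."""
    stored = decode_dos_datetime(*encode_dos_datetime(ntfs_mtime))
    return (ntfs_mtime - stored).total_seconds()


def sample_ntfs_mtime() -> datetime:
    # Constructed: an NTFS-style timestamp with odd seconds and a fraction
    return datetime(2013, 10, 10, 14, 23, 37, 654321)


if __name__ == "__main__":
    dt = sample_ntfs_mtime()
    item = build_directory_item("Folder1", dt)
    print("NTFS :", dt)
    print("bag  :", modification_time(item), f"(lost {precision_loss(dt):.6f} s)")
```

Because the bag entry is refreshed from the folder's file-system modification time whenever Explorer revisits the folder, a match between a shellbag mtime and a recovered folder's mtime only says both came from the same underlying timestamp at some point; it does not by itself date the device connection.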
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

With respect to the question of data exfiltration

http://windowsir.blogspot.com/2013/07/howto-data-exfiltration.html

 
Posted : 02/12/2013 6:13 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

I'm not going to download a file from that site, but I will ask this…what was the purpose of your test? Was there something that you were hoping to show or learn?

That's OK (asking I mean), but you cannot have answers to those questions without risking 😯 that download.
If you are interested, you can download that file (from that site) and have a look at it.
If you are not, don't.
I did a quick, simple experiment and provided both the result and a way to replicate it. I am sorry that I chose to use for sharing it the first free file hosting service I had handy (and that I have used for a few years for quickly exchanging some data on the Internet with other people, with, in all this time, not a single one objecting to this practice, nor specifically to the chosen site), which is seemingly not up to your standards.

@Cults14
As you may gather, in all my previous posts I tried desperately to use the more "generic" terms I can use, hopefully highlighting how they are not exact or strict by putting them between double quotes or asterisks.
The "synchronise" was meant as an attempt to describe one of the possible causes of those shellbags data (in my completely uninformed opinion), that the user had (possibly, or maybe, and anyway don't trust the word of someone that doesn't really know what data in a shellbag is referring to) opened two explorer panes, one besides the other and navigated alternatively in the same subdirectories of two different drives, possibly doing some action (like copying or deleting files or subdirectories) on them.
In other words I personally find your original hypothesis (two disks/volumes) plausible and cannot think of a different explanation/cause for those data.

You should ignore anything I posted and refer to the opinion of a qualified expert that actually knows what shellbag are and what may have created those data, instead.

jaclaz

 
Posted : 02/12/2013 8:05 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

I did a quick, simple experiment…

I saw that, and thanks for sharing it. I did not want to pursue downloading what was shared for two reasons…

One, I am still wondering what you were hoping to show/illustrate with the experiment.

Two, I'm not smart enough to use the file sharing site…each time I click on something, particularly something that says "Download now", everything *except* the file I'm interested in starts to download to my system.

Thanks.

 
Posted : 02/12/2013 10:19 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

One, I am still wondering what you were hoping to show/illustrate with the experiment.

Sadly, no particular hope, only some semi-random attempts at strange, new (for me) things 😯.

Two, I'm not smart enough to use the file sharing site…each time I click on something, particularly something that says "Download now", everything *except* the file I'm interested in starts to download to my system.

Try going to the page
http://www2.zshares.net/dhporxnhrxji
scrolling a bit down.
You should be able to see a "comparison table" between "Premium" and "Free".
At the bottom of the table you should see two buttons, one with "Premium Download" and one with "Free Download".
Try clicking on the one labeled "Free Download".
It should open a new page, around the middle of it you should see a countdown from 10 seconds or so to 0 and below it a button labeled "Download Now".
After the countdown elapses, the button will become enabled and by clicking on it, you should be prompted by your browser to save or open the file Sunday_test.zip (2.879 bytes in size).
I just tested the above procedure and it works fine for me (Opera browser 12.15.1748 on Windows XP SP2).

jaclaz

 
Posted : 02/12/2013 11:51 pm
joachimm
(@joachimm)
Posts: 181
Estimable Member
 

"What about subst 2 drive letters…….." - sorry, I'm not with you here.

There is a command on Windows (that originates from DOS) named subst that will allow you to substitute one "drive-letter" for another. See http://en.wikipedia.org/wiki/SUBST

Since the shell items have a similar functionality as being a path
http://www.forensicswiki.org/wiki/Shell_Item (also see for more references on the matter)

it could look like there are multiple devices that could also have been one.

"more context………" - what do you want? Will happily supply if possible

Thanks, your follow-up post provided a lot more context. Though the tztool seems to be very limited in what it provides you about the shell items. Harlan's scripts might provide you with more relevant data, or libregf if you feel like experimenting with its shell item debug output 😉

See https://code.google.com/p/libregf/

I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot"

Can you provide a link please, want to be sure that the document you're referring to is the same one I have in mind.

So the setupapi logs should normally tell you if and when a device was attached. The corresponding Registry information might indicate which drive letter was assigned and tell you more about the device.

If the data is not on the current volume looking in VSS for older versions of the data is a good suggestion. Otherwise the Windows Search database sometimes is useful for this purpose as well.

Maybe there are other application on the system that might have logged USB insertion?

 
Posted : 03/12/2013 12:32 am
Cults14
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Joachimm

Thanks for the response, some answers (and questions!) for you.

"There is a command on Windows……." Yes am aware of the command, but - similar to having multiple partitions on a single volume, both with same (or very similar) folder structures - am struggling to imagine a scenario where it makes sense to do that.
Also, the user doesn't seem to be techie enough, e.g. deleted lots of data but didn't empty Recycler and didn't use scrubbing software.

"Can you provide a link please………"
https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf
https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf

"Harlan his scripts might provide you with more relevant data….." will look into that

"Maybe there are other application on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc) I'm not sure what applications might leave the traces you seem to be suggesting

Cheers

 
Posted : 03/12/2013 7:53 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

Joachimm
"Maybe there are other application on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc) I'm not sure what applications might leave the traces you seem to be suggesting

In the etc.

Setupapi.log
Registry USB related keys

http://www.forensicswiki.org/wiki/USB_History_Viewing

jaclaz

 
Posted : 03/12/2013 8:25 pm
Cults14
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

In the etc.

Setupapi.log
Registry USB related keys

http://www.forensicswiki.org/wiki/USB_History_Viewing

Have already checked setupapi.dev.log and Registry Keys - at least the ones needed to follow Rob Lee's guides - as per previous post Monday 2nd December. Was wondering what else Joachimm might have been referring to (other than the additional sources that Harlan pointed me towards)?

Cheers

 
Posted : 03/12/2013 8:40 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

A couple of things you might want to check are the EMDMgmt and "Windows Portable Devices" keys in the Software hive, as well as the hives in any available VSCs.

However, I think that all of this sort of moves away from your original issue, which was to illustrate data exfil.

 
Posted : 04/12/2013 1:00 am
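As an added example (not code from the thread or from any tool it mentions), the Python below parses constructed EMDMgmt subkey names of the shape seen under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt on Windows 7: after the USBSTOR instance ID and device-interface GUID the name carries the volume label and the volume serial number in decimal. It converts that serial into the XXXX-XXXX form that LNK and shellbag parsers report, and joins the result to a constructed map of volume serials taken from LNK files, which is the usual way to tie one of these device entries back to documents the user actually opened. The key names, labels, serials and LNK names are invented. Two assumptions are labelled in the code: that the Windows Portable Devices\Devices subkey names share the USBSTOR#...#{GUID} core but lack the label/serial suffix (so that suffix is optional), and that the EMDMgmt key is populated by the ReadyBoost service and can therefore be missing where that service is disabled.

```python
import re

# Constructed EMDMgmt subkey names (invented devices, labels and serials).
# Assumption: the key is written by the ReadyBoost (EMD) service and may be
# absent on systems where that service is disabled.
SAMPLE_EMDMGMT_KEYS = [
    "_??_USBSTOR#Disk&Ven_Seagate&Prod_BUP_Slim_BK&Rev_0108#NA5EXAMPLE&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Seagate Backup Plus Drive_1234567890",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#7&1e3f4a5b&0&_&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_987654321",
]

# Constructed: volume serials a LNK parser reported from the user's Recent
# folder, mapped to the LNK files that carried them.
SAMPLE_LNK_BY_VSN = {
    "4996-02D2": ["Folder1.lnk", "drawing.dwg.lnk"],
    "1A2B-3C4D": ["something_else.lnk"],
}

# Searched (not anchored) so the USBSTOR#...#{GUID} core is found whatever
# prefix the hive uses. Assumption: Windows Portable Devices\Devices names
# have the same core without the "<label>_<decimal VSN>" suffix, hence optional.
EMD_RE = re.compile(
    r"USBSTOR#(?P<dtype>[^&#]+)&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<rev>[^#]*)#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-fA-F-]{36})\}"
    r"(?:(?P<label>.*)_(?P<vsn>\d+))?$"
)


def vsn_to_hex(vsn: int) -> str:
    """Render a volume serial number the way LNK/shellbag tools show it (XXXX-XXXX)."""
    h = f"{vsn & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"


def parse_emdmgmt_key(name: str):
    """Break a key name into device and volume fields; None if it is not USBSTOR-shaped."""
    m = EMD_RE.search(name)
    if not m:
        return None
    instance = m.group("instance")
    vsn = int(m.group("vsn")) if m.group("vsn") else None
    return {
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("rev"),
        "serial": instance.rsplit("&", 1)[0],            # drop trailing '&0'
        # Second char '&' means Windows made up the ID: device had no serial.
        "serial_is_windows_generated": len(instance) > 1 and instance[1] == "&",
        "volume_label": m.group("label") or "",
        "vsn": vsn,
        "vsn_hex": vsn_to_hex(vsn) if vsn is not None else None,
    }


def match_lnk_volumes(key_names, lnk_by_vsn: dict) -> dict:
    """Join device entries to LNK files through the VolumeID serial in each LNK.

    Returns {device serial: [LNK names]} for devices whose volume serial was
    seen in at least one LNK file.
    """
    out = {}
    for name in key_names:
        rec = parse_emdmgmt_key(name)
        if rec and rec["vsn_hex"] in lnk_by_vsn:
            out[rec["serial"]] = lnk_by_vsn[rec["vsn_hex"]]
    return out


if __name__ == "__main__":
    for name in SAMPLE_EMDMGMT_KEYS:
        r = parse_emdmgmt_key(name)
        print(r["vendor"], r["product"], r["serial"], r["volume_label"] or "(no label)", r["vsn_hex"])
    print(match_lnk_volumes(SAMPLE_EMDMGMT_KEYS, SAMPLE_LNK_BY_VSN))
```

The join is on the volume serial, not the device serial: reformatting a drive changes its VSN while the USBSTOR serial stays the same, so one device can legitimately appear under several EMDMgmt names, and two different devices cannot share a VSN except by coincidence. That is one more way to test the "two devices with the same folder structure" hypothesis from the original post without relying on shellbag mtimes.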
joachimm
(@joachimm)
Posts: 181
Estimable Member
 

"Maybe there are other application on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc) I'm not sure what applications might leave the traces you seem to be suggesting

Off the top of my head, any AV or HIDS-like applications, any application that might react on USB insertion, event logs (usefulness largely depending on the logging level). You're probably in a better position to tell what is installed on the system 😉

Longer shots: did you create a full timeline of all available volumes? Is there anything in the timeline around the relevant timestamps? Any deleted MSIE CF (index.dat) records in unallocated space?

Other things inline of this.

 
Posted : 04/12/2013 1:22 am
Cults14
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Thanks to all for their contributions.

Just to complicate things, this user worked from home most of the time (Eastern Time) vs where the office is (Central) so works off-line mostly, occasionally connects via VPN, and even less frequently makes a trip into the office. I will ask the questions of central IT about what AV and HIDS are set to detect/log and in what circumstances.

And, our friendly non-IT people fired up his computer 4 days after he left - using his credentials - to have a look-see for business data, and plugged in the external HDD which had been returned to us.

Bit of a mess really.

I now have some to-do's for next year, including looking properly at time lines (I know I should have done it before now), and getting v3 of Harlan's book (got 1 and 2 already)

In terms of this particular case, in the absence of any other convincing evidence (so far) I'm still inclined to believe that one hard drive with a particular folder structure was connected to the system and concurrently one or more other devices with (in some but not all cases) exactly the same folder structure was connected.
Thereafter it's conjecture about what actions might create this scenario and I definitely can't prove exfil.

Cheers

 
Posted : 04/12/2013 3:27 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

Just to complicate things, this user worked from home most of the time (Eastern Time) vs where the office is (Central) so works off-line mostly, occasionally connects via VPN, and even less frequently makes a trip into the office. I will ask the questions of central IT about what AV and HIDS are set to detect/log and in what circumstances.

I'm not sure that I agree that this situation complicates things, per se. Based on how I read Joachimm's response, the answers to your questions would be right there in the image.

For example, with respect to AV, the first thing I generally tend to look for are Windows Event Log entries for various AV…McAfee (McLogEvent), Microsoft Anti-Malware, etc…as event record sources. From there, you can then look for AV application logs…most maintain some sort of text-based logs, for things like updates, etc.

There are a number of applications that could possibly be used to identify devices connected to the system, outside of the Windows Event Logs.

And, our friendly non-IT people fired up his computer on 4 days after he left - using his credentials - to have a look-see for business data, and plugged in the external HDD which had been returned to us.

Bit of a mess really.

I see this sort of thing all the time. It's not really a mess, per se, as much as it simply requires you to document it in your case notes. The separate external HDD creates its own, separate artifacts.

I now have some to-do's for next year, inlcuding looking properly at time lines (I know I should have done it before now), and getting v3 of Harlan's book (got 1 and 2 already)

If you wait just a little longer, the fourth edition will be out. 😉

In terms of this particular case, in the absence of any other convincing evidence (so far) I'm still inclined to believe that one hard drive with a particular folder structure was connected to the system and concurrently one or more other devices with (in some but not all cases) exactly the same folder structure was connected.
Thereafter it's conjecture about what actions might create this scenario and I definitely can't prove exfil.

You say, "…in the absence of any other convincing evidence…", and yet, I really don't think that what you've shared is, in fact, convincing evidence of your hypothesis. I apologize if this comes across as somewhat blunt, but using modification date/times from shellbags does not necessarily illustrate your hypothesis. In this thread, there have been other sources of information identified and there don't seem to be any results from an examination of those sources.

Proving data exfil is extremely difficult if you only have one side of the equation. Without full packet captures from the time of data exfil, as well as full process monitoring on the system at the same time, how can you prove that something was shipped off of the system over the network? Without both the source and destination drives, how can you prove that something was copied or moved from one storage location to another?

You may be able to show a good deal of circumstantial "evidence", but in order to do so, you really have to look at multiple data sources in order to narrow down the possibilities. So far, there doesn't seem to be any information posted to the thread regarding an examination of the Windows Event Logs for indications of devices connected, nor of the EMDMgmt and Windows Portable Devices keys.

 
Posted : 04/12/2013 5:59 pm
Page 2 / 3