Interpreting ShellBags

(@joachimm)

Also there is likely more information in the shell items you can use, which the parser or your example is not showing. E.g. the NTFS file reference in the file entry shell item. See
https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf

 
Posted : 30/11/2013 10:17 am
keydet89
(@keydet89)

Joachimm,

It would appear that the issue is simply a misunderstanding of the shellbag artifacts.

 
Posted : 30/11/2013 5:57 pm
(@joachimm)

Joachimm,

It would appear that the issue is simply a misunderstanding of the shellbag artifacts.

You might be right, but I prefer to have some more context/feedback from the OP before I draw this conclusion. Who knows, it might be an interesting issue after all. If I had a similar scenario in an investigation I would be all over it trying to figure out what the deal was.

 
Posted : 01/12/2013 2:35 am
keydet89
(@keydet89)

You might be right, but I prefer to have some more context/feedback from the OP before I draw this conclusion.

Agreed. I'd actually made a similar suggestion.

Who knows, it might be an interesting issue after all. If I had a similar scenario in an investigation I would be all over it trying to figure out what the deal was.

Might be, you're right, but it's hard to tell.

However, I still get the very strong impression that folks simply do not know where the modified date and time come from, and what they mean…

 
Posted : 01/12/2013 2:45 am
jaclaz
(@jaclaz)

Being Sunday, I did a simple test, but possibly not simple enough to allow me to understand the results of it, let alone know what works and why it does (or does not).

If anyone is interested, it is in the file you can get from here
http://www2.zshares.net/dhporxnhrxji

I deleted all shellbags with a tool called Shellbag Analyzer & Cleaner
http://privazer.com/download-shellbag-analyzer-shellbag-cleaner.php
ran the TZWorks sbag (and also saved the "cleaner" log), then performed a couple of semi-automatic and manual openings of drives/directories with Explorer, then ran the TZWorks sbag again (and also saved the "cleaner" log).

jaclaz

 
Posted : 02/12/2013 12:26 am
keydet89
(@keydet89)

I'm not going to download a file from that site, but I will ask this…what was the purpose of your test? Was there something that you were hoping to show or learn?

 
Posted : 02/12/2013 4:30 am
(@cults14)
Topic starter

Sorry, was away for the weekend with no signal.

Anyway, thanks a lot for all the replies; some responses for you:

General - I said that the user had attempted to delete business data on his laptop and on the external drive which has been returned to us. I recovered a lot of files from both drives using FTK (Exported all deleted files, maintaining the folder structure).
Re the external drive, the following folders from the Shellbags analysis are NOT in the FTK export:
Folder1
Folder5
Folder9

Although we have matching folder names in our recovered data, I don't believe we have a way of knowing whether we have recovered ALL the data that was there two months previously.

Jaclaz
you mention "attempting to synchronise". I'm not sure what you mean by synchronise, it may be a language thing, but other than copying (which is not something I've mentioned before) what else could you mean by synchronise?

"……..contain much less data…….." As described above, without having the original data, we can't tell how much of the original data we have recovered. So the folder sizes available to us may not be significant. Having said that, the folders we have recovered:
Folder3 = 1.4MB
Folder4 = 21MB
Folder6 = 455KB
Folder7 = 1.27MB
Folder8 = 3.77MB

Keydet89
"nature of documents" - docx, xlsx, msg, PDF, some 3D CAD modelling txt files (which can be >100MB each), DWG. How does this help?

"other artefacts" - yes, have checked, and no other USB devices have last connected or first connected date/time around our time frames.
I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot" is 10th October (our man's second last working day), and "Last Connected Time" is 10th or 11th October. Thumb drives are slightly different in that one option for Last Time Connected shows the same as the HDDs, the other (NTUser.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}) shows varying dates including 10th October, 17th July, and 26th April.

First Time Connected is kinda weird though for the HDDs. The Seagate Backup Plus which has been returned was purchased April 2013, setupapi.dev.log suggests first connect time 10th September 2013. The user had deleted all non-Seagate files/folders, Modified dates on the folders I've recovered are mostly around 10th October but there are some pre-dating 10th September, am not sure how to explain this.

"misinterpreting" - I sure don't fully understand these artefacts (as you know, I'm a part-time internal resource with no colleagues, hence double-checking here). If these are not the timestamps I'm looking for, are you prepared to help me out by pointing me in the right direction?

"Data exfil…………." yes, understand this, but had checked anyway and thought it worth mentioning. The only person who can explain why he/she took certain actions is him/her.

"Assuming that the "modify date" and "mtime"…….." - my OP said "Using TZWorks Shellbags parser, I extracted this information " so I'm not clear as to why you would think that the modify date and mtime would have come from anywhere else?

Joachimm
Drive letters - unfortunately no, have used Rob Lee's guides and there's nothing in my output which can tie a specific drive letter to September (see Last Connected Times above)

"Why can't they be the same drive…………" - OK I know we're into behaviour here, but why would you have two drive letters with (some) duplicated folder structures on the same drive?

"What about subst 2 drive letters…….." - sorry, I'm not with you here.

"more context………" - what do you want? Will happily supply if possible

Thanks again to everyone, the more I get into this stuff the more I realise I need to learn more at a more technical level. I feel like a Police Constable observing you guys performing autopsies!

Cheers

 
Posted : 02/12/2013 4:30 pm
keydet89
(@keydet89)

Keydet89
"nature of documents" - docx, xlsx, msg, PDF, some 3D CAD modelling txt files (which can be >100MB each), DWG. How does this help?

You can see from other artifacts (RecentDocs, ComDlg32, Office TrustRecords, Jump Lists, LNK files, etc.) the names (and in some cases, paths) of files that the user did access. This doesn't get you to an answer regarding your data exfil question, but it does show what the user was accessing.

"other artefacts" - yes have checked , and no other USB devices have last connected or first connected date/time around our time frames.
I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot" is 10th October (our man's second last working day), and "Last Connected Time" is 10th or 11th October. Thumb drives are slightly different in that one option for Last Time Connected show the same as the HDDs, the other (NTUser.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{GUID}) shows varying dates including 10th October, 17th July, and 26th April

As this is a Win7 system, what about the EMDMgmt key and "Windows Portable Devices\Devices" subkey values?

Did you happen to check the shellbags artifacts available in any of the Volume Shadow Copies (if any are available)?

"misinterpreting" - I sure don't fully understand these artefacts ( As you know I'm a part-time internal resource with no colleagues, hence double-checking here ) If these are not the timestamps I'm looking for, are you prepared to help me out by pointing me in the right direction?

Well, first off, my comment about misinterpretation wasn't directed solely to you. 😉

It's great that you used the TZWorks tool to pull the information that you did, but one has to keep in mind that the MAC times (a) are DOSDate format, converted from their native structure on the device, and (b) are subject to forces outside of the shellbag artifacts. What I mean by this is that user activity outside of what you see in the shellbags artifacts affects these dates. So, the modification date and time of E:\Folder1\Folder2 may have nothing whatsoever to do with the device being connected to the system that you're examining.

My point is, if you're going to run a tool, you should do so because you know exactly what you're trying to determine.

Going back to your original question:

My deduction is that there were two different drives, with some similar folder structures, connected at the same time. Can anyone suggest any other possible scenarios?

Based on the displayed data, the source of the deduction is not clear. Of course, there are a number of other scenarios that could apply, given the limited amount of data. Joachimm pointed out one. Another is that it's the same device connected at two different times. Yet another is that it's two different devices. You need to do more detailed analysis, collecting additional information, and possibly even creating a timeline.

That being said, none of this illustrates "evidence of data exfiltration".

Some resources that might help, with respect to shellbags:
http://windowsir.blogspot.com/2012/08/shellbag-analysis.html
http://windowsir.blogspot.com/2012/10/dosdate-time-stamps-in-shell-items.html
http://windowsir.blogspot.com/2013/06/there-are-four-lights-shell-items.html

"Assuming that the "modify date" and "mtime"…….." - my OP said "Using TZWorks Shellbags parser, I extracted this information " so I'm not clear as to why you would think that the modify date and mtime would have come from anywhere else?

Well, it's clear that the data was trimmed in some manner, so it's possible that not all of the times lined up properly.

 
Posted : 02/12/2013 6:12 pm
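The two points made in this thread that are easiest to get wrong are joachimm's (the file entry shell item carries more than a name, including an NTFS file reference) and keydet89's (the MAC times are FAT/DOSDate values copied from the device, not anything the examined system generated). The following is an added example, not code from either poster, from the TZWorks tool or from the format document linked above. It decodes one file entry shell item of the kind stored in a BagMRU value: the 2-second-resolution DOSDate modification time in the header, and from the 0xbeef0004 extension block the creation and access times plus the NTFS file reference (MFT entry number and sequence number). Field offsets follow the Windows Shell Item format document; the input bytes are constructed by `build_sample_item()` and every value in them (Folder1, the October 2013 dates, MFT entry 0x1A2B3) is made up for the demonstration.

```python
import struct
from datetime import datetime


def dosdate_decode(date, time):
    """Decode a FAT/DOSDate pair (uint16 date, uint16 time) to a datetime.

    Resolution is two seconds and there is no time zone: Explorer stores
    the device's timestamps as the file system reported them. 0/0 means
    "no timestamp" rather than 1980-01-00, so return None for it.
    """
    if date == 0 and time == 0:
        return None
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, 1980 + (date >> 9)
    second, minute, hour = (time & 0x1F) * 2, (time >> 5) & 0x3F, time >> 11
    return datetime(year, month, day, hour, minute, second)


def dosdate_encode(dt):
    """Inverse of dosdate_decode; odd seconds are truncated, as FAT does."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def parse_file_entry(data):
    """Parse one file entry shell item (class type 0x30) and, if present,
    its 0xbeef0004 extension block. Returns a dict of decoded fields."""
    size, class_type, _unk, file_size, mdate, mtime, attrs = struct.unpack_from("<HBBIHHH", data, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item: class type 0x%02x" % class_type)
    pos = 14
    if class_type & 0x04:                      # primary name stored as UTF-16LE
        end = pos
        while data[end:end + 2] != b"\x00\x00":
            end += 2
        name, pos = data[pos:end].decode("utf-16-le"), end + 2
    else:                                      # primary (8.3 style) name stored as ASCII
        end = data.index(b"\x00", pos)
        name, pos = data[pos:end].decode("cp1252"), end + 1
    pos += pos % 2                             # name is padded to a 16-bit boundary
    rec = {"name": name, "file_size": file_size, "attributes": attrs,
           "is_directory": bool(attrs & 0x10),
           "modified": dosdate_decode(mdate, mtime),
           "created": None, "accessed": None, "long_name": None,
           "mft_entry": None, "mft_sequence": None, "ext_version": None}
    if pos + 8 > size:
        return rec                             # no extension block
    _ext_size, version, signature = struct.unpack_from("<HHI", data, pos)
    if signature != 0xBEEF0004:
        return rec
    cdate, ctime, adate, atime = struct.unpack_from("<HHHH", data, pos + 8)
    rec.update(ext_version=version, created=dosdate_decode(cdate, ctime),
               accessed=dosdate_decode(adate, atime))
    p = pos + 18                               # skip the 2-byte unknown at offset 16
    if version >= 7:                           # Vista and later: NTFS file reference
        p += 2                                 # 2-byte unknown
        (file_ref,) = struct.unpack_from("<Q", data, p)
        p += 8 + 8                             # file reference, then 8-byte unknown
        rec["mft_entry"] = file_ref & 0xFFFFFFFFFFFF   # low 48 bits: MFT entry number
        rec["mft_sequence"] = file_ref >> 48           # high 16 bits: sequence number
    if version >= 3:
        p += 2                                 # long string (localized name) size
    if version >= 9:
        p += 4
    if version >= 8:
        p += 4
    if version >= 3:                           # long name, UTF-16LE, NUL terminated
        end = p
        while data[end:end + 2] != b"\x00\x00":
            end += 2
        rec["long_name"] = data[p:end].decode("utf-16-le")
    return rec


def build_sample_item():
    """Constructed sample (not captured data): a directory entry 'Folder1'
    with a version-8 0xbeef0004 extension block as Windows 7 writes it."""
    file_ref = (5 << 48) | 0x1A2B3             # sequence 5, MFT entry 0x1A2B3 (made up)
    short_name = b"Folder1\x00"                # 8 bytes, already 16-bit aligned
    long_name = "Folder1".encode("utf-16-le") + b"\x00\x00"
    ext_body = struct.pack("<HHHHHHQQHI",
                           *dosdate_encode(datetime(2013, 9, 10, 9, 0, 0)),     # created
                           *dosdate_encode(datetime(2013, 10, 11, 8, 15, 42)),  # accessed
                           0x0014, 0, file_ref, 0,
                           0,                  # long string size: no localized name
                           0)                  # version-8 unknown field
    ext_offset = 14 + len(short_name)
    ext_size = 8 + len(ext_body) + len(long_name) + 2
    ext = (struct.pack("<HHI", ext_size, 8, 0xBEEF0004) + ext_body + long_name
           + struct.pack("<H", ext_offset))    # trailing "version offset" field
    mdate, mtime = dosdate_encode(datetime(2013, 10, 10, 14, 30, 20))   # modified
    header = struct.pack("<HBBIHHH", ext_offset + ext_size, 0x31, 0, 0, mdate, mtime, 0x10)
    return header + short_name + ext


if __name__ == "__main__":
    for key, value in parse_file_entry(build_sample_item()).items():
        print("%-13s %s" % (key, value))
```

Two things the decoded record makes concrete for the OP's question. All three timestamps are copies of what the file system on the external drive reported the last time Explorer refreshed that entry, with 2-second granularity and no time zone, so they say nothing by themselves about when the drive was attached to this host. And the MFT entry/sequence pair is only meaningful for an NTFS volume (a FAT32 or exFAT external drive has no MFT, so the field carries nothing useful); where it is present, two entries with the same folder name under different drive letters that share the same entry and sequence number point at the same record on the same volume, which is a much stronger basis than the name alone for deciding between "one drive seen twice" and "two drives".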
keydet89
(@keydet89)

With respect to the question of data exfiltration:

http://windowsir.blogspot.com/2013/07/howto-data-exfiltration.html

 
Posted : 02/12/2013 6:13 pm
jaclaz
(@jaclaz)

I'm not going to download a file from that site, but I will ask this…what was the purpose of your test? Was there something that you were hoping to show or learn?

That's OK (asking, I mean), but you cannot have answers to those questions without risking 😯 that download.
If you are interested, you can download that file (from that site) and have a look at it.
If you are not, don't.
I did a quick, simple experiment and provided both the result and a way to replicate it. I am sorry that I chose to share it via the first free file hosting service I had handy (one that I have used for a few years to quickly exchange data on the Internet with other people, and in all this time not a single person has objected to this practice, nor specifically to the chosen site), which is seemingly not up to your standards.

@Cults14
As you may gather, in all my previous posts I tried desperately to use the most "generic" terms I could, hopefully highlighting how they are not exact or strict by putting them between double quotes or asterisks.
The "synchronise" was meant as an attempt to describe one of the possible causes of those shellbags data (in my completely uninformed opinion): that the user had (possibly, or maybe, and anyway don't trust the word of someone that doesn't really know what data in a shellbag is referring to) opened two Explorer panes, one beside the other, and navigated alternately in the same subdirectories of two different drives, possibly doing some action (like copying or deleting files or subdirectories) on them.
In other words I personally find your original hypothesis (two disks/volumes) plausible and cannot think of a different explanation/cause for those data.

You should ignore anything I posted and refer to the opinion of a qualified expert that actually knows what shellbags are and what may have created those data, instead.

jaclaz

 
Posted : 02/12/2013 8:05 pm