I did a quick, simple experiment…
I saw that, and thanks for sharing it. I did not want to pursue downloading what was shared for two reasons…
One, I am still wondering what you were hoping to show/illustrate with the experiment.
Two, I'm not smart enough to use the file sharing site…each time I click on something, particularly something that says "Download now", everything *except* the file I'm interested in starts to download to my system.
Thanks.
One, I am still wondering what you were hoping to show/illustrate with the experiment.
Sadly, no particular hope, only some semi-random attempts at strange, new (for me) things 😯.
Two, I'm not smart enough to use the file sharing site…each time I click on something, particularly something that says "Download now", everything *except* the file I'm interested in starts to download to my system.
Try going to the page http// scrolling a bit down.
You should be able to see a "comparison table" between "Premium" and "Free".
At the bottom of the table you should see two buttons, one with "Premium Download" and one with "Free Download".
Try clicking on the one labeled "Free Download".
It should open a new page, around the middle of it you should see a countdown from 10 seconds or so to 0 and below it a button labeled "Download Now".
After the countdown elapses, the button will become enabled and by clicking on it, you should be prompted by your browser to save or open the file Sunday_test.zip (2.879 bytes in size).
I just tested the above procedure and it works fine for me (Opera browser 12.15.1748 on Windows XP SP2).
jaclaz
"What about subst 2 drive letters…….." - sorry, I'm not with you here.
There is a command on Windows (that originates from DOS) named subst that will allow you to substitute one "drive-letter" for another. See http//
Since the shell items have a similar functionality as being a path
http//
it could look like there are multiple devices that could also have been one.
"more context………" - what do you want? Will happily supply if possible
Thx, your follow-up post provided a lot more context. Though the tztool seems to be very limited in what it provides you about the shell items. Harlan's scripts might provide you with more relevant data, or libregf if you feel like experimenting with its shell item debug output 😉
See https://
I used Rob Lee's guide and for Hard Drives the "First Time Connected After Last Reboot"
Can you provide a link please, want to be sure that the document you're referring to is the same one I have in mind.
So the setupapi logs should normally tell you if and when a device was attached. The corresponding Registry information might indicate which drive letter was assigned and tell you more about the device.
If the data is not on the current volume looking in VSS for older versions of the data is a good suggestion. Otherwise the Windows Search database sometimes is useful for this purpose as well.
Maybe there are other applications on the system that might have logged USB insertion?
Joachimm
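One way to pull the device-install timestamps Joachimm mentions out of setupapi.dev.log, as an added example that is not code from this thread; it assumes the Vista/7 log layout and runs over a constructed sample with made-up device IDs:

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the Vista/7 setupapi.dev.log layout (not taken from the thread).
# Vendor strings, serial numbers and timestamps are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_External&Rev_1.00\AA11BB22CC33&0]
>>>  Section start 2013/11/28 09:14:02.123
<<<  Section end 2013/11/28 09:14:03.512
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1C3A&SUBSYS_049E1028&REV_04\3&11583659&0&B0]
>>>  Section start 2013/11/28 09:20:00.000
<<<  Section end 2013/11/28 09:20:01.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Other&Prod_Stick&Rev_0001\0123456789&0]
>>>  Section start 2013/12/02 17:45:30.001
<<<  Section end 2013/12/02 17:45:30.900
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")


@dataclass
class InstallEvent:
    device_id: str
    started: datetime   # local time of the examined system, not UTC
    status: str


def parse_setupapi(text):
    """Return one InstallEvent per hardware-initiated Device Install section."""
    events, devid, started = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            devid, started = m.group("devid"), None
        elif (m := START.match(line)) and devid:
            started = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
        elif (m := STATUS.match(line)) and devid and started:
            events.append(InstallEvent(devid, started, m.group("status")))
            devid, started = None, None
    return events


def usb_storage_installs(text):
    # Only USB mass-storage devices. A section is written when the driver is installed,
    # so this gives a lower bound on first connection, not a log of every later insertion.
    return [e for e in parse_setupapi(text) if e.device_id.upper().startswith("USBSTOR\\")]
```

Because the log carries local time, the Eastern/Central split mentioned later in the thread must be resolved against the machine's own time zone setting before these timestamps are lined up with anything recorded in UTC.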
Thanks for the response, some answers (and questions!) for you.
"There is a command on Windows……." Yes am aware of the command, but - similar to having multiple partitions on a single volume, both with same (or very similar) folder structures - am struggling to imagine a scenario where it makes sense to do that.
Also, the user doesn't seem to be techie enough, e.g. deleted lots of data but didn't empty Recycler and didn't use scrubbing software.
"Can you provide a link please………"
https://
https://
"Harlan his scripts might provide you with more relevant data….." will look into that
"Maybe there are other applications on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc.) I'm not sure what applications might leave the traces you seem to be suggesting.
Cheers
Joachimm
"Maybe there are other applications on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc.) I'm not sure what applications might leave the traces you seem to be suggesting.
In the etc.
Setupapi.log
Registry USB related keys
http//
jaclaz
In the etc.
Setupapi.log
Registry USB related keys
http://www.forensicswiki.org/wiki/USB_History_Viewing
Have already checked setupapi.dev.log and Registry Keys - at least the ones needed to follow Rob Lee's guides - as per previous post Monday 2nd December. Was wondering what else Joachimm might have been referring to (other than the additional sources that Harlan pointed me towards)?
Cheers
A couple of things you might want to check are the EMDMgmt and "Windows Portable Devices" keys in the Software hive, as well as the hives in any available VSCs.
However, I think that all of this sort of moves away from your original issue, which was to illustrate data exfil.
"Maybe there are other applications on the system that might have logged USB insertion?" Maybe I'm getting myopic in my old age, but other than system artifacts (LNKs, JumpLists, MRUs etc.) I'm not sure what applications might leave the traces you seem to be suggesting.
Off the top of my head: any AV or HIDS-like applications, any application that might react to USB insertion, event logs (usefulness largely depending on the logging level). You're probably in a better position to tell what is installed on the system 😉
Longer shots: did you create a full timeline of all available volumes? Is there anything in the timeline around the relevant timestamps? Any deleted MSIE CF (index.dat) records in unallocated space?
Other things inline of this.
Thanks to all for their contributions.
Just to complicate things, this user worked from home most of the time (Eastern Time) vs where the office is (Central) so works off-line mostly, occasionally connects via VPN, and even less frequently makes a trip into the office. I will ask the questions of central IT about what AV and HIDS are set to detect/log and in what circumstances.
And, our friendly non-IT people fired up his computer on 4 days after he left - using his credentials - to have a look-see for business data, and plugged in the external HDD which had been returned to us.
Bit of a mess really.
I now have some to-do's for next year, including looking properly at timelines (I know I should have done it before now), and getting v3 of Harlan's book (got 1 and 2 already).
In terms of this particular case, in the absence of any other convincing evidence (so far) I'm still inclined to believe that one hard drive with a particular folder structure was connected to the system and concurrently one or more other devices with (in some but not all cases) exactly the same folder structure was connected.
Thereafter it's conjecture about what actions might create this scenario and I definitely can't prove exfil.
Cheers
Just to complicate things, this user worked from home most of the time (Eastern Time) vs where the office is (Central) so works off-line mostly, occasionally connects via VPN, and even less frequently makes a trip into the office. I will ask the questions of central IT about what AV and HIDS are set to detect/log and in what circumstances.
I'm not sure that I agree that this situation complicates things, per se. Based on how I read Joachimm's response, the answers to your questions would be right there in the image.
For example, with respect to AV, the first thing I generally tend to look for are Windows Event Log entries for various AV…McAfee (McLogEvent), Microsoft Anti-Malware, etc…as event record sources. From there, you can then look for AV application logs…most maintain some sort of text-based logs, for things like updates, etc.
There are a number of applications that could possibly be used to identify devices connected to the system, outside of the Windows Event Logs.
And, our friendly non-IT people fired up his computer on 4 days after he left - using his credentials - to have a look-see for business data, and plugged in the external HDD which had been returned to us.
Bit of a mess really.
I see this sort of thing all the time. It's not really a mess, per se, as much as it simply requires you to document it in your case notes. The separate external HDD creates its own, separate artifacts.
I now have some to-do's for next year, including looking properly at timelines (I know I should have done it before now), and getting v3 of Harlan's book (got 1 and 2 already).
If you wait just a little longer, the fourth edition will be out. 😉
In terms of this particular case, in the absence of any other convincing evidence (so far) I'm still inclined to believe that one hard drive with a particular folder structure was connected to the system and concurrently one or more other devices with (in some but not all cases) exactly the same folder structure was connected.
Thereafter it's conjecture about what actions might create this scenario and I definitely can't prove exfil.
You say, "…in the absence of any other convincing evidence…", and yet, I really don't think that what you've shared is, in fact, convincing evidence of your hypothesis. I apologize if this comes across as somewhat blunt, but using modification date/times from shellbags does not necessarily illustrate your hypothesis. In this thread, there have been other sources of information identified and there don't seem to be any results from an examination of those sources.
Proving data exfil is extremely difficult if you only have one side of the equation. Without full packet captures from the time of data exfil, as well as full process monitoring on the system at the same time, how can you prove that something was shipped off of the system over the network? Without both the source and destination drives, how can you prove that something was copied or moved from one storage location to another?
You may be able to show a good deal of circumstantial "evidence", but in order to do so, you really have to look at multiple data sources in order to narrow down the possibilities. So far, there doesn't seem to be any information posted to the thread regarding an examination of the Windows Event Logs for indications of devices connected, nor of the EMDMgmt and Windows Portable Devices keys.