
Shellbag analysis

Page 1 / 2
keydet89
(@keydet89)
Community Legend

Is anyone including shellbag artifacts in their analysis of Windows systems?

If so, what tool(s) are you using?

How are you analyzing/including/interpreting the DOSDate time stamps?

Thanks.

Posted : 10/01/2013 6:18 pm
BitHead
(@bithead)
Community Legend

Yes.

Regripper and TZWorks sbag.

Using the steps under Timestamp Verification on TZWorks site.

Posted : 10/01/2013 8:31 pm
keydet89
(@keydet89)
Community Legend

Regripper and TZWorks sbag.

Over the lists/sites that I've posted this question to, you're the first one to mention RegRipper.

Have you had any issues with regards to validation of either tool, or between the two?

Using the steps under Timestamp Verification on TZWorks site.

That's great for verification. How are you incorporating those values into your analysis?

Thanks.

Posted : 10/01/2013 9:10 pm
gmkk
(@gmkk)
New Member

I'm using the following tools:
- TZWorks sbag
- RegRipper
- MiTeC Windows Registry Analyzer v1.5.2 (ShellBags + StreamMRUs)
- Nir Sofer's ShellBagsView
and the excellent EnPack, 42 LLC Bag Parser, by Yogesh Khatri (ShellBags + StreamMRUs)

My tools of choice are TZWorks sbag + 42LLC Bag Parser. I do like 42LLC Bag Parser for its ability to parse all relevant registry hive files in a single pass (located in all users' profiles, System Restore and so on), very detailed report and nice, Explorer-like form of presenting results (you can also export the results into Excel file for further processing, e.g. to compare and cross-verify with sbag results or to follow manual verification according to TZWorks).

Greg

Posted : 14/01/2013 2:10 pm
keydet89
(@keydet89)
Community Legend

Greg,

Thanks.

How are you analyzing/including/interpreting the DOSDate time stamps?

Also, do you have any thoughts on the output of TZWorks sbag.exe vs. the RegRipper plugin?

Thanks.

Posted : 14/01/2013 5:01 pm
BenUK
(@benuk)
Junior Member

I'm using Mitec, TZWorks but not RR so much. TZ is my tool of the moment. I've been a shellbag addict since 2005 - never really understood why everyone doesn't do it on every job.

I like the CSV output from TZWorks.

I hadn't heard of the ENpack that Greg mentions but I'll be hunting it down.

Posted : 15/01/2013 4:38 pm
keydet89
(@keydet89)
Community Legend

Ben,

Thanks.

How are you analyzing/including/interpreting the DOSDate time stamps?

Also, what have you done to validate the TZWorks tool?

Posted : 15/01/2013 5:02 pm
keydet89
(@keydet89)
Community Legend

Should I assume from the responses (or lack thereof) that

1. Very few analysts are actually parsing the shellbag artifacts?

2. No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?

Posted : 15/01/2013 6:27 pm
BitHead
(@bithead)
Community Legend

How are you analyzing/including/interpreting the DOSDate time stamps?

No one is at all concerned with the DOSDate time stamps (what they mean, where they come from, etc.)?

Sorry to get back to the party late.

Objection your Honor, H is leading the witness with this line of questioning.

What kind of answer are you fishing for? You seem to have a preconceived notion of either a problem or something.

I find that very few tools report the exact same results. Results are named differently, outputs are in different formats, etc. I look at the output of the tools, look to see if they are reasonable and cat the results into a usable format.

As for time stamps, I guess I am missing the question. I normalize everything on UTC, output the results, make sure they are reasonable… Not sure to what you are alluding.

Posted : 16/01/2013 12:42 am
EricZimmerman
(@ericzimmerman)
Active Member

I just finished a big case and shellbags were included. I used X-Ways and the Mitec tool.

My use of shellbags was more to show how an encrypted drive was organized and the files the folders contained. It worked VERY well.

Posted : 16/01/2013 2:55 am
keydet89
(@keydet89)
Community Legend

What kind of answer are you fishing for? You seem to have a preconceived notion of either a problem or something.

Not fishing for anything.

Each of the component structures in the shellbags paths are shell items, similar to the structures that comprise the shell item ID list in LNK files. Each of those shell items that point to a folder also include a series of embedded time stamps in DOSDate format. Several of the available tools include these in the output.

I know that many analysts state that they want "everything", and that they want to be the ones to determine what's useful…and that's fine. So I'm asking how folks use this information in their analysis.

I find that very few tools report the exact same results. Results are named differently, outputs are in different formats, etc. I look at the output of the tools, look to see if they are reasonable and cat the results into a usable format.

Perhaps that's where the confusion lies…different tools provide different information. I have compared my own tools to TZWorks sbag64.exe (v0.28). I tried MiTeC's Windows Registry Recovery, but it doesn't show anything from a Windows 7 USRCLASS.DAT hive.

Maybe the issue is that if folks don't know what data is in the structures…they're only seeing the output of the tools…then using different tools that output different information (perhaps not all of it) might lead to the confusion.

As for time stamps, I guess I am missing the question. I normalize everything on UTC, output the results, make sure they are reasonable… Not sure to what you are alluding.

Not alluding to anything…asking a straight up question.

Posted : 16/01/2013 4:54 pm
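To make the point about the embedded DOSDate values concrete, here is an added example (not code from the thread or from any of the tools mentioned in it) that decodes the two 16-bit words of a DOS/FAT timestamp and pulls the modification timestamp out of a constructed "file entry" shell item. The base-record layout used here (size, class type, file size, FAT date and time, attributes, name) follows the Windows Shell Item format specification that is linked later in this thread; the creation and access DOSDates live in extension blocks that this example does not parse. The sample bytes, the folder name and the UTC offset are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone


def decode_dosdate(date_word, time_word):
    """Decode the two 16-bit DOS (FAT) date/time words into a naive datetime.

    Date word: bits 0-4 day, 5-8 month, 9-15 years since 1980.
    Time word: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours.
    An all-zero value means "not set" and is returned as None; out-of-range
    fields raise ValueError so bad data is reported rather than coerced.
    """
    if date_word == 0 and time_word == 0:
        return None
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = ((date_word >> 9) & 0x7F) + 1980
    second = (time_word & 0x1F) * 2          # 2-second resolution
    minute = (time_word >> 5) & 0x3F
    hour = (time_word >> 11) & 0x1F
    return datetime(year, month, day, hour, minute, second)


def encode_dosdate(dt):
    """Inverse of decode_dosdate; used here only to build the constructed sample.
    Odd seconds are truncated, which is exactly the precision loss of the format."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def to_utc(naive_local, utc_offset_minutes):
    """DOSDate values carry no timezone indicator. Attach the examined system's
    UTC offset (an analyst-supplied assumption) and convert to UTC for timelines."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    return naive_local.replace(tzinfo=tz).astimezone(timezone.utc)


# File entry shell item base record, per the Windows Shell Item format spec:
# size(2) class type(1) unknown(1) file size(4) FAT date(2) FAT time(2)
# attribute flags(2), then a NUL-terminated name. All little-endian.
FILE_ENTRY_HDR = "<HBBIHHH"
HDR_LEN = struct.calcsize(FILE_ENTRY_HDR)  # 14 bytes


def build_file_entry_item(name, mtime, file_size=0, attributes=0x10):
    """Constructed sample builder (not real evidence). 0x31 = directory entry."""
    date_word, time_word = encode_dosdate(mtime)
    body = struct.pack("<BBIHHH", 0x31, 0, file_size, date_word, time_word, attributes)
    body += name.encode("ascii") + b"\x00"
    return struct.pack("<H", 2 + len(body)) + body


def parse_file_entry_item(buf):
    """Parse the base record of one file entry shell item and decode its DOSDate."""
    size, class_type, _, file_size, date_word, time_word, attributes = struct.unpack_from(
        FILE_ENTRY_HDR, buf, 0
    )
    if size > len(buf) or size < HDR_LEN + 1:
        raise ValueError("shell item size field does not fit the buffer")
    name_end = buf.index(b"\x00", HDR_LEN)
    return {
        "is_directory": bool(class_type & 0x01),
        "file_size": file_size,
        "modified_dosdate": decode_dosdate(date_word, time_word),
        "attributes": attributes,
        "name": buf[HDR_LEN:name_end].decode("ascii"),
    }


def demo():
    """Build a constructed item, parse it back and return the decoded values."""
    original = datetime(2013, 1, 16, 16, 54, 31)   # odd second: will be truncated
    parsed = parse_file_entry_item(build_file_entry_item("Projects", original))
    return {
        "name": parsed["name"],
        "is_directory": parsed["is_directory"],
        "modified_local": parsed["modified_dosdate"].isoformat(),
        "modified_utc": to_utc(parsed["modified_dosdate"], -300).isoformat(),  # assumed UTC-5
        "words": encode_dosdate(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties matter when these values go into a timeline: the 2-second resolution (16:54:31 comes back as 16:54:30), and the absence of any timezone information, which is why the conversion to UTC takes an explicit offset instead of guessing.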
keydet89
(@keydet89)
Community Legend

I just finished a big case and shellbags were included. I used X-Ways and the Mitec tool.

"Mitec" tool? Which one?

My use of shellbags was more to show how an encrypted drive was organized and the files the folders contained. It worked VERY well.

Very cool. How did you find the encrypted drive in the shellbags? Was it listed as a volume/drive letter?

Posted : 16/01/2013 4:56 pm
keydet89
(@keydet89)
Community Legend

To both BitHead and EricZ,

What have you done to validate the tools you use?

I've done analysis similar to what Eric describes…however, I've found that some tools miss some critical data structures…had I not been aware of that, I might have blown past it, thinking, "okay, that user never accessed that item…", when, in fact, they had.

Posted : 16/01/2013 5:08 pm
gmkk
(@gmkk)
New Member

As for the detailed ShellBags structure, you may want to have a look at the following sources:

"Using shellbag information to reconstruct user activities" - excellent paper by Yuandong Zhu, Pavel Gladyshev, and Joshua James
http://www.dfrws.org/2009/proceedings/p69-zhu.pdf

"Windows Shell Item format specification" by Joachim Metz
http://liblnk.googlecode.com/files/Windows%20Shell%20Item%20format.pdf

Speaking about tools, you may also want to check Willi Ballenthin's shellbag parser, written in Python (source code available); however, I haven't used this tool to date.
http://www.williballenthin.com/forensics/shellbags/index.html
You will also find a lot of detailed information about ShellBags internals on this page.

As for validation of ShellBags: some time ago I did a lot of manual checks of ShellBags artifacts on my lab box. I prepared a fresh virtual XP instance and then accessed various files and folders, connected USB mass storage devices, and accessed files on these devices (making a detailed log of operations including time, path etc.). Then I used a few tools to parse ShellBags and compared the results with my notes (sbag, EnCase's 42LLC Bag Parser and MiTeC's WRA; no RR at that time, though), and I also did spot manual checks on selected raw entries by following the TZWorks process.

All three tools did a good job and produced consistent results, therefore I have marked them as valid for my toolbox, with some remarks, though:

1) TZWorks - overall note "very good"; it can parse both NTUSER.DAT and USRCLASS.DAT files on both x86 and x64 Windows platforms; moreover, you can easily export results to Excel for further processing (e.g. to include them in the final timeline of the user's activity). It can also parse ShellBags from a live system - a good choice for scripting.
http://tzworks.net/prototype_page.php?proto_id=14

2) EnCase's 42LLC Bag Parser by Yogesh Khatri - overall note "excellent"; it can parse both NTUSER.DAT and USRCLASS.DAT files on both x86 and x64 Windows platforms (ShellBags+StreamMRUs) and it parses all relevant registry hives found in the image (e.g. located in System Restore). You can easily export data to Excel (with some bells and whistles, e.g. you can select columns for export, select entries for export, export entries based on custom conditions etc.) + results are presented in a nice Explorer-like form. Definitely a tool of choice with only one drawback - it is an EnPack, so you need to use EnCase.
http://www.swiftforensics.com/p/downloads.html

3) MiTeC WRA - overall note "medium" - although this tool did a good job on parsing (both ShellBags and StreamMRUs), it has a few major drawbacks:

- first of all, the report it produces does not contain the RegLastWritten timestamp, which strongly reduces the functionality of this tool (only MAC timestamps are available)
- it can't parse USRCLASS.DAT files (Win7)
- it is not easy to export the data to Excel
- the last free version (1.5.2) comes from 2004, so it's rather old (AFAIK, later it was purchased by Paraben and now it's a part of Paraben's forensic suite). Google is your friend, so you can still find v1.5.2 available for download on some sites.

Having all that in mind, I'm using "approved" sbag and 42LLC Bag Parser on a daily basis and usually do not perform manual ShellBags verification on each case (except some spot checks on critical items for high priority cases). Moreover, in many cases it is OK just to verify that the user accessed a given folder in the past, and the exact timestamp is not always critical to the case (so you can easily cross-verify ShellBags findings with other artifacts).

Have a good day!

Greg

Posted : 16/01/2013 7:04 pm
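The validation approach described above (a logged set of actions on a lab box, then several tools' output compared against the log) can be scripted once the outputs are normalized, which also addresses the earlier observation that tools name fields differently and use different formats. The following is an added example, not code from the thread or from any of the tools it names: it takes a constructed manual activity log and two constructed CSV layouts standing in for two different tools, normalizes paths and converts every timestamp to UTC, then reports entries a tool missed entirely and timestamps that differ by more than the 2-second DOSDate resolution. The column names, the sample paths and times, and the lab box's UTC offset are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# DOSDate values are stored with 2-second resolution, so two tools that round
# differently may legitimately disagree by up to 2 seconds.
TOLERANCE = timedelta(seconds=2)


def normalize_path(path):
    """Make paths from different tools comparable: strip, drop trailing backslash, case-fold."""
    return path.strip().rstrip("\\").casefold()


def parse_ground_truth(text):
    """Constructed manual log format: '<ISO time>Z | <path> | <action>' per line."""
    truth = {}
    for line in text.strip().splitlines():
        when, path, _action = (part.strip() for part in line.split("|", 2))
        truth[normalize_path(path)] = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return truth


def parse_tool_a(text):
    """Constructed CSV layout: columns Path,LastWrite with ISO 8601 UTC timestamps."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["LastWrite"].replace("Z", "+00:00"))
        out[normalize_path(row["Path"])] = ts.astimezone(timezone.utc)
    return out


def parse_tool_b(text, local_utc_offset_minutes):
    """Constructed CSV layout: columns Folder,'MRU Write Time' as dd/mm/yyyy HH:MM:SS
    in the examined system's local time; the analyst supplies the UTC offset."""
    tz = timezone(timedelta(minutes=local_utc_offset_minutes))
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(row["MRU Write Time"], "%d/%m/%Y %H:%M:%S")
        out[normalize_path(row["Folder"])] = naive.replace(tzinfo=tz).astimezone(timezone.utc)
    return out


def reconcile(truth, tool_outputs):
    """Compare each tool's normalized output against the ground truth.
    Returns (tool, path, problem) tuples; an empty list means everything matched."""
    findings = []
    for path, expected in truth.items():
        for tool, output in tool_outputs.items():
            if path not in output:
                findings.append((tool, path, "missing"))
                continue
            delta = output[path] - expected
            if abs(delta) > TOLERANCE:
                findings.append((tool, path, f"timestamp differs by {int(delta.total_seconds())}s"))
    return findings


# Constructed sample data (not the output of any real tool or case).
GROUND_TRUTH = r"""
2013-01-14T14:10:31Z | C:\Users\lab\Documents\Projects | opened folder in Explorer
2013-01-14T15:05:00Z | E:\Reports | browsed folder on USB drive
"""

TOOL_A_CSV = r"""Path,LastWrite
C:\Users\lab\Documents\Projects\,2013-01-14T14:10:30Z
"""

TOOL_B_CSV = r"""Folder,MRU Write Time
c:\users\lab\documents\projects,14/01/2013 15:10:30
E:\Reports,14/01/2013 15:05:00
"""


def run_example():
    truth = parse_ground_truth(GROUND_TRUTH)
    outputs = {
        "tool_a": parse_tool_a(TOOL_A_CSV),
        "tool_b": parse_tool_b(TOOL_B_CSV, local_utc_offset_minutes=60),  # lab box assumed at UTC+1
    }
    return reconcile(truth, outputs)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding, sep="\t")
```

In the constructed data, tool A never reports the USB folder at all (the "missed data structure" case), while tool B reports it with a value exactly one hour off, the signature of a timestamp that was treated as UTC when it was local or vice versa; the 1-second difference on the other folder is within the DOSDate resolution and is correctly not flagged.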
Chris_Ed
(@chris_ed)
Active Member

Greg,

Wonderfully detailed post, thanks for taking the time to write it!

Posted : 16/01/2013 7:17 pm