I have a shellbag question. I am an insider threat analyst working on the insider risk team supporting the investigators. I used to be a forensic analyst with access to all the forensic tools. I don’t have access to those tools in my current position. Because of this, I can only review the output (in the form of spreadsheets) that the forensics teams sends to our team without being able to go into the forensic tools for more in depth information.
I would most often use shellbags to verify if a folder had resided at one time on the local machine, removeable devices or network location. I’ve coached the investigators that shellbags are good for determining if folders had existed at one time. My question is this: can we interpret anything of value with the timestamp output by just reviewing the spreadsheet (with no extra context)? The output spreadsheets we are given by the forensic team include the following columns: Absolute Path, ShellType, Value, Last Write Time (UTC), First Interacted (UTC) and Last Interacted (UTC). Can we determine when a folder was first opened and/or last opened just by reviewing the timestamps given on our spreadsheets? Right now, I'm thinking the only credible information we can get from these spreadsheets is that a folder was located on a drive at one time. I'm not comfortable interpreting the date/time stamps without being able to review the raw data behind the information put into the spreadsheet. Any feedback would be appreciated!
Absolute Path Shelltype Value LastWriteTime FirstInteracted(UTC) LastInteracted(UTC)
I used to be a forensic analyst with access to all the forensic tools. I don’t have access to those tools in my current position. Because of this, I can only review the output (in the form of spreadsheets) that the forensics teams sends to our team without being able to go into the forensic tools for more in depth information.
Would this not help you?
|ShellBags Explorer||126.96.36.199||GUI for browsing shellbags data. Handles locked files|
Tools will not help me because I still won't have access to the actual raw data. The only information I have access to are spreadsheets with results from those tools. So I basically just need to know if looking at a spreadsheet with results from a tool that parses shellbag data and has three different timestamp columns (LastWriteTime, First Interacted, Last Interacted) would give me reliable timestamp data to tell the investigators that this was when a folder name xxxx was opened or this was when a folder name xxxxx was last accessed and so forth. What would each of those timestamps mean when you see them on a spreadsheet provided to you by the EFI team with no explanation as to what the results mean?
For what its worth, in some testing and analysis I have done here is what i believe you can tell from the dates/times alone.
You should have a "bag id" that has a "folder name" with associated dates / times, paths.
The "last written date" should match the sbag "modify date" as well as if you convert the shell bag file size from hex to decimal you may find a match there.
All this to be said that it is "more than likely" the same....
Hope this helps.