Shellbags Explorer ...
 

Shellbags Explorer date/time stamps

5 Posts
2 Users
0 Reactions
6,587 Views
tibbs66
(@tibbs66)
Eminent Member
Joined: 16 years ago
Posts: 38
Topic starter  

Hi all, my coworkers and I have begun using Shellbags Explorer to analyze shellbags for data exfiltration cases. We really like this software but are having a difficult time interpreting the different time stamps within this software. There are 6 different timestamps: Created On, Modified On, Accessed On, Last Write Time, First Explored and Last Explored. We have reviewed the manual where it explains what these stamps are... and it still somewhat confuses us. What do First Explored and Last Explored mean? Is this when the folder was last opened and first opened? I've seen several answers for what the Last Written Time is, including the first access to the directory by a user, the last time preferences were changed and when the folder was opened. Are these correct? And would the Last Written Time also include when copying, moving or deleting?

Also, I've noticed on one of our cases, when I highlight one of the drive letters in the directory tree, all of the subfolders within that tree have the same dates and times under the Last Write Time. Does anyone know what this means?

Also, sometimes there are no entries in the Last Explored column. What does this mean if fields are empty?

Thank you all in advance for any help you can give me, I truly appreciate it!

LAB


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

hi

I wrote SBE, so i can help! =)

First explored and last explored take into account the different timestamps in the BagMRU keys

the manual explains these, but you can get additional detail here

http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

last written is the timestamp a Registry key for a given shell bag was last written. there really is no other explanation for this unless another tool is choosing to use that terminology for something different.

First and last explored are the first and last explored dates ACCORDING TO WHAT IS IN BAGMRU. There are some instances where those timestamps are not updated because Windows isn't updating the Registry keys related to the bag in question. first and last explored take into account the last write timestamp of the shell bag key itself, and when possible, the bottom most bag of a given directory structure. It also takes into account the last write timestamp of a key based on the MRU list.

you need to do some testing against your own data (or a vm, etc) where you make changes and then look at the corresponding shell bag entries. this is the best way to get familiar with what things mean and how things get updated.

Created On, Modified on, and accessed on are right from the file system (MFT for example). Once a shellbag is created for a given path, these dates are never updated, even if a folder is deleted and recreated. this is where things like looking at VSCs come into play with older versions of usrclass.dat and SBECmd's ability to dedupe things.

lemme know if any of that is unclear.


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Also, I've noticed on one of our cases, when I highlight one of the drive letters in the directory tree, all of the subfolders within that tree have the same dates and times under the Last Write Time. Does anyone know what this means?

last write time is the timestamp of the key where all those bags were found

Also, sometimes there are no entries in the Last Explored column. What does this mean if fields are empty?

see manual. it means the algorithm used to determine last explored doesn't have enough information to glean last explored. typically this is because of the MRU position and/or whether or not a given path has child bags.


   
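As an added illustration (not SBE's code and not from the thread's author), here is a small Python model of the heuristic described in the two replies above: the own-key LastWrite of a bottom-most bag serves as "first explored", the parent key's LastWrite serves as "last explored" only for the child at MRUListEx position 0, and anything else is left empty. The tree, the timestamps and the exact rules are constructed assumptions for demonstration, not Windows' or SBE's exact behaviour.

```python
from datetime import datetime

# Constructed BagMRU-style tree (sample values, not real evidence).
# Each bag records its Registry key's LastWrite time and its child bags in
# MRUListEx order, where index 0 is the most recently used child.
class Bag:
    def __init__(self, name, last_write, children=()):
        self.name = name
        self.last_write = last_write
        self.children = list(children)

def derive_explored(bag, parent=None, path=""):
    """Yield (path, first_explored, last_explored) for every bag in the tree.

    Model (an assumption, not SBE's exact algorithm): a bottom-most bag with no
    child bags keeps its own key LastWrite as 'first explored'; the parent key's
    LastWrite is 'last explored' only for the child at MRU position 0. Any other
    case leaves the field empty (None), which is how an empty column arises.
    """
    full = f"{path}\\{bag.name}" if path else bag.name
    first = bag.last_write if not bag.children else None
    is_mru_top = parent is not None and parent.children[0] is bag
    last = parent.last_write if is_mru_top else None
    yield full, first, last
    for child in bag.children:
        yield from derive_explored(child, bag, full)

def explored_table(root):
    """Map each path to its (first_explored, last_explored) pair."""
    return {p: (f, l) for p, f, l in derive_explored(root)}

def sample_tree():
    """Constructed tree: C:\\Documents\\{Projects\\{alpha, beta}, Archive}."""
    projects = Bag("Projects", datetime(2023, 5, 2, 9, 0), [
        Bag("alpha", datetime(2023, 4, 1, 8, 0)),     # MRU 0 under Projects
        Bag("beta", datetime(2023, 3, 15, 12, 30)),   # MRU 1 under Projects
    ])
    archive = Bag("Archive", datetime(2023, 1, 10, 7, 45))  # MRU 1, no children
    documents = Bag("Documents", datetime(2023, 5, 2, 9, 0), [projects, archive])
    return Bag("C:", datetime(2023, 5, 2, 9, 0), [documents])

if __name__ == "__main__":
    for path, (first, last) in explored_table(sample_tree()).items():
        print(f"{path:<32} first={first}  last={last}")
```

Running it shows "beta" and "Archive" with an empty last explored (not at MRU position 0) and the non-leaf bags with an empty first explored (they have child bags), which mirrors the empty cells the thread asks about.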
tibbs66
(@tibbs66)
Eminent Member
Joined: 16 years ago
Posts: 38
Topic starter  

Thanks Eric, your explanations are very helpful! I'll definitely be doing some testing to determine what date/time stamps change when moving, copying and deleting one or multiple folders to external devices such as USB thumb drives and hard drives.

Much appreciated!


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

remember, shellbags only get created when accessing the folders, so merely copying, moving, deleting etc. will not do anything.

you have to interact with the shell in order for shellbags to be created (and once created, they are not updated)


   