Shellbags Explorer  

jblakley
(@jblakley)
Active Member

I've been testing Shellbags Explorer (SE) today, and I noticed a few things. The MFT record that I'm getting from SE is not hitting a starting boundary in the actual MFT so I searched for the offset in disk view in EnCase. I have no lnk for access to this folder either


Short name Wxxxxxx~1
Modified 2014-05-13 22:05:46.000

Value Wxxxxxxxxxs
Shell Type Directory

Bag Path BagMRU\1\1, Slot # 3, MRU Position 15, Node Slot 250
Absolute Path Desktop\My Computer\E:\Wxxxxxxxxxs

# Child Bags 0

First interacted 2017-03-27 09:16:06.249

Extension blocks found 1
---------------------- Block 0 ----------------------
Signature 0xbeef0004
Size 70
Version 8
Version Offset 0x18

Identifier 2A (Windows 2008, 7, 8)

Created On 2014-05-13 22:07:20.000
Last Access 2014-05-13 00:00:00.000

Long Name Wxxxxxxxxxs

MFT Entry Number 246464

File system hint FAT

--------------------------------------------------

Last Write Time 2017-05-31 13:17:11.046


I'm assuming that the MFT entry number here is the disk offset and not a record in the MFT, but I'm still not finding a reference to this file. This is from a USB device, and I'm trying to determine which device was connected at the time.

Thanks!

Posted : 04/10/2017 10:08 pm
jblakley
(@jblakley)
Active Member

Now I'm thinking that the MFT record number mentioned is going to be the MFT on that drive, or with regards to FAT, the offset of that disk. So (and correct me if I'm wrong), if I don't have the device this mentions, this attribute won't really help me.

Posted : 04/10/2017 11:10 pm
benfindlay
(@benfindlay)
Active Member

Just so I understand correctly - are you saying that the $MFT record you are looking at is not aligned to a sector boundary?

I've seen this a few times, especially when carrying out tests using VMs.

My experience is that MFT entries can get stored in journal type files (like $logfile IIRC) rather than the actual MFT (these of course have their own internal organisational structure), therefore won't necessarily be aligned to a sector boundary like they would within the actual $MFT itself.

Just a thought!

Ben

Posted : 05/10/2017 8:17 am
Bunnysniper
(@bunnysniper)
Active Member

I'm assuming that the MFT entry number here is the disk offset and not a record in the MFT, but I'm still not finding a reference to this file. This is from a USB device, and I'm trying to determine which device was connected at the time.

Thanks!

"On NTFS file systems, the MFT entry and sequence numbers come from the FILE record for the directory. With exFAT and FAT, the MFT entry number is the absolute offset to the structure defining the directory on disk"

https://www.sans.org/summit-archives/file/summit-archive-1492184337.pdf

The PDF mentioned above is everything you need to answer your questions, I think. And have a look at the timestamp differences for FAT and NTFS when it comes to Shellbags!

best regards,
Robin

Posted : 05/10/2017 10:16 am
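To make the quoted NTFS-vs-FAT distinction concrete, here is an added example (not part of this thread or of Shellbags Explorer) that decodes the leading fields of a 0xbeef0004 block and interprets the 8-byte reference field both ways. It assumes the layout size(2) version(2) signature(4) created(4) accessed(4) identifier(2) with each FAT timestamp stored as a 2-byte date followed by a 2-byte time, the default 1024-byte MFT record size, and constructed sample bytes carrying the values shown in the first post.

```python
import struct
from datetime import datetime

# Constructed sample (not a real artifact): the first 18 bytes of a 0xbeef0004
# block carrying the thread's values (size 70, version 8, identifier 0x2A,
# created 2014-05-13 22:07:20, last access 2014-05-13 with no time of day).
SAMPLE_HEADER = bytes.fromhex("4600" "0800" "0400efbe" "ad44eab0" "ad440000" "2a00")
# The 8-byte reference field as it would read for the thread's value 246464.
SAMPLE_REF_FAT = (246464).to_bytes(8, "little")

def fat_date_time(date_word, time_word):
    """Decode a packed DOS date/time; FAT only keeps 2-second resolution."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_beef0004_header(block):
    """Return the fixed leading fields of a 0xbeef0004 extension block (assumed layout)."""
    size, version, signature = struct.unpack_from("<HHI", block, 0)
    if signature != 0xBEEF0004:
        raise ValueError("not a 0xbeef0004 extension block")
    cdate, ctime, adate, atime, identifier = struct.unpack_from("<HHHHH", block, 8)
    return {"size": size, "version": version, "identifier": identifier,
            "created": fat_date_time(cdate, ctime),
            # FAT keeps only a date for last access, so the time reads 00:00:00
            "last_access": fat_date_time(adate, atime)}

def interpret_reference(raw8, fs_hint):
    """Same 8 bytes, two meanings: NTFS file reference vs FAT/exFAT byte offset."""
    value = int.from_bytes(raw8, "little")
    if fs_hint == "NTFS":
        entry, sequence = value & 0xFFFFFFFFFFFF, value >> 48
        # assumes the default 1024-byte MFT record size
        return {"mft_entry": entry, "sequence": sequence, "offset_in_mft": entry * 1024}
    # FAT/exFAT: absolute offset, on the volume of the (absent) device, of the
    # 32-byte directory entry; it need not fall on a 512-byte sector boundary,
    # which is why searching for it as a sector-aligned record finds nothing
    return {"volume_offset": value, "dir_entry_aligned": value % 32 == 0,
            "sector_aligned": value % 512 == 0}

if __name__ == "__main__":
    print(parse_beef0004_header(SAMPLE_HEADER))
    print(interpret_reference(SAMPLE_REF_FAT, "FAT"))
```

Run against the thread's value, the FAT branch reports a 32-byte-aligned but not sector-aligned offset, matching the "not hitting a starting boundary" observation in the first post.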
jblakley
(@jblakley)
Active Member

Thanks Robin. That's the same PDF I had found when I noticed the offset wasn't in the MFT due to it being a FAT volume. I'm going to do some testing on a known USB device today (a personal one) to see if it's the entry number on that device. If it is, I'm going to assume I'm not going to be able to do anything with this number if I don't have the suspect device in hand.

Posted : 05/10/2017 12:01 pm
jblakley
(@jblakley)
Active Member

Just so I understand correctly - are you saying that the $MFT record you are looking at is not aligned to a sector boundary?

I've seen this a few times, especially when carrying out tests using VMs.

My experience is that MFT entries can get stored in journal type files (like $logfile IIRC) rather than the actual MFT (these of course have their own internal organisational structure), therefore won't necessarily be aligned to a sector boundary like they would within the actual $MFT itself.

Just a thought!

Ben

Thanks Ben. Shellbags Explorer is reporting that the volume the USB drive had was FAT and not NTFS. For NTFS, it will provide a sequence number along with the MFT record number, but for FAT it will only provide an "MFT" record number. This number, for a FAT volume, I'm assuming is the physical sector of the device (which I would need in my possession) to be able to see the data that the shellbag references (I could be completely wrong here). Since each volume has its own MFT (besides this being a FAT volume), and I know that this USB device was assigned to E:\, without having that device, I wouldn't be able to reference the MFT record.

So my question was how to determine which volume GUID a certain shellbag folder belonged to without having access to the USB device. Can I determine the serial number of the device that was viewed just by the shellbag itself? My guess is no, and the only thing I can conclusively prove is that there could be more than one USB device that has these folders.

Posted : 05/10/2017 12:14 pm
Bunnysniper
(@bunnysniper)
Active Member

I'm going to assume I'm not going to be able to do anything with this number if I don't have the suspect device in hand.

Yes, that's right. Sorry! Another question: what are you searching for? Paths to a folder, a picture or any other kind of file type? Is it a CP case with inappropriate pictures?

best regards, Robin

Posted : 05/10/2017 12:39 pm
jblakley
(@jblakley)
Active Member

I'm going to assume I'm not going to be able to do anything with this number if I don't have the suspect device in hand.

Yes, that's right. Sorry! Another question: what are you searching for? Paths to a folder, a picture or any other kind of file type? Is it a CP case with inappropriate pictures?

best regards, Robin

Oh no, nothing like that. During an investigation, I noticed that if Windows assigned the D: designation to a USB drive and I clicked on "folder 1", a shellbag would be recorded. If I remove that drive and insert a totally different USB drive that also receives D:, and I click on "folder 2", the shellbag is created.

When parsing these, I now have one D: for shellbags that appears to have two folders instead of two separate drives. I was trying to determine if there was a way for me to associate "folder 1" to its volume GUID or serial number, and "folder 2" the same, but it doesn't appear to me that there's a way to really do that without the devices.

Thank you so much for the response!!

Posted : 05/10/2017 12:47 pm