Shellbags interpretation  

cerh (@cerh), New Member

Hello,

I have a problem interpreting shellbags and I would like your opinion.

The analyzed system runs Windows 10 (NTFS).

The installation is dated 17/10/2016. The system was restored at least twice since 31/05/2018.

The last restoration was made from an image of the system as of 17/10/2016, but it did not complete successfully.

The shellbag information comes from UsrClass.dat, which was partially rewritten during the restoration.
I use the X-Ways hex editor to view it.

I am trying to determine why the date of a folder stays at 17/10/2016 while its sub-folders have dates in 2018.

Below is the folder hierarchy:


Folder 1 Desktop
|
Folder 1 (remote mounted drive)
Default 98022D12E0F8D301 -> 31/05/2018 130538 UTC
MRUListEx 05000000 01000000 04000000 00000000 02000000 03000000 FFFFFFFF
|
|
|-Folder 0
| |-Default 94D53A69217ED201 -> 03/02/2017 132831 UTC
| |-MRUListEx 00000000 FFFFFFFF
| |
| |-Folder 0
| |-Default CD94B87EEBCCD301 -> 05/04/2018 183826 UTC
| |-MRUListEx 00000000 01000000 FFFFFFFF
|
|-Folder 1 (Users)
| |-Default 7E15FBE48D28D201 -> 17/10/2016 154824 UTC
| |-MRUListEx 00000000 FFFFFFFF
| |
| |-Folder 0 (Personal Folder)
| |-Default 9FBE1EB272F3D301 -> 24/05/2018 152006 UTC
| |-MRUListEx 55000000 07000000 .............
| | |
| |-Folder 85
| |-Default 9FBE1EB272F3D301 -> 24/05/2018 152006 UTC
| |-MRUListEx FFFFFFFF
|-Folder 2
| |-Default 7AB5455D23F8D301 -> 30/05/2018 143449 UTC
| |-MRUListEx 00000000 01000000 02000000 FFFFFFFF
|-Folder 3
| |-Default E2DA5770D8EDD301 -> 17/05/2018 121317 UTC
| |-MRUListEx 04000000 02000000 03000000 01000000 00000000 FFFFFFFF
|-Folder 4
| |-Default 8549C5CEDEF8D301 -> 31/05/2018 125635 UTC
| |-MRUListEx 04000000 00000000 01000000.................
|-Folder 5 (Shares)
|-Default EC954C13E0F8D301 -> 31/05/2018 130540 UTC
|-MRUListEx 040000000 80000000 50000000............

The \1 folder is the desktop.
The \1\1 folder is the drive letter of a remote mounted drive.
The \1\1\1 folder corresponds to a Users folder (containing several dozen people on the server; I don't see them in this case, but I have a screen copy of the server folders).
The \1\1\1\0 folder is the home folder of the user.
The folders \1\1\0, \1\1\2, \1\1\3, \1\1\4 and \1\1\5 are shared folders for all users.

I'm trying to find a scenario that explains why the \1\1\1\0 folder has a timestamp that matches what happened (interacting with the \1\1\1\0\85 folder) while the timestamp of its parent folder (\1\1\1) remains at 17/10/2016 174824.

For my part, I think that, according to the rights granted on the remote server, the user never "saw" the \1\1\1 (Users) folder but was directed straight into his personal folder (\1\1\1\0).

However, he can display on screen the names of the folders (\1\1\2, \1\1\3, \1\1\4, \1\1\5) and then navigate into their subfolders.

For example, the \1\1\5 folder corresponds to "Shares"; I think he sees the name of the Shares folder on screen and then navigates through its subfolders.

What do you think?
Thanks in advance.

PS: sorry if I'm not very clear.

Posted : 18/11/2018 12:57 pm
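Added example (my own code, not from the post above or from any shellbag tool): it decodes the 8-byte little-endian FILETIME values and the MRUListEx arrays exactly as they are quoted in the post, rebuilds the quoted BagMRU hierarchy, and flags every key whose timestamp is older than one of its direct children, which is the anomaly the post asks about. Assumptions: the hex the post labels "Default" is a FILETIME (the post's own conversions confirm this), the tree below is my reconstruction of the hierarchy the post describes, and the MRUListEx dumps the post truncates with "..." are left as None rather than guessed at.

```python
from datetime import datetime, timedelta, timezone
import struct

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_hex_to_utc(hexstr):
    """Decode 8 bytes written in hex-editor (little-endian) order into a UTC
    datetime. FILETIME counts 100 ns ticks since 1601-01-01; integer division
    by 10 gives whole microseconds, which timedelta carries without float drift."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_mrulistex(hexstr):
    """MRUListEx is a list of little-endian uint32 subkey numbers, most recently
    used first, ended by 0xFFFFFFFF. A dump with no terminator (the post shows
    several truncated with '...') is rejected instead of being guessed at."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) % 4:
        raise ValueError("MRUListEx length must be a multiple of 4 bytes")
    order = []
    for (n,) in struct.iter_unpack("<I", raw):
        if n == 0xFFFFFFFF:
            return order
        order.append(n)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")


# Hierarchy reconstructed from the post (my assumption about its layout):
# (BagMRU path, timestamp hex, MRUListEx hex or None where the post truncates
# it, children). Hex strings are copied verbatim from the post.
TREE = ("1\\1", "98022D12E0F8D301",
        "05000000 01000000 04000000 00000000 02000000 03000000 FFFFFFFF", [
    ("1\\1\\0", "94D53A69217ED201", "00000000 FFFFFFFF", [
        ("1\\1\\0\\0", "CD94B87EEBCCD301", "00000000 01000000 FFFFFFFF", []),
    ]),
    ("1\\1\\1", "7E15FBE48D28D201", "00000000 FFFFFFFF", [
        ("1\\1\\1\\0", "9FBE1EB272F3D301", None, [
            ("1\\1\\1\\0\\85", "9FBE1EB272F3D301", "FFFFFFFF", []),
        ]),
    ]),
    ("1\\1\\2", "7AB5455D23F8D301", "00000000 01000000 02000000 FFFFFFFF", []),
    ("1\\1\\3", "E2DA5770D8EDD301",
     "04000000 02000000 03000000 01000000 00000000 FFFFFFFF", []),
    ("1\\1\\4", "8549C5CEDEF8D301", None, []),
    ("1\\1\\5", "EC954C13E0F8D301", None, []),
])


def stale_parents(node):
    """Walk the tree and return (parent, newest_child, seconds_newer) for every
    key whose timestamp is older than one of its direct children. A gap of a
    second or two is ordinary write ordering; a gap of months means the parent
    key was not rewritten when the child was, which is what the post describes."""
    path, ts_hex, _, children = node
    parent_ts = filetime_hex_to_utc(ts_hex)
    findings = []
    if children:
        newest = max(children, key=lambda c: filetime_hex_to_utc(c[1]))
        gap = (filetime_hex_to_utc(newest[1]) - parent_ts).total_seconds()
        if gap > 0:
            findings.append((path, newest[0], gap))
    for child in children:
        findings.extend(stale_parents(child))
    return findings


if __name__ == "__main__":
    for parent, child, gap in stale_parents(TREE):
        print("%-12s older than %-14s by %12.1f s" % (parent, child, gap))
    print("\\1\\1 MRU order (most recent first):", parse_mrulistex(TREE[2]))
```

Run as-is, the walk reports three parents older than a child: \1\1 by under two seconds (its newest child, \1\1\5, was written just after it, which is ordinary), and both \1\1\1 and \1\1\0 by more than a year, so the post's observation about \1\1\1 also holds for \1\1\0. The decoded MRUListEx of \1\1 begins with subkey 5, which agrees with \1\1\5 (Shares) carrying the newest timestamp under it.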