I agree. Unfortunately, the limited value and the limited number of times these artifacts are needed in a case will also limit the amount of time researchers/examiners such as yourself, and examiners in the trenches (who typically cannot take the time to look past the next case and will await your next tome), can devote to looking at these items. And as you have posted before (on several occasions), if no one is clamoring for information about an item, what motivation do you have to invest time and effort into the research?
Well, I don't think that these artifacts are of limited value, per se.
For example, these artifacts can show accesses to folders and even zipped archives that no longer exist on the system.
In this particular case, I'm trying to raise awareness of these artifacts by engaging in a discussion, so that analysts will look at them and incorporate them in analysis. I've posted to my blog regarding unique artifacts with respect to off-system communications that were *only* available via shellbag analysis.
…will await your next tome…
Yeah, well, few seem to read those "tomes", and one of the hardest parts about creating the "next tome" is the lack of feedback regarding the current one(s)…
I am to say the least surprised. Our lab manager buys a copy of the current edition for each examiner and I cannot imagine a lab without at least one copy. If we as examiners are not supporting the research of our peers that is a sad testament.
Buying the copies is much appreciated…but without feedback in any endeavor, there's no improvement…or at least, it's limited.
In terms of feedback… they're great as reference material. I think I use them in every job I do.
And shellbags are definitely something I'm going to be looking into.
The most common questions I get are
"did the user have knowledge of this file"
or "is there evidence of user activity"
or "can you get deleted data off an iPhone 4s" (last one's a joke, but seriously, I get the question at least once a week).
I would like to see you team up with some of the "internet" guys like Jad from Magnet or the Digital Detectives to try to put together something to do with the potential artefacts that indicate social networks or online mail clients etc.
The most common questions I get are
"did the user have knowledge of this file"
or "is there evidence of user activity"
If these are the top two most common questions, why *aren't* you already analyzing shellbags?
I would like to see you team up with some of the "internet" guys like Jad from Magnet or the Digital Detectives to try to put together something to do with the potential artefacts that indicate social networks or online mail clients etc.
Sure, and I'd love to get paid to do that.
I would like to see you team up with some of the "internet" guys like Jad from Magnet or the Digital Detectives to try to put together something to do with the potential artefacts that indicate social networks or online mail clients etc.
I'm really not sure what this has to do with shellbags, per se…and the fact is, I think that Jad already has the first part, to some degree, addressed.
Oh, it doesn't; it was regarding the general feedback for any new books you plan on writing.
And re: why aren't I examining shellbags… I need to start. So far I've been able to get away with checking for other artefacts and get by with that, but I do need to start reading everything I can about them to add another tool to the arsenal.
So far I've been able to get away with checking for other artefacts and get by with that, but I do need to start reading everything I can about them to add another tool to the arsenal.
That's what I thought, too.
Then this spring I had to examine a Windows 2008 R2 system, that had been accessed and compromised via Terminal Services (easy to guess Admin password). There was some difficulty in figuring out who did what, because we found that several "bad guys" were accessing the system, as well as the admin, all using the same account. However, Win7 and 2008R2 are much more verbose in their logging, so we could see in the timeline where someone was logging in and out.
So we had to determine how data was being transferred to/from the system. I looked for all of the usual suspects…and came up empty. I then went to the Shellbags and found that what one intruder did was use Windows Explorer to perform FTP transfers. I thought this was interesting but remembered that Syngress had had me do the very same thing when I was writing my first book. The interesting thing about this is that the ONLY place where there are artifacts of this sort of activity was in the Shellbags. Ftp.exe is never launched, the browser isn't used, and no third party applications were ever used. And yet, we found clear indications of accesses to two sites, and attempts to access two others.
So, I hear things like, "I need to start…" or "I need to read up on this…", and I offer my assistance to those folks…and then never hear from them. I would say that from this point on, if you're doing any exam that focuses on what a user did on the system, and you're NOT looking at Shellbags, then you're not doing everything you can for your exam, or your client.
One other thing…Jacky Fox recently released her dissertation regarding interpreting Registry data. In her dissertation, she mentions that she found that when a USB device is plugged into a system, the MountPoints2 artifact is created/updated for *all logged in users*. This can make it difficult to determine which user accessed the volume. Shellbags can help you narrow that down. Shellbags can also show user access to devices that don't always show up via the traditional USB device analysis methodologies.