Download FTK Imager. Select the source type for adding evidence; here I have selected Logical Drive, because the UsrClass.dat hive is what we want. Next, select the drive holding the user profile and click Finish. Expand the tree to the location of UsrClass.dat, select the user you want to investigate, and go to the following path to extract UsrClass.dat. We will be analyzing this hive. After the extracted shellbags file has been parsed successfully, you will see the entries for folders browsed, created, deleted, etc.
Here is the entry for the folders renamed earlier: the MFT entry number is the same for all three folders. Yes, the shellbags keep the entry even though the folder was deleted later. Shellbags store entries for the directories accessed by the user along with user preferences such as window size and icon size. ShellBags Explorer parses the shellbag entries and shows the absolute path of the directory accessed, its creation time, the file system, and any child bags. The tool classifies the folders accessed according to the location of the folder.
Shellbags are created for compressed (ZIP) files, the command prompt, the search window, and for renaming, moving, and deleting a folder. Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her here. Given that much of this information can only be found within Shellbag keys, it is little wonder that they have become a fan favorite.
The architecture of Shellbag keys within Windows XP is well understood and has been broadly covered [1,2]. However, this is not the case with the Windows 7 format. I have recently had good luck using Shellbags within computer intrusion cases to show evidence of file system enumeration by attackers using compromised accounts. These systems have largely been Windows XP or Server, and when I first sat down to review a Windows 7 system I was severely disappointed. Following the trend of many of our favorite Registry keys being updated in Windows 7, the Shellbag keys underwent a major transformation.
Data from all of these locations still appears to be collected, but all three artifact categories are now stored within the Shell subkey. The keys themselves are stored as a slightly different binary format making manual deciphering even more painful. I was beating my head against the wall trying to reverse engineer the new format when Rob Lee suggested I do something really smart: leverage an existing tool and work backwards.
He introduced me to the TZWorks Shellbag Parser and I was hooked. Besides being the only true Windows 7 Shellbags parser I am aware of, it does a remarkable job of parsing Shellbag structures. This hive supports the new User Account Control (UAC) and the mandatory access control integrity levels now baked into the operating system.
In oversimplified terms, it is used to record configuration information from user processes that do not have access to write to the standard registry hives.
The specific Shellbag keys are: Microsoft documents additional Shellbag keys that may be present on Win7 systems, but after a review of several Win7, Vista, and R2 systems I have been unable to find any evidence of them being used [4]. As always, feel free to get in touch with me by emailing jamie. Or, you can ask me a question here.
What are Shellbags? For example, if a given folder has three child folders labelled 0, 1, and 2 and folder 2 was the most recently accessed, the MRUListEx value will list folder 2 first, followed by folders 0 and 1 in their order of access. The NodeSlot value corresponds to the Bags key and the particular view setting stored there for that folder.
This will help examiners understand what folders were browsed on a system through Windows Explorer, including any folders that might have been previously deleted or that reside on remote systems or storage. For each folder it reports the path of the folder being analyzed, the last write time of the BagMRU registry key, and the last write time of the Bags registry key. Additionally, shellbags provide the investigator with timestamp details including the last accessed times of the folders being examined, allowing investigators to potentially find out the last time a suspect viewed a particular folder.
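To make the BagMRU ordering concrete, here is an added Python example (not code from any of the articles quoted above or from the tools they mention) that decodes a constructed MRUListEx value into access order and follows each child's NodeSlot to its Bags subkey. The in-memory registry snapshot, its subkey names and its NodeSlot numbers are hypothetical.

```python
import struct

# Constructed snapshot of a BagMRU subtree as a parser might read it from a
# UsrClass.dat hive. Keys are subkey paths; values map value names to raw data.
# The root MRUListEx encodes the page's example: children 0, 1 and 2, with
# child 2 most recently accessed, so the DWORDs read 2, 0, 1, then 0xFFFFFFFF.
SAMPLE_BAGMRU = {
    "BagMRU": {
        "MRUListEx": b"\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff",
        "NodeSlot": 1,
    },
    "BagMRU\\0": {"MRUListEx": b"\xff\xff\xff\xff", "NodeSlot": 2},
    "BagMRU\\1": {"MRUListEx": b"\xff\xff\xff\xff", "NodeSlot": 3},
    "BagMRU\\2": {"MRUListEx": b"\xff\xff\xff\xff", "NodeSlot": 4},
}


def parse_mrulistex(raw):
    """Decode MRUListEx: little-endian DWORD child indices, most recently
    accessed first, terminated by 0xFFFFFFFF. Returns the ordered indices."""
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order = []
    for off in range(0, len(raw), 4):
        (idx,) = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order


def walk_bagmru(tree, key="BagMRU"):
    """Yield (child subkey, NodeSlot, access rank) depth-first, children in
    MRU order. Rank 0 is the most recently accessed sibling."""
    values = tree.get(key, {})
    for rank, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        child = "%s\\%d" % (key, idx)
        if child not in tree:
            continue  # MRUListEx names a child whose subkey is absent
        yield child, tree[child].get("NodeSlot"), rank
        for row in walk_bagmru(tree, child):
            yield row


def bags_key_for(nodeslot):
    """NodeSlot links a BagMRU entry to the Bags subkey holding its view settings."""
    return "Bags\\%d" % nodeslot
```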
Published on December 14,