In this article, we will be focusing on shellbags and its forensic analysis using shellbag explorer. Shellbags are created to enhance the users’ experience by remembering user preferences while exploring folders, the information stored in shellbags is useful for forensic investigation.
Table of Contents
·
Introduction
·
Location
of shellbags
·
Forensic
analysis using Shellbags Explorer
·
Active Registry Analysis
·
Offline Registry Analysis
Introduction
Windows Shell Bags were introduced
into Microsoft's Windows 7 operating system and are yet present on all later Windows
platform. Shellbags are registry keys that are used to improve user experience
and recall user’s preferences whenever needed. The creation of shellbags relies
upon the exercises performed by the user.
As a digital forensic investigator, with
the help of shellbags, you can prove whether a specific folder was accessed by a
particular user or not. You can even check whether the specific folder was
created or was available or not. You can also find out whether external
directories have been accessed on external devices or not.
For the most part, Shell Bags are
intended to hold data about the user's activities while exploring Windows. This
implies that if the user changes icon sizes from large icons to the grid, the
settings get updated in Shell Bag instantly. At the point when you open, close,
or change the review choice of any folder on your system, either from Windows
Explorer or from the Desktop, even by right-clicking or renaming the organizer,
a Shellbag record is made or refreshed.
Location of shellbags
Windows XP
The shellbags for Windows XP are stored in NTUSER.DAT
·
Network folders
references:\Software\Microsoft\Windows\Shell
·
Local folder references:
\Software\Microsoft\Windows\ShellNoRoam
· Removable device folders: \Software\Microsoft\Windows\StreamMRU
Windows 7 to Windows
10
Shellbags are a set of subkeys in
the UsrClass.dat registry hive of Windows 10 systems. The shell bags are stored in both NTUSER.DAT and USRCLASS.DAT.
·
NTUSER.DAT: HKCU\Software\Microsoft\Windows\Shell
·
USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
The majority of the data is found in
the USRCLASS.DAT hive-like local, removable, and network folders’
data.
You can manually check shellbags
entry in the registry editor like so. In the following screenshot, a shellbag
entry for a folder named jeenali is shown.
The Shellbag data contains two main
registry keys, BagMRU and Bags
·
BagMRU: This stores folder names and folder path
similar to the tree structure. The root directory is represented by the first
bagMRU key i.e. 0. BagMRU contains numbered values that compare to
say sub key’s nested subkeys. All of these subkeys contain numbered values
aside from the last child in each branch.
·
Bag: These stores view preference such as the size
of the window, location, and view mode.
We will be analyzing the shellbags
using the shellbag explorer.
1.
ShellBags
explorer(SBECmd)
2.
Shellbags
explorer (GUI version)
Shellbags explorer is a tool by Eric
Zimmerman to analyze shellbags. The shellbags explorer is available in both
versions cmd and GUI. You can download the tool from here.
Forensic Analysis of Shellbag
Analysis using SBECmd
Here we are using the SBECmd.exe
(Cmd version of the shellbag explorer tool) by Eric Zimmerman. This cmd tool is
great for command prompt lovers who prefer using commands over GUI.
To get a clear idea about how shell
bags work and store data and how you can analyze it I have created a new folder
named “raaj” which consists of a text document. Further, we will be renaming it
to geet and then to jeenali. Let’s analyze the shellbags entries for this.
Run the executable file and browse
to the directory where the executable is present. To extract the shellbags data
into a .csv file use the following command:
SBECmd.exe –l –csv ./
As a result of the above command, a
.csv file will be created in the directory.
Lets’ open the .csv file and analyze
it.
As I mentioned earlier we have renamed the folder named “raaj” to “geet” and further to “jeenali” as highlighted in the screenshot the MFT entry number is the same for all three folders which depict that the folder was renamed.
v Shellbags explorer (GUI version)
Active Registry Analysis
Using the shellbags explorer we can
also analyze the active registry. Select load an active registry which will
load the registry in use by the active user.
The shellbags are successfully
parsed from the active registry.
The shellbags parsed contains the
shellbags entries created based on users’ activities. As depicted earlier the
folder renamed will have a similar MFT entry number. I have created a folder
named “raaj”, we will be further renaming it to “geet”.
Whenever a folder is renamed an
entry is stored in shellbag, the MFT entry number of both the folder will be
the same.
Now lets’ once again rename the
folder to jeenali. The MFT entry will be similar to the previous one.
Offline registry analysis
For offline analysis, we first have
to extract the shellbags file which is USRCLASS.DAT. Let’s extract the shellbag
file using FTK imager. Download FTK imager from here.
Lets’ add in the evidence, go to the add evidence item.
Select the source for adding
evidence here I have select the local drive as the usrclass.dat as the
Select the desired user drive. Click
Finish.
Expand the window to the location of
the usrclass.dat.Select the user you want to investigate go to the following
path to extract the UsrClass.dat.
root > users > administrator
>Appdata>Local>Microsoft>windows
We will be analyzing the
usrclass.dat extracted from the above step using shell bag explorer by Eric
Zimmerman.
As we have exported the registry
hives we will choose “load offline hive”
After successful parsing of the
extracted shellbags file, you will be able to see the entries for folders
browsed, created, deleted, etc. Here is the entry of the folders renamed
earlier, the MFT entry number is the same for the three folders.
Further, I deleted the folder named
“jeenali”. Now lets’ check the shellbags data whether the deleted folder still
exists.
Yes, the shellbags store the entry
even though the folder was deleted later.
Shellbags stores the entries of the
directories accessed by the user, user preferences such as window size, icon
size. Shellbags explorer parses the shellbags entries shows the absolute path
of the directory accessed, creation time, file system, child bags. The tool
classifies the folders accessed according to the location of the folder. Shellbags
are created for compressed files (ZIP files), command prompt, search window,
renaming, moving, and deleting a folder.
0 comments:
Post a Comment