windows shellbags forensics in depth
play

WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo WHO - PowerPoint PPT Presentation

Feb 01, 2023 •509 likes •1.03k views

WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo WHO AM I? Vincent Lo CISSP, GCFA Gold, GCIH, GREM, CCE Blog: lylcdigitalforensics.blogspot.com Twitter: @_VincentLo_ CONTENT What is ShellBag? ShellBag Structure ShellBag

  1. WINDOWS SHELLBAGS FORENSICS IN DEPTH RUXCON 2014 Vincent Lo

  2. WHO AM I? Vincent Lo CISSP, GCFA Gold, GCIH, GREM, CCE Blog: lylcdigitalforensics.blogspot.com Twitter: @_VincentLo_

  3. CONTENT What is ShellBag? ShellBag Structure ShellBag Activities Case Study

  4. WHAT IS SHELLBAG? Windows behavior

  5. SHELLBAG STRUCTURE

  6. SHELLBAG STRUCTURE DESKTOP

  7. SHELLBAG STRUCTURE

  8. SHELLBAG STRUCTURE

  9. SHELLBAG STRUCTURE

  10. SHELLBAG STRUCTURE

  11. QUESTION So...what can ShellBags do for digital forensic investigators? It may prove a user accessed certain folders which he/she shouldn't. It may show the directories on external devices. It may contain what files existed on the Desktop at the time. (itempos)

  12. WHEN WILL THE SHELLBAGS BE CREATED? Myth 1 : When the folder is opened and closed in Windows Explorer at least once. (2009) The experiment says... Myth 2 : When a folder is opened and has default settings adjusted. (2011) The experiment says...

  13. SHELLBAG CREATION The activities that could create ShellBags are not always the same.

  14. WINDOWS XP SHELLBAG CREATION Windows Explorer & Desktop Compressed Files (ZIP files) Search Window Remote Machines & Folders Windows Special Folders & Virtual Folders Removable Devices Exception

  15. WINDOWS XP SHELLBAG CREATION Windows Explorer & Desktop Windows Explorer Desktop

  16. WINDOWS XP SHELLBAG CREATION Windows Explorer & Desktop Does the folder contain any visible child items (files or subfolders)? If the folder contains visible child item(s), ShellBags will be created when the folder is opened. If the folder contains does NOT contain any visible child items, ShellBags will be created when the folder is opened and closed. Closed : The Windows Explorer is closed or another folder is opened in the same window.

  17. WINDOWS XP SHELLBAG CREATION Windows Explorer & Desktop What if the folder doesn't contain any visible child items but only hidden child item(s) (files or subfolders)? If Windows Explorer is configured to show them, ShellBags will be created when the folder is opened. If Windows Explorer is configured NOT to show them, ShellBags will be created when the folder is opened and closed.

  18. WINDOWS XP SHELLBAG CREATION Compressed Files (ZIP files) ShellBags will be created, when a ZIP file is opened and closed in Windows Explorer. The ShellBags information will include the created date, modified date and accessed date of the ZIP file.

  19. WINDOWS XP SHELLBAG CREATION Search Window

  20. WINDOWS XP SHELLBAG CREATION Search Window Search Results folder Open Windows Explorer. Click Search icon. Choose the search scope and click Search. Then, close the window or open a folder in the same window. {CCE6191F-13B2-44FA-8D14-324728BEEF2C} folder Open the Search window from Start menu. Then, close the window or open a folder in the same window. Open the Search window from Start menu. Then, choose the search scope and click Search.

  21. WINDOWS XP SHELLBAG CREATION Remote Machines & Remote Folders

  22. WINDOWS XP SHELLBAG CREATION Remote Machines & Remote Folders Remote Machines ShellBags will be created when the remote machine is opened and closed. Remote Folders If the folder contains visible child item(s), ShellBags will be created when the folder is opened. If the folder contains does NOT contain any visible child items, ShellBags will be created when the folder is opened and closed.

  23. WINDOWS XP SHELLBAG CREATION Windows Special Folders & Virtual Folders (It is very complicated.) Special Folders Examples: My Documents , My Music and My Pitures Virtual Folders Examples: My Computer and Control Panel Multiple Identities Example: Desktop can be a special folder, virtual folder or actual file system folder. Example: My Documents can be a file system folder or virtual folder.

  24. WINDOWS XP SHELLBAG CREATION Windows Special Folders & Virtual Folders (It is very complicated.) The activities that cause the creation of their ShellBags depend on the folder type and situation.

  25. WINDOWS XP SHELLBAG CREATION Removable Devices Windows XP does NOT create the ShellBags for folders on removable devices.

  26. WINDOWS XP SHELLBAG CREATION Exception Right click on the folder and choose Properties ➞ Customize . Then, click "OK".

  27. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION

  28. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Windows Explorer Desktop Removable Devices Remote Machines & Folders Compressed Files (ZIP files) Search Result desktop.ini Command Prompt Windows Special Folders, Virtual Folders & Libraries

  29. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Windows Explorer It doesn't matter whether a folder is empty or not. Create a folder Click a folder to select it Click a folder to select it and press an arrow key to move the bar to select other folders (The ShellBags information for those folders will be created.) Right click a folder The folder doesn't have to be opened.

  30. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Windows Explorer As the result, the following activities in Windows Explorer will create the ShellBags information. Open a folder (Double-click a folder) Rename a folder (Right-click a folder and select "Rename" or select the folder and press "F2". Change the folder name and press enter. The ShellBags of original and renamed folder names will be created.) Delete a folder Copy a folder to local drives(ShellBags of the source folder and destination folder will be created.)

  31. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Desktop The activities that could create the ShellBags are NOT exactly the same as Windows Explorer. Open a folder Right-click a folder Cut a folder (Ctrl+x) Copy a folder (Ctrl+c) Rename a folder (select the folder and press "F2") - Only 7, 8 and 8.1 Delete a folder (Select the folder and press "Delete")

  32. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Desktop As the result, the following activities will create the ShellBags information for a folder. Rename a folder (Right-click a folder and select "Rename" or select the folder and press "F2" (The later one doesn't create the ShellBags in Vista). Change the folder name and press enter. The ShellBags of original folder name will be created.) Delete a folder (Right-click and select "Delete" or click the folder and press "Delete") Copy a folder(ShellBags of the source folder will be created.) In Vista, the source and destination folders will be created if the destination folder is on the Desktop.

  33. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Removable Devices ShellBags will be created when folders on removable devices are opened and closed.

  34. WINDOWS VISTA SHELLBAG CREATION Remote Machines & Remote Folders Remote Machines ShellBags will be created when the remote machine is opened and closed. Remote Folders ShellBags will be created when the folder is opened. Remote Folders ➞ Child Folders ShellBags will be created when the child folder is opened.

  35. WINDOWS 7, 8 AND 8.1 SHELLBAG CREATION Remote Machines & Remote Folders Remote Machines ShellBags will be created when the remote machine is opened and closed. Remote Folders ShellBags will be created when the folder is opened. Remote Folders ➞ Child Folders ShellBags can be created without being opened. The activities mentioned in the "Windows Explorer" section can cause their ShellBags information to be created.

  36. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Compressed Files (ZIP files) ShellBags will be created, when a ZIP file is opened and closed in Windows Explorer. The ShellBags information will include the created date, modified date and accessed date of the ZIP file.

  37. WINDOWS VISTA AND 7 SHELLBAG CREATION Search Result Type the query in the Smart menu's "Start Search" or in Windows Explorer’s Search column and execute it. In Windows Vista and 7, if the query is run in the Start menu’s “Start Search” column, when the search window appears, the query will be recorded. Windows 8 and 8.1 use different Start screen design. The search run through Start screen doesn’t seem to be recorded in ShellBags.

  38. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION desktop.ini If the folder type or CLSID is specified in the desktop.ini, Windows Explorer will create the ShellBags information only after the folder is opened.

  39. WINDOWS VISTA SHELLBAG CREATION Command Prompt This occurs on Vista only. In the Command Prompt, if the folders are created in the %UserProfile%\Desktop folder via “mkdir” command, the ShellBags information of those folders will be created.

  40. WINDOWS VISTA, 7, 8 AND 8.1 SHELLBAG CREATION Windows Special Folders, Virtual Folders & Libraries (It is very complicated.) Special Folders Examples: Documents , Music , Picture and Videos Virtual Folders Examples: My Computer and Control Panel Libraries (7, 8 and 8.1) Examples: Documents , Music , Picture and Videos

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSN08101 Digital Forensics Lecture 10: Windows Registry Module Leader: Dr Gordon Russell

CSN08101 Digital Forensics Lecture 10: Windows Registry Module Leader: Dr Gordon Russell

CSN08101 Digital Forensics Lecture 10: Windows Registry Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Lecture Objectives Windows Registry Structure Properties Examples Timeline Analysis Web

2.99k views • 67 slides
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015 REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the

228 views • 21 slides
The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster

The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster

The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster Andreas Schuster / DFRWS 2008 2008-08-12 1 Introduction. A simulated attack. Attacker launches shell (cmd.exe) launches payload

511 views • 25 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Virtual Forensics 2.0 Investigating virtual environments Christiaan Beek Agenda Who am I?

Virtual Forensics 2.0 Investigating virtual environments Christiaan Beek Agenda Who am I?

Virtual Forensics 2.0 Investigating virtual environments Christiaan Beek Agenda Who am I? Traditional vs Virtual Challenges Citrix & Vmware Windows 7 Summary This session is NOT: A negative talk about

629 views • 44 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics & Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Getting Started The Command Line Today our computers all have GUIs G raphic U ser I

Getting Started The Command Line Today our computers all have GUIs G raphic U ser I

Lesson 0 Getting Started The Command Line Today our computers all have GUIs G raphic U ser I nterfaces Ability to control with mice or touch But we did not use to have that (pre mid-80s) Intead, we used text to interact with

402 views • 21 slides
KESS2 a Llesiant Cenedlaethaur Dyfodol KESS 2 and the Well-being of Future Generations 12/2/18

KESS2 a Llesiant Cenedlaethaur Dyfodol KESS 2 and the Well-being of Future Generations 12/2/18

KESS2 a Llesiant Cenedlaethaur Dyfodol KESS 2 and the Well-being of Future Generations 12/2/18 Dr Einir Young Cyfarwyddwr Cynaliadwyedd, Prifysgol Bangor Director of Sustainability, Bangor University www.planet.cymru | @PlanetDotCymru

341 views • 12 slides
Dipole Antennas Prof. Girish Kumar Electrical Engineering Department, IIT Bombay

Dipole Antennas Prof. Girish Kumar Electrical Engineering Department, IIT Bombay

Dipole Antennas Prof. Girish Kumar Electrical Engineering Department, IIT Bombay gkumar@ee.iitb.ac.in (022) 2576 7436 Infinitesimal Dipole An infinitesimally small current element is called the Hertz Dipole (Length L< /50) Assume an

404 views • 24 slides
Sharper Tools Topic 15 Implementing and Using Stacks "stack n. The set of things a person

Sharper Tools Topic 15 Implementing and Using Stacks "stack n. The set of things a person

Sharper Tools Topic 15 Implementing and Using Stacks "stack n. The set of things a person has to do in the future. "I haven't done it yet because every time I pop my stack something new gets pushed." If you are interrupted

369 views • 7 slides
How To: Run the ENCODE histone ChIP-seq analysis pipeline

How To: Run the ENCODE histone ChIP-seq analysis pipeline

How To: Run the ENCODE histone ChIP-seq analysis pipeline on DNAnexus Overview: In this exercise, we will run the ENCODE Uniform Processing

328 views • 15 slides
Efficient Computing for Social Scientists Johannes Karreth February 22, 2013 Why do you need a

Efficient Computing for Social Scientists Johannes Karreth February 22, 2013 Why do you need a

Efficient Computing for Social Scientists Johannes Karreth February 22, 2013 Why do you need a good workflow? Collaboration Save time Replication Changes Implement updates Reproduce your own work Expand work to other

446 views • 19 slides
Why important ? You must know how to: Create a file Create a folder Delete

Why important ? You must know how to: Create a file Create a folder Delete

Why important ? You must know how to: Create a file Create a folder Delete a file Delete a folder Show current Path Navigate through folders Show content in folder Show content in file Copy

667 views • 13 slides
COP 3014: Fall 2017 Using Files in myFSU VLab November 29, 2017 This document is a guide for

COP 3014: Fall 2017 Using Files in myFSU VLab November 29, 2017 This document is a guide for

COP 3014: Fall 2017 Using Files in myFSU VLab November 29, 2017 This document is a guide for doing file I/O using Visual Studio on the myFSU VLab. This has to be done in several steps. Please make sure you follow this guide for the homework. 1

826 views • 3 slides

More recommend