Shellbags
What are shellbags?
Shellbags are found in the registry and contain information about files. This includes file access, dates, and the number of times programs have been run. This data can still exist even for deleted files and folders.
Why are they useful?
They exist even for removable media. This means that even if a folder is on a USB stick, investigators can show that it was accessed on that device when the USB was plugged in.
Where can shellbags be found?
NTUSER.DAT
-\Software\Microsoft\Windows\Shell\BagMRU (the actual directory structure of the folders accessed)
-\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat
-\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
-\Local Settings\Software\Microsoft\Windows\Shell\Bags
Note: both are user specific.
Under \Software\Microsoft\Windows\Shell\BagMRU we have the following values:
-MRUListEx
-NodeSlot
-NodeSlots
MRUListEx-
This is a 4-byte value which indicates the order in which folders were accessed, most recent first.
NodeSlot-
Points to the Bags key, which stores the customisation data for that folder.
NodeSlots-
Updated upon creation of a new shellbag.
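As an added example (not code from the original post or from any shellbag tool), a small Python parser for the MRUListEx value described above: it decodes the 4-byte little-endian entries into the list of BagMRU child subkey numbers, most recent first, and pairs each with its NodeSlot so you can see which Bags\<n> key holds that folder's settings. The MRUListEx bytes and NodeSlot values below are constructed sample data; the 0xFFFFFFFF terminator is the standard end-of-list marker, and data without a terminator (a truncated value) is handled by stopping at the end of the buffer.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # marks the end of an MRUListEx value


def parse_mrulistex(data: bytes) -> list[int]:
    """Decode a BagMRU MRUListEx value into child subkey numbers, most recent first.

    The value is a run of little-endian 4-byte entries; each entry names a numbered
    child subkey under BagMRU. Parsing stops at 0xFFFFFFFF or at the end of the
    buffer, and any trailing partial entry (truncated data) is ignored.
    """
    usable = data[: len(data) - len(data) % 4]
    order = []
    for (entry,) in struct.iter_unpack("<I", usable):
        if entry == MRU_TERMINATOR:
            break
        order.append(entry)
    return order


def rank_bagmru_children(mrulistex: bytes, children: dict[int, int]) -> list[tuple[int, int]]:
    """Return (child index, NodeSlot) pairs in MRU order.

    children maps each BagMRU child subkey number to its NodeSlot DWORD, i.e. the
    Bags\\<NodeSlot> key that stores the folder's view settings. Children that are
    not listed in MRUListEx are appended at the end so they are not silently lost.
    """
    ranked = [(idx, children[idx]) for idx in parse_mrulistex(mrulistex) if idx in children]
    seen = {idx for idx, _ in ranked}
    ranked += [(idx, slot) for idx, slot in sorted(children.items()) if idx not in seen]
    return ranked


# Constructed sample: a BagMRU key with three children, accessed in the order 2, 0, 1.
SAMPLE_MRULISTEX = struct.pack("<IIII", 2, 0, 1, MRU_TERMINATOR)
SAMPLE_CHILDREN = {0: 5, 1: 6, 2: 7}  # child index -> NodeSlot (constructed values)

if __name__ == "__main__":
    for idx, slot in rank_bagmru_children(SAMPLE_MRULISTEX, SAMPLE_CHILDREN):
        print(f"BagMRU\\{idx} -> Bags\\{slot}")
```

On a live system the same bytes come from the MRUListEx value of each BagMRU subkey, and the NodeSlot values from the child subkeys themselves; the parser is the part that does not depend on where the hive was loaded from.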
Testing a tool out
So, we know what shellbags are and why they are important. Using ShellBags Explorer by XX, we will now look at its use in an investigation.
So we run the exe, which has a GUI:
We then load our live directory.
Note: in an investigation you would load the offline hive.
We should then see the following:
So here we have 837 instances of shellbags, including:
-4 drives (C, D, E and F)
-700 artefacts
amongst other things.
Now let's say, as an investigator, we were informed that the suspect had videos of interest. Navigating to this in the GUI shows the difference between using the program and simply looking at a logical level:
Here we have proof that the folder labelled "Secret Info" has been deleted. This folder had to be accessed for it to be deleted.
We export this to CSV format so we can analyse it further in Excel.
Since we know the name, we can search for our folder. Interestingly, we can now see the MFT entry. This will allow us to easily navigate the MFT and find even more information about the folder.