Comments on Windows Incident Response: ShellBag Analysis
(comment feed, newest first; timestamps are UTC-05:00; feed last updated 2024-03-19)

H. Carvey, 2013-07-12 18:14

Ethan,

First, thanks for the comment.

To Saad's comment, I just verified today that sbag64 v0.30 still misses some types of shell items, and when it hits those, it doesn't traverse the tree.

"...never hurts to run pertinent items like Shellbags against multiple tools to validate the results.."

I have a bit of an issue with using one tool to validate another...what if both are wrong, in the same way? What if both miss things, but different things?

I think that this form of tool validation is a myth-odology, one of those myths of DFIR work that is passed down so many times that it's assumed to be true...

Thanks again!

Ethan Fleisher, 2013-07-12 14:48

Despite the fact that I'm commenting a bit late on this, I read this post again today before starting to do some Windows 8 research into shellbags.

I am mainly commenting towards Saad,

"On the tool side, I exclusively use TZWorks Shellbag Parser (sbag) which has worked reliably for me so far."

Although it has been extremely reliable, and maybe to date you have changed your technique, it never hurts to run pertinent items like Shellbags against multiple tools to validate the results. One script's output may be incorrect, after all.

Harlan,

A small side note, but your second summary sentence seems to be incomplete. Not a big concern considering, just thought I'd point it out since I noticed!

H. Carvey, 2012-09-03 10:09

Saad,

Thanks for the comment.

I didn't write my own plugin in order to be different...I did so in order to better understand the nature of the structures, and in doing so I found out that there can be considerably more information available than what is provided by most tools.

Also, this allows me to rewrite the output of the plugin in order to more easily add it to a timeline, which has been extremely valuable just in the few times I've done that so far...

Saad Kadhi (http://www.upbeat.fr/), 2012-09-03 10:06

Thank you for this excellent blog post Harlan.

When I incorporated Windows Shellbags into my forensics routine some time ago, this helped quite a lot and even confirmed some hypotheses that were made about "cold cases". On the tool side, I exclusively use TZWorks Shellbag Parser (sbag) which has worked reliably for me so far.

Saad.

Happy Monkey, 2012-08-19 22:46

One of my favourite uses for shellbags is to show the contents of encrypted volumes to which we don't have access. Being able to see the last-accessed times and matching the drive letter up with a mounted Truecrypt volume from elsewhere in the registry has provided some extremely compelling evidence on a number of occasions.

There's a handy tool called Windows Registry Analyzer floating around that does a pretty HTML report of shellbags. It was bought up by Paraben and withdrawn from the author's site, but if you can get hold of it it's another useful tool in the armoury.

H. Carvey, 2012-08-17 06:21

Yogesh,

I'd love to hear your thoughts on this. I'm sure that the analysis could also be used across multiple LNK files in a similar fashion, particularly those that are in the same path.

Thanks.

Yogesh Khatri (www.swiftforensics.com), 2012-08-17 01:52

Its most useful feature is getting details about accessed files/folders on networks (\\xx.xx.xx.xx\C$\...) and removable drives.

On the analysis side, one area where I haven't seen any research is the possible usefulness of the multiple timestamps in each entry. There is a timestamp for every folder leading up to the file. I believe there may be some useful insight gained by gathering all such timestamps for a single folder and comparing them.

Yogesh
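Yogesh's observation above (each entry carries a modification timestamp for every folder along the path) and Harlan's follow-up that the same comparison works across LNK files sharing a path, as an added example that is not part of the original post or any commenter's code: the Python below parses a run of file-entry shell items (the ItemIDList layout found in an LNK target; under BagMRU the same items are stored one per registry key along the path, so walking the keys yields the same sequence) and groups the folder timestamps by path across several lists. The field layout follows the documented file-entry shell item structure (class type 0x31 directory / 0x32 file, FAT date and time, 0xBEEF0004 extension block; only the version-3 long-name placement is handled, other versions fall back to the 8.3 name). The two sample item lists are constructed here, not real evidence.

```python
"""Added example (not from the blog post or any commenter): parse file-entry
shell items and compare the per-folder modification timestamps recorded
along the path across several item lists that share a prefix.
Layout per the documented file-entry shell item format; the 0xBEEF0004
extension block is parsed with the version-3 long-name offset only.
The sample item lists are constructed here for illustration."""
import struct
from datetime import datetime

EXT_SIG = 0xBEEF0004


def fat_to_datetime(date, time):
    """Decode a 16-bit FAT date and 16-bit FAT time (2-second resolution, local time)."""
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def datetime_to_fat(dt):
    """Inverse of fat_to_datetime; used only to build the constructed sample."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def build_item(name, mtime, ctime, atime, is_dir, file_size=0):
    """Build one file-entry shell item carrying a version-3 0xBEEF0004 block."""
    short = name.encode("ascii") + b"\0"
    if len(short) % 2:                     # keep the extension block 16-bit aligned
        short += b"\0"
    long_name = name.encode("utf-16-le") + b"\0\0"
    ext = struct.pack("<HHIHHHHH", 18 + len(long_name) + 2, 3, EXT_SIG,
                      *datetime_to_fat(ctime), *datetime_to_fat(atime), 0x14)
    ext += long_name + struct.pack("<H", 0)  # trailing version-offset field, unused here
    header = struct.pack("<HBBIHHH", 14 + len(short) + len(ext), 0x31 if is_dir else 0x32,
                         0, file_size, *datetime_to_fat(mtime), 0x10 if is_dir else 0x20)
    return header + short + ext


def parse_item(buf, offset=0):
    """Parse one shell item at offset; returns (fields, offset of the next item)."""
    size, kind, _, file_size, md, mt, _attrs = struct.unpack_from("<HBBIHHH", buf, offset)
    if (kind & 0x70) != 0x30:
        raise ValueError("not a file-entry shell item: class type 0x%02x" % kind)
    end = buf.index(b"\0", offset + 14)
    name = buf[offset + 14:end].decode("ascii")
    pos = end + 1 + ((end + 1 - offset) % 2)  # skip the alignment pad byte if present
    ctime = atime = None
    if pos + 18 <= offset + size:
        _, version, sig, cd, ct, ad, at, _ = struct.unpack_from("<HHIHHHHH", buf, pos)
        if sig == EXT_SIG:
            ctime, atime = fat_to_datetime(cd, ct), fat_to_datetime(ad, at)
            if version == 3:               # long name sits right after the fixed fields
                s = e = pos + 18
                while e < offset + size and buf[e:e + 2] != b"\0\0":
                    e += 2
                name = buf[s:e].decode("utf-16-le")
    return ({"name": name, "is_dir": bool(kind & 0x01), "size": file_size,
             "mtime": fat_to_datetime(md, mt), "ctime": ctime, "atime": atime},
            offset + size)


def parse_item_list(buf):
    """Parse items back to back until the 2-byte zero terminator (LNK ItemIDList style)."""
    items, pos = [], 0
    while pos + 2 <= len(buf) and struct.unpack_from("<H", buf, pos)[0] != 0:
        item, pos = parse_item(buf, pos)
        items.append(item)
    return items


def folder_timestamps(item_lists):
    """Map each folder path to the distinct modification times recorded for it."""
    seen = {}
    for items in item_lists:
        path = []
        for item in items:
            path.append(item["name"])
            if item["is_dir"]:
                seen.setdefault("\\".join(path), set()).add(item["mtime"])
    return {p: sorted(ts) for p, ts in seen.items()}


def changed_folders(item_lists):
    """Folders recorded with more than one mtime changed between the moments the
    different entries were written, which bounds when that change happened."""
    return {p: ts for p, ts in folder_timestamps(item_lists).items() if len(ts) > 1}


def sample_lists():
    """Two constructed lists sharing the Users\\Bob\\Docs prefix (not real evidence)."""
    d = datetime
    a = (build_item("Users", d(2012, 3, 1, 10), d(2011, 6, 1, 8), d(2012, 3, 1, 10), True)
         + build_item("Bob", d(2012, 3, 5, 9, 30), d(2011, 6, 2, 9), d(2012, 3, 5, 9, 30), True)
         + build_item("Docs", d(2012, 3, 10, 14), d(2012, 1, 4, 11), d(2012, 3, 10, 14), True)
         + build_item("report.docx", d(2012, 3, 10, 14), d(2012, 3, 10, 13, 50),
                      d(2012, 3, 10, 14), False, 40960) + b"\0\0")
    b = (build_item("Users", d(2012, 3, 1, 10), d(2011, 6, 1, 8), d(2012, 4, 2, 8), True)
         + build_item("Bob", d(2012, 3, 5, 9, 30), d(2011, 6, 2, 9), d(2012, 4, 2, 8), True)
         + build_item("Docs", d(2012, 4, 2, 8, 15), d(2012, 1, 4, 11), d(2012, 4, 2, 8, 15), True)
         + build_item("notes.txt", d(2012, 4, 2, 8, 15), d(2012, 4, 2, 8, 15),
                      d(2012, 4, 2, 8, 15), False, 512) + b"\0\0")
    return a, b


if __name__ == "__main__":
    for path, times in changed_folders([parse_item_list(x) for x in sample_lists()]).items():
        print(path, [t.isoformat() for t in times])
```

With the constructed data, Users and Users\Bob carry the same modification time in both lists, while Users\Bob\Docs is seen at 2012-03-10 14:00 in one entry and 2012-04-02 08:15 in the other, so the folder changed between the two visits. Two caveats when running this over real BagMRU keys or LNK targets: FAT timestamps have 2-second resolution and are recorded in local time, and items whose extension block is not version 3 come back with their 8.3 short name, so paths must be normalised before grouping.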