Difference between pages "Forensic 408-Windows in Depth" and "Shell Item"

From ForensicsWiki
== Forensic 408-Windows in Depth ==

FOR408: COMPUTER FORENSIC INVESTIGATIONS - WINDOWS IN-DEPTH focuses on the critical knowledge of the Windows operating system that every digital forensic analyst needs to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation.

This course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 8 and Server 2012), you will learn about well-known computer forensic tools such as AccessData's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that students can take with them.

'''COMPUTER FORENSIC INVESTIGATIONS - WINDOWS IN-DEPTH COURSE TOPICS'''

* Windows File System Foundations
* Evidence Acquisition Tools and Techniques
* Law Enforcement Bag and Tag
* Evidence Integrity
* Registry Forensics

'''Windows Artifact Analysis'''

* Facebook, Gmail, Hotmail, Yahoo Chat and Webmail Analysis
* E-Mail Forensics (Host, Server, Web)
* Microsoft Office Document Analysis
* Windows Link File Investigation
* Windows Recycle Bin Analysis
* File and Picture Metadata Tracking and Examination
* Prefetch Analysis
* Event Log File Analysis
* Firefox, Chrome, and Internet Explorer Browser Forensics
* Deleted File Recovery
* String Searching and Data Carving
* Examination of Cases involving Windows XP, Vista, Windows 7, and Windows 8

'''Media Analysis And Exploitation involving:'''

* Tracking user communications using a Windows PC (e-mail, chat, IM, webmail)
* Identifying if and how the suspect downloaded a specific file to the PC
* Determining the exact time and number of times a suspect executed a program
* Showing when any file was first and last opened by a suspect
* Determining if a suspect had knowledge of a specific file
* Showing the exact physical location of the system
* Tracking and analysis of USB devices
* Showing how the suspect logged on to the machine via the console, RDP, or network
* Recovering and examining browser artifacts, even those used in private browsing mode
* Forensic Analysis Report Writing

Fully updated to include Windows 8 and Server 2012 examinations.

== Shell Item ==

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path", and each item is unique only within its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys of the [[Windows Registry]].

=== Format ===

The basic format is a list of shell item entries, each consisting of an entry size field followed by the entry data.

There are multiple types of entries, each specifying a different part of the "path":

* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

=== Example ===

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>

=== See Also ===

* [[Jump Lists]]
* [[LNK]]

=== External Links ===

* [http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx MSDN: Introduction to the Shell Namespace (Windows)]
* [http://netez.com/2xExplorer/shellFAQ/bg_shell.html Fundamental Shell Concepts]
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[liblnk|liblnk project]], July 2010 (work in progress)
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012

[[Category:Data Formats]]
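The list walk that the Format section describes, as an added example that is not code from ForensicsWiki or from the liblnk project: it builds a constructed byte string reproducing the Calculator.lnk entries above, then walks the list by its size fields to recover the path, attributes and timestamps. The byte layout of the file entry and of the version-3 0xbeef0004 extension block, the 16-bit alignment padding of the short name and the 2-byte trailer value are this example's assumptions, and the function names are hypothetical.

```python
import struct, uuid
from datetime import datetime as T

def fat_time(raw):  # 4-byte FAT date/time: 16-bit date then 16-bit time, 2-second resolution
    d, t = struct.unpack("<HH", raw)
    return T(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F, t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def to_fat(dt):  # inverse of fat_time, used only to build the constructed sample below
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | dt.second // 2)
def entry(body):  # the 16-bit size field counts itself; a size of 0 terminates the list
    return struct.pack("<H", len(body) + 2) + body
def file_entry(kind, name, fsize, mtime, attrs, ctime, atime):  # constructed 0x31/0x32 entry
    primary = name.encode() + b"\0"
    primary += b"\0" * ((14 + len(primary)) % 2)  # assumed: short name padded to 16-bit alignment
    ext = (struct.pack("<HI", 3, 0xBEEF0004) + to_fat(ctime) + to_fat(atime)  # assumed version-3 layout
           + struct.pack("<HH", 0x14, 0) + name.encode("utf-16-le") + b"\0\0")
    ext = struct.pack("<H", len(ext) + 4) + ext + struct.pack("<H", 14 + len(primary))  # size ... trailer
    return entry(bytes([kind, 0]) + struct.pack("<I", fsize) + to_fat(mtime) + struct.pack("<H", attrs) + primary + ext)

def parse_shell_items(blob):  # walk the list by its size fields and decode the entry types seen above
    items, pos = [], 0
    while (size := struct.unpack_from("<H", blob, pos)[0]) != 0:
        e, pos = blob[pos + 2:pos + size], pos + size
        item = {"type": e[0]}  # class type indicator
        if e[0] == 0x1F:  # root folder: sort index, then the folder GUID (the page's GUID is My Computer)
            item["name"] = {"20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer"}.get(str(uuid.UUID(bytes_le=e[2:18])), "?")
        elif e[0] == 0x2F:  # volume: ASCII name, null-terminated
            item["name"] = e[1:].split(b"\0", 1)[0].decode().rstrip("\\")
        elif e[0] & 0x70 == 0x30:  # file entry: 0x31 directory, 0x32 file
            item["size"], item["mtime"] = struct.unpack_from("<I", e, 2)[0], fat_time(e[6:10])
            item["attrs"], item["name"] = struct.unpack_from("<H", e, 10)[0], e[12:].split(b"\0", 1)[0].decode()
            off = 13 + len(item["name"]); off += off % 2  # skip the short name and its alignment padding
            esize, ver, sig = struct.unpack_from("<HHI", e, off)
            if sig == 0xBEEF0004 and ver == 3:  # extension block: creation/access times and long name
                item["ext_size"], item["ctime"], item["atime"] = esize, fat_time(e[off + 8:off + 12]), fat_time(e[off + 12:off + 16])
                item["name"] = e[off + 20:off + esize - 2].decode("utf-16-le").rstrip("\0")
        items.append(item)
    return items

def path_of(blob):  # join the entry names into the path the list encodes
    return "\\".join(i["name"] for i in parse_shell_items(blob))

SAMPLE = (entry(bytes([0x1F, 0x50]) + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le)  # constructed
          + entry(b"\x2fC:\\\0")
          + file_entry(0x31, "WINDOWS", 0, T(2010, 12, 31, 13, 28, 48), 0x10, T(2010, 12, 31, 13, 26, 18), T(2010, 12, 31, 13, 28, 52))
          + file_entry(0x31, "system32", 0, T(2010, 12, 31, 13, 28, 38), 0x10, T(2010, 12, 31, 13, 26, 18), T(2010, 12, 31, 13, 28, 38))
          + file_entry(0x32, "calc.exe", 115712, T(2003, 3, 25, 12, 0, 0), 0x20, T(2010, 12, 31, 13, 6, 6), T(2010, 12, 31, 13, 6, 6))
          + b"\0\0")
```

`path_of(SAMPLE)` returns `My Computer\C:\WINDOWS\system32\calc.exe`, and the extension sizes the parser reports (38, 40, 40) match the listing above; a real ID list extracted from an LNK file or ShellBags value can be passed in place of the constructed bytes.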

Revision as of 03:57, 22 June 2013
