Difference between pages "Tools:File Analysis" and "Shell Item"

From Forensics Wiki

m (moved Pasco, Galleta, Rifiuti to Open Source Tools (marked them as non-GPL).)

Tools:File Analysis

== Image Analysis ==

; [[SurfRecon LE rapid image analysis tool]] by SurfRecon, Inc.
: http://www.surfrecon.com

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file from its contents, not from its extension or filename. To do that, it uses a magic configuration file that identifies file types.

; [[ldd]]
: Lists the dynamic dependencies of executable files.

; [[truss]]
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends its output to stderr.
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss

; [[ltrace]]
: Library call tracer.
: http://linux.die.net/man/1/ltrace

; [[strace]]
: System call tracer.
: http://sourceforge.net/projects/strace/

; [[xtrace]]
: eXtended trace utility, similar to strace, ptrace and truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping the call stack and more.
: http://sourceforge.net/projects/xtrace/

; [[ktrace]]
: Enables kernel process tracing on OpenBSD.
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

; [[Valgrind]]
: Executes a program under emulation, performing analysis according to one of the many plug-in modules. You can also write your own plug-in module.
: http://valgrind.org/

; [[DTrace]]
: Comprehensive dynamic tracing framework for Solaris (also ported to Mac OS X as XRays, and to FreeBSD). DTrace provides a powerful infrastructure for investigating the behavior of the operating system and user programs.
: http://www.sun.com/bigadmin/content/dtrace/

; [[strings]]
: Prints the strings of printable characters found in files. It allows choosing different character sets (ASCII, Unicode). It is a quick way to browse through files, partitions, etc. looking for words, filenames, keywords and so on.

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[Rifiuti]] (not GPL)
: Examines the INFO2 file in the Recycle Bin.
: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm

; [[Pasco]] (not GPL)
: Parses ''index.dat'' files.
: http://www.foundstone.com/us/resources/proddesc/pasco.htm

; [[Galleta]] (not GPL)
: Parses cookie files.
: http://www.foundstone.com/us/resources/proddesc/galleta.htm

; dumpster_dive.pl
: MS Windows Recycle Bin INFO2 parser.
: http://jafat.sourceforge.net/files.html

; cookie_cruncher.pl
: MS IE cookie file parser.
: http://jafat.sourceforge.net/files.html

; [[yim2text]]
: Extracts the 'encrypted' information in Yahoo Instant Messenger log files.
: http://www.1vs0.com/tools.html

; [[Hachoir]]
: Determines the file type from the file header/footer (hachoir-metadata --type), can list strings in Unicode (hachoir-grep), etc. Supports more than 60 file formats.

; [[Cygwin]]
: http://www.cygwin.com/
: Linux-like environment for Windows.

; [[UnxUtils]]
: http://unxutils.sourceforge.net/
: Common Unix utilities compiled for a Windows environment.

; [[GnuWin32]]
: http://gnuwin32.sourceforge.net/
: Common GNU utilities compiled for a Windows environment.

; [[SUA]]
: http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
: Microsoft Subsystem for UNIX-based Applications.

== File Sharing Analysis Tools ==

; [[P2PMarshal|P2P Marshal]]
: Tools to discover and analyze peer-to-peer files for Windows.

== [[NDA]] and [[scoped distribution]] tools ==

Shell Item

Revision as of 03:14, 12 January 2011

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys in the [[Windows Registry]].

== Format ==

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>

== External Links ==

* [http://downloads.sourceforge.net/project/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf Windows Shell Item format (work in progress)]

[[Category:Data Formats]]
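The size-prefixed list structure described in the Format section, and the root folder, volume and file entry types shown in the Calculator.lnk dump, can be walked with a small parser. The following is an added example, not code from Forensics Wiki or from liblnk: it constructs a shell item list that mirrors the dump above (the bytes are synthetic, built from the values in the dump), then parses it back. The byte layouts assumed here (a 16-bit little-endian size that includes itself, a zero size as the list terminator, a type byte at offset 2, the folder GUID at offset 4 of a 0x1f item, a name string at offset 3 of a 0x2f item, and file size / FAT date-time / attribute flags / primary name at offsets 4, 8, 12 and 14 of a 0x3x item) follow the liblnk "Windows Shell Item format" document linked on the page and are assumptions, as is the date-word-then-time-word byte order of the FAT timestamp. The extension block that carries the creation time, access time and long name is skipped, not parsed.

```python
"""Parse a Windows shell item list (added example; layouts assumed per liblnk docs)."""
import struct
import uuid
from datetime import datetime, timezone

FILE_ATTRIBUTE_DIRECTORY = 0x0010
FILE_ATTRIBUTE_ARCHIVE = 0x0020
MY_COMPUTER = "20d04fe0-3aea-1069-a2d8-08002b30309d"   # folder identifier from the dump
KNOWN_FOLDERS = {MY_COMPUTER: "My Computer"}


def fat_datetime(raw: bytes):
    """Decode a 4-byte FAT date/time; assumed stored as date word then time word (LE).
    Returns None for values that are not a valid date (a corrupt or zeroed field)."""
    date, time = struct.unpack("<HH", raw)
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2,
                        tzinfo=timezone.utc)
    except ValueError:
        return None


def read_cstring(data: bytes, unicode: bool) -> str:
    """Read a NUL-terminated name; UTF-16LE if the item's Unicode flag is set, else
    a single-byte string (real files use the system code page; ASCII assumed here)."""
    if unicode:
        for i in range(0, len(data) - 1, 2):
            if data[i:i + 2] == b"\x00\x00":
                return data[:i].decode("utf-16-le", "replace")
        return data.decode("utf-16-le", "replace")
    end = data.find(b"\x00")
    return data[:end if end >= 0 else len(data)].decode("ascii", "replace")


def parse_shell_item(entry: bytes) -> dict:
    """Decode one entry's data (everything after the 2-byte size field)."""
    item_type = entry[0]
    item = {"type": item_type}
    if item_type == 0x1F:                          # root folder: flags byte + shell folder GUID
        if len(entry) < 18:
            raise ValueError("root folder item too short")
        item["flags"] = entry[1]
        item["folder_identifier"] = str(uuid.UUID(bytes_le=entry[2:18]))
    elif item_type & 0x70 == 0x20:                 # volume (0x2f in the dump): name string
        item["volume_name"] = read_cstring(entry[1:], unicode=False)
    elif item_type & 0x70 == 0x30:                 # file entry: 0x31 directory, 0x32 file
        if len(entry) < 13:
            raise ValueError("file entry item too short")
        item["flags"] = entry[1]
        item["file_size"], = struct.unpack_from("<I", entry, 2)
        item["modification_time"] = fat_datetime(entry[6:10])
        item["file_attribute_flags"], = struct.unpack_from("<H", entry, 10)
        item["is_directory"] = bool(item["file_attribute_flags"] & FILE_ATTRIBUTE_DIRECTORY)
        item["short_name"] = read_cstring(entry[12:], unicode=bool(item_type & 0x04))
    else:                                          # network share, URI, ...: left undecoded
        item["data"] = entry[1:]
    return item


def parse_shell_item_list(data: bytes) -> list:
    """Walk the size-prefixed list until the zero-size terminator, refusing sizes
    that run past the buffer (the failure mode a malformed LNK would trigger)."""
    items, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("shell item list is not terminated")
        size, = struct.unpack_from("<H", data, offset)
        if size == 0:
            return items
        if size < 3 or offset + size > len(data):
            raise ValueError(f"bad shell item size {size} at offset {offset}")
        items.append(parse_shell_item(data[offset + 2:offset + size]))
        offset += size


def shell_item_path(items: list) -> str:
    """Join the decoded entries into the path they describe."""
    parts = []
    for item in items:
        if "folder_identifier" in item:
            parts.append(KNOWN_FOLDERS.get(item["folder_identifier"], "{%s}" % item["folder_identifier"]))
        elif "volume_name" in item:
            parts.append(item["volume_name"].rstrip("\\"))
        elif "short_name" in item:
            parts.append(item["short_name"])
    return "\\".join(parts)


# --- constructed sample list mirroring the Calculator.lnk dump (synthetic bytes) ---
def _item(item_type: int, body: bytes) -> bytes:
    return struct.pack("<HB", 3 + len(body), item_type) + body


def _fat(y, mo, d, h, mi, s) -> bytes:
    return struct.pack("<HH", ((y - 1980) << 9) | (mo << 5) | d, (h << 11) | (mi << 5) | (s // 2))


def _file_entry(item_type, size, fat, attrs, name: bytes) -> bytes:
    return _item(item_type, b"\x00" + struct.pack("<I", size) + fat + struct.pack("<H", attrs) + name + b"\x00")


SAMPLE_LIST = (
    _item(0x1F, b"\x50" + uuid.UUID(MY_COMPUTER).bytes_le)
    + _item(0x2F, b"C:\\\x00")
    + _file_entry(0x31, 0, _fat(2010, 12, 31, 13, 28, 48), FILE_ATTRIBUTE_DIRECTORY, b"WINDOWS")
    + _file_entry(0x31, 0, _fat(2010, 12, 31, 13, 28, 38), FILE_ATTRIBUTE_DIRECTORY, b"system32")
    + _file_entry(0x32, 115712, _fat(2003, 3, 25, 12, 0, 0), FILE_ATTRIBUTE_ARCHIVE, b"calc.exe")
    + b"\x00\x00"                                  # terminator
)

if __name__ == "__main__":
    parsed = parse_shell_item_list(SAMPLE_LIST)
    for entry in parsed:
        print(entry)
    print(shell_item_path(parsed))
```

Only the modification time is recovered this way; the creation and access times in the dump live in the extension block after the primary name, so a timeline built from this parser alone would miss them.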