Difference between pages "Past Selected Articles" and "Shell Item"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
''Archived past selected research articles''
+
The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A
<small>2008-Oct-18</small>
+
Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item
; [http://www.cs.umass.edu/~miklau/pubs/sigmod2007LMS/stahlberg07forensicDB.pdf Threats to Privacy in the Forensic Analysis of Database Systems]
+
is undocumented and varies between Windows versions.
:Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine
+
:Proceedings of the 2007 ACM SIGMOD international conference on Management of data table of contents
+
Beijing, China.
+
This paper looks at residual data left behind in databases after DELETE, UPDATE, and VACUUM operations. The authors show that residual data is a real issue in databases, and that it's pretty easy to modify a database so that no residual data is left behind. MySQL with MyISM tables has clean delete, but InnoDB does not. Very much worth reading.
+
  
<small>2008-Aug-13</small>
+
The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] file and the ShellBags key in the [[Windows Registry]].
; [http://www.usenix.org/events/sec08/tech/halderman.html Lest We Remember: Cold Boot Attacks on Encryption Keys]
+
:J. Alex Halderman, Princeton University; Seth D. Schoen, Electronic Frontier Foundation; Nadia Heninger and William Clarkson, Princeton University; William Paul, Wind River Systems; Joseph A. Calandrino and Ariel J. Feldman, Princeton University; Jacob Appelbaum; Edward W. Felten, Princeton University
+
:[http://www.usenix.org/events/sec08/ USENIX Security '08 Refereed Paper]
+
:Awarded Best Student Paper
+
  
:Increasingly memory analysis is of interest in forensic research---both because new malware only resides in memory, and because memory analysis is frequently the only way for analysts to get the keys that are used to protect cryptographic file systems. In this paper the authors show that cryptographic keys in memory are vulnerable to exploitation ''after the computer is turned off.'' The authors show that the contents of dynamic RAM are retained seconds, and sometimes minutes, after power is turned off. By chilling the memory the data can be retained as long as necessary. And while most laptops wipe their memory when they reboot, the authors show that the chilled memory can be moved from one laptop that wipes to another laptop that does not wipe. Finally, the authors show that it is possible to find the cryptographic keys in memory and correct random bit errors by using the AES key schedule as an error-correction code. The authors demonstrate an attack USB stick which reboots a computer protected with BitLocker, finds the cryptographic keys, and then allows access to the cleartext information on the disk.
+
== Format ==
  
<small>2008-July-27</small>
+
The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
The [http://cups.cs.cmu.edu/soups/2008  Symposium on Usable Privacy and Security (2008)] concluded this past week in Pittsburgh, PA. One paper that appeared which is interesting to the network forensics crowd is [http://cups.cs.cmu.edu/soups/2008/proceedings/p107Werlinger.pdf The Challenges of Using an Intrusion Detection System: Is It Worth the Effort?], by Rodrigo Werlinger, Kirstie Hawkey, Kasia Muldner, Pooya Jaferian and Konstantin Beznosov. [http://cups.cs.cmu.edu/soups/2008/slides/hawkey_soups.ppt slides]
+
  
In this article, the authors conducted interviews with 9 IT security practitioners who have worked with IDSs performed ethnographic observations within an organization that was deploying a new IDS. They found that security practitioners were heavily divided on the value of the IDS, and learned that the an IDS really only generates value if the network is well-understood before the IDS is deployed.
+
There are multiple types of entries to specify different parts of the "path":
 +
* volume
 +
* network share
 +
* file and directory
 +
* URI
  
<small>2008-July-20</small>
+
Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].
The [http://www.utica.edu/academic/institutes/ecii/ijde/ International Journal of Digital Evidence] is one of two publications by the [http://www.utica.edu/academic/institutes/ecii/ Electronic Crime Institute (ECI)] at Utica College. Current and previous issues are available online.  
+
  
The current Fall 2007 issue has an interesting article [http://www.utica.edu/academic/institutes/ecii/publications/articles/1C33DF76-D8D3-EFF5-47AE3681FD948D68.pdf Mobile Phone Forensics Tool Testing: A Database Drive Approach] by Baggili, Mislan, and Rogers at Purdue University. Given that phones are increasingly a primary source of forensic information in many cases, we need to be sure that the tools that are used for forensic analysis present data that is accurate and repeatable. Unfortunately they frequently aren't because of there are so many different kinds of phones on the market and the forensic tools lag far behind the market.
+
== Example ==
 +
An example of a shell item list taken from '''Calculator.lnk'''
  
<bibtex>
+
<pre>
@article{title="Mobile Phone Forensics Tool Testing: A Database Driven Approach",
+
shell item type                    : 0x1f
author="Ibrahim M. Baggili and Richard Mislan and Marcus Rogers",
+
shell item flags                    : 0x50
journal="International Journal of Digital Evidence",
+
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
year=2007,
+
shell item folder name              : My Computer
volume=6,
+
issue=2,
+
url="http://www.utica.edu/academic/institutes/ecii/publications/articles/1C33DF76-D8D3-EFF5-47AE3681FD948D68.pdf",
+
abstract="The Daubert process used in the admissibility of evidence contains major guidelines
+
applied in assessing forensic procedures, two of which are testing and error rates. The
+
Digital Forensic Science (DFS) community is growing and the error rates for the forensic
+
tools need to be continuously re-evaluated as the technology changes. This becomes
+
more difficult in the case of mobile phone forensics, because they are proprietary. This
+
paper discusses a database driven approach that could be used to store data about the
+
mobile phone evidence acquisition testing process. This data can then be used to
+
calculate tool error rates, which can be published and used to validate or invalidate the
+
mobile phone acquisition tools. "
+
}
+
</bibtex>
+
  
 +
shell item type                    : 0x2f
 +
shell item volume name              : C:\
  
<small>2008-July-12</small>
+
shell item type                    : 0x31
 +
shell item flags                    : 0x00
 +
shell item file size                : 0
 +
shell item modification time        : Dec 31, 2010 13:28:48 UTC
 +
shell item file attribute flags    : 0x0010
 +
        Is directory (FILE_ATTRIBUTE_DIRECTORY)
  
<bibtex>
+
shell item short name              : WINDOWS
@article{
+
shell item extension size          : 38
  misc="",
+
shell item extension version        : 3
  publisher="DFRWS 2008",
+
shell item creation time            : Dec 31, 2010 13:26:18 UTC
  author="Anandabrata Pal and Taha Sencar and Nasir Memon",
+
shell item access time              : Dec 31, 2010 13:28:52 UTC
  title="Detecting File Fragmentation Point Using Sequential Hypothesis Testing",
+
shell item long name                : WINDOWS
  year=2008,
+
  abstract="Abstract—File carving is a technique whereby data files are
+
extracted from a digital device without the assistance of file
+
tables or other disk meta-data. One of the primary challenges in
+
file carving can be found in attempting to recover files that are
+
fragmented. In this paper, we show how detecting the point of
+
fragmentation of a file can benefit fragmented file recovery. We
+
then present a sequential hypothesis testing procedure to identify
+
the fragmentation point of a file by sequentially comparing
+
adjacent pairs of blocks from the starting block of a file until
+
the fragmentation point is reached. By utilizing serial analysis we
+
are able to to minimize the errors in detecting the fragmentation
+
points. The performance results obtained from the fragmented
+
test-sets of DFRWS 2006 and 2007 show that the method can be
+
effectively used in recovery of fragmented files.
+
clear that recovery of fragmented files is a critical problem in
+
forensics. ",
+
  url="http://www.digital-assembly.com/technology/research/pubs/dfrws2008.pdf"
+
}
+
</bibtex>
+
  
This DFRWS 2008 article presents an improved approach for carving fragmented JPEGs using sequential hypothesis testing. According to the authors, "The technique begins with a header block identifying the start of a file and then attempts to validate via SHT each subsequent block following the header block. The fragmentation point is identified when SHT identifies a block as not belonging to the file. By utilizing this technique, we are able to correctly and efficiently recover JPEG images from the DFRWS 2006 [1] and 2007 [2] test sets even in the presence of tens of thousands of blocks and files fragmented into 3 or more parts. The bifragment gap carving technique enhanced with SHT allows us to improve the performance result of DFRWS 2006 challenge test-sets,
+
shell item type                    : 0x31
although the technique cannot be used for DFRWS 2007. We then show how Parallel Unique Path enhanced with SHT is able to recover all fragmented JPEGs from DFRWS 2006 and all recoverable JPEGs from 2007 challenge test-sets. As far as we are aware, no other automated technique can recover multi-fragmented JPEGs from the DFRWS 2007 test set."
+
shell item flags                    : 0x00
 +
shell item file size                : 0
 +
shell item modification time        : Dec 31, 2010 13:28:38 UTC
 +
shell item file attribute flags    : 0x0010
 +
        Is directory (FILE_ATTRIBUTE_DIRECTORY)
  
 +
shell item short name              : system32
 +
shell item extension size          : 40
 +
shell item extension version        : 3
 +
shell item creation time            : Dec 31, 2010 13:26:18 UTC
 +
shell item access time              : Dec 31, 2010 13:28:38 UTC
 +
shell item long name                : system32
  
 +
shell item type                    : 0x32
 +
shell item flags                    : 0x00
 +
shell item file size                : 115712
 +
shell item modification time        : Mar 25, 2003 12:00:00 UTC
 +
shell item file attribute flags    : 0x0020
 +
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)
  
 +
shell item short name              : calc.exe
 +
shell item extension size          : 40
 +
shell item extension version        : 3
 +
shell item creation time            : Dec 31, 2010 13:06:06 UTC
 +
shell item access time              : Dec 31, 2010 13:06:06 UTC
 +
shell item long name                : calc.exe
 +
</pre>
  
 +
== External Links ==
  
<small>2008-July-5</small>
+
* [http://downloads.sourceforge.net/project/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf Windows Shell Item format (work in progress)]
  
<bibtex>
+
[[Category:Data Formats]]
@article{
+
  publisher="Taylor & Francis",
+
  journal="Journal of Digital Forensic Practice", 
+
  author="Yoginder Singh Dandass and Nathan Joseph Necaise and Sherry Reede Thomas",
+
  title="An Empirical Analysis of Disk Sector Hashes for Data Carving",
+
  year=2008,
+
  volume=2,
+
  issue=2,
+
  pages="95--106",
+
  abstract="Discovering known illicit material on digital storage devices is an important component of a digital forensic investigation. Using existing data carving techniques and tools, it is typically difficult to recover remaining fragments of deleted illicit files whose file system metadata and file headers have been overwritten by newer files. In such cases, a sector-based scan can be used to locate those sectors whose content matches those of sectors from known illicit files. However, brute-force sector-by-sector comparison is prohibitive in terms of time required. Techniques that compute and compare hash-based signatures of sectors in order to filter out those sectors that do not produce the same signatures as sectors from known illicit files are required for accelerating the process.
+
 
+
This article reports the results of a case study in which the hashes for over 528 million sectors extracted from over 433,000 files of different types were analyzed. The hashes were computed using SHA1, MD5, CRC64, and CRC32 algorithms and hash collisions of sectors from JPEG and WAV files to other sectors were recorded. The analysis of the results shows that although MD5 and SHA1 produce no false-positive indications, the occurrence of false positives is relatively low for CRC32 and especially CRC64. Furthermore, the CRC-based algorithms produce considerably smaller hashes than SHA1 and MD5, thereby requiring smaller storage capacities. CRC64 provides a good compromise between number of collisions and storage capacity required for practical implementations of sector-scanning forensic tools.",
+
  url="http://www.informaworld.com/10.1080/15567280802050436"
+
}
+
</bibtex>
+
 
+
Authors Dandass ''et. al'' analyzed 528 million sectors from 433,630 unique files. They computed the CRC32, CRC64, MD5 and SHA-1 of each sector. Not surprisingly, they find that the MD5 and SHA-1s of the sectors are different if the sectors are different. They find 94 CRC64 collisions and 30 million CRC32 collisions. The conclusion is that, if you are search for a single sector or building a database of single sector hashes, you are better off building a database of CRC64s because they are easier to store and dramatically faster to calculate than the traditional hash functions, and they are nearly as accurate.
+

Revision as of 03:14, 12 January 2011

The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in Windows Shortcut (LNK) file and the ShellBags key in the Windows Registry.

Format

The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.

Example

An example of a shell item list taken from Calculator.lnk

shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe

External Links