Difference between pages "Cellebrite UFED" and "Shell Item"

From ForensicsWiki
Cellebrite UFED

The Cellebrite 'Universal Forensic Extraction Device', or UFED, is a unique and very cost-effective mobile phone, smartphone, and PDA forensic device that is completely stand-alone.

As of February 2009, the UFED is compatible with 1,888 mobile phones (including GSM, TDMA, CDMA, iDEN), with the standard package containing 72 different phone cables. The UFED has an integrated SIM reader, and wireless connection options such as IR and Bluetooth are also integrated.

The UFED also supports native Apple iPod Touch and Apple iPhone extraction on both 2G and 3G versions. This is clientless, works via a physical cable, and works on jailbroken and non-jailbroken devices.

Subject data can be retrieved via logical extraction or via physical extraction (i.e. hex dump), with MD5 and SHA-256 hashing of the results. Moreover, all cable connectors on the subject (source) side act as a write-blocker, being read-only via the onboard hardware chipset. Extracted data includes:

  • Handset data (IMEI, ESN, Manufacturer, Model No., etc.)
  • Phonebook
  • SMS and MMS messages
  • SIM data
  • SIM cloning
  • Multimedia (images, videos, audio, etc.)
  • Date and time stamps (with GMT and daylight savings options)
  • Deleted data
  • Fragmented or partial data
  • HEX dump
  • and much more.

The UFED is flexible enough to be used in many environments, such as:

  • Fixed to a desk in a crime lab, connected to a PC
  • Fixed to a desk in a crime lab (stand-alone with no PC)
  • Mobile in a car or at a VCP (connected to car 12V power)
  • Mobile in the field (using the integrated battery kit)

The UFED is completely stand-alone, allowing extraction to a USB thumb stick or USB HDD. With this said, additional software is also included to create specialised reports of the retrieved raw data on a PC/laptop. Customised reports give the additional option of containing your own logo, case file number, address, etc.

Standard hardware options include a portable mobile phone battery charger set (with 42 plug heads), Faraday bag, and 9-in-1 media card reader.

Shell Item

Revision as of 03:14, 12 January 2011

The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in Windows Shortcut (LNK) files and in the ShellBags key in the Windows Registry.

Format

The basic format is a list whose entries each consist of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.
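The list layout described under Format, together with the date and time values that feed Timeline Analysis, as an added Python example that is not part of the ForensicsWiki page or of liblnk. It assumes, following MS-SHLLINK and the liblnk format document linked below, that each 16-bit little-endian entry size counts the size field itself and that a zero size terminates the list, and that file entries (class type 0x30 mask) carry the file size at offset 2, a FAT modification date/time at offset 6 and the file attribute flags at offset 10. The sample byte string is constructed from the values in the page's Calculator.lnk dump and omits the extension blocks.

```python
import struct
import uuid
from datetime import datetime

# Class type indicators as they appear in the page's Calculator.lnk dump.
# The 0x30 file-entry mask and the field offsets used below follow the liblnk
# "Windows Shell Item format" document (assumption, not taken from the page).
ROOT_FOLDER = 0x1F
VOLUME = 0x2F
FILE_ENTRY_MASK = 0x30
FILE_ATTRIBUTE_DIRECTORY = 0x0010
FILE_ATTRIBUTE_ARCHIVE = 0x0020

# Constructed sample: the four entries of the page's dump without their
# extension blocks, each prefixed with its 2-byte little-endian size.
SAMPLE_SHELL_ITEM_LIST = bytes.fromhex(
    "1400" "1f" "50" "e04fd020ea3a6910a2d808002b30309d"                # root folder: My Computer
    "0700" "2f" "433a5c00"                                              # volume: "C:\"
    "1600" "31" "00" "00000000" "9f3d" "986b" "1000" "57494e444f575300"    # directory: WINDOWS
    "1700" "32" "00" "00c40100" "792e" "0060" "2000" "63616c632e65786500"  # file: calc.exe
    "0000"                                                              # terminal entry
)


def split_shell_item_list(data):
    """Walk the list and return the raw bytes of each entry (size field stripped).

    Assumption (MS-SHLLINK IDList): the 16-bit size counts the size field
    itself, and a size of 0 is the terminal entry."""
    items, offset = [], 0
    while offset + 2 <= len(data):
        (size,) = struct.unpack_from("<H", data, offset)
        if size == 0:
            break
        if size < 3 or offset + size > len(data):
            raise ValueError(f"bad entry size {size} at offset {offset}")
        items.append(data[offset + 2:offset + size])
        offset += size
    return items


def fat_datetime(date_word, time_word):
    """Decode an MS-DOS (FAT) date/time pair. The pair carries no time zone,
    so the result is a naive datetime; None means the field is unset."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def cstring(raw):
    """ASCII string up to the first NUL byte."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_shell_item(raw):
    """Decode one entry of the types named on the page; other types are kept raw."""
    class_type = raw[0]
    item = {"type": class_type}
    if class_type == ROOT_FOLDER:
        item["flags"] = raw[1]
        item["folder_identifier"] = str(uuid.UUID(bytes_le=raw[2:18]))
    elif class_type == VOLUME:
        item["volume_name"] = cstring(raw[1:])
    elif class_type & 0x70 == FILE_ENTRY_MASK:
        # offset 2: file size, 6: FAT modification date, 8: FAT time, 10: attribute flags
        size, fat_date, fat_time, attrs = struct.unpack_from("<IHHH", raw, 2)
        item["file_size"] = size
        item["modification_time"] = fat_datetime(fat_date, fat_time)
        item["file_attribute_flags"] = attrs
        item["is_directory"] = bool(attrs & FILE_ATTRIBUTE_DIRECTORY)
        # 8.3 name; the long name and creation/access times live in the extension block
        item["short_name"] = cstring(raw[12:])
    else:
        item["raw"] = raw
    return item


def parse_shell_item_list(data):
    return [parse_shell_item(raw) for raw in split_shell_item_list(data)]


def timeline_events(items):
    """Collect the timestamps a Timeline Analysis would pick up, oldest first."""
    events = []
    for item in items:
        when = item.get("modification_time")
        if when is not None:
            events.append((when, "shell item modification time", item["short_name"]))
    return sorted(events)


if __name__ == "__main__":
    parsed = parse_shell_item_list(SAMPLE_SHELL_ITEM_LIST)
    for item in parsed:
        print(item)
    for when, source, name in timeline_events(parsed):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {source}  {name}")
```

The parser refuses an entry whose size runs past the end of the buffer rather than reading a truncated record, which is the usual failure when a shell item list is carved from slack or a damaged ShellBags value. The FAT timestamps come back as naive datetimes because the on-disk format has no zone field; how they are labelled (the page's dump shows them as UTC) is a choice of the tool presenting them.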

Example

An example of a shell item list taken from Calculator.lnk:

shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe

External Links

  • Windows Shell Item format (work in progress): http://downloads.sourceforge.net/project/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf