Difference between pages "VPN" and "Shell Item"

From ForensicsWiki

The left-hand page of the comparison, '''VPN''', reads as follows; the right-hand page, '''Shell Item''', is rendered below.

{{expand}}

'''VPN''' (Virtual Private Network) is a class of technology that allows remote machines to interconnect by creating a virtual network layer on top of the physical network connection. In practice it is used to maintain the privacy of data shared over this virtual network connection (essentially all VPN toolsets use some form of packet-level [[encryption]]). There are many different modern implementations of the VPN concept, to the point where categorizing them together becomes somewhat questionable.

== Overview ==

Virtual Private Networks are deployed by organizations and individuals for different purposes:

* Protecting confidential information in organizations, when connecting geographically distant office networks;
* Providing "work from home" or traveling employees with secure remote access to office network resources;
* Securing general Internet traffic in particularly insecure network usage settings (e.g. open wireless networks);
* Encrypting all Internet traffic to and from a home connection, to prevent ISP packet shaping and/or surveillance (e.g. Torrentfreedom Privacy, www.torrentfreedom.net).

When used for Internet connectivity, a VPN service also acts as a form of proxy and keeps the user's physical IP address out of public view. As a result, VPNs are an increasingly popular form of anonymity protection for Internet users. While there are some concerns that the availability of anonymous connectivity would encourage fraud, in practice those engaged in commercial fraud online use other, existing tools to keep their activities from being discovered; there is no known case, thus far, of a commercial VPN service being used to further a fraudulent activity online.

== VPNs and anonymity ==

* Log files: VPN services may maintain usage logs which could then be used to track the activities of the user of those services, after the fact. However, some commercial consumer-oriented VPN services specifically configure their servers not to retain any log file information of this type. An example is [[Cryptocloud_VPN]].

* Protocol stack: [[TCP timestamps]] and IP ID values may be used to correlate incoming (encrypted) and outgoing (unencrypted) network streams. This type of "traffic analysis" can, in theory, be used to gather information about a fully encrypted VPN connection; in practice, there are no known examples of traffic analysis being used against commercial VPN service providers.

== See Also ==

* [[Cryptocloud VPN]]
* [[Tor]]
* [[Proxy server]]

[[Category:Anti-Forensics]]
[[Category:Network Forensics]]
[[Category:Encryption]]

Shell Item

Revision as of 03:14, 12 January 2011

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item is much like a "path" and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in Windows Shortcut (LNK) files and in the ShellBags keys of the Windows Registry.

Format

The basic format is a list of entries, each consisting of an entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.

Example

An example of a shell item list taken from Calculator.lnk:

shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
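The list structure described under Format, applied to a sample shaped like the Calculator.lnk listing above, as an added example (not code from the ForensicsWiki page or from liblnk): it walks the size-prefixed entries, dispatches on the class type byte and decodes the FAT date/time values that feed timeline analysis. The byte offsets, the even-offset alignment of the extension block and the 0xbeef0004 extension signature are assumptions taken from the commonly documented layout, and the sample bytes are constructed rather than read from a real LNK file, since the page itself notes the format is undocumented and version dependent.

```python
import struct
from datetime import datetime

FILE_ATTRIBUTE_DIRECTORY = 0x0010
EXT_SIGNATURE = 0xBEEF0004  # extension block carrying creation/access times (assumed layout)

def fat_datetime(raw):
    """Decode a 4-byte FAT date/time (date word, then time word) into a datetime."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(entry):
    """0x31/0x32 entry: file size, FAT mtime, attributes, short name, optional extension block."""
    name_end = entry.index(b"\x00", 14)          # short name is null-terminated ASCII at offset 14
    attrs = struct.unpack_from("<H", entry, 12)[0]
    item = {"name": entry[14:name_end].decode("ascii"),
            "size": struct.unpack_from("<I", entry, 4)[0],
            "is_dir": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
            "mtime": fat_datetime(entry[8:12])}
    ext = (name_end + 2) & ~1                    # extension block starts at the next even offset
    if ext + 16 <= len(entry) and struct.unpack_from("<I", entry, ext + 4)[0] == EXT_SIGNATURE:
        item["ext_version"] = struct.unpack_from("<H", entry, ext + 2)[0]
        item.update(ctime=fat_datetime(entry[ext + 8:ext + 12]), atime=fat_datetime(entry[ext + 12:ext + 16]))
    return item

def parse_shell_items(data):
    """Walk the size-prefixed list; a zero size field (or end of data) terminates it."""
    items, pos = [], 0
    while pos + 2 <= len(data):
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:
            break
        entry, kind = data[pos:pos + size], data[pos + 2]   # class type indicator at offset 2
        if kind in (0x31, 0x32):                            # directory / file
            items.append({"type": kind, **parse_file_entry(entry)})
        elif kind == 0x2F:                                  # volume: null-terminated name at offset 3
            items.append({"type": kind, "volume": entry[3:entry.index(b"\x00", 3)].decode("ascii")})
        else:                                               # e.g. 0x1f root folder: type only
            items.append({"type": kind})
        pos += size
    return items

# Constructed sample (not real LNK bytes) mirroring the page's Calculator.lnk listing.
SAMPLE = (bytes.fromhex("14001f50 e04fd020ea3a6910a2d808002b30309d")              # 0x1f My Computer
          + bytes.fromhex("07002f") + b"C:\\\x00"                                 # 0x2f volume C:\
          + bytes.fromhex("26003100 00000000 9f3d986b 1000") + b"WINDOWS\x00"     # 0x31 dir, mtime 2010-12-31 13:28:48
          + bytes.fromhex("10000300 0400efbe 9f3d496b 9f3d9a6b")                  # ext v3: ctime 13:26:18, atime 13:28:52
          + bytes.fromhex("28003200 00c40100 792e0060 2000") + b"calc.exe\x00\x00"  # 0x32 file, 115712 bytes, mtime 2003-03-25
          + bytes.fromhex("10000300 0400efbe 9f3dc368 9f3dc368")                  # ext v3: ctime = atime = 2010-12-31 13:06:06
          + b"\x00\x00")                                                          # terminator
```

Running `parse_shell_items(SAMPLE)` yields one dictionary per entry; the mtime/ctime/atime values are the ones a timeline tool would emit for this path.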

External Links

  • Windows Shell Item format (work in progress): http://downloads.sourceforge.net/project/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf