Mdd

From ForensicsWiki

{{Deprecated Software}}

{{Infobox_Software |
  name = mdd |
  maintainer = [[ManTech|ManTech International Corporation]] |
  os = {{Windows}} |
  genre = Memory acquisition |
  license = {{GPL}} |
  website = [http://sourceforge.net/projects/mdd/ sourceforge.net/projects/mdd/] |
}}

'''mdd''', also known as '''[[ManTech|ManTech dd]]''' or '''Memory dd''', is a command line program to acquire an image of the memory of a running [[Windows]] computer. The program has been included in the [[Helix]] incident response tool.

== Status ==

The current version of mdd (mdd_1.3.exe) runs on Windows XP up to SP3 and Vista up to SP2, and may run on other versions. However, development seems to have stopped. For a more full-featured memory dumper, consider [[WinDD]].

The driver uses the [[Memory Imaging| Physical Memory Object Memory Imaging Method]] and returns a file handle to a user-mode program via an IOCTL on the device file named:
<pre>
\\.\memdd
</pre>

Once the file handle has been returned, the driver and its associated memdd device are no longer required and can be removed, which is what the mdd utility does.

== Building from source ==
# Load the x64 Free Build Environment from the WDK (in the Start menu)
# Go to the mdd directory, e.g. C:\src\mdd\driver\mdd\ and run build
# You should now have mdd.sys in C:\src\mdd\driver\mdd\objfre_win7_amd64\amd64

=== Signing the driver ===
* Make sure the WDK is installed; you need it for the signing.
* Get the right cross certificate file, see [http://msdn.microsoft.com/en-us/windows/hardware/gg487315 Cross-Certificates for Kernel Mode Code Signing]
* Convert the key you have to PFX, if what you have is a certificate plus a separate key:
** set up a secure spot to put the private key; it should not be on corporate infrastructure or left unprotected at any time
<pre>
openssl pkcs12 -export -out out.pfx -inkey in.key -in in.crt -certfile ca.crt
</pre>
** use a strong password
** shred the .key immediately after use
* Sign the driver by running:
<pre>
signTool sign /v /ac <crosscertificatefile> /f <pathtopfx> /p <pfx password> /t http://timestamp.verisign.com/scripts/timestamp.dll <driver.sys>
</pre>

Also see: [http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx Digital Signatures for Kernel Modules on Windows]

== Usage ==
To execute mdd, you must start cmd.exe. The options are:
* -o ''filename'' - required to actually run mdd
* -w - license information
* -v - verbose

To run mdd, the account you are using must have administrator access to the machine you wish to image (however, it does not have to be the Administrator account; it only needs to be in the local Administrators group). The program works by installing a service, called mdd, although see below for problems.

== Known Issues ==
These are the known problems with mdd.

=== Error 1073 ===
This is a Windows Service Manager error. mdd executes by registering itself as a service so that it can run as administrator, although this does not mean you can run mdd without having administrator access. At the end of a normal execution, the service is deleted. However, mdd can accidentally leave the service installed, and this prevents further imaging. This can be caused by the system crashing (or an intentional system crash) during imaging, or by attempting to stop the imaging with control-c.

If this happens, a knowledgeable Windows user will open up the Services tab in Computer Manager, but unfortunately, Windows has a wonderful feature that allows services, when they are registered, to state whether or not they wish to be seen in the Service Manager. This amazing concept allows services to run less visibly, and should be considered a class-A security flaw.

Fortunately, there's a way around this, using the command line (cmd.exe).

* Run cmd.exe
* In cmd.exe, run "sc help" to see the service manager command line tool
* Run "sc query" to see all of the currently registered services, but note that this list will overflow the default line buffer of cmd.exe (this is adjustable, but not necessary for our purposes)
* Run "sc query mdd" and - ta-da - you'll see the mdd service
* Run "sc delete mdd" and it's gone, and mdd can now be run again.

=== Error 1062 ===
John Judd will be entering text here.

=== Can't Use Network Share in Vista ===
In Vista, even if you are in the administrator group, you do not necessarily run programs with administrator access (this is actually a major improvement to the security model of Windows). You can start programs, including cmd.exe, with admin privileges, but in this case, that won't help. You will not be able to image to a Network Share from Vista. There is no known workaround. This problem may exist in Windows 7.


Shell Item

From ForensicsWiki

Revision as of 02:03, 2 November 2012

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys in the [[Windows Registry]].

== Format ==

The basic format is a list, consisting of a (shell item) entry size value (field) followed by the entry data.

There are multiple types of entries to specify different parts of the "path":
* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':
<pre>
shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>

== External Links ==
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[liblnk|liblnk project]], July 2010 (work in progress)
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], by [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012

[[Category:Data Formats]]

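As an added example for the Shell Item page (this is not code from ForensicsWiki or from the liblnk project), the parser below walks a shell item list the way the Format section describes: it reads each entry's size field, then decodes the entry data by class type, and reassembles the "path". It also constructs a sample list that reproduces the Calculator.lnk listing in the Example section, so the decoded values can be checked against the page; the bytes are constructed here, not taken from a real file. The byte offsets, the 0xbeef0004 extension block layout, and the reading of the root folder's second byte as a sort index (the value the page prints as "flags") are assumptions drawn from the publicly documented format, not something this page states, so verify them against a real LNK file before relying on them.

```python
import struct
import uuid
from datetime import datetime

# Class types from the page's example. Offsets below are an assumption based on the
# documented shell item format, reproduced from memory; check them against real data.
ROOT_FOLDER = 0x1F
VOLUME = 0x2F
FILE_ENTRY = 0x30           # low nibble: 0x1 = directory, 0x2 = file (0x31 / 0x32 on the page)
FILE_ATTRIBUTE_DIRECTORY = 0x0010
FILE_ATTRIBUTE_ARCHIVE = 0x0020
EXT_SIGNATURE = 0xBEEF0004  # extension block carrying creation/access times and the long name
MY_COMPUTER = '20d04fe0-3aea-1069-a2d8-08002b30309d'

def fat_pack(dt):
    """Encode a datetime as a (FAT date, FAT time) pair; FAT time has 2-second resolution."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def fat_unpack(date, time):
    """Decode a FAT date/time pair; an all-zero pair means the timestamp is not set."""
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

# Builders: used only to construct the sample list below (assumed layout, see above).
def build_root_folder(guid, sort_index=0x50):   # 0x50 is the byte the page prints as "flags"
    data = bytes([ROOT_FOLDER, sort_index]) + uuid.UUID(guid).bytes_le
    return struct.pack('<H', len(data) + 2) + data

def build_volume(name):
    data = (bytes([VOLUME]) + name.encode('ascii') + b'\0').ljust(23, b'\0')  # padded like real items
    return struct.pack('<H', len(data) + 2) + data

def build_file_entry(name, is_dir, size, mtime, ctime, atime):
    attrs = FILE_ATTRIBUTE_DIRECTORY if is_dir else FILE_ATTRIBUTE_ARCHIVE
    body = struct.pack('<BBIHHH', FILE_ENTRY | (1 if is_dir else 2), 0, size, *fat_pack(mtime), attrs)
    body += name.encode('ascii') + b'\0'            # short (8.3) name
    body += b'\0' * ((2 + len(body)) % 2)           # extension block starts on a 2-byte boundary
    ext = struct.pack('<HIHHHHHH', 3, EXT_SIGNATURE, *fat_pack(ctime), *fat_pack(atime), 0x0014, 0)
    ext += name.encode('utf-16-le') + b'\0\0' + struct.pack('<H', 2 + len(body))  # offset of this block
    body += struct.pack('<H', len(ext) + 2) + ext
    return struct.pack('<H', len(body) + 2) + body

def iter_items(blob):
    """Walk the list: each entry is a uint16 size (counting itself) plus data; size 0 terminates."""
    pos = 0
    while pos + 2 <= len(blob):
        (size,) = struct.unpack_from('<H', blob, pos)
        if size == 0:
            return
        if size < 3 or pos + size > len(blob):
            raise ValueError(f'bad entry size {size} at offset {pos}')
        yield blob[pos + 2:pos + size]
        pos += size
    raise ValueError('shell item list has no terminator')

def parse_item(data):
    """Decode one entry's data (everything after the size field) into a dict."""
    item = {'type': data[0]}
    if item['type'] == ROOT_FOLDER:
        item['sort_index'] = data[1]
        item['folder_identifier'] = str(uuid.UUID(bytes_le=data[2:18]))
    elif item['type'] == VOLUME:
        item['volume_name'] = data[1:data.index(b'\0', 1)].decode('ascii')
    elif item['type'] & 0x70 == FILE_ENTRY:
        item['file_size'], fdate, ftime, item['attributes'] = struct.unpack_from('<IHHH', data, 2)
        item['modification_time'] = fat_unpack(fdate, ftime)
        end = data.index(b'\0', 12)
        item['short_name'] = data[12:end].decode('ascii')
        pos = end + 1 + (end + 3) % 2               # skip alignment padding (item offset = data offset + 2)
        if pos + 8 <= len(data):
            ext_size, version, sig = struct.unpack_from('<HHI', data, pos)
            ext = data[pos:pos + ext_size]
            if sig == EXT_SIGNATURE and len(ext) == ext_size:
                cd, ct, ad, at = struct.unpack_from('<HHHH', ext, 8)
                item.update(extension_size=ext_size, extension_version=version,
                            creation_time=fat_unpack(cd, ct), access_time=fat_unpack(ad, at))
                if version == 3:    # later versions put more fields (e.g. a file reference) before the name
                    item['long_name'] = ext[20:].decode('utf-16-le', 'ignore').split('\0', 1)[0]
    return item

def shell_item_path(blob):
    """Reassemble the 'path' a shell item list encodes."""
    parts = []
    for item in map(parse_item, iter_items(blob)):
        if item['type'] == ROOT_FOLDER:
            parts.append('My Computer' if item['folder_identifier'] == MY_COMPUTER else item['folder_identifier'])
        elif item['type'] == VOLUME:
            parts.append(item['volume_name'].rstrip('\\'))
        else:
            parts.append(item.get('long_name') or item.get('short_name', '?'))
    return '\\'.join(parts)

# Constructed sample reproducing the page's Calculator.lnk listing (not bytes from a real file).
T = datetime
SAMPLE = (build_root_folder(MY_COMPUTER) + build_volume('C:\\')
          + build_file_entry('WINDOWS', True, 0, T(2010, 12, 31, 13, 28, 48), T(2010, 12, 31, 13, 26, 18), T(2010, 12, 31, 13, 28, 52))
          + build_file_entry('system32', True, 0, T(2010, 12, 31, 13, 28, 38), T(2010, 12, 31, 13, 26, 18), T(2010, 12, 31, 13, 28, 38))
          + build_file_entry('calc.exe', False, 115712, T(2003, 3, 25, 12, 0, 0), T(2010, 12, 31, 13, 6, 6), T(2010, 12, 31, 13, 6, 6))
          + b'\0\0')                                 # list terminator

if __name__ == '__main__':
    print(shell_item_path(SAMPLE), *map(parse_item, iter_items(SAMPLE)), sep='\n')
```

Two points matter for timeline work. FAT date/time values carry no time zone and have two-second resolution, so the "UTC" in the page's listing is an interpretation made by the tool that produced it, not something stored in the item; and the creation and access times live in the extension block, so an item without that block (or with a version this parser does not decode) yields only the modification time. The size-field walk also shows why a damaged or truncated list is detectable: a size that runs past the buffer, or a list with no zero terminator, is rejected rather than decoded into garbage.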