|
|
| Line 1: |
Line 1: |
| − | The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A
| + | Binary plists are the files that Apple products use to store information. The easiest way to view them is to convert them to xml. |
| − | Shell Item list is much like a "path", and is unique to its parent folder. The format of the Shell Item
| + | |
| − | is undocumented and varies between Windows versions. | + | |
| | | | |
| − | The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] file and the ShellBags key in the [[Windows Registry]]. | + | The program plutil is native to OSX (as of 10.2), however it is also included when iTunes is installed on a Windows PC. |
| | | | |
| − | == Format ==
| + | plutil on a Windows PC is stored in: |
| | | | |
| − | The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
| + | ''Program Files (x86)\Common Files\Apple\Apple Application Support'' |
| | | | |
| − | There are multiple types of entries to specify different parts of the "path":
| + | Which can be added to the PATH in Environmental variables so plutil can be run from anywhere |
| − | * volume
| + | |
| − | * network share
| + | |
| − | * file and directory
| + | |
| − | * URI
| + | |
| | | | |
| − | Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].
| + | To convert Binary plists to XML run the command: |
| | + | '''plutil -convert xml1 file.plist''' |
| | | | |
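Review bot: This edit does not revise the Shell Item article, it replaces its subject. The removed lines describe Windows Shell Items (their use in LNK files and the ShellBags registry key) while the added lines describe Apple binary plists and plutil, so the change reads as an edit made to the wrong page; the plutil text should go on its own page and the Shell Item text be restored. Within the added text: "Which can be added to the PATH in Environmental variables so plutil can be run from anywhere" is a sentence fragment and "Environmental variables" should read "environment variables"; the command `'''plutil -convert xml1 file.plist'''` is set in bold where the rest of the page uses a `<pre>` block for commands and output, and the page should say whether `-convert` rewrites the input file in place so that an examiner knows to work on a copy.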
| − | == Example ==
| |
| − | An example of a shell item list taken from '''Calculator.lnk'''
| |
| | | | |
| − | <pre>
| |
| − | shell item type : 0x1f
| |
| − | shell item flags : 0x50
| |
| − | shell item folder identifier : 20d04fe0-3aea-1069-a2d8-08002b30309d
| |
| − | shell item folder name : My Computer
| |
| | | | |
| − | shell item type : 0x2f
| |
| − | shell item volume name : C:\
| |
| | | | |
| − | shell item type : 0x31
| |
| − | shell item flags : 0x00
| |
| − | shell item file size : 0
| |
| − | shell item modification time : Dec 31, 2010 13:28:48 UTC
| |
| − | shell item file attribute flags : 0x0010
| |
| − | Is directory (FILE_ATTRIBUTE_DIRECTORY)
| |
| − |
| |
| − | shell item short name : WINDOWS
| |
| − | shell item extension size : 38
| |
| − | shell item extension version : 3
| |
| − | shell item creation time : Dec 31, 2010 13:26:18 UTC
| |
| − | shell item access time : Dec 31, 2010 13:28:52 UTC
| |
| − | shell item long name : WINDOWS
| |
| − |
| |
| − | shell item type : 0x31
| |
| − | shell item flags : 0x00
| |
| − | shell item file size : 0
| |
| − | shell item modification time : Dec 31, 2010 13:28:38 UTC
| |
| − | shell item file attribute flags : 0x0010
| |
| − | Is directory (FILE_ATTRIBUTE_DIRECTORY)
| |
| − |
| |
| − | shell item short name : system32
| |
| − | shell item extension size : 40
| |
| − | shell item extension version : 3
| |
| − | shell item creation time : Dec 31, 2010 13:26:18 UTC
| |
| − | shell item access time : Dec 31, 2010 13:28:38 UTC
| |
| − | shell item long name : system32
| |
| − |
| |
| − | shell item type : 0x32
| |
| − | shell item flags : 0x00
| |
| − | shell item file size : 115712
| |
| − | shell item modification time : Mar 25, 2003 12:00:00 UTC
| |
| − | shell item file attribute flags : 0x0020
| |
| − | Should be archived (FILE_ATTRIBUTE_ARCHIVE)
| |
| − |
| |
| − | shell item short name : calc.exe
| |
| − | shell item extension size : 40
| |
| − | shell item extension version : 3
| |
| − | shell item creation time : Dec 31, 2010 13:06:06 UTC
| |
| − | shell item access time : Dec 31, 2010 13:06:06 UTC
| |
| − | shell item long name : calc.exe
| |
| − | </pre>
| |
| | | | |
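Review bot: The whole "== Format ==" and "== Example ==" sections, including the worked Calculator.lnk shell item list with its type bytes, folder identifier, volume, short and long names and the modification, creation and access timestamps, are deleted with no replacement, and nothing in the added plist text covers that ground. This is the article's technical substance, and the timestamp values in particular are what the page cites for Timeline Analysis; if the page is being repurposed, move this material to a Shell Item page rather than dropping it.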
| | == External Links == | | == External Links == |
| − | | + | * [[http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/plutil.1.html - Apple plutil man page]] |
| − | * [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004 | + | * [http://cgit.sukimashita.com/libplist.git/ A library to handle Apple Property List format in binary or XML] |
| − | * [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
| + | |
| − | * [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
| + | |
| − | * [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[liblnk|liblnk project]], July 2010 (work in progress)
| + | |
| − | * [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
| + | |
| − | * [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]] | + | |
| − | * [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], [[Jamie Levy]], September 2012
| + | |
| − | * [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
| + | |
| − | * [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012
| + | |
| − | | + | |
| − | [[Category:Data Formats]]
| + | |
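Review bot: The added plutil man page entry `[[http://developer.apple.com/... - Apple plutil man page]]` uses double square brackets and a " - " separator, which is internal-link syntax; an external link takes single brackets with the URL followed by a space and the label, as the libplist entry on the same row does. The nine Shell Item and ShellBags references (MiTeC Registry Analyser, SANS ShellBags Registry Forensics, Shell Bag Format Analysis, the liblnk Windows Shell Item format document, Windows shellbag forensics, RegRipper ShellBags, MoVP 3.2, Shellbag Analysis Revisited, Shellbag research) are all removed, and `[[Category:Data Formats]]` is removed without a replacement, so the resulting page is uncategorised although a plist format page belongs in that same category.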