Common Log File System (CLFS)

From Forensics Wiki

The '''Common Log File System''' ('''CLFS''') is a special purpose file (sub)system designed for transaction logging and/or recovery. The CLFS is not a file system in the traditional meaning of a disk file system, but more of a logical (special purpose) file system that operates in combination with a disk file system like [[NTFS]].

== Overview ==
A CLFS log consists of a base log file (.blf) and one or more container files.

There are two types of logs:
* dedicated logs; contain a single stream of log records.
* multiplexed (or common) logs; contain several streams of log records.

== Implementation ==
According to Wikipedia, CLFS was introduced in Windows Server 2003 R2.

In Windows Vista the CLFS is implemented as a driver named clfs.sys. User space equivalent functionality is provided by clfsw32.dll, which communicates with the driver by DeviceIoControl calls.

== Also see ==
Windows Internals 5 by Mark E. Russinovich and David A. Solomon

== External links ==
[http://msdn.microsoft.com/en-us/library/bb986747%28VS.85%29.aspx MSDN on Common Log File System]

[http://en.wikipedia.org/wiki/Common_Log_File_System Wikipedia on Common Log File System]

[[Category:Logical file systems]]

Shell Item

From Forensics Wiki

Revision as of 00:32, 13 August 2012

The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in Windows Shortcut (LNK) files and in the ShellBags keys in the Windows Registry.

Format

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.

Example

An example of a shell item list taken from Calculator.lnk:

shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
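
The listing above is tool output; the parser below is an added example (not code from this wiki page or from the liblnk project) that walks a size-prefixed shell item list and decodes the same fields for the root folder (0x1f), volume (0x2f) and file entry (0x31/0x32) types, including the FAT date/time values and the version 3 extension block that carries the creation and access times. The field offsets are an assumption taken from the liblnk "Windows Shell Item format" document linked below, and the sample bytes are constructed to reproduce the first three entries above rather than copied from Calculator.lnk.

```python
import struct
import uuid
from datetime import datetime
def fat_datetime(raw):
    """Decode a FAT date word + time word (4 bytes, little-endian, 2-second resolution)."""
    d, t = struct.unpack("<HH", raw)
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F, t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def parse_extension_v3(ext):
    """0xbeef0004 extension block, version 3 (as in the example): creation/access times, long name."""
    size, version, signature = struct.unpack_from("<HHI", ext, 0)
    if signature != 0xBEEF0004 or version != 3:
        return {}                       # later versions add fields before the name; not decoded here
    return {"created": fat_datetime(ext[8:12]), "accessed": fat_datetime(ext[12:16]),
            "long_name": ext[20:size - 2].decode("utf-16-le").rstrip("\x00")}

def parse_shell_item_list(data):
    """Walk the list: each item is a 2-byte size then data; a zero size ends the list.
    Field offsets are an assumption taken from the liblnk format document, not from this page."""
    items, offset = [], 0
    while (size := struct.unpack_from("<H", data, offset)[0]) != 0:
        item, kind = data[offset:offset + size], data[offset + 2]
        entry = {"type": kind}
        if kind == 0x1F:                            # root folder: sort/flags byte + GUID
            entry["guid"] = str(uuid.UUID(bytes_le=item[4:20]))
        elif kind == 0x2F:                          # volume: NUL-terminated ASCII name
            entry["volume"] = item[3:].split(b"\x00", 1)[0].decode("ascii")
        elif kind & 0xF0 == 0x30:                   # file entry: 0x31 directory, 0x32 file
            entry["file_size"], mtime, entry["attributes"] = struct.unpack_from("<I4sH", item, 4)
            entry["modified"] = fat_datetime(mtime)
            name_end = item.index(b"\x00", 14)      # short name: NUL-terminated ASCII, even-padded
            entry["short_name"] = item[14:name_end].decode("ascii")
            entry.update(parse_extension_v3(item[name_end + 1 + (name_end + 1) % 2:]))
        items.append(entry)
        offset += size
    return items

def build_sample():
    """Constructed sample (not the real Calculator.lnk bytes): My Computer -> C:\\ -> WINDOWS."""
    fat = lambda dt: struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                                 (dt.hour << 11) | (dt.minute << 5) | dt.second // 2)
    root = struct.pack("<HBB", 20, 0x1F, 0x50) + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
    volume = struct.pack("<HB", 7, 0x2F) + b"C:\\\x00"
    name = "WINDOWS\x00".encode("utf-16-le")
    ext = (struct.pack("<HHI", 22 + len(name), 3, 0xBEEF0004) + fat(datetime(2010, 12, 31, 13, 26, 18))
           + fat(datetime(2010, 12, 31, 13, 28, 52)) + struct.pack("<HH", 0x14, 0) + name + struct.pack("<H", 24))
    body = (struct.pack("<BI", 0, 0) + fat(datetime(2010, 12, 31, 13, 28, 48))
            + struct.pack("<H", 0x10) + b"WINDOWS\x00" + ext)
    return root + volume + struct.pack("<HB", 3 + len(body), 0x31) + body + b"\x00\x00"
```

Because FAT timestamps have two-second resolution, odd-second values in a shell item are impossible; an analyst comparing these times against NTFS $STANDARD_INFORMATION values should expect that rounding.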

External Links

  • [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by Allan S Hay, December 2004
  • [http://42llc.net/?p=385 Shell Bag Format Analysis], by Yogesh Khatri
  • [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
  • [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the liblnk project, July 2010, work in progress
  • [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by Willi Ballenthin
  • [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by Harlan Carvey

[[Category:Data Formats]]