Difference between pages "Shell Item" and "Second Look"

From Forensics Wiki

Second Look

Revision as of 04:54, 27 July 2012

{{Infobox_Software |
  name = Second Look |
  maintainer = [[Raytheon Pikewerks Corporation]] |
  os = {{Linux}} |
  genre = {{Memory analysis}} |
  license = commercial |
  website = [http://secondlookforensics.com/ secondlookforensics.com/] |
}}

[[File:second_look_logo.png]]

The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
Second Look® is a product of [[Raytheon Pikewerks Corporation]].

== Memory Acquisition ==

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

== Memory Analysis ==

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is used to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach to the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

== Supported Systems ==

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

* Supported target kernels: 2.6.x, 3.x up to 3.2
* Supported target architectures: x86 32- and 64-bit
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

== External Links ==

* [http://secondlookforensics.com Second Look®]
* [http://secondlookforensics.com/linux-memory-images/ Linux Memory Images]

Shell Item

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys in the [[Windows Registry]].

== Format ==

The basic format is a list, consisting of a (shell item) entry size value (field) followed by the entry data.

There are multiple types of entries to specify different parts of the "path":
* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type                     : 0x1f
shell item flags                    : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item flags                    : 0x00
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item flags                    : 0x00
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>

== External Links ==

* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[liblnk|liblnk project]], July 2010 (work in progress)
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], by [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012

[[Category:Data Formats]]
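As an added example (not code from the Forensics Wiki or from the liblnk project), a small Python parser that walks a shell item list of the kind shown in the Calculator.lnk example on the Shell Item page: it decodes the root folder (0x1f), volume (0x2f) and file entry (0x31/0x32) items, including the FAT date/time inside a file entry. The field offsets are an assumption based on my reading of the liblnk project's format notes linked above; the input bytes are constructed to reproduce that example's values, and extension blocks (long name, creation and access times) are left undecoded.

```python
import struct
import uuid
from datetime import datetime

# Class type indicators that appear in the Calculator.lnk example.
ROOT_FOLDER, VOLUME, FILE_ENTRY_DIR, FILE_ENTRY_FILE = 0x1F, 0x2F, 0x31, 0x32

def fat_datetime(raw):
    """Decode a FAT date/time (date word then time word, little-endian): 2-second resolution, no time zone."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_shell_item(data):
    """Decode one entry; field offsets follow the liblnk format notes (assumption)."""
    kind = data[2]                      # class type indicator sits at offset 2
    item = {"type": kind}
    if kind == ROOT_FOLDER:             # 0x1f: sort index, then the shell folder GUID
        item["sort_index"] = data[3]
        item["folder_id"] = str(uuid.UUID(bytes_le=bytes(data[4:20])))
    elif kind == VOLUME:                # 0x2f: NUL-terminated ASCII volume name
        item["volume_name"] = data[3:].split(b"\x00", 1)[0].decode("ascii")
    elif kind in (FILE_ENTRY_DIR, FILE_ENTRY_FILE):
        size, mtime, attrs = struct.unpack_from("<I4sH", data, 4)
        item["file_size"] = size
        item["modification_time"] = fat_datetime(mtime)
        item["attribute_flags"] = attrs
        item["is_directory"] = bool(attrs & 0x0010)   # FILE_ATTRIBUTE_DIRECTORY
        item["short_name"] = data[14:].split(b"\x00", 1)[0].decode("ascii")
        # An extension block (long name, creation/access times) may follow; not decoded here.
    return item

def parse_shell_item_list(blob):
    """Walk the list: uint16 entry size, entry data, ...; a zero size terminates it."""
    items, pos = [], 0
    while pos + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, pos)
        if size == 0:
            break
        if size < 3 or pos + size > len(blob):    # never read past the buffer
            raise ValueError(f"bad shell item size {size} at offset {pos}")
        items.append(parse_shell_item(blob[pos:pos + size]))
        pos += size
    return items

# Constructed sample: My Computer -> C:\ -> calc.exe, then the 0x0000 terminator.
SAMPLE = (b"\x14\x00\x1f\x50" + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
          + b"\x07\x00\x2fC:\\\x00" + b"\x18\x00\x32\x00" + struct.pack("<I", 115712)
          + b"\x79\x2e\x00\x60\x20\x00calc.exe\x00\x00" + b"\x00\x00")
```

Running `parse_shell_item_list(SAMPLE)` yields three entries whose GUID, volume name, file size, modification time, attribute flags and short name match the corresponding fields of the Calculator.lnk output above.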