The Windows Shell uses Shell Items (or Shell Item lists) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a "path", and each item in it is unique within its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys in the [[Windows Registry]].

== Format ==

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":
* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type : 0x1f
shell item flags : 0x50
shell item folder identifier : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name : My Computer

shell item type : 0x2f
shell item volume name : C:\

shell item type : 0x31
shell item flags : 0x00
shell item file size : 0
shell item modification time : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags : 0x0010
Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name : WINDOWS
shell item extension size : 38
shell item extension version : 3
shell item creation time : Dec 31, 2010 13:26:18 UTC
shell item access time : Dec 31, 2010 13:28:52 UTC
shell item long name : WINDOWS

shell item type : 0x31
shell item flags : 0x00
shell item file size : 0
shell item modification time : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags : 0x0010
Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name : system32
shell item extension size : 40
shell item extension version : 3
shell item creation time : Dec 31, 2010 13:26:18 UTC
shell item access time : Dec 31, 2010 13:28:38 UTC
shell item long name : system32

shell item type : 0x32
shell item flags : 0x00
shell item file size : 115712
shell item modification time : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags : 0x0020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name : calc.exe
shell item extension size : 40
shell item extension version : 3
shell item creation time : Dec 31, 2010 13:06:06 UTC
shell item access time : Dec 31, 2010 13:06:06 UTC
shell item long name : calc.exe
</pre>
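The walk over size-prefixed entries described under Format, as an added example (not code from this page or from the liblnk project): it builds a constructed shell item list modelled on the Calculator.lnk listing above and parses it back, decoding the class type, the FAT modification time and the primary name of each entry. The per-type layouts it assumes (root folder: sort index byte then a 16-byte GUID; volume: null-terminated ASCII name; file/directory: 4-byte file size, FAT date and time words, 2-byte attribute flags, then the primary name) are assumptions taken from the liblnk format document linked below; extension blocks are not parsed.

```python
import struct
import uuid
from datetime import datetime

# Class type indicators as they appear in the Calculator.lnk listing above
CLASS_NAMES = {0x1f: "root folder", 0x2f: "volume", 0x31: "directory", 0x32: "file"}

def fat_datetime(date_word, time_word):
    """Decode an MS-DOS (FAT) date/time word pair: 2-second resolution, no time zone."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_shell_item_list(data):
    """Walk the size-prefixed entries of a shell item list; a zero size terminates it."""
    items, offset = [], 0
    while offset + 2 <= len(data):
        (size,) = struct.unpack_from("<H", data, offset)
        if size == 0:
            break
        if size < 3 or offset + size > len(data):  # never trust the size field blindly
            raise ValueError(f"bad entry size {size} at offset {offset}")
        body = data[offset + 2:offset + size]
        item = {"type": body[0], "class": CLASS_NAMES.get(body[0], "unknown")}
        if body[0] == 0x1f and len(body) >= 18:   # root folder: sort index byte, then a GUID (assumed)
            item["folder_id"] = str(uuid.UUID(bytes_le=bytes(body[2:18])))
        elif body[0] == 0x2f:                      # volume: null-terminated ASCII name ("C:\") (assumed)
            item["name"] = body[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        elif body[0] in (0x31, 0x32) and len(body) >= 12:  # file or directory (assumed layout)
            file_size, date_w, time_w, attrs = struct.unpack_from("<IHHH", body, 2)
            item.update(file_size=file_size, mtime=fat_datetime(date_w, time_w), attrs=attrs,
                        name=body[12:].split(b"\x00", 1)[0].decode("ascii", "replace"))
        items.append(item)
        offset += size
    return items

def shell_item_path(items):
    """Join the entry names into the "path" the list describes."""
    return "\\".join(i["name"].rstrip("\\") for i in items if "name" in i)
def _entry(body):
    return struct.pack("<H", len(body) + 2) + body
def _file_entry(class_type, name, file_size, date_w, time_w, attrs):
    return _entry(struct.pack("<BBIHHH", class_type, 0, file_size, date_w, time_w, attrs) + name + b"\x00")
# Constructed sample (not the bytes of Calculator.lnk): My Computer -> C:\ -> WINDOWS -> calc.exe
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
SAMPLE = (_entry(b"\x1f\x50" + MY_COMPUTER.bytes_le)
          + _entry(b"\x2fC:\\\x00")
          + _file_entry(0x31, b"WINDOWS", 0, (2010 - 1980) << 9 | 12 << 5 | 31, 13 << 11 | 28 << 5 | 24, 0x0010)
          + _file_entry(0x32, b"calc.exe", 115712, (2003 - 1980) << 9 | 3 << 5 | 25, 12 << 11, 0x0020)
          + b"\x00\x00")  # two zero bytes terminate the list
```

Call `parse_shell_item_list(SAMPLE)` and `shell_item_path(...)` on the result to see the decoded entries and the reconstructed `C:\WINDOWS\calc.exe`.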

== External Links ==

* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by Allan S Hay, December 2004
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by Yogesh Khatri
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://code.google.com/p/liblnk/downloads/detail?name=Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[liblnk|liblnk project]], July 2010, work in progress
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]

[[Category:Data Formats]]