Shell Item

From ForensicsWiki
Latest revision as of 02:27, 5 December 2013

The Windows Shell uses Shell Items (grouped into a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path": each item is unique within its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in Windows Shortcut (LNK) files and in the ShellBags keys of the Windows Registry.

Format

The basic format is a list of shell item entries, each consisting of an entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values (for example the modification, creation and access times of file entries), which can be used in Timeline Analysis.

Example

An example of a shell item list taken from Calculator.lnk:

shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
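
The layout behind this listing, as an added Python example rather than code from the page or from the liblnk/libfwsi projects: it builds a constructed shell item list mirroring the My Computer, C:\ and calc.exe entries above and parses it back, decoding the size-prefixed entries, the FAT (DOS) date and time fields and the version 3 0xbeef0004 extension block that carries the creation and access times and the long name. Field offsets follow the libfwsi format documentation; the function names and the sample bytes are this example's own, and the two-byte zero terminator at the end of the list is the one used by LNK target ID lists.

```python
import struct
import uuid
from datetime import datetime

def fat_to_datetime(date: int, time: int) -> datetime:  # packed FAT (DOS) date and time
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def datetime_to_fat(dt: datetime) -> bytes:  # inverse; only used to build the sample
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return struct.pack("<HH", date, (dt.hour << 11) | (dt.minute << 5) | dt.second // 2)

def parse_file_entry(entry: bytes) -> dict:  # class type 0x31 (directory) or 0x32 (file)
    file_size, date, time, attrs = struct.unpack_from("<IHHH", entry, 4)
    name_end = entry.index(b"\x00", 14)  # primary (short) name: null-terminated ASCII
    item = {"type": entry[2], "file_size": file_size, "file_attribute_flags": attrs,
            "modification_time": fat_to_datetime(date, time),
            "short_name": entry[14:name_end].decode("ascii")}
    ext_off = (name_end + 2) & ~1  # the primary name is padded to 16-bit alignment
    ext_size, ext_ver, sig = struct.unpack_from("<HHI", entry, ext_off)
    if sig == 0xBEEF0004 and ext_ver == 3:  # Windows XP layout, as in the listing above
        cdate, ctime, adate, atime = struct.unpack_from("<HHHH", entry, ext_off + 8)
        long_name = entry[ext_off + 20:ext_off + ext_size - 2].decode("utf-16-le")
        item.update(extension_size=ext_size, creation_time=fat_to_datetime(cdate, ctime),
                    access_time=fat_to_datetime(adate, atime), long_name=long_name.rstrip("\x00"))
    return item

def parse_item_list(data: bytes) -> list:  # size-prefixed entries up to a zero-size terminator
    items, offset = [], 0
    while (size := struct.unpack_from("<H", data, offset)[0]) != 0:
        entry, offset = data[offset:offset + size], offset + size
        if entry[2] == 0x1F:  # root folder: sort order byte, then the folder's class identifier
            items.append({"type": 0x1F, "sort_order": entry[3],
                          "folder_identifier": str(uuid.UUID(bytes_le=entry[4:20]))})
        elif entry[2] == 0x2F:  # volume: null-terminated ASCII volume name from offset 3
            items.append({"type": 0x2F, "volume_name": entry[3:].split(b"\x00")[0].decode()})
        elif entry[2] & 0x70 == 0x30:  # file entry; other class types are skipped here
            items.append(parse_file_entry(entry))
    return items

def build_sample() -> bytes:  # constructed bytes mirroring the listing: My Computer, C:\, calc.exe
    root = b"\x1f\x50" + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
    volume = b"\x2fC:\\\x00"
    created = datetime_to_fat(datetime(2010, 12, 31, 13, 6, 6))
    ext = (struct.pack("<HI", 3, 0xBEEF0004) + created + created + b"\x00" * 4  # id, string size
           + "calc.exe\x00".encode("utf-16-le") + b"\x00\x00")  # long name, version offset
    calc = (b"\x32\x00" + struct.pack("<I", 115712) + datetime_to_fat(datetime(2003, 3, 25, 12))
            + struct.pack("<H", 0x20) + b"calc.exe\x00\x00" + struct.pack("<H", len(ext) + 2) + ext)
    return b"".join(struct.pack("<H", len(i) + 2) + i for i in (root, volume, calc)) + b"\x00\x00"
```

Parsing `build_sample()` yields the same type, size, attribute, name and timestamp values as the listing, including the extension size of 40 for calc.exe.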

See Also

External Links

  • ShellBags Registry Forensics (http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/), by johnmccash, October 2008
  • Shell Bag Format Analysis (http://42llc.net/?p=385), by Yogesh Khatri, October 2009 (appears to be no longer available)
  • Using shellbag information to reconstruct user activities (http://www.dfrws.org/2009/proceedings/p69-zhu.pdf), by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009
  • Windows Shell Item format (https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf), by the libfwsi project, July 2010 (work in progress)
  • LNK Parsing: You're doing it wrong (II) (http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/), by Jordi Sánchez López, August 13, 2010
  • Computer Forensic Artifacts: Windows 7 Shellbags (http://computer-forensics.sans.org/blog/2011/07/05/shellbags), by Chad Tilbury, July 5, 2011
  • Windows shellbag forensics (http://www.williballenthin.com/forensics/shellbags/index.html), by Willi Ballenthin
  • RegRipper - ShellBags (http://code.google.com/p/regripper/wiki/ShellBags), by Harlan Carvey
  • Shellbag Analysis, Revisited...Some Testing (http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html), by Harlan Carvey, October 2012
  • Shellbag research (http://tech.groups.yahoo.com/group/win4n6/message/7623), by Sebastien Bourdon-Richard, October 2012
  • Shellbags Forensics: Addressing a Misconception (interpretation, step-by-step testing, new findings, and more) (http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html), by Dan Pullega, December 4, 2013

Category: Data Formats