Shell Item

From ForensicsWiki
Revision as of 16:23, 15 August 2013

The Windows Shell uses Shell Items (arranged in a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path", in which each item is unique within its parent folder. The format of a Shell Item is undocumented and varies between Windows versions.

Shell Items are used in Windows Shortcut (LNK) files and in the ShellBags keys of the Windows Registry.

Format

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.

Example

An example of a shell item list taken from Calculator.lnk:

shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe

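The list walk described under Format, applied to entries like those in the Calculator.lnk listing above, as an added Python example that is not part of the original page: it reads each uint16 size field, dispatches on the class type byte (0x1f, 0x2f, 0x31, 0x32) and decodes the folder GUID, the volume name and the FAT modification time. The per-type field offsets, the zero-size terminator and the sample bytes are assumptions of this example (the layout follows the libfwsi project's format description); extension blocks are not parsed.

```python
import struct
import uuid
from datetime import datetime

# Class type indicators and attribute flags that appear in the page's Calculator.lnk listing.
TYPES = {0x1f: "root folder", 0x2f: "volume", 0x31: "directory", 0x32: "file"}
ATTRS = {0x0010: "FILE_ATTRIBUTE_DIRECTORY", 0x0020: "FILE_ATTRIBUTE_ARCHIVE"}

def fat_decode(date, time):
    # FAT (DOS) packed date and time; the time field only has 2-second resolution.
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_shell_item_list(blob):
    # Each entry is a uint16 LE size (which counts the size field itself) followed
    # by entry data whose first byte is the class type; a zero size ends the list.
    items, offset = [], 0
    while offset + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, offset)[0]
        if size == 0:
            break
        if size < 3 or offset + size > len(blob):  # truncated or corrupt entry
            raise ValueError(f"bad entry size {size} at offset {offset}")
        data = blob[offset + 2:offset + size]
        item = {"type": data[0], "class": TYPES.get(data[0], "unknown")}
        if data[0] == 0x1f:             # root folder: sort order byte, then a GUID
            item.update(sort_order=data[1], folder_identifier=str(uuid.UUID(bytes_le=data[2:18])))
        elif data[0] == 0x2f:           # volume: NUL-terminated ASCII name
            item["volume_name"] = data[1:].split(b"\0", 1)[0].decode("ascii")
        elif (data[0] & 0x70) == 0x30:  # file or directory entry (assumed field layout)
            file_size, date, time, flags = struct.unpack_from("<IHHH", data, 2)
            item.update(file_size=file_size, modification_time=fat_decode(date, time),
                        attributes=[n for b, n in ATTRS.items() if flags & b],
                        short_name=data[12:].split(b"\0", 1)[0].decode("ascii"))
        items.append(item)
        offset += size
    return items

def make_entry(data):  # prefix entry data with its size field
    return struct.pack("<H", len(data) + 2) + data

def make_file_entry(cls, size, fat_date, fat_time, flags, name):
    return make_entry(bytes([cls, 0]) + struct.pack("<IHHH", size, fat_date, fat_time, flags) + name + b"\0")

# Constructed sample mirroring the page's listing (extension blocks omitted).
SAMPLE = (make_entry(bytes([0x1f, 0x50]) + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le)
          + make_entry(b"\x2fC:\\\0")
          + make_file_entry(0x31, 0, 0x3D9F, 0x6B98, 0x0010, b"WINDOWS")       # Dec 31, 2010 13:28:48
          + make_file_entry(0x32, 115712, 0x2E79, 0x6000, 0x0020, b"calc.exe")  # Mar 25, 2003 12:00:00
          + b"\0\0")
```

Because FAT times carry only 2-second resolution, the modification time recovered from a shell item can differ slightly from the NTFS timestamp of the same object when the two are lined up in a timeline.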
See Also

  • Jump Lists
  • LNK

External Links

  • MSDN: Introduction to the Shell Namespace (Windows): http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx
  • Fundamental Shell Concepts: http://netez.com/2xExplorer/shellFAQ/bg_shell.html
  • MiTeC Registry Analyser, by Allan S Hay, December 2004: http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf
  • ShellBags Registry Forensics, by johnmccash, October 2008: http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/
  • Shell Bag Format Analysis, by Yogesh Khatri, October 2009 (appears to be no longer available): http://42llc.net/?p=385
  • Using shellbag information to reconstruct user activities, by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009: http://www.dfrws.org/2009/proceedings/p69-zhu.pdf
  • Windows Shell Item format, by the libfwsi project, July 2010 (work in progress): https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf
  • LNK Parsing: You're doing it wrong (II), by Jordi Sánchez López, August 13, 2010: http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/
  • Windows shellbag forensics, by Willi Ballenthin: http://www.williballenthin.com/forensics/shellbags/index.html
  • RegRipper - ShellBags, by Harlan Carvey: http://code.google.com/p/regripper/wiki/ShellBags
  • MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes, by Jamie Levy, September 2012: http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html
  • Shellbag Analysis, Revisited...Some Testing, by Harlan Carvey, October 2012: http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html
  • Shellbag research, by Sebastien Bourdon-Richard, October 2012: http://tech.groups.yahoo.com/group/win4n6/message/7623

Category: Data Formats