Difference between pages "Shell Item" and "JTAG Forensics"

From ForensicsWiki

Shell Item

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows folder hierarchy. A Shell Item list is much like a "path", and each item is unique relative to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys of the [[Windows Registry]].

== Format ==

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":

* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>
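A small parser for the size-prefixed list described under Format, added here as an example and not code from the original page or from the libfwsi project: it walks a constructed IDList (made-up bytes that mirror the root folder, volume and calc.exe entries above, not taken from Calculator.lnk), decodes the root folder, volume and file entry types using field offsets assumed from the libfwsi format documentation linked under External Links, stops at the 0x0000 terminator and refuses to read past a truncated or malformed buffer.

```python
import struct
import uuid
from datetime import datetime

# Constructed sample IDList (made-up bytes, not from Calculator.lnk): root folder "My Computer",
# volume C:\ and a file entry for calc.exe, then the 0x0000 terminator that closes every list.
SAMPLE_IDLIST = bytes.fromhex(
    "14001f50" "e04fd020ea3a6910a2d808002b30309d"                          # root folder, sort index 0x50, GUID
    "07002f" "433a5c00"                                                     # volume item, name "C:\"
    "180032" "00" "00c40100" "792e0060" "2000" "63616c632e65786500" "00"   # file item (see parse_item)
    "0000"                                                                  # list terminator
)

def fat_datetime(fat_date, fat_time):  # FAT date/time pair used by file entries for the mtime
    return datetime(1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F,
                    fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2)

def parse_item(item):
    """Interpret one entry by its class type byte; offsets assumed from libfwsi's documentation."""
    class_type = item[2]
    entry = {"type": class_type}
    if class_type == 0x1F:                           # root folder: sort index, then 16-byte GUID
        entry["sort_index"] = item[3]
        entry["folder_identifier"] = str(uuid.UUID(bytes_le=item[4:20]))
    elif class_type & 0x70 == 0x20:                  # volume: NUL-terminated ASCII name at offset 3
        entry["volume_name"] = item[3:].split(b"\x00", 1)[0].decode("ascii")
    elif class_type & 0x70 == 0x30:                  # file entry: size, FAT mtime, attributes, short name
        if len(item) < 16:
            raise ValueError("file entry too short: %d bytes" % len(item))
        file_size, fat_date, fat_time, attrs = struct.unpack_from("<IHHH", item, 4)
        entry["file_size"] = file_size
        entry["modification_time"] = fat_datetime(fat_date, fat_time)
        entry["attribute_flags"] = attrs
        entry["is_directory"] = bool(attrs & 0x0010)  # FILE_ATTRIBUTE_DIRECTORY
        entry["short_name"] = item[14:].split(b"\x00", 1)[0].decode("ascii")
    return entry

def parse_idlist(data):
    """Walk the size-prefixed entries up to the terminator, never reading past the buffer."""
    items, offset = [], 0
    while offset + 2 <= len(data):
        size = struct.unpack_from("<H", data, offset)[0]
        if size == 0:                                # terminator entry ends the list
            return items
        if size < 3 or offset + size > len(data):
            raise ValueError("malformed shell item at offset %d" % offset)
        items.append(parse_item(data[offset:offset + size]))
        offset += size
    raise ValueError("shell item list has no terminator")
```

Extension blocks (the creation and access times and the long name shown in the example) follow the short name and are left unparsed here.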

== See Also ==

* [[Jump Lists]]
* [[LNK]]

== External Links ==

* [http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx MSDN: Introduction to the Shell Namespace (Windows)]
* [http://netez.com/2xExplorer/shellFAQ/bg_shell.html Fundamental Shell Concepts]
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009
* [https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[libfwsi|libfwsi project]], July 2010 (work in progress)
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You're doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], by [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012

[[Category:Data Formats]]

JTAG Forensics (revision as of 19:09, 17 August 2013)

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group]) ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===

JTAG forensics is an acquisition procedure that involves connecting to the device's Test Access Port (TAP), as defined by the IEEE 1149.1 standard, and instructing the processor to transfer the raw data stored on the connected memory chips. JTAGging supported phones can be an extremely effective technique for extracting a full physical image from devices that cannot be acquired by other means.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]