Difference between pages "Shell Item" and "Belkasoft"

From ForensicsWiki

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a "path": each item is unique within its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys of the [[Windows Registry]].

== Format ==

The basic format is a list of entries, each consisting of a (shell item) entry size field followed by the entry data.

There are multiple types of entries to specify different parts of the "path":
* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].

== Example ==

An example of a shell item list taken from '''Calculator.lnk''':

<pre>
shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>
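The entry layout described under Format, and the listing in the example above, as an added Python example that is not part of this wiki page nor code from any of the tools it links. It builds a constructed shell item list for the same path as the Calculator.lnk example (My Computer, C:\, WINDOWS, system32, calc.exe), splits it on the 2-byte size fields, decodes the root folder, volume and file entry item types together with their 0xbeef0004 extension blocks, and reconstructs the path. The field offsets follow the libfwsi "Windows Shell Item format" document listed under External Links; the sample bytes, the helper names and the restriction to extension block version 3 (the version in the example) are this example's own assumptions.

```python
"""Shell item list parser, an added example: layouts follow the libfwsi
"Windows Shell Item format" document; the sample bytes below are constructed."""
import struct
import uuid
from datetime import datetime

# CLSID of "My Computer", the root folder item in the page's Calculator.lnk example.
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")

def fat_decode(date, time):
    """Decode a FAT (MS-DOS) date/time pair: 2-second resolution, no time zone."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def fat_encode(dt):
    """Inverse of fat_decode, used only to build the constructed sample."""
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def split_items(blob):
    """Split on the 2-byte size fields (a size counts itself); size 0 terminates the list."""
    items, pos = [], 0
    while pos + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, pos)
        if size == 0:
            return items
        if size < 3 or pos + size > len(blob):   # reject truncated or nonsense sizes
            raise ValueError(f"bad shell item size {size} at offset {pos}")
        items.append(blob[pos:pos + size])
        pos += size
    raise ValueError("shell item list is not terminated")

def cstring(data, pos):
    """ASCII string up to the first NUL; returns (string, offset after the NUL)."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("ascii"), end + 1

def parse_beef0004(ext):
    """Version-3 0xbeef0004 block: size, version, signature, FAT creation and access
    times, 2 undocumented bytes, localized-name size, UTF-16LE long name at offset 20."""
    size, version, _sig, c_date, c_time, a_date, a_time = struct.unpack_from("<HHIHHHH", ext, 0)
    if version != 3:
        raise NotImplementedError(f"0xbeef0004 version {version}: newer layouts add fields")
    long_name = ext[20:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"extension_size": size, "extension_version": version,
            "creation_time": fat_decode(c_date, c_time),
            "access_time": fat_decode(a_date, a_time), "long_name": long_name}

def parse_item(item):
    """Decode one item according to the class type byte at offset 2."""
    cls = item[2]
    if cls == 0x1F:                       # root folder: sort index byte + CLSID
        return {"type": cls, "sort_order": item[3],
                "folder_identifier": uuid.UUID(bytes_le=item[4:20])}
    if cls & 0x70 == 0x20:                # volume: NUL-terminated name at offset 3
        return {"type": cls, "volume_name": cstring(item, 3)[0]}
    if cls & 0x70 == 0x30:                # file entry: 0x31 directory, 0x32 file
        size, m_date, m_time, attrs = struct.unpack_from("<IHHH", item, 4)
        short_name, pos = cstring(item, 14)
        pos += pos % 2                    # primary name is padded to 16-bit alignment
        entry = {"type": cls, "file_size": size, "modification_time": fat_decode(m_date, m_time),
                 "file_attribute_flags": attrs, "short_name": short_name}
        if pos + 8 <= len(item) and struct.unpack_from("<I", item, pos + 4)[0] == 0xBEEF0004:
            entry.update(parse_beef0004(item[pos:pos + struct.unpack_from("<H", item, pos)[0]]))
        return entry
    raise ValueError(f"unsupported shell item class type 0x{cls:02x}")

def parse_list(blob):
    return [parse_item(item) for item in split_items(blob)]

def reconstruct_path(entries):
    """Join the volume name and the file entry names into a Windows path."""
    path = ""
    for e in entries:
        if "volume_name" in e:
            path = e["volume_name"]
        elif "short_name" in e:
            path = path.rstrip("\\") + "\\" + e.get("long_name", e["short_name"])
    return path

def build_file_entry(cls, name, size, mtime, ctime, atime, attrs):
    """Constructed file entry item with a version-3 0xbeef0004 extension block."""
    body = bytes([cls, 0]) + struct.pack("<I", size) + fat_encode(mtime) + struct.pack("<H", attrs)
    body += name.encode("ascii") + b"\x00"
    body += b"\x00" * ((2 + len(body)) % 2)          # pad to 16-bit alignment
    long_name = name.encode("utf-16-le") + b"\x00\x00"
    ext = (struct.pack("<HI", 3, 0xBEEF0004) + fat_encode(ctime) + fat_encode(atime)
           + struct.pack("<HH", 0, 0) + long_name + struct.pack("<H", 2 + len(body)))
    body += struct.pack("<H", 2 + len(ext)) + ext    # extension size counts itself
    return struct.pack("<H", 2 + len(body)) + body

def build_sample():
    """Constructed list for the page's example path, with the timestamps printed there."""
    def dec31(h, m, s): return datetime(2010, 12, 31, h, m, s)
    files = [(0x31, "WINDOWS", 0, dec31(13, 28, 48), dec31(13, 26, 18), dec31(13, 28, 52), 0x0010),
             (0x31, "system32", 0, dec31(13, 28, 38), dec31(13, 26, 18), dec31(13, 28, 38), 0x0010),
             (0x32, "calc.exe", 115712, datetime(2003, 3, 25, 12, 0, 0), dec31(13, 6, 6), dec31(13, 6, 6), 0x0020)]
    return (struct.pack("<HBB", 20, 0x1F, 0x50) + CLSID_MY_COMPUTER.bytes_le   # root folder item
            + struct.pack("<HB", 7, 0x2F) + b"C:\\\x00"                        # volume item
            + b"".join(build_file_entry(*f) for f in files) + b"\x00\x00")     # items + terminator

if __name__ == "__main__":
    entries = parse_list(build_sample())
    for e in entries:
        print("\n".join(f"shell item {k.replace('_', ' '):<24}: {v}" for k, v in e.items()), "\n")
    print("reconstructed path:", reconstruct_path(entries))
```

Running the block prints each item's fields in the same "shell item ..." form as the listing above, followed by the reconstructed path C:\WINDOWS\system32\calc.exe. Two points matter for timeline work: the list is only as trustworthy as its size fields, so the splitter rejects a size that runs past the end of the data instead of reading stale bytes, and FAT date/time values have 2-second resolution and carry no time zone, so the zone shown next to them is whatever the printing tool assumes, not something stored in the item.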

== See Also ==
* [[Jump Lists]]
* [[LNK]]

== External Links ==
* [http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx MSDN: Introduction to the Shell Namespace (Windows)]
* [http://netez.com/2xExplorer/shellFAQ/bg_shell.html Fundamental Shell Concepts]
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009
* [https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[libfwsi|libfwsi project]], July 2010 (work in progress)
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You're doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], by [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012

[[Category:Data Formats]]

Latest revision of "Belkasoft" as of 09:21, 8 June 2014

'''About Belkasoft'''

Belkasoft has been a computer and mobile phone forensic software manufacturer since 2002. The company develops a range of forensic products aimed at law enforcement officials, investigators and experts in IT security and intelligence. The company delivers solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.

'''Products'''

The company's flagship product is '''Belkasoft Evidence Center''', an all-in-one solution for searching, analysing, managing and sharing digital evidence discovered on suspects' hard drives and RAM. Supported types of evidence include information found in instant messenger logs, internet browser histories, mailboxes of popular email clients, social network remnants, peer-to-peer data, multi-player game chats, office documents, pictures, videos, encrypted files, mobile backups and system files. Belkasoft Evidence Center is available in four major editions: Chat Analyzer, Chat & Social Analyzer, Professional, and Ultimate. The fifth, Enterprise, edition brings in centralized evidence processing with server-based operation and user-level permission management. A Portable edition requiring no installation and running off a USB pen drive is also available.

'''Belkasoft Forgery Detection''' offers the ability to discover digital pictures that were altered, modified or otherwise manipulated. The tool applies a range of image analysis algorithms and a decisive neural network to produce a single numeric estimate of an image's authenticity.

In addition to commercial products, Belkasoft offers a range of free forensic tools.

'''Belkasoft Facebook Profile Saver''' captures information publicly available in Facebook profiles. This small utility is designed for computer forensic and security specialists who need to automate the downloading of Facebook pages to their local computers. A local copy of public Facebook pages may be required for performing investigations and/or presented as court evidence.

'''Belkasoft Live RAM Capturer''' is a tiny free forensic tool to reliably extract the entire content of the computer's volatile memory, even if it is protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with any forensic tool, including Live RAM Analysis in Belkasoft Evidence Center.

'''Belkasoft Evidence Reader''' enables Evidence Center users to share evidence collected with the main suite. Users of Evidence Reader can access evidence collected during an investigation from any computer, even if Belkasoft Evidence Center is not installed on that PC.

'''Customer Base'''

Belkasoft customers include government and private organizations in more than 60 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.

'''Credentials'''

Belkasoft's D-U-N-S number is 683524694. Belkasoft's NATO Commercial and Government Entity (NCAGE, also CAGE) code is SKF09. Belkasoft is also registered in Central Contractor Registration (CCR), ORCA and WAWF. Belkasoft is a registered trademark.

== External Links ==
* [http://belkasoft.com/ Official website]

[[Category:Vendors]]