Windows

From Forensics Wiki
{{Expand}}

'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].

There are 2 main branches of Windows:

* the DOS-branch: e.g. Windows 95, 98, ME
* the NT-branch: e.g. Windows NT 4, 2000, XP, Vista, 7, 8 and the Windows Server editions

== Features ==

* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx MSDN: Basic and Dynamic Disks]

=== Introduced in Windows NT ===

* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===

* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME
  
==== SP2 ====

* Windows Firewall

=== Introduced in Windows Server 2003 ===

* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===

* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===

* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===

* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; was initially available only in the Windows 8 server edition (Windows Server 2012)

=== Introduced in Windows Server 2012 ===

* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===

Default partition layout, first partition starts:

* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7

=== Filesystems ===

* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===

==== RECYCLER ====

Used by Windows 2000, XP on NTFS volumes (FAT volumes use RECYCLED).

Uses INFO2 file.

See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]

==== $RECYCLE.BIN ====

Used by Windows Vista and later.

Uses $I and $R files: the $I file holds the metadata of a deleted file (original path, original size and deletion time) and the $R file with the same suffix holds its content. Both live under a per-user SID subdirectory of $RECYCLE.BIN.

See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
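As an added example (not code from this page or from the linked paper), the following Python parser reads the $I metadata record described above. The version 1 layout it uses for Vista/7/8 (8-byte version, 8-byte original file size, 8-byte FILETIME deletion time, 520 bytes of UTF-16 original path) is the documented one; the version 2 branch for Windows 10 (a 32-bit character count followed by the path) goes beyond what the page covers and is stated as an assumption. The sample record, the function names and `matching_r_name` are mine, constructed for the example.

```python
"""Parse the $I metadata records that $RECYCLE.BIN keeps beside each deleted file's $R content file."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<QQQ")       # version, original file size, deletion time (FILETIME)
V1_PATH_BYTES = 520                  # version 1 (Vista/7/8): fixed 260 UTF-16 characters


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Return version, original size, deletion time and original path of one $I record."""
    if len(data) < HEADER.size:
        raise ValueError("record shorter than the 24-byte $I header")
    version, file_size, deleted = HEADER.unpack_from(data, 0)
    if version == 1:
        raw_path = data[HEADER.size:HEADER.size + V1_PATH_BYTES]
        if len(raw_path) != V1_PATH_BYTES:
            raise ValueError("truncated version 1 path field")
    elif version == 2:  # Windows 10 layout (assumption): 32-bit character count, then the path
        (chars,) = struct.unpack_from("<I", data, HEADER.size)
        raw_path = data[HEADER.size + 4:HEADER.size + 4 + chars * 2]
        if len(raw_path) != chars * 2:
            raise ValueError("truncated version 2 path field")
    else:
        raise ValueError("unsupported $I version %d" % version)
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "file_size": file_size,
            "deleted_time": filetime_to_datetime(deleted), "original_path": path}


def matching_r_name(i_name):
    """The content file has the same random suffix with $I replaced by $R."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]


def build_dollar_i(version, file_size, deleted_time, original_path):
    """Construct a record in either layout; used only for the sample below."""
    header = HEADER.pack(version, file_size, datetime_to_filetime(deleted_time))
    encoded = original_path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed sample: a copy of calc.exe deleted from a user's desktop on a Windows 7 system.
SAMPLE_DOLLAR_I = build_dollar_i(1, 115712, datetime(2010, 12, 31, 13, 28, 48, tzinfo=timezone.utc),
                                 "C:\\Users\\analyst\\Desktop\\calc.exe")
```

Feed `parse_dollar_i` the bytes of a real `$I` file taken from an image and pair the result with the `$R` file via `matching_r_name`; the deletion time is already in UTC, so no time zone correction is needed before it goes into a timeline.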
 
 
=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===

See [[Windows Desktop Search]]

=== Setup log files (setupapi.log) ===

Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After (at least) Windows 7 resumes from sleep/hibernation there often is a system time change event (event ID 1, source Microsoft-Windows-Kernel-General) in the System event log.
=== Users ===

Windows stores the Security identifier (SID) of every user profile as a subkey of the following registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The ProfileImagePath value under the %SID% subkey holds the profile directory and therefore usually also the username.
=== Windows Error Reporting (WER) ===

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>
== Advanced Format (4KB Sector) Hard Drives ==

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

The default partition layouts listed under Forensics show the problem: a first partition starting at sector 63 is not 4 KiB aligned (63 × 512 = 32256 bytes), whereas the Vista and later default of sector 2048 starts on a 1 MiB boundary.
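As an added example that is not part of the original page, the following Python routine reads the partition table from the first sector of a disk image and applies the two defaults above (sector 63 for Windows 2000/XP/2003, sector 2048 for Vista/2008/7) as a layout hint together with a 4 KiB alignment check. The offsets it uses (table at byte 446, four 16-byte entries, 0x55AA signature at byte 510) are the standard MBR layout; the two sample sectors are constructed inline, and the `layout_hint` heuristic and all names are mine.

```python
"""Read an MBR partition table and report where each partition starts and whether it is 4 KiB aligned."""
import struct

LOGICAL_SECTOR = 512        # MBR LBAs count 512-byte logical sectors, also on 512e Advanced Format drives
PHYSICAL_SECTOR = 4096      # Advanced Format physical sector size
TABLE_OFFSET, ENTRY_SIZE, SIGNATURE_OFFSET = 446, 16, 510


def parse_mbr(sector0):
    """Return the non-empty entries of the classic 4-slot partition table in the first sector."""
    if len(sector0) < 512 or sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature; not an MBR")
    partitions = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:
            continue
        partitions.append({
            "slot": slot, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
            "gpt_protective": ptype == 0xEE,  # the real layout is in the GPT, not in this table
            "aligned_4k": (lba_start * LOGICAL_SECTOR) % PHYSICAL_SECTOR == 0,
        })
    return partitions


def layout_hint(partitions):
    """Map the lowest start sector to the default layouts listed on the page (a hint, not proof)."""
    if not partitions:
        return "empty table"
    start = min(p["lba_start"] for p in partitions)
    if start == 63:
        return "sector 63: Windows 2000/XP/2003 default, not 4 KiB aligned"
    if start == 2048:
        return "sector 2048: Windows Vista/2008/7 default, 1 MiB aligned"
    return "sector %d: non-default layout" % start


def build_mbr(entries):
    """Construct a sector 0 from (bootable, type, lba_start, sectors) tuples; sample data, not a real disk."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, count)
                     for boot, ptype, start, count in entries)
    return b"\x00" * TABLE_OFFSET + table.ljust(4 * ENTRY_SIZE, b"\x00") + b"\x55\xaa"


# Constructed samples: an XP-era single NTFS partition, and a Vista/7 layout with its 100 MiB system partition.
SAMPLE_MBR_XP = build_mbr([(True, 0x07, 63, 41929587)])
SAMPLE_MBR_VISTA = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41725952)])
```

On a real image, pass the first 512 bytes of the device to `parse_mbr`; a single 0xEE entry means the disk is GPT partitioned and the protective MBR tells you nothing about the Windows version that created it.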
  
== %SystemRoot% ==

The actual value of %SystemRoot% is stored in the following registry value:

<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>
  
 
== See Also ==

* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013

=== Malware/Rootkits ===

* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Tracking removable media ===

* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===

* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

==== MSI ====

* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====

* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

==== Application Experience and Compatibility ====

* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013

==== System Restore (Restore Points) ====

* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====

* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====

* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== USB ====

* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====

* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====

* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010

==== Windows Firewall ====

* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====

* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===

* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]
Shell Item

Revision as of 01:21, 5 December 2013

The Windows Shell uses Shell Items (or a Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a "path": each item is only meaningful relative to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] files and in the ShellBags keys of the [[Windows Registry]].

== Format ==

The basic format is a list, consisting of entries that each start with a 16-bit (shell item) entry size value (field) followed by the entry data; an entry size of 0 terminates the list.

There are multiple types of entries to specify different parts of the "path":

* root folder (identified by a CLSID, e.g. My Computer in the example below)
* volume
* network share
* file and directory
* URI

Some shell item entries contain date and time values which can be used in [[Timeline Analysis]]. File and directory entries store these as FAT date and time values, so they have a 2-second resolution; the creation and access times live in an extension block whose layout depends on the Windows version that wrote the entry.
== Example ==

An example of a shell item list taken from '''Calculator.lnk''' (the extension block version 3 seen below is the Windows XP layout; class type 0x31 marks a directory and 0x32 a file):

<pre>
shell item type                     : 0x1f
shell item sort order               : 0x50
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
shell item folder name              : My Computer

shell item type                     : 0x2f
shell item volume name              : C:\

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:48 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : WINDOWS
shell item extension size           : 38
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:52 UTC
shell item long name                : WINDOWS

shell item type                     : 0x31
shell item file size                : 0
shell item modification time        : Dec 31, 2010 13:28:38 UTC
shell item file attribute flags     : 0x0010
        Is directory (FILE_ATTRIBUTE_DIRECTORY)

shell item short name               : system32
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:26:18 UTC
shell item access time              : Dec 31, 2010 13:28:38 UTC
shell item long name                : system32

shell item type                     : 0x32
shell item file size                : 115712
shell item modification time        : Mar 25, 2003 12:00:00 UTC
shell item file attribute flags     : 0x0020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)

shell item short name               : calc.exe
shell item extension size           : 40
shell item extension version        : 3
shell item creation time            : Dec 31, 2010 13:06:06 UTC
shell item access time              : Dec 31, 2010 13:06:06 UTC
shell item long name                : calc.exe
</pre>
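The list structure from the Format section and the Calculator.lnk output above, as an added Python example that is not code from this page, from libfwsi or from any other project the page links to. It walks the size-prefixed list, decodes the three entry types that occur in the example (root folder, volume, file entry) and leaves the others undecoded. The file entry offsets it assumes (class type byte, reserved byte, 32-bit file size, FAT modification date stored as date then time, 16-bit attributes, null-terminated short name padded to 16 bits, then a 0xbeef0004 extension block whose version 3 layout carries creation time, access time, a 2-byte identifier, 2 unknown bytes, the UTF-16 long name and a trailing 2-byte offset) are the XP-era layout as understood from public reverse engineering and are stated here as assumptions; the sample list is constructed inline to reproduce the example above, including its extension sizes of 38 and 40. All names are mine.

```python
"""Parse a Windows shell item list (ITEMIDLIST), e.g. the LinkTargetIDList of a LNK file."""
import struct
import uuid
from datetime import datetime

KNOWN_FOLDER_CLSIDS = {"20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer"}  # only the page's example
EXTENSION_BEEF0004 = 0xBEEF0004  # file entry extension block: creation/access time and long name


def fat_datetime(raw):
    """4 bytes of FAT date/time: 16-bit date then 16-bit time (2 s resolution); None if unset."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def fat_bytes(dt):  # inverse of fat_datetime, used only to construct the sample
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def parse_file_entry(item):
    """File entry item (class type 0x30-0x3f); offsets are the assumed XP-era layout (see lead-in)."""
    entry = {"type": item[2], "file_size": struct.unpack_from("<I", item, 4)[0],
             "modification_time": fat_datetime(item[8:12]),
             "attributes": struct.unpack_from("<H", item, 12)[0]}
    end = item.index(b"\x00", 14)
    entry["short_name"] = item[14:end].decode("ascii")
    offset = end + 1 + ((end + 1) & 1)  # short name is padded to a 16-bit boundary
    if offset + 16 > len(item):
        return entry  # no extension block
    ext_size, ext_version, signature = struct.unpack_from("<HHI", item, offset)
    if signature != EXTENSION_BEEF0004:
        return entry
    entry.update(extension_size=ext_size, extension_version=ext_version,
                 creation_time=fat_datetime(item[offset + 8:offset + 12]),
                 access_time=fat_datetime(item[offset + 12:offset + 16]))
    if ext_version == 3:  # XP: identifier (2), unknown (2), UTF-16 long name, trailing offset (2);
        name = item[offset + 20:offset + ext_size - 2].decode("utf-16-le")  # later versions differ
        entry["long_name"] = name.split("\x00", 1)[0]
    return entry

def parse_item(item):
    class_type = item[2]
    if class_type == 0x1F:  # root folder, identified by a CLSID
        clsid = str(uuid.UUID(bytes_le=item[4:20]))
        return {"type": class_type, "sort_order": item[3], "folder_identifier": clsid,
                "folder_name": KNOWN_FOLDER_CLSIDS.get(clsid, "unknown")}
    if class_type == 0x2F:  # volume, null-terminated ASCII name such as "C:\"
        return {"type": class_type, "volume_name": item[3:item.index(b"\x00", 3)].decode("ascii")}
    if class_type & 0x70 == 0x30:
        return parse_file_entry(item)
    return {"type": class_type, "data": item[3:]}  # network share, URI, ...: left undecoded

def parse_idlist(data):
    """Walk the list: every item starts with its total size; a size of 0 terminates the list."""
    items, offset = [], 0
    while offset + 2 <= len(data):
        size = struct.unpack_from("<H", data, offset)[0]
        if size == 0:
            break
        if size < 3 or offset + size > len(data):
            raise ValueError("corrupt item size %d at offset %d" % (size, offset))
        items.append(parse_item(data[offset:offset + size]))
        offset += size
    return items

def reconstruct_path(items):
    """Join the volume name and the file entry names into the path the list describes."""
    parts = []
    for it in items:
        if "volume_name" in it:
            parts.append(it["volume_name"].rstrip("\\"))
        elif "short_name" in it:
            parts.append(it.get("long_name", it["short_name"]))
    return "\\".join(parts)

def _item(body):
    return struct.pack("<H", len(body) + 2) + body

def build_file_entry(class_type, file_size, mtime, attrs, short_name, ctime, atime, long_name):
    """Construct an XP-style file entry with a version 3 extension block (sample data only)."""
    body = struct.pack("<BBI", class_type, 0, file_size) + fat_bytes(mtime) + struct.pack("<H", attrs)
    body += short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) & 1)
    name = long_name.encode("utf-16-le") + b"\x00\x00"
    ext = struct.pack("<HHI", 22 + len(name), 3, EXTENSION_BEEF0004) + fat_bytes(ctime) + fat_bytes(atime)
    ext += struct.pack("<HH", 0x0014, 0) + name + struct.pack("<H", len(body) + 2)
    return _item(body + ext)

# Constructed to reproduce the Calculator.lnk example above (0x10 = directory, 0x20 = archive attribute).
SAMPLE_IDLIST = b"".join([
    _item(bytes([0x1F, 0x50]) + uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le),
    _item(b"\x2fC:\\\x00".ljust(23, b"\x00")),
    build_file_entry(0x31, 0, datetime(2010, 12, 31, 13, 28, 48), 0x10, "WINDOWS",
                     datetime(2010, 12, 31, 13, 26, 18), datetime(2010, 12, 31, 13, 28, 52), "WINDOWS"),
    build_file_entry(0x31, 0, datetime(2010, 12, 31, 13, 28, 38), 0x10, "system32",
                     datetime(2010, 12, 31, 13, 26, 18), datetime(2010, 12, 31, 13, 28, 38), "system32"),
    build_file_entry(0x32, 115712, datetime(2003, 3, 25, 12, 0, 0), 0x20, "calc.exe",
                     datetime(2010, 12, 31, 13, 6, 6), datetime(2010, 12, 31, 13, 6, 6), "calc.exe"),
]) + b"\x00\x00"
```

`parse_idlist(SAMPLE_IDLIST)` yields the five entries of the example and `reconstruct_path` turns them into `C:\WINDOWS\system32\calc.exe`. Because the format is undocumented and version dependent, the parser only trusts a 0xbeef0004 block whose version is 3; entries written by Vista and later carry a larger block (more fields before the long name), and a parser that assumed the XP offsets there would read garbage as the long name, so the code leaves `long_name` unset rather than guess.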

== See Also ==

* [[Jump Lists]]
* [[LNK]]

== External Links ==

* [http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx MSDN: Introduction to the Shell Namespace (Windows)]
* [http://netez.com/2xExplorer/shellFAQ/bg_shell.html Fundamental Shell Concepts]
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009
* [https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[libfwsi|libfwsi project]], July 2010 (work in progress)
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], by [[Jamie Levy]], September 2012
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012
* [http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html Shellbags Forensics: Addressing a Misconception (interpretation, step-by-step testing, new findings, and more)], by Dan Pullega, December 4, 2013

[[Category:Data Formats]]