Difference between pages "Shell Item" and "Golden G. Richard III"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A
 
Shell Item list is much like a "path", and is unique to its parent folder. The format of the Shell Item
 
is undocumented and varies between Windows versions.
 
  
The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] file and the ShellBags key in the [[Windows Registry]].
+
Golden G. Richard III is Professor of Computer Science, University Research Professor, and Director of the Greater New Orleans Center for Information Assurance (GNOCIA) at the University of New Orleans, where he has taught and done research in cybersecurity, operating systems internals, reverse engineering, and malware analysis since 1994.  Golden earned a Ph.D. in Computer Science from The Ohio State University in 1995.  He is also the Founder and Owner of Arcane Alloy, LLC, a private digital forensics and cybersecurity firm, the original author of the [[Scalpel]] file [[Carving|carving]] tool, a pioneer in applying high performance computing principles to digital forensics, and a professional music photographer.
  
== Format ==
+
He maintains a [[Blogs|blog]] called "Outlook Purple" and can be found on Twitter at @nolaforensix.
  
The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
+
== See Also ==
  
There are multiple types of entries to specify different parts of the "path":
+
[[Forensics on GPUs]]
* volume
+
* network share
+
* file and directory
+
* URI
+
 
+
Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].
+
 
+
== Example ==
+
An example of a shell item list taken from '''Calculator.lnk'''
+
 
+
<pre>
+
shell item type                    : 0x1f
+
shell item sort order              : 0x50
+
shell item folder identifier        : 20d04fe0-3aea-1069-a2d8-08002b30309d
+
shell item folder name              : My Computer
+
 
+
shell item type                    : 0x2f
+
shell item volume name              : C:\
+
 
+
shell item type                    : 0x31
+
shell item file size                : 0
+
shell item modification time        : Dec 31, 2010 13:28:48 UTC
+
shell item file attribute flags    : 0x0010
+
        Is directory (FILE_ATTRIBUTE_DIRECTORY)
+
 
+
shell item short name              : WINDOWS
+
shell item extension size          : 38
+
shell item extension version        : 3
+
shell item creation time            : Dec 31, 2010 13:26:18 UTC
+
shell item access time              : Dec 31, 2010 13:28:52 UTC
+
shell item long name                : WINDOWS
+
 
+
shell item type                    : 0x31
+
shell item file size                : 0
+
shell item modification time        : Dec 31, 2010 13:28:38 UTC
+
shell item file attribute flags    : 0x0010
+
        Is directory (FILE_ATTRIBUTE_DIRECTORY)
+
 
+
shell item short name              : system32
+
shell item extension size          : 40
+
shell item extension version        : 3
+
shell item creation time            : Dec 31, 2010 13:26:18 UTC
+
shell item access time              : Dec 31, 2010 13:28:38 UTC
+
shell item long name                : system32
+
 
+
shell item type                    : 0x32
+
shell item file size                : 115712
+
shell item modification time        : Mar 25, 2003 12:00:00 UTC
+
shell item file attribute flags    : 0x0020
+
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)
+
 
+
shell item short name              : calc.exe
+
shell item extension size          : 40
+
shell item extension version        : 3
+
shell item creation time            : Dec 31, 2010 13:06:06 UTC
+
shell item access time              : Dec 31, 2010 13:06:06 UTC
+
shell item long name                : calc.exe
+
</pre>
+
 
+
== See Also ==
+
* [[Jump Lists]]
+
* [[LNK]]
+
  
 
== External Links ==
 
== External Links ==
  
* [http://msdn.microsoft.com/en-us/library/windows/desktop/cc144090(v=vs.85).aspx MSDN: Introduction to the Shell Namespace (Windows)]
+
* [http://www.cs.uno.edu/~golden/ Official website]
* [http://netez.com/2xExplorer/shellFAQ/bg_shell.html Fundamental Shell Concepts]
+
* [http://www.arcanealloy.com / Arcane Alloy, LLC]
* [http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf MiTeC Registry Analyser], by [[Allan Hay|Allan S Hay]], December 2004
+
* [http://outlookpurple.blogspot.com / Outlook Purple]
* [http://computer-forensics.sans.org/blog/2008/10/31/shellbags-registry-forensics/ ShellBags Registry Forensics], by johnmccash, October 2008
+
* [http://www.highisomusic.com / High ISO Music]
* [http://42llc.net/?p=385 Shell Bag Format Analysis], by [[Yogesh Khatri]], October 2009 (appears to be no longer available)
+
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, 2009
+
* [https://googledrive.com/host/0B3fBvzttpiiSajVqblZQT3FYZzg/Windows%20Shell%20Item%20format.pdf Windows Shell Item format], by the [[libfwsi|libfwsi project]], July 2010 (work in progress)
+
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010
+
* [http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics], by [[Willi Ballenthin]]
+
* [http://code.google.com/p/regripper/wiki/ShellBags RegRipper - ShellBags], by [[Harlan Carvey]]
+
* [http://volatility-labs.blogspot.ca/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes], [[Jamie Levy]], September 2012
+
* [http://windowsir.blogspot.ch/2012/10/shellbag-analysis-revisitedsome-testing.html Shellbag Analysis, Revisited...Some Testing], by [[Harlan Carvey]], October 2012
+
* [http://tech.groups.yahoo.com/group/win4n6/message/7623 Shellbag research], by [[Sebastien Bourdon-Richard]], October 2012
+
* [http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html Shellbags Forensics: Addressing a Misconception (interpretation, step-by-step testing, new findings, and more)], by Dan Pullega, December 4, 2013
+
  
[[Category:Data Formats]]
+
[[Category:People]]
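Review bot: the external links added on the Golden G. Richard III side have a space between the URL and the slash, e.g. `[http://www.arcanealloy.com / Arcane Alloy, LLC]`, so MediaWiki treats "/ Arcane Alloy, LLC" as the link label and renders a leading slash; the same applies to the Outlook Purple and High ISO Music links. Drop the stray "/ " so each reads `[http://www.arcanealloy.com Arcane Alloy, LLC]`. The lone `[[Forensics on GPUs]]` under the new page's See Also heading is also unbulleted, unlike the `* [[Jump Lists]]` style used in the Shell Item page's See Also list; prefix it with "* " for consistency.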

Revision as of 16:32, 28 January 2014
