Tuesday, December 3, 2013

Final Summary

     My paper is complete and I have learned a lot from doing it. For creation behavior, I learned what caused ShellBag entries to be created and how that changed based on where the folder was located. The location of a folder determines when a ShellBag entry is created. However, it was consistent across all locations that if a user visited a folder they had not visited before, a ShellBag entry was created. The graphic below maps out some of the common locations where users create folders and how each handles when ShellBag entries are created.


     Update behavior for ShellBags follows a different set of rules. It appears the actions that cause a ShellBag entry to be updated are the same in all locations. These actions include creating a folder, creating a file and saving a file. When a folder has its ShellBag entry updated, it does not just update that one folder. It updates all of the folders that share a parent folder with it (its siblings). It does not update any subfolders of the folder that is updated. The graphic below explains that concept.
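One way to apply this update rule when reading parsed ShellBag timestamps, as an added example that is not part of the blog and not the output of sbag or RegRipper: because a single action in one folder refreshes the entries of every folder under the same parent, a cluster of identical last-write times among siblings is not proof that each sibling was visited. The script below groups entries by parent folder and timestamp and labels each entry as "shared" or "unique"; the folder paths, the hive names and the timestamps are constructed, and the grouping heuristic is an assumption built from the paragraph above rather than something the blog itself states.

```python
from collections import defaultdict
import ntpath

# Constructed sample ShellBag entries (path, hive, last-write time as an ISO
# string): not real data. The Documents siblings Champlain and Research share
# one timestamp; the Desktop folder shares it too but has a different parent,
# so it must not be grouped with them.
SAMPLE_ENTRIES = [
    ("C:\\Users\\Chad\\Documents\\Champlain", "USRCLASS.DAT", "2013-11-30T14:05:10"),
    ("C:\\Users\\Chad\\Documents\\Research", "USRCLASS.DAT", "2013-11-30T14:05:10"),
    ("C:\\Users\\Chad\\Documents\\Research\\Drafts", "USRCLASS.DAT", "2013-11-28T09:00:00"),
    ("C:\\Users\\Chad\\Documents\\Taxes", "USRCLASS.DAT", "2013-10-02T08:30:00"),
    ("C:\\Users\\Chad\\Desktop\\Old", "NTUSER.DAT", "2013-11-30T14:05:10"),
]


def parent_of(path):
    """Parent folder of a Windows path, ignoring a trailing backslash."""
    return ntpath.dirname(path.rstrip("\\"))


def sibling_update_groups(entries):
    """Return {(parent, timestamp): [paths]} for every timestamp carried by two
    or more folders under the same parent. Subfolders of a member are not
    pulled in, matching the observation that updates do not descend."""
    buckets = defaultdict(list)
    for path, _hive, timestamp in entries:
        buckets[(parent_of(path), timestamp)].append(path)
    return {key: sorted(paths) for key, paths in buckets.items() if len(paths) > 1}


def timestamp_evidence(entries):
    """Label each entry 'shared' when a sibling carries the same last-write
    time (the update may have come from activity in the sibling rather than a
    visit to this folder) or 'unique' when no sibling does."""
    groups = sibling_update_groups(entries)
    return {
        path: ("shared" if (parent_of(path), timestamp) in groups else "unique")
        for path, _hive, timestamp in entries
    }


if __name__ == "__main__":
    for path, label in timestamp_evidence(SAMPLE_ENTRIES).items():
        print(f"{label:6}  {path}")
```

A "shared" label is a prompt to look for corroborating evidence (file system MAC times, LNK files, the contents of the sibling folders) before treating the timestamp as a visit to that specific folder; a "unique" timestamp is the stronger signal that the user actually opened it.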



     This work is important because it helps investigators better understand an important part of the Windows Registry. Knowing what actions cause a ShellBag entry to be created and updated helps investigators piece together a timeline that can be used to figure out what folders the user actually visited. It can also be useful for checking whether the user visited folders on network shares that they should not have been accessing. There is still more work to be done, particularly on update behavior, but I am happy with what I accomplished.

     Thank you for reading and if you have any questions feel free to post them in the comments below. 

Monday, October 21, 2013

Removable Device Problems

What an Android phone looks like in Windows Explorer
It’s been a few weeks since I last updated. One of the problems that I ran into with my research was figuring out the difference between removable devices. For this I used an Android phone, a couple of flash drives and an iPhone. When I used sbag I was only able to see what appeared to be a disk UUID of the device, so you cannot tell what kind of device it is. You cannot tell what folders they opened on the device, but you can tell they opened multiple folders. Each folder is given a different entry, but there is no way to tell which folder was visited. This is a problem because it becomes harder to figure out what devices they might have stored data on.
ShellBag entries in sbag for the Android phone
However, using RegRipper I was able to get around this problem. RegRipper correctly parses the device's name, so it allowed me to see the device name as it shows up when it is plugged into the computer. I can also mostly see what folders they went to. The one exception is that on the iPhone it does not record the folders below the internal storage one. That is not a big deal, because on an iPhone that is not jailbroken there is only one folder path. You can tell exactly what kind of Android phone is plugged in, but I do not think you can tell what kind of iPhone was plugged in.
ShellBag Entries in RegRipper for the same Android phone

I am almost done with my research and have started writing a paper on my findings, which will be done in December at the latest. In the meantime I will update a few more times on a few different parts of my research. If anyone has a preference for what topics I cover or has any questions, please leave a comment below. Thanks for reading.

Friday, September 27, 2013

First Update

I have started doing my research into ShellBags. It appears that depending on the location of the folder ShellBag entries are created at different times.

On the Desktop, if the folder is visited by the user, the ShellBag entry is created immediately. If the ShellBag entry is not created before shutdown, it will be created on shutdown. So far I have not been able to create a folder on the Desktop that does not have a ShellBag entry after shutdown.


If you create a folder in the root of the C drive, a ShellBag entry is immediately created even if you do not visit it. This behavior appears to continue down into a user profile. Once you get into the Documents folder things change. I have not quite figured out the behavior in the Documents folder yet, because the Windows path to the Documents folder is C:\Users\Chad\Documents, while the path you get when you click Documents under the Libraries tab is Libraries\Documents. So you get entries that look like the one below.
This is what the ShellBag entry looks like if someone goes to the folder Champlain through Library\Documents

The normal path should look like this.
Another thing that I have noticed is that there is a pattern to what the two Windows Registry files that contain ShellBag information, USRCLASS.DAT and NTUSER.DAT, each hold. The NTUSER.DAT file has the ShellBag keys of things located on the Desktop, and USRCLASS.DAT shows all the other places. So if you know a folder was on the Desktop, you can look straight at the NTUSER.DAT file instead of having to go through both.
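The two observations above (Desktop entries in NTUSER.DAT and everything else in USRCLASS.DAT; the same folder reachable as C:\Users\Chad\Documents\... or as Libraries\Documents\...) can be turned into a small triage helper. The script below is an added example, not code from the blog, sbag or RegRipper: it picks the hive to check first for a given folder and folds the library form of a path onto the file-system form so that two entries for the same folder line up in a timeline. The username "Chad" is taken from the blog's path; the sample entries and timestamps are constructed, and the mapping of Libraries\Documents onto the user's own Documents folder is an assumption (a Documents library can include other locations, which this helper ignores).

```python
import ntpath

# Path prefix Explorer shows when the folder is reached through the library.
LIBRARY_DOCUMENTS = "Libraries\\Documents"


def _is_under(path, root):
    """Case-insensitive 'path equals root or lies beneath it' for Windows paths."""
    p = ntpath.normcase(path.rstrip("\\"))
    r = ntpath.normcase(root.rstrip("\\"))
    return p == r or p.startswith(r + "\\")


def hive_for_folder(path, user):
    """Hive to check first: Desktop folders were seen in NTUSER.DAT, every
    other location in USRCLASS.DAT (the blog's observation)."""
    desktop = ntpath.join("C:\\Users", user, "Desktop")
    return "NTUSER.DAT" if _is_under(path, desktop) else "USRCLASS.DAT"


def normalize_library_path(path, user):
    """Map 'Libraries\\Documents\\X' onto 'C:\\Users\\<user>\\Documents\\X'.
    Assumption (not from the blog): the Documents library points only at the
    user's own Documents folder. Other paths are returned unchanged."""
    if not _is_under(path, LIBRARY_DOCUMENTS):
        return path
    rest = path[len(LIBRARY_DOCUMENTS):].strip("\\")
    base = ntpath.join("C:\\Users", user, "Documents")
    return ntpath.join(base, rest) if rest else base


def merge_entries(entries, user):
    """Collapse entries that name the same folder in either path form.
    Returns {folder: {"hive": ..., "raw_paths": [...], "last_write": latest}}
    so the examiner sees one row per folder but keeps every raw path."""
    merged = {}
    for raw_path, last_write in entries:
        folder = normalize_library_path(raw_path, user)
        record = merged.setdefault(folder, {
            "hive": hive_for_folder(folder, user),
            "raw_paths": [],
            "last_write": last_write,
        })
        record["raw_paths"].append(raw_path)
        # ISO-8601 strings compare chronologically, so max() keeps the latest.
        record["last_write"] = max(record["last_write"], last_write)
    return merged


# Constructed sample entries (raw path as a parser would show it, last-write
# time as an ISO string): not real data.
SAMPLE_ENTRIES = [
    ("Libraries\\Documents\\Champlain", "2013-09-25T10:12:00"),
    ("C:\\Users\\Chad\\Documents\\Champlain", "2013-09-26T16:40:00"),
    ("C:\\Users\\Chad\\Desktop\\Notes", "2013-09-27T08:05:00"),
]


if __name__ == "__main__":
    for folder, record in sorted(merge_entries(SAMPLE_ENTRIES, "Chad").items()):
        print(f"{record['last_write']}  {record['hive']:12}  {folder}  <- {record['raw_paths']}")
```

Keeping the raw paths alongside the merged row matters: the blog's own finding is that the library path and the file-system path produce separate entries, so an examiner who only sees the normalized folder would lose the evidence of which route the user actually took to it.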

I’m working on answering the questions I posted in my first blog post, and I am getting close to answering the rest of them.


Monday, September 9, 2013

ShellBag Forensics

https://blogs.sans.org/computer-forensics/files/2011/06/Shellbags.png
     ShellBag keys are Windows Registry artifacts that keep track of folders that a user has visited. These keys are stored in the NTUSER.DAT and the USRCLASS.DAT hives. Using a tool like Windows ShellBag Parser (sbag) from Tzworks, a forensic examiner can parse the relevant keys to see metadata about folders the user has visited. ShellBags can be useful because they can show that the user visited folders on a removable drive that is missing, or folders they visited that are now deleted.

     Not much is known, however, about what actions cause the ShellBag keys to update their time stamps and how long it takes the keys to update in the Registry. Together with David Cowen, I have come up with some questions that I will try to answer throughout the year.


When browsing in Explorer, what activity triggers the creation of a ShellBag entry if there is no previous entry?

What activity does not trigger the creation of a ShellBag entry if there is no previous entry?

What activity updates an existing ShellBag entry when viewing a directory that has a previous entry?

What activity does not update an existing ShellBag entry when viewing a directory that has a previous entry?

Does creating a new directory cause a ShellBag entry to be created?

Does browsing to a directory with subdirectories cause ShellBags to be created for the subdirectories if they were never visited?

When the MAC times of a directory change, when do the ShellBag MAC times change?

What devices create ShellBag entries when accessed through Explorer (iPods, iPads, iPhones, Android phones), and how do they differ?


How accurate are the last update timestamps for the ShellBag registry keys, and when do they get updated in relation to when the actual visit occurs?

I will try to answer all of the above questions over the course of the next few months. If you have any additional questions, feel free to put them in the comments below and I will try to answer them. I am planning on updating this blog regularly. Thanks for reading.