Not much is known, however, about what actions cause the ShellBags keys to update the time stamps and how long it takes the keys to update in the Registry. Together with David Cowen, I have come up with some questions that I will try to answer throughout the year.
When browsing in Explorer, what activity triggers the creation of a ShellBag entry if there is no previous entry?
What activity does not trigger the creation of a ShellBag entry if there is no previous entry?
What activity updates an existing ShellBag entry when viewing a directory that has a previous entry?
What activity does not update an existing ShellBag entry when viewing a directory that has a previous entry?
Does creating a new directory cause a ShellBag entry to be created?
Does browsing to a directory with subdirectories cause ShellBags to be created for the subdirectories if they were never visited?
When the MAC times of a directory change, when do the ShellBag MAC times change?
What devices create ShellBag entries when accessed through Explorer (iPods, iPads, iPhones, Android phones) and how do they differ?
How accurate are the last update timestamps for the ShellBag registry keys, and when do they get updated in relation to when the actual visit occurs?
I will try to answer all of the above questions over the course of the next few months. If you have any additional questions, feel free to put them in the comments below and I will try to answer them. I am planning on updating this blog regularly. Thanks for reading.