Tuesday, December 3, 2013

Final Summary

     My paper is complete and I have learned a lot from doing it. For creation behavior, I learned what causes ShellBag entries to be created and how that changes based on where the folder is located. The location of a folder determines when its ShellBag entry is created. It was consistent across all locations, however, that when a user visited a folder they had not visited before, a ShellBag entry was created. The graphic below maps out some of the common locations where users create folders and when a ShellBag entry is created for each.


     Update behavior for ShellBags follows a different set of rules. The actions that cause a ShellBag entry to be updated appear to be the same in all locations: creating a folder, creating a file, and saving a file. When a folder's ShellBag entry is updated, it is not the only entry that changes: the entries of all folders that share its parent folder (its siblings) are updated as well. The subfolders of the updated folder are not updated. The graphic below illustrates that concept.



     This work is important because it helps investigators better understand an important part of the Windows Registry. Knowing which actions cause a ShellBag entry to be created or updated helps investigators piece together a timeline of the folders the user actually visited. It can also show whether the user visited folders on network shares that they should not have been accessing. There is still more work to be done, particularly on update behavior, but I am happy with what I accomplished.
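One way to turn the update behavior into the timeline described above is to walk the BagMRU tree and order every key by its registry last-write time, since that timestamp is what an update touches. The script below is an added example, not code from the paper or this blog. It assumes the two standard BagMRU locations under the user's hive (NTUSER.DAT for XP/Vista, UsrClass.dat for Windows 7 and later), that each child subkey "N" is described by the REG_BINARY value "N" in its parent, and that file/folder shell items (type codes 0x30 to 0x3F) carry their short 8.3 name as a NUL-terminated ASCII string at offset 14; only that item type is decoded, everything else is reported by type code. The registry walk needs Windows (winreg); the conversion and sorting helpers run anywhere.

```python
"""Order a live user's ShellBag (BagMRU) keys by registry last-write time.

Added example for the post above, not the author's tooling.  The key paths,
the value-to-subkey mapping and the shell item layout are assumptions
stated in the lead-in, not facts taken from the paper."""
import struct
import sys
from datetime import datetime, timedelta, timezone

# Assumed BagMRU roots, relative to HKEY_CURRENT_USER.
BAGMRU_ROOTS = [
    r"Software\Microsoft\Windows\Shell\BagMRU",
    r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU",
]


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def shell_item_name(data):
    """Best-effort folder name from one shell item stored in a BagMRU value.

    Assumed layout for file/folder items (type & 0x70 == 0x30): 2-byte size,
    1-byte type, 1 unknown byte, 4-byte file size, 4-byte DOS date/time,
    2-byte attributes, then the NUL-terminated short name at offset 14.
    Other item types are not decoded and are reported by type code."""
    if len(data) < 3:
        return "<empty>"
    size, kind = struct.unpack_from("<HB", data, 0)
    if kind & 0x70 == 0x30 and size > 14:
        return data[14:size].split(b"\x00", 1)[0].decode("ascii", "replace")
    return "<type 0x%02x>" % kind


def walk_bagmru(root_path, hive=None):
    """Recursively collect (label, NodeSlot, last_write) for every key under
    a BagMRU root.  Windows only: uses winreg.QueryInfoKey for the key's
    last-write time, which is the timestamp the update behavior changes."""
    import winreg  # imported here so the pure helpers work off Windows
    hive = winreg.HKEY_CURRENT_USER if hive is None else hive
    entries = []

    def visit(path, label):
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            return
        with key:
            n_sub, n_val, last_write = winreg.QueryInfoKey(key)
            slot, names = None, {}
            for i in range(n_val):
                name, value, vtype = winreg.EnumValue(key, i)
                if name == "NodeSlot":
                    slot = value  # index of the matching Bags\<slot> key
                elif name.isdigit() and vtype == winreg.REG_BINARY:
                    names[name] = shell_item_name(value)
            entries.append((label, slot, filetime_to_datetime(last_write)))
            for i in range(n_sub):
                sub = winreg.EnumKey(key, i)
                visit(path + "\\" + sub, label + "\\" + names.get(sub, sub))

    visit(root_path, "BagMRU")
    return entries


def timeline(entries):
    """Oldest first.  Because siblings are updated together, runs of keys
    with the same parent and the same timestamp usually mark one action."""
    return sorted(entries, key=lambda e: e[2])


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on the Windows account under investigation")
    found = []
    for root in BAGMRU_ROOTS:
        found.extend(walk_bagmru(root))
    for label, slot, when in timeline(found):
        print(when.isoformat(), slot, label)
```

Run it as the user whose ShellBags are being examined, or point `walk_bagmru` at a hive loaded under HKEY_USERS by passing that hive and root. The output is only the BagMRU side; matching `NodeSlot` numbers to the `Bags\<slot>` keys is left to the reader.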

     Thank you for reading and if you have any questions feel free to post them in the comments below.