My paper is complete and I have learned a lot from doing it.
For creation behavior I learned what caused ShellBag entries to be created and
how that changed based on where the folder was located. The location of a
folder determines when a ShellBag entry is created. However, it was consistent
across all locations that if a user visited a folder they had not visited
before a ShellBag entry was created. The below graphic maps out some of the
common locations that users create folders and how they handle when ShellBag
entries are created.
Update behavior for ShellBags follows a different set of rules.
It appears the actions that cause a ShellBag entry to be updated are the same in
all locations. These actions include creating a folder, creating a file and
saving a file. When a folder has its
ShellBag entry updated, it does not just update that one folder. It updates all
of the folders that share a folder with it. It also does not update any
subfolders of the folder that is updated. The graphic below explains that
concept.
This work is important because it helps investigators better
understand an important part of the Windows Registry. Knowing what actions
cause a ShellBag entry to be created and updated helps investigators piece together
a time line that can be used to help figure out what folders the user actually
visited. It also can be useful in looking at to see if the user visited folders
on network shares that they should not have been accessing. There is still more
work to be done particularly dealing with update behavior but I am happy with
what I accomplished.
Thank you for reading and if you have any questions feel free to post them in the comments below.
No comments:
Post a Comment