Tuesday, September 25, 2012

MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes

Month of Volatility Plugins

Today's post will cover a Shellbags plugin for Volatility that is currently a work in progress and will be included in Volatility 2.3.

Background

"Shellbags" is a commonly used term to describe a collection of registry keys that allow the "Windows operating system to track user window viewing preferences specific to Windows Explorer". These keys can contain a wealth of information relevant for a forensic investigation and can help paint a clearer picture of user activity on a machine. For example, the following information can be found in Shellbags:
  • Windows sizes and preferences
  • Icon and folder view settings
  • Metadata such as MAC timestamps
  • Most recently used files and file type (zip, directory, installer) 
  • Files, folders, zip files, installers that existed at one point on the system (even if deleted).
  • Network Shares and folders within the shares
  • Metadata associated with any of the above types which may include timestamps and absolute paths
  • True crypt volumes
There has been a lot of research done on extracting Shellbag information from registries on disk, determining the data types used for decoding certain binary registry values, and figuring out how registry values indicate relationships between other registry keys. Here are some references we used, in no particular order:
The Volatility plugin has drawn on this previous research in order to efficiently parse and present Shellbag data from all user hives in memory.

Shellbag Locations

Shellbag entries can be found at the following locations (see Microsoft's KB 813711)
    Windows XP-Windows 7 (NTUSER.DAT)
      HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
      HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
      HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
      HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
      HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
      HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
    Vista+ (UsrClass.dat)
      HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
      HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
    Vista+ x64 (UsrClass.dat)
      HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
      HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
As indicated above these keys are found in the NTUSER.DAT and UsrClass.dat hives depending on the system involved. In testing this plugin against several samples from production 64 bit systems, there were no shellbag entries recovered from the last two key entries. It is not yet apparent how to produce entries under "Wow6432Node" keys, even when conducting experiments on virtual machines invoking a 32 bit explorer on a 64 bit system. Regardless, these keys are supported in the current plugin.

Methodology

The methodology for finding Shellbag data is simple. The plugin uses the RegistryApi to find the user hives and gather the binary values from the appropriate keys and then it parses that data using Shellbag data types and outputs the data. All open user hives are processed by the plugin.

We can see some of the code below, taken from the calculate function:

  1 regapi = registryapi.RegistryApi(self._config)
  2 regapi.reset_current()
  3 regapi.set_current('ntuser.dat')
  4 shellbag_data = []
  5 for bk in BAG_KEYS:
  6     for cat, current_path in regapi.reg_yield_key("ntuser.dat", bk):
  7         keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = cat)]
  8         for key, start in keys:
  9             if key.Name:
 10                 subkeys = [k for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = key)]
 11                 for k in subkeys:
 12                     keys.append((k, start + "\\" + k.Name))
 13                 items = self.parse_key(regapi, current_path, start, given_root = key)
 14                 if len(items) > 0:
 15                     shellbag_data.append((start, current_path, key, items))

Let's go over this line by line.
  • [1] The RegistryApi object is created, registries are searched for and populated. 
  • [2] The current hive of interest is reset (this is in case this plugin is inherited by another). 
  • [3] We set our current registry of interest to "ntuser.dat". This ensures that current actions will take place using all user's "NTUSER" registries. 
  • [4] Since we need to parse through all entries in order to build the folder tree, we save all metadata for later processing in this array. 
  • [5-12] Traverse through the registry keys and subkeys for NTUSER.DAT defined above. 
  • [13] Parse each of these keys and collect the Shellbag objects. 
  • [14-15] If Shellbag objects are collected, save the key path, registry path, key object and list of Shellbag objects for output processing. The same kind of methodology occurs for each of the UsrClass.dat registries as well, if applicable.
Data Structures

Some structures are variable length so they do not have concrete size definitions until runtime. Also some data structures vary depending on operating system. There are two main categories of Shellbag items: ITEMPOS entries and SHELLITEM entries. The ITEMPOS entries "specify locations for icons for a given desktop resolution". The SHELLITEM entries are used to describe files, folders, volumes, network shares and more. We can see the basic types for ITEMPOS and FILE_ENTRY, a SHELLITEM entry below:

>>> dt("SHELLITEM")
'SHELLITEM' (None bytes)
0x0   : Size                           ['unsigned short']
0x2   : Type                           ['unsigned char']

>>> dt("FILE_ENTRY")
'FILE_ENTRY' (None bytes)
0x0   : ShellItem                      ['SHELLITEM']
0x3   : Flags                          ['unsigned char']
0x4   : FileSize                       ['int']
0x8   : Attributes                     ['ATTRIBUTES']

>>> dt("ITEMPOS")
'ITEMPOS' (None bytes)
0x0   : Size                           ['unsigned short']
0x2   : Flags                          ['unsigned short']
0x4   : FileSize                       ['short']
0x8   : Attributes                     ['ATTRIBUTES']

One thing to note about the SHELLITEM definition is the Type field. This is what indicates which type of SHELLITEM entry we are dealing with. Possible type values are below:

SHELL_ITEM_TYPES = { 
    0x00:"UNKNOWN_00",              # Varied
    0x01:"UNKNOWN_01",
    0x2e:"UNKNOWN_2E",              # DEVICE from ShellBagMRU.py in RegistryDecoder
    0x31:"FILE_ENTRY",              # Folder
    0x32:"FILE_ENTRY",              # Zip file
    0xb1:"FILE_ENTRY",              # Hidden folder
    0x1f:"FOLDER_ENTRY",            # System folder
    0x2f:"VOLUME_NAME",
    0x41:"NETWORK_VOLUME_NAME",     # Windows Domain
    0x42:"NETWORK_VOLUME_NAME",     # Computer Name
    0x46:"NETWORK_VOLUME_NAME",     # MS Windows Network
    0x47:"NETWORK_VOLUME_NAME",     # Entire Network
    0xc3:"NETWORK_SHARE",           # Remote Share
    0x61:"URI",
    0x71:"CONTROL_PANEL",
    0x74:"UNKNOWN_74",              # System protected folder
}

Both ITEMPOS and FILE_ENTRY entries contain an ATTRIBUTES section, which contains metadata about the file. The total size is unknown until runtime, since it is dependent on the length of the filename. A definition for XP is shown below:

itempos_types_XP = { 
    'ATTRIBUTES': [ None, {
        'ModifiedDate': [ 0x0, ['DosDate']], 
        'FileAttrs': [ 0x4, ['unsigned short']],
        'FileName': [ 0x6, ['String', dict(length = 14)]], # 8.3 File name
        'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']],
        'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']],
        'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']],
        'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF
        'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate']],
        'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate']],
        'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']],
        'UnicodeFilename': [ lambda x: x.Unknown3.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]],
    } ],
[snip]

Example Raw Data: ITEMPOS Entries

We have seen the definitions for ITEMPOS entries, but we have not seen them in the raw. Below is a raw output of one of the Shellbag keys from one of the Honeynet Forensic Challenge samples. The "ItemPos*" values are highlighted in red and the start of ITEMPOS entries are highlighted in blue below. The data for "ItemPos*" values consists of an array of ITEMPOS entries. Each entry contains a field for the size for its data and there is also a padding section of 8 bytes in between each entry.

$ ./vol.py -f Bob.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\Shell\Bags\1\Desktop"
Volatile Systems Volatility Framework 2.3_alpha
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Desktop (S)
Last updated: 2010-02-26 03:46:27 

Subkeys:

Values:
REG_DWORD     FFlags          : (S) 548
REG_DWORD     Mode            : (S) 1
REG_DWORD     ScrollPos1011x730(1).x : (S) 0
REG_DWORD     ScrollPos1011x730(1).y : (S) 0
REG_DWORD     Sort            : (S) 0
REG_DWORD     SortDir         : (S) 1
REG_DWORD     Col             : (S) 4294967295
REG_BINARY    ColInfo         : (S) 
0x00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  fd df df fd 0f 00 04 00 20 00 10 00 28 00 3c 00   ............(.<.
0x00000020  00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00   ................
0x00000030  b4 00 60 00 78 00 78 00 00 00 00 00 01 00 00 00   ..`.x.x.........
0x00000040  02 00 00 00 03 00 00 00 ff ff ff ff 00 00 00 00   ................
0x00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
REG_BINARY    ScrollPos1171x730(1).y : (S) 0
REG_BINARY    ItemPos1011x730(1) : (S) 
0x00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  b2 03 00 00 6a 02 00 00 14 00 1f 60 40 f0 5f 64   ....j......`@._d
0x00000020  81 50 1b 10 9f 08 00 aa 00 2f 95 4e b2 03 00 00   .P......./.N....
0x00000030  6a 02 00 00 00 00 00 00                           j.......
REG_DWORD     ScrollPos1171x730(1).x : (S) 0
REG_DWORD     ScrollPos1171x730(1).y : (S) 0
REG_BINARY    ItemPos1171x730(1) : (S) 
0x00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  17 00 00 00 02 00 00 00 14 00 1f 48 ba 8f 0d 45   ...........H...E
0x00000020  25 ad d0 11 98 a8 08 00 36 1b 11 03 17 00 00 00   %.......6.......
0x00000030  4f 00 00 00 14 00 1f 50 e0 4f d0 20 ea 3a 69 10   O......P.O...:i.
0x00000040  a2 d8 08 00 2b 30 30 9d 17 00 00 00 9c 00 00 00   ....+00.........
0x00000050  14 00 1f 58 60 2c 8d 20 ea 3a 69 10 a2 d7 08 00   ...X`,...:i.....
0x00000060  2b 30 30 9d bf 03 00 00 6a 02 00 00 14 00 1f 60   +00.....j......`
0x00000070  40 f0 5f 64 81 50 1b 10 9f 08 00 aa 00 2f 95 4e   @._d.P......./.N
0x00000080  17 00 00 00 e9 00 00 00 4e 00 32 00 c0 f8 f7 00   ........N.2.....
0x00000090  5a 3c b3 1d 20 00 41 43 52 4f 42 41 7e 31 2e 45   Z<....ACROBA~1.E
0x000000a0  58 45 00 00 32 00 03 00 04 00 ef be 5a 3c a9 1d   XE..2.......Z<..
0x000000b0  5a 3c b3 1d 14 00 00 00 61 00 63 00 72 00 6f 00   Z<......a.c.r.o.
0x000000c0  62 00 61 00 74 00 36 00 30 00 2e 00 65 00 78 00   b.a.t.6.0...e.x.
0x000000d0  65 00 00 00 1c 00 17 00 00 00 36 01 00 00 5c 00   e.........6...\.
0x000000e0  3a 00 cc 06 00 00 5a 3c cc 1d 20 00 41 44 4f 42   :.....Z<....ADOB
0x000000f0  45 52 7e 31 2e 4c 4e 4b 00 00 40 00 03 00 04 00   ER~1.LNK..@.....
0x00000100  ef be 5a 3c cc 1d 5a 3c cc 1d 14 00 00 00 41 00   ..Z<..Z<......A.
0x00000110  64 00 6f 00 62 00 65 00 20 00 52 00 65 00 61 00   d.o.b.e...R.e.a.
0x00000120  64 00 65 00 72 00 20 00 36 00 2e 00 30 00 2e 00   d.e.r...6...0...
0x00000130  6c 00 6e 00 6b 00 00 00 1c 00 17 00 00 00 36 01   l.n.k.........6.
0x00000140  00 00 00 00 00 00                                 ......

ITEMPOS entries can start at offset 0x18 in the binary data. Looking at the definition for ITEMPOS entries we can see that the highlighted parts are the size of the object. ITEMPOS entries that have a size smaller than 0x15 are invalid so we can see several invalid entries above.

The parse_key() function of the Volatility plugin is where most of the hard work takes place. It has to obtain the binary Shellbag data, determine which type of data it is in order to choose the correct data type. A dictionary of all Shellbag items is yielded later in the function after all items have been processed (not shown). Here's how the function looks:

  1 def parse_key(self, regapi, reg, thekey, given_root = None):
  2     items = {} # a dictionary of shellbag objects indexed by value name
  3     for value, data in regapi.reg_yield_values(None, thekey, thetype = 'REG_BINARY', given_root = given_root):
  4         if data == None or thekey.find("S-") != -1 or str(value).startswith("LastKnownState"):
  5             continue
  6         if str(value).startswith("ItemPos"):
  7             items[str(value)] = []
  8             bufferas = addrspace.BufferAddressSpace(self._config, data = data)
  9             i = 0x18
 10             while i < len(data) - 0x10:
 11                 item = obj.Object("ITEMPOS", offset = i, vm = bufferas)
 12                 if i == 0x18 and item.Size < 0x15:
 13                     i = 0x34
 14                     continue
 15                 if item != None and item.Size >= 0x15:
 16                     items[str(value)].append(item)
 17                 i += item.Size + 0x8 

We'll go through a few lines of this function.
  • [2] Create a dictionary for storing the key value name and a list of shell items that are parsed. 
  • [3] Collect all binary registry values from the current key. 
  • [4-5] If there is no data collected for that value or the value is not binary skip this value. Also skip any values if the key is "Local Settings\Software\Microsoft\Windows\Shell\Bags\<SID>_Classes" because it appears that this key may link back to itself in memory. We also want to avoid binary values associated with the value of "LastKnownState". 
  • [6-16] If the value is an "ItemPos" value, process the Shellbag items. 
  • [17] Advance to the next ITEMPOS Shellbag item (item size + 0x8 byte padding) and continue.
Example Plugin Output

Here we can see example output from the shellbags plugin of these ITEMPOS entries. The ARC file attribute stands for "archive" and denotes files that the archive bit is set. Included in the output is the Registry from which these values were parsed, the Key from which the values came as well as its LastWrite time, the Value name of the key from which the entry came, the 8.3 File Name, MAC times and the full Unicode Name of the file. Notice how the LastWrite time of the registry is after the MAC times of the LNK files. This is because the key is updated after any changes to preferences are made or after any files/folders/etc are accessed. Therefore in normal user activities the LastWrite time should fall after the MAC times of the SHELLITEM entry:

$ ./vol.py -f Bob.vmem shellbags
Volatile Systems Volatility Framework 2.3_alpha
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2010-02-26 03:46:27 
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1171x730(1)        ACROBA~1.EXE   2010-02-26 03:45:38  2010-02-26 03:45:18  2010-02-26 03:45:38  ARC                       acrobat60.exe 
ItemPos1171x730(1)        ADOBER~1.LNK   2010-02-26 03:46:24  2010-02-26 03:46:24  2010-02-26 03:46:24  ARC                       Adobe Reader 6.0.lnk 
***************************************************************************
[snip]

A full list of file attributes can be seen below. They were abbreviated because there can be more than one attribute set on a file and the output can become very cluttered if the attribute names are too long.

FILE_ATTRS = { 
    0x00000001:"RO",        #Is read-Only
    0x00000002:"HID",       #Is hidden
    0x00000004:"SYS",       #Is a system file or directory
    0x00000008:"VOL",       #Is a volume label
    0x00000010:"DIR",       #Is a directory
    0x00000020:"ARC",       #Should be archived
    0x00000040:"DEV",       #Is a device
    0x00000080:"NORM",      #Is normal None of the other flags should be set
    0x00000100:"TEMP",      #Is temporary
    0x00000200:"SPARSE",    #Is a sparse file
    0x00000400:"RP",        #Is a reparse point or symbolic link
    0x00000800:"COM",       #Is compressed
    0x00001000:"OFFLINE",   #Is offline The data of the file is stored on an offline storage.
    0x00002000:"NI",        #Do not index content The content of the file or directory should not be indexed by the indexing service.
    0x00004000:"ENC",       #Is encrypted
    0x00010000:"VIR",       #Is virtual
}

Example Raw Data: SHELLITEM Entries

There are other Shellbag types that must be parsed, however. These can be found in any of the previously mentioned keys. An example can be seen below. The registry value names are highlighted in red and the first part of the SHELLITEM entries (Size and Type) are highlighted in blue. We can see that the Types are all FILE_ENTRY (0x31) and more specifically, folders.

$ ./vol.py -f stuxnet.vmem printkey -K "Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0"
Volatile Systems Volatility Framework 2.3_alpha
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: 0 (S)
Last updated: 2011-06-03 04:24:36 

Subkeys:
  (S) 0
  (S) 1
  (S) 2
  (S) 3
  (S) 4
  (S) 5

Values:
REG_DWORD     NodeSlot        : (S) 1
REG_BINARY    MRUListEx       : (S) 
0x00000000  01 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00   ................
0x00000010  03 00 00 00 02 00 00 00 ff ff ff ff               ............
REG_BINARY    0               : (S) 
0x00000000  4a 00 31 00 00 00 00 00 19 3d 81 b8 11 00 50 52   J.1......=....PR
0x00000010  4f 47 52 41 7e 31 00 00 32 00 03 00 04 00 ef be   OGRA~1..2.......
0x00000020  16 3d 18 6c 19 3d 8b b8 14 00 00 00 50 00 72 00   .=.l.=......P.r.
0x00000030  6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00   o.g.r.a.m...F.i.
0x00000040  6c 00 65 00 73 00 00 00 18 00 00 00               l.e.s.......
REG_BINARY    1               : (S) 
0x00000000  5c 00 31 00 00 00 00 00 16 3d c2 8c 10 00 44 4f   \.1......=....DO
0x00000010  43 55 4d 45 7e 31 00 00 44 00 03 00 04 00 ef be   CUME~1..D.......
0x00000020  16 3d 0d 6c 1a 3d 9a 08 14 00 00 00 44 00 6f 00   .=.l.=......D.o.
0x00000030  63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00   c.u.m.e.n.t.s...
0x00000040  61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00   a.n.d...S.e.t.t.
0x00000050  69 00 6e 00 67 00 73 00 00 00 18 00 00 00         i.n.g.s.......
REG_BINARY    2               : (S) 
0x00000000  3c 00 31 00 00 00 00 00 1b 3d 10 74 10 00 53 79   <.1......=.t..Sy
0x00000010  6d 62 6f 6c 73 00 26 00 03 00 04 00 ef be 1b 3d   mbols.&........=
0x00000020  c1 73 1b 3d 10 74 14 00 00 00 53 00 79 00 6d 00   .s.=.t....S.y.m.
0x00000030  62 00 6f 00 6c 00 73 00 00 00 16 00 00 00         b.o.l.s.......
REG_BINARY    3               : (S) 
0x00000000  40 00 31 00 00 00 00 00 1a 3d 16 0a 10 00 50 79   @.1......=....Py
0x00000010  74 68 6f 6e 32 35 00 00 28 00 03 00 04 00 ef be   thon25..(.......
0x00000020  19 3d 8c b8 1b 3d 30 75 14 00 00 00 50 00 79 00   .=...=0u....P.y.
0x00000030  74 00 68 00 6f 00 6e 00 32 00 35 00 00 00 18 00   t.h.o.n.2.5.....
0x00000040  00 00                                             ..
REG_BINARY    4               : (S) 
0x00000000  3c 00 31 00 00 00 00 00 1a 3d cc 00 10 00 57 49   <.1......=....WI
0x00000010  4e 44 4f 57 53 00 26 00 03 00 04 00 ef be 16 3d   NDOWS.&........=
0x00000020  b1 6b 48 3d 74 1b 14 00 00 00 57 00 49 00 4e 00   .kH=t.....W.I.N.
0x00000030  44 00 4f 00 57 00 53 00 00 00 16 00 00 00         D.O.W.S.......
REG_BINARY    5               : (S) 
0x00000000  40 00 31 00 00 00 00 00 48 3d 28 1c 10 00 50 79   @.1.....H=(...Py
0x00000010  74 68 6f 6e 32 36 00 00 28 00 03 00 04 00 ef be   thon26..(.......
0x00000020  48 3d ac 1b 48 3d 28 1c 14 00 00 00 50 00 79 00   H=..H=(.....P.y.
0x00000030  74 00 68 00 6f 00 6e 00 32 00 36 00 00 00 18 00   t.h.o.n.2.6.....
0x00000040  00 00                                             ..

In addition to the SHELLITEM entries, another value of interest is the MRUListEx value. This shows the order in which these folders were used. This value is also parsed out by the plugin and shown in the output.

Below is part of the parse_key() function discussed earlier, which parses these SHELLITEM entries:

 18         elif len(data) > 0x10: 
 19             bufferas = addrspace.BufferAddressSpace(self._config, data = data)
 20             item = obj.Object("SHELLITEM", offset = 0, vm = bufferas)
 21             thetype = SHELL_ITEM_TYPES.get(int(item.Type), None)
 22             if thetype != None:
 23                 item = obj.Object(thetype, offset = 0, vm = bufferas)
 24                 if hasattr(item, "DataSize") and item.DataSize <= 0:
 25                     continue
 26                 if thetype in self.supported:
 27                     temp = "" 
 28                     if hasattr(item, "Attributes"):
 29                         temp = str(item.Attributes.UnicodeFilename)
 30                     elif hasattr(item, "Name"):
 31                         temp = str(item.Name)
 32                     self.paths[reg + ":" + thekey + ":" + str(value)] = temp
 33                     items[str(value)] = [] 
 34                     items[str(value)].append(item)
 35     return items

Let's go through this line by line.
  • [18] First check the size of the data is large enough. 
  • [19] Create a SHELLITEM object using the value data. 
  • [20-22] Figure out what type of SHELLITEM entry it is, it if is invalid, continue. 
  • [23] Create the appropriate SHELLITEM entry. 
  • [24-25] If the SHELLITEM entry has a DataSize member, make sure it is large enough to be valid, if not continue. 
  • [26] Make sure the type is in our supported types (since some SHELLITEM entry are not yet supported as of this writing). 
  • [27-31] Get the SHELLITEM entry's full name. 
  • [32] Save the SHELLITEM entry's full name in a dictionary indexed by registry, key and value. This ensures that we do not mix up full paths from other users and registries when we build the absolute path to the file. 
  • [33-35] Save the SHELLITEM entry in a dictionary indexed by value and return all SHELLITEM entries found for this registry key. One thing to note: it is possible to have several different types of Shellbag entries in one registry key.
Example Output

Below we can see some output from the shellbags plugin that shows these parsed SHELLITEM entries.

 $ ./vol.py -f stuxnet.vmem --profile=WinXPSP2x86 shellbags
Volatile Systems Volatility Framework 2.3_alpha
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\BagMRU
Last updated: 2010-10-31 16:48:00 
Value   Mru   Entry Type     GUID                                     GUID Description     Folder IDs
------- ----- -------------- ---------------------------------------- -------------------- ----------
0       0     Folder Entry   208d2c60-3aea-1069-a2d7-08002b30309d     My Network Places    EXPLORER, MY_DOCUMENTS, MY_COMPUTER, NETWORK 
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\BagMRU\0
Last updated: 2010-10-31 16:47:28 
Value   Mru   Entry Type                Description          Name | Full Path
------- ----- ------------------------- -------------------- ----------------
0       0     Network Volume Name                            Entire Network | Entire Network
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\BagMRU\0\0
Last updated: 2010-10-31 16:47:28 
Value   Mru   Entry Type                Description          Name | Full Path
------- ----- ------------------------- -------------------- ----------------
0       0     Network Volume Name                            VMware Shared Folders | Entire Network\VMware Shared Folders
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2011-06-03 04:27:27 
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos800x600(1)         IDAPRO~1.LNK   2010-08-25 23:04:22  2010-08-25 23:04:22  2010-08-25 23:04:22  ARC                       IDA Pro Standard (32-bit).lnk 
ItemPos800x600(1)         IDAPRO~1.EXE   2010-03-22 13:47:48  2010-03-22 13:47:48  2010-08-25 23:02:44  ARC                       idapro_931_42287435c1a6ed5a6d6039345b7c49c2.exe 
ItemPos1118x838(1)        Cygwin.lnk     2010-10-08 03:59:32  2010-10-08 03:59:32  2010-10-31 13:48:48  ARC                       Cygwin.lnk 
ItemPos1118x838(1)        IMMUNI~1.LNK   2010-08-26 01:10:00  2010-08-26 01:10:00  2010-10-31 16:36:12  ARC                       Immunity Debugger.lnk 
ItemPos1118x838(1)        MOZILL~1.LNK   2010-08-25 23:14:48  2010-08-25 23:14:48  2010-10-31 13:48:48  ARC                       Mozilla Firefox.lnk 
ItemPos1118x838(1)        NOTEPA~1.LNK   2010-08-26 01:11:12  2010-08-26 01:11:12  2010-10-31 13:48:48  ARC                       Notepad++.lnk 
ItemPos1118x838(1)        VMWARE~1.LNK   2011-06-03 04:21:28  2010-10-31 16:47:08  2011-06-03 04:21:28  ARC                       VMware Shared Folders.lnk 
ItemPos1118x838(1)        SYMBOL~1.0_B   2010-08-27 14:49:08  2010-08-27 14:49:08  2011-06-03 04:21:32  DIR                       SymbolTypeViewer_v1.0_beta 

[snip]

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\6
Last updated: 2010-08-26 01:12:12 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
0       0     Downloads      -                    -                    -                    DIR                       Downloads
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0
Last updated: 2011-06-03 04:24:36 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
1       0     DOCUME~1       2010-08-22 17:38:04  2010-08-22 13:32:26  2010-08-26 01:04:52  DIR                       C:\Documents and Settings
0       1     PROGRA~1       2010-08-25 23:04:02  2010-08-22 13:32:48  2010-08-25 23:04:22  RO, DIR                   C:\Program Files
3       4     Python25       2010-08-26 01:16:44  2010-08-25 23:04:24  2010-08-27 14:41:32  DIR                       C:\Python25
2       5     Symbols        2010-08-27 14:32:32  2010-08-27 14:30:02  2010-08-27 14:32:32  DIR                       C:\Symbols
5       3     Python26       2010-10-08 03:33:16  2010-10-08 03:29:24  2010-10-08 03:33:16  DIR                       C:\Python26
4       2     WINDOWS        2010-08-26 00:06:24  2010-08-22 13:29:34  2010-10-08 03:27:40  DIR                       C:\WINDOWS
***************************************************************************

[snip]

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\0
Last updated: 2010-10-31 16:36:18 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
1       7     IMPREC~1.7C    2008-03-11 01:43:32  2010-08-26 01:10:14  2010-08-26 01:17:14  DIR                       C:\Program Files\ImpREC 1.7c
0       1     IDA            2010-08-25 23:04:18  2010-08-25 23:04:02  2010-08-25 23:04:22  DIR                       C:\Program Files\IDA
3       5     ICESWO~1       2010-08-26 01:09:44  2010-08-26 01:09:42  2010-08-26 01:17:34  DIR                       C:\Program Files\IceSword122en
2       6     LPE-DL~1.41_   2010-08-26 01:10:44  2010-08-26 01:10:44  2010-08-26 01:17:14  DIR                       C:\Program Files\LPE-DLXb_1.41_UPD
5       3     PROCES~1.3-B   2010-08-26 01:12:40  2010-08-26 01:12:40  2010-08-26 01:17:56  DIR                       C:\Program Files\processhacker-2.3-bin
4       4     odbg200        2010-08-26 01:06:18  2010-08-26 01:06:18  2010-08-26 01:17:44  DIR                       C:\Program Files\odbg200
7       0     IMMUNI~1       2010-08-26 01:10:00  2010-08-26 01:10:00  2010-10-31 16:36:16  DIR                       C:\Program Files\Immunity Inc
6       2     REGSHO~1.2_S   2010-08-26 01:13:10  2010-08-26 01:13:10  2010-08-26 01:18:10  DIR                       C:\Program Files\regshot_1.8.2_src_bin
***************************************************************************

[snip]

We can see different types of Shellbag entries that are parsed by the plugin. Notice that for some SHELLITEM entries we can see when it was last used, since the MRUListEx value is placed in the output. We also have other attributes shown, such as MAC times for some items and absolute paths. The registry and key paths are given in the output to allow the investigator to further investigate or verify on his/her own as needed. Notice in the output, that sometimes the MAC times are not populated correctly, this may be due to corrupt or paged data in memory.

Looking at the output from the stuxnet.vmem sample we can tell from the various software listed that this is an analysis machine. We have several debuggers and malware analysis software installed. There are also different versions of Python installed. Also we can tell that this is a virtual machine, since we see that there are link files to VMWware Shared Folders which also appears as a network share.

SetRegTime

Some experiments with SetRegTime were carried out on a virtual machine to see if the LastWrite timestamps of a registry key would change on a running machine. A Shellbag key of interest was chosen and the SetRegTime application was run against the chosen registry key. The machine ran for another two minutes and then was suspended. The shellbags plugin was run. Below we can see that the SetRegTime application successfully changed the LastWrite timestamp (shown in red):

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 3024-05-21 00:00:00 
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1)        BLAHBL~1.TXT   2012-08-17 14:15:14  2012-08-17 14:15:02  2012-09-25 11:49:32  ARC                       blah blah.txt 
ItemPos1567x784(1)        NEWTEX~1.TXT   2012-08-17 14:14:56  2012-08-17 14:14:50  2012-09-25 11:49:38  ARC                       New Text Document.txt 
ItemPos1567x784(1)        POISON~1.PY    2012-06-18 19:52:32  2012-08-17 14:15:18  2012-09-25 11:49:42  ARC                       poison_ivy.py 
***************************************************************************

The timestamp chosen for this experiment was, of course, ludicrous so that it would stand out enough as having been changed. One thing to note is that the timestamps of the Shellbag entries should date slightly before the LastWrite timestamp of the registry key from which they came. There may be some exceptions however, where the Shellbag entry's access timestamps are not updated in the registry. For SHELLITEM entries it seems that embedded entry timestamps are not updated upon later accesses, however ITEMPOS entries do appear to update.

Regardless, the embedded timestamps should still date prior to the LastWrite timestamp. We can see an example of SHELLITEM entry timestamps not changing in the output of the stuxnet.vmem sample above for the Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0 registry key (above). An example of timestamp changes for ITEMPOS entries can be seen below:

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2012-09-25 12:40:28
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name 
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------  
ItemPos1567x784(1)        ENCASE~1.LNK   2012-09-21 18:13:50  2012-09-21 18:13:50  2012-09-21 18:13:50  ARC                       EnCase v6.18.lnk
ItemPos1567x784(1)        TRUECR~1.LNK   2012-08-17 14:09:46  2012-08-17 14:09:46  2012-09-25 11:48:54  ARC                       TrueCrypt.lnk
ItemPos1567x784(1)        VMWARE~1.LNK   2012-09-25 11:53:26  2012-09-21 18:02:18  2012-09-25 11:53:26  ARC                       VMware Shared Folders.lnk 
ItemPos1567x784(1)        backup         2012-06-07 19:00:32  2012-06-07 18:56:22  2012-09-25 11:48:12  DIR                       backup
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2012-09-25 12:52:20
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name 
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------   
ItemPos1567x784(1)        ENCASE~1.LNK   2012-09-21 18:13:50  2012-09-21 18:13:50  2012-09-25 12:41:12  ARC                       EnCase v6.18.lnk     
ItemPos1567x784(1)        TRUECR~1.LNK   2012-08-17 14:09:46  2012-08-17 14:09:46  2012-09-25 11:48:54  ARC                       TrueCrypt.lnk  
ItemPos1567x784(1)        VMWARE~1.LNK   2012-09-25 11:53:26  2012-09-21 18:02:18  2012-09-25 11:53:26  ARC                       VMware Shared Folders.lnk
ItemPos1567x784(1)        backup         2012-06-07 19:00:32  2012-06-07 18:56:22  2012-09-25 12:51:18  DIR                       backup
***************************************************************************

If Shellbag entries are later added to a key whose LastWrite timestamp was stomped, the timestamp will be updated after the new Shellbag entry is added. If the Shellbag key hosts heavily used entries, like a system volume (C:\ for example), it would be difficult to ensure that the stomped LastWrite timestamp would endure regular system use. Also changes to the MruListEx or any other settings (some not covered in this post) under a Shellbag key will update the LastWrite timestamp.

Also, since we know that Shellbag entry timestamps have a somewhat predictable relationship with the LastWrite time, we may be able to use these different timestamps in order to find stomped timestamps. For example, if the LastWrite timestamp occurs prior to the Shellbag entry timestamps. In order to more correctly timestomp registry values, a tool would also have to change the timestamps of the Shellbag entries themselves or delete them. Missing common Shellbag entries would of course be suspicious and changed Shellbag entry MAC times could be checked against the file system itself or backup registry files.

Another thing to note is that changes to a Shellbag key's children can have an indirect effect on the Shellbag key itself, since accessing a child may update the MruListEx entry causing the Shellbag key's LastWrite timestamp to change as well.

SetRegTime Examples

First we start off with a timestomped key:

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 3024-05-21 00:00:00 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1       0     WINDOWS        2010-08-09 22:22:28  2010-06-04 09:10:08  2010-08-17 17:04:38  DIR                       C:\WINDOWS
0       1     DOCUME~1       2010-06-04 13:37:26  2010-06-04 09:14:18  2010-08-17 17:04:36  DIR                       C:\Documents and Settings
3       2     Temp           2010-08-05 12:46:02  2010-08-05 12:46:02  2012-09-25 12:51:18  DIR                       C:\Temp
2       3     PROGRA~1       2010-10-25 20:22:02  2010-06-04 09:14:52  2010-10-25 20:22:02  RO, DIR                   C:\Program Files
***************************************************************************

Then we browse to C:\Temp open a folder and create and open another folder.

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 2012-09-25 15:30:15
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1       1     WINDOWS        2010-08-09 22:22:28  2010-06-04 09:10:08  2010-08-17 17:04:38  DIR                       C:\WINDOWS
0       2     DOCUME~1       2010-06-04 13:37:26  2010-06-04 09:14:18  2010-08-17 17:04:36  DIR                       C:\Documents and Settings
3       0     Temp           2010-08-05 12:46:02  2010-08-05 12:46:02  2012-09-25 12:51:18  DIR                       C:\Temp
2       3     PROGRA~1       2010-10-25 20:22:02  2010-06-04 09:14:52  2010-10-25 20:22:02  RO, DIR                   C:\Program Files
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\3
Last updated: 2012-09-25 15:30:38
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1       0     blah           2012-09-25 15:30:26  2012-09-25 15:30:26  2012-09-25 15:30:26  DIR                       C:\Temp\blah
0       1     {9F5FB~1       2010-09-26 20:35:22  2010-08-05 12:46:02  2010-11-16 19:16:44  DIR                       C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
***************************************************************************

We can see that the LastWrite timestamp of Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1 changed because the Temp directory was the last directory used and the MruListEx was updated. Also notice how close in proximity the highlighted timestamps are. First the C:\Temp folder is opened at 2012-09-25 15:30:15. Second the folder C:\Temp\blah is created and accessed at 2012-09-25 15:30:26. Third the key that contains the Shellbag entry for C:\Temp\blah is updated to show that this is the last folder opened (MruListEx) at 2012-09-25 15:30:38.

Another experiment was conducted to see if the child folder would have an affect on the parent folder's key if it was browsed directly. For this experiment, the C:\WINDOWS folder was browsed first to make it first on the MruListEx list. Then the run command was used to open C:\Temp\blah directly. The final result shows that navigating directly to a child folder updates the parent folder's MruListEx value and thus LastWrite time of its registry key. The child folder's LastWrite timestamp on the registry key was not modified, however, since there was no change in the MruListEx value and its MAC timestamps are not updated.

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 2012-09-25 15:48:03 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1       1     WINDOWS        2010-08-09 22:22:28  2010-06-04 09:10:08  2010-08-17 17:04:38  DIR                       C:\WINDOWS
0       3     DOCUME~1       2010-06-04 13:37:26  2010-06-04 09:14:18  2010-08-17 17:04:36  DIR                       C:\Documents and Settings
3       0     Temp           2010-08-05 12:46:02  2010-08-05 12:46:02  2012-09-25 12:51:18  DIR                       C:\Temp
2       2     PROGRA~1       2010-10-25 20:22:02  2010-06-04 09:14:52  2010-10-25 20:22:02  RO, DIR                   C:\Program Files
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\3
Last updated: 2012-09-25 15:30:38 
Value   Mru   File Name      Modified Date        Create Date          Access Date          File Attr                 Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1       0     blah           2012-09-25 15:30:26  2012-09-25 15:30:26  2012-09-25 15:30:26  DIR                       C:\Temp\blah
0       1     {9F5FB~1       2010-09-26 20:35:22  2010-08-05 12:46:02  2010-11-16 19:16:44  DIR                       C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
***************************************************************************

TrueCrypt Volumes

TrueCrypt volumes also appear in Shellbag entries. Aside from the actual volume name (drive letter where the volume was mounted) the volumes themselves and their contents are often found in ITEMPOS entries, for example below are entries for a TrueCrypt volume (highlighted in red and a few of its files/folders which were opened:

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-09-25 13:22:43
Value   Mru   Entry Type     Path
------- ----- -------------- ----
1       0     Volume Name    C:\
3       1     Volume Name    Z:\
4       2     Volume Name    T:\
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\52\Shell
Last updated: 2012-09-25 12:51:28 
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
[snip] 
ItemPos1567x784(1)        UserData       2012-06-22 19:28:50  2012-06-22 19:28:50  2012-09-25 12:51:18  SYS, DIR                  UserData 
ItemPos1567x784(1)        RECENT~1.XBE   2010-10-18 14:00:50  2010-10-18 14:00:50  2010-10-18 14:00:50  ARC                       .recently-used.xbel
ItemPos1567x784(1)        MYTRUE~1       2012-08-17 14:13:48  2012-08-17 14:12:18  2012-09-25 11:48:46  ARC                       MyTrueCryptVolume 
ItemPos1567x784(1)        NTUSER.DAT     2012-09-25 11:50:08  2010-06-04 13:37:26  2012-09-25 12:18:44  ARC, HID                  NTUSER.DAT 
ItemPos1567x784(1)        NTUSER~1.LOG   2012-09-25 12:51:24  2010-06-04 13:37:26  2012-09-25 12:51:06  ARC, HID                  NTUSER.DAT.LOG 
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 3024-05-21 00:00:00
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1)        BLAHBL~1.TXT   2012-08-17 14:15:14  2012-08-17 14:15:02  2012-09-25 11:49:32  ARC                       blah blah.txt
ItemPos1567x784(1)        NEWTEX~1.TXT   2012-08-17 14:14:56  2012-08-17 14:14:50  2012-09-25 11:49:38  ARC                       New Text Document.txt
ItemPos1567x784(1)        POISON~1.PY    2012-06-18 19:52:32  2012-08-17 14:15:18  2012-09-25 11:49:42  ARC                       poison_ivy.py
***************************************************************************

Since ITEMPOS entries can be updated in the registry, the TrueCrypt volume name may disappear from entries if it is deleted or moved. Experiments showed that when the TrueCrypt volume was deleted and the machine restarted, the TrueCrypt volume disappeared from the ITEMPOS entry above, but the filenames for its accessed contents remained intact:

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-09-25 15:49:04
Value   Mru   Entry Type     Path
------- ----- -------------- ----
1       2     Volume Name    C:\
3       3     Volume Name    Z:\
4       0     Volume Name    T:\
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT 
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\52\Shell
Last updated: 2012-09-25 14:31:53 
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
[snip]
ItemPos1567x784(1)        UserData       2012-06-22 19:28:50  2012-06-22 19:28:50  2012-09-25 14:31:52  SYS, DIR                  UserData 
ItemPos1567x784(1)        RECENT~1.XBE   2010-10-18 14:00:50  2010-10-18 14:00:50  2010-10-18 14:00:50  ARC                       .recently-used.xbel 
ItemPos1567x784(1)        NTUSER.DAT     2012-09-25 13:33:28  2010-06-04 13:37:26  2012-09-25 14:31:18  ARC, HID                  NTUSER.DAT 
ItemPos1567x784(1)        NTUSER~1.LOG   2012-09-25 14:31:54  2010-06-04 13:37:26  2012-09-25 14:31:30  ARC, HID                  NTUSER.DAT.LOG 
***************************************************************************

***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 2012-09-25 15:49:32
Value                     File Name      Modified Date        Create Date          Access Date          File Attr                 Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1)        BLAHBL~1.TXT   2012-09-25 15:49:16  2012-08-17 14:15:02  2012-09-25 15:49:16  ARC                       blah blah.txt
ItemPos1567x784(1)        NEWTEX~1.TXT   2012-08-17 14:14:56  2012-08-17 14:14:50  2012-09-25 12:52:06  ARC                       New Text Document.txt
ItemPos1567x784(1)        POISON~1.PY    2012-06-18 19:52:32  2012-08-17 14:15:18  2012-09-25 12:52:10  ARC                       poison_ivy.py
***************************************************************************

Conclusion

Shellbags are used widely in forensic investigations and until now Shellbag information was only easily extracted from registries on disk. This plugin will now empower investigators to conduct these types of investigations on memory samples and we've shown how it may be possible to heuristically determine time-stomped registry keys based on known/expected changes to the Shellbags keys during normal activity.


Notes

There are still some types that are not yet supported, however most data is represented at this time. This plugin was created due to a discussion on the vol-users listserv. Also the associations between Shell\Bags keys and Shell\BagMRU is left on the TODO list. The plugin might take a little while to run if there are several Shellbag keys; this is because the plugin has to iterate through all keys in order to build the path tree for the full path names.

Obtaining the Plugin

Since the shellbags plugin is scheduled for the Volatility 2.3 release, it is not in the main trunk yet, nor will it be in the 2.2 release. You can, however, obtain it from the 2.3-devel branch. Instructions are here: http://code.google.com/p/volatility/wiki/VolatilityBranches.

References

No comments:

Post a Comment

Post a Comment