Today's post will cover a Shellbags plugin for Volatility that is currently a work in progress and will be included in Volatility 2.3.
Background
"Shellbags" is a commonly used term to describe a collection of registry keys that allow the "Windows operating system to track user window viewing preferences specific to Windows Explorer". These keys can contain a wealth of information relevant for a forensic investigation and can help paint a clearer picture of user activity on a machine. For example, the following information can be found in Shellbags:
- Window sizes and preferences
- Icon and folder view settings
- Metadata such as MAC timestamps
- Most recently used files and file type (zip, directory, installer)
- Files, folders, zip files, installers that existed at one point on the system (even if deleted).
- Network Shares and folders within the shares
- Metadata associated with any of the above types which may include timestamps and absolute paths
- TrueCrypt volumes
Existing tools that parse Shellbags include:
- Shellbags RegRipper plugin by Harlan Carvey
- Windows shellbag forensics by Willi Ballenthin
- ShellBagMRU.py plugin for Registry Decoder by Kevin Moore
- sbag by TZWorks LLC.
Shellbag Locations
Shellbag entries can be found at the following locations (see Microsoft's KB 813711):
- Windows XP-Windows 7 (NTUSER.DAT)
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
- Vista+ (UsrClass.dat)
    - HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    - HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
- Vista+ x64 (UsrClass.dat)
    - HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\Bags
    - HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Methodology
The methodology for finding Shellbag data is simple. The plugin uses the RegistryApi to find the user hives, gathers the binary values from the keys listed above, parses that data using the Shellbag data types and outputs the result. Every user hive found in memory is processed.
We can see some of the code below, taken from the calculate function:
 1  regapi = registryapi.RegistryApi(self._config)
 2  regapi.reset_current()
 3  regapi.set_current('ntuser.dat')
 4  shellbag_data = []
 5  for bk in BAG_KEYS:
 6      for cat, current_path in regapi.reg_yield_key("ntuser.dat", bk):
 7          keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = cat)]
 8          for key, start in keys:
 9              if key.Name:
10                  subkeys = [k for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = key)]
11                  for k in subkeys:
12                      keys.append((k, start + "\\" + k.Name))
13                  items = self.parse_key(regapi, current_path, start, given_root = key)
14                  if len(items) > 0:
15                      shellbag_data.append((start, current_path, key, items))
Let's go over this line by line.
- [1] The RegistryApi object is created; the hives in memory are located and populated.
- [2] The current hive of interest is reset (in case this plugin is inherited by another).
- [3] We set our current registry of interest to "ntuser.dat". This ensures that the following calls operate on every user's NTUSER.DAT hive.
- [4] Since we need to parse through all entries in order to build the folder tree, we save all metadata for later processing in this list.
- [5-12] Walk the BAG_KEYS defined above and every one of their subkeys in each NTUSER.DAT hive (subkeys are appended to the work list as they are discovered, so the whole tree is covered).
- [13] Parse each of these keys and collect the Shellbag objects.
- [14-15] If Shellbag objects are collected, save the key path, registry path, key object and list of Shellbag objects for output processing. The same methodology is applied to each UsrClass.dat hive as well, where present.
Some structures are variable length, so they do not have concrete size definitions until runtime, and some vary depending on the operating system. There are two main categories of Shellbag items: ITEMPOS entries and SHELLITEM entries. The ITEMPOS entries "specify locations for icons for a given desktop resolution". The SHELLITEM entries are used to describe files, folders, volumes, network shares and more. We can see the basic types for ITEMPOS and for FILE_ENTRY, one kind of SHELLITEM entry, below (the sizes print as None because they are only known at runtime):
>>> dt("SHELLITEM")
'SHELLITEM' (None bytes)
0x0 : Size ['unsigned short']
0x2 : Type ['unsigned char']
>>> dt("FILE_ENTRY")
'FILE_ENTRY' (None bytes)
0x0 : ShellItem ['SHELLITEM']
0x3 : Flags ['unsigned char']
0x4 : FileSize ['int']
0x8 : Attributes ['ATTRIBUTES']
>>> dt("ITEMPOS")
'ITEMPOS' (None bytes)
0x0 : Size ['unsigned short']
0x2 : Flags ['unsigned short']
0x4 : FileSize ['short']
0x8 : Attributes ['ATTRIBUTES']
One thing to note about the SHELLITEM definition is the Type field. This is what indicates which type of SHELLITEM entry we are dealing with. Possible type values are below:
SHELL_ITEM_TYPES = {
    0x00:"UNKNOWN_00",          # Varied
    0x01:"UNKNOWN_01",
    0x2e:"UNKNOWN_2E",          # DEVICE from ShellBagMRU.py in RegistryDecoder
    0x31:"FILE_ENTRY",          # Folder
    0x32:"FILE_ENTRY",          # Zip file
    0xb1:"FILE_ENTRY",          # Hidden folder
    0x1f:"FOLDER_ENTRY",        # System folder
    0x2f:"VOLUME_NAME",
    0x41:"NETWORK_VOLUME_NAME", # Windows Domain
    0x42:"NETWORK_VOLUME_NAME", # Computer Name
    0x46:"NETWORK_VOLUME_NAME", # MS Windows Network
    0x47:"NETWORK_VOLUME_NAME", # Entire Network
    0xc3:"NETWORK_SHARE",       # Remote Share
    0x61:"URI",
    0x71:"CONTROL_PANEL",
    0x74:"UNKNOWN_74",          # System protected folder
}
Both ITEMPOS and FILE_ENTRY entries contain an ATTRIBUTES section, which holds metadata about the file. Its total size is unknown until runtime, since it depends on the lengths of the 8.3 and Unicode file names, which is why the later fields are located with lambdas relative to the fields before them. The definition for XP is shown below:
itempos_types_XP = {
    'ATTRIBUTES': [ None, {
        'ModifiedDate': [ 0x0, ['DosDate']],
        'FileAttrs': [ 0x4, ['unsigned short']],
        'FileName': [ 0x6, ['String', dict(length = 14)]], # 8.3 File name
        'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']],
        'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']],
        'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']],
        'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF
        'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate']],
        'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate']],
        'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']],
        'UnicodeFilename': [ lambda x: x.Unknown3.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]],
    } ],
[snip]
Example Raw Data: ITEMPOS Entries
We have seen the definitions for ITEMPOS entries, but we have not seen them in the raw. Below is the raw output of one of the Shellbag keys from one of the Honeynet Forensic Challenge samples (Bob.vmem). The values of interest are the REG_BINARY "ItemPos*" values, one per desktop resolution. Their data is an array of ITEMPOS entries; each entry begins with a 2-byte Size field covering its own data, and there is a padding section of 8 bytes between entries.
$ ./vol.py -f Bob.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\Shell\Bags\1\Desktop"
Volatile Systems Volatility Framework 2.3_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Desktop (S)
Last updated: 2010-02-26 03:46:27
Subkeys:
Values:
REG_DWORD FFlags : (S) 548
REG_DWORD Mode : (S) 1
REG_DWORD ScrollPos1011x730(1).x : (S) 0
REG_DWORD ScrollPos1011x730(1).y : (S) 0
REG_DWORD Sort : (S) 0
REG_DWORD SortDir : (S) 1
REG_DWORD Col : (S) 4294967295
REG_BINARY ColInfo : (S)
0x00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 fd df df fd 0f 00 04 00 20 00 10 00 28 00 3c 00 ............(.<.
0x00000020 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 ................
0x00000030 b4 00 60 00 78 00 78 00 00 00 00 00 01 00 00 00 ..`.x.x.........
0x00000040 02 00 00 00 03 00 00 00 ff ff ff ff 00 00 00 00 ................
0x00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
REG_BINARY ScrollPos1171x730(1).y : (S) 0
REG_BINARY ItemPos1011x730(1) : (S)
0x00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 b2 03 00 00 6a 02 00 00 14 00 1f 60 40 f0 5f 64 ....j......`@._d
0x00000020 81 50 1b 10 9f 08 00 aa 00 2f 95 4e b2 03 00 00 .P......./.N....
0x00000030 6a 02 00 00 00 00 00 00 j.......
REG_DWORD ScrollPos1171x730(1).x : (S) 0
REG_DWORD ScrollPos1171x730(1).y : (S) 0
REG_BINARY ItemPos1171x730(1) : (S)
0x00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 17 00 00 00 02 00 00 00 14 00 1f 48 ba 8f 0d 45 ...........H...E
0x00000020 25 ad d0 11 98 a8 08 00 36 1b 11 03 17 00 00 00 %.......6.......
0x00000030 4f 00 00 00 14 00 1f 50 e0 4f d0 20 ea 3a 69 10 O......P.O...:i.
0x00000040 a2 d8 08 00 2b 30 30 9d 17 00 00 00 9c 00 00 00 ....+00.........
0x00000050 14 00 1f 58 60 2c 8d 20 ea 3a 69 10 a2 d7 08 00 ...X`,...:i.....
0x00000060 2b 30 30 9d bf 03 00 00 6a 02 00 00 14 00 1f 60 +00.....j......`
0x00000070 40 f0 5f 64 81 50 1b 10 9f 08 00 aa 00 2f 95 4e @._d.P......./.N
0x00000080 17 00 00 00 e9 00 00 00 4e 00 32 00 c0 f8 f7 00 ........N.2.....
0x00000090 5a 3c b3 1d 20 00 41 43 52 4f 42 41 7e 31 2e 45 Z<....ACROBA~1.E
0x000000a0 58 45 00 00 32 00 03 00 04 00 ef be 5a 3c a9 1d XE..2.......Z<..
0x000000b0 5a 3c b3 1d 14 00 00 00 61 00 63 00 72 00 6f 00 Z<......a.c.r.o.
0x000000c0 62 00 61 00 74 00 36 00 30 00 2e 00 65 00 78 00 b.a.t.6.0...e.x.
0x000000d0 65 00 00 00 1c 00 17 00 00 00 36 01 00 00 5c 00 e.........6...\.
0x000000e0 3a 00 cc 06 00 00 5a 3c cc 1d 20 00 41 44 4f 42 :.....Z<....ADOB
0x000000f0 45 52 7e 31 2e 4c 4e 4b 00 00 40 00 03 00 04 00 ER~1.LNK..@.....
0x00000100 ef be 5a 3c cc 1d 5a 3c cc 1d 14 00 00 00 41 00 ..Z<..Z<......A.
0x00000110 64 00 6f 00 62 00 65 00 20 00 52 00 65 00 61 00 d.o.b.e...R.e.a.
0x00000120 64 00 65 00 72 00 20 00 36 00 2e 00 30 00 2e 00 d.e.r...6...0...
0x00000130 6c 00 6e 00 6b 00 00 00 1c 00 17 00 00 00 36 01 l.n.k.........6.
0x00000140 00 00 00 00 00 00 ......
ITEMPOS entries can start at offset 0x18 in the binary data. Looking at the definition for ITEMPOS entries, the first two bytes of each entry are the size of the object. ITEMPOS entries that have a size smaller than 0x15 are invalid, so we can see several invalid entries above: the entries at 0x18, 0x34, 0x50 and 0x6c of ItemPos1171x730(1) all have a Size of 0x14 and are skipped, leaving the two real entries at 0x88 (ACROBA~1.EXE) and 0xde (ADOBER~1.LNK). ItemPos1011x730(1) holds only a single 0x14-byte entry and therefore yields nothing.
The parse_key() function of the Volatility plugin is where most of the hard work takes place. It obtains the binary Shellbag data and determines which kind of entry it holds in order to choose the correct data type. A dictionary of all Shellbag items is yielded later in the function after all items have been processed (not shown). Here's how the function looks:
 1  def parse_key(self, regapi, reg, thekey, given_root = None):
 2      items = {} # a dictionary of shellbag objects indexed by value name
 3      for value, data in regapi.reg_yield_values(None, thekey, thetype = 'REG_BINARY', given_root = given_root):
 4          if data == None or thekey.find("S-") != -1 or str(value).startswith("LastKnownState"):
 5              continue
 6          if str(value).startswith("ItemPos"):
 7              items[str(value)] = []
 8              bufferas = addrspace.BufferAddressSpace(self._config, data = data)
 9              i = 0x18
10              while i < len(data) - 0x10:
11                  item = obj.Object("ITEMPOS", offset = i, vm = bufferas)
12                  if i == 0x18 and item.Size < 0x15:
13                      i = 0x34
14                      continue
15                  if item != None and item.Size >= 0x15:
16                      items[str(value)].append(item)
17                  i += item.Size + 0x8
We'll go through a few lines of this function.
- [2] Create a dictionary, indexed by value name, for the lists of shell items that are parsed.
- [3] Collect all REG_BINARY values from the current key.
- [4-5] If no data was collected for the value, skip it. Also skip every value if the key path contains "S-", i.e. "Local Settings\Software\Microsoft\Windows\Shell\Bags\<SID>_Classes", because that key appears to link back to itself in memory. We also skip the "LastKnownState" values.
- [6-16] If the value is an "ItemPos" value, walk its data: the first entry is expected at 0x18 (or at 0x34 if the entry at 0x18 is too small), and every entry of at least 0x15 bytes is kept.
- [17] Advance to the next ITEMPOS Shellbag item (item size + 0x8 bytes of padding) and continue.
Here we can see example output from the shellbags plugin for these ITEMPOS entries. The ARC file attribute stands for "archive" and denotes files whose archive bit is set. Included in the output is the Registry from which these values were parsed, the Key from which the values came as well as its LastWrite time, the Value name from which the entry came, the 8.3 File Name, MAC times and the full Unicode Name of the file. Notice how the LastWrite time of the key is after the MAC times of the LNK files. This is because the key is updated after any change to preferences or after any file/folder/etc. is accessed, so during normal user activity the LastWrite time should fall after the MAC times of the embedded entries:
$ ./vol.py -f Bob.vmem shellbags
Volatile Systems Volatility Framework 2.3_alpha
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2010-02-26 03:46:27
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1171x730(1) ACROBA~1.EXE 2010-02-26 03:45:38 2010-02-26 03:45:18 2010-02-26 03:45:38 ARC acrobat60.exe
ItemPos1171x730(1) ADOBER~1.LNK 2010-02-26 03:46:24 2010-02-26 03:46:24 2010-02-26 03:46:24 ARC Adobe Reader 6.0.lnk
***************************************************************************
[snip]
A full list of file attributes can be seen below. They are abbreviated because more than one attribute can be set on a file, and the output becomes very cluttered if the attribute names are too long.
FILE_ATTRS = {
    0x00000001:"RO",      # Is read-only
    0x00000002:"HID",     # Is hidden
    0x00000004:"SYS",     # Is a system file or directory
    0x00000008:"VOL",     # Is a volume label
    0x00000010:"DIR",     # Is a directory
    0x00000020:"ARC",     # Should be archived
    0x00000040:"DEV",     # Is a device
    0x00000080:"NORM",    # Is normal; none of the other flags should be set
    0x00000100:"TEMP",    # Is temporary
    0x00000200:"SPARSE",  # Is a sparse file
    0x00000400:"RP",      # Is a reparse point or symbolic link
    0x00000800:"COM",     # Is compressed
    0x00001000:"OFFLINE", # Is offline; the data of the file is stored on offline storage
    0x00002000:"NI",      # Do not index content; the file or directory should not be indexed by the indexing service
    0x00004000:"ENC",     # Is encrypted
    0x00010000:"VIR",     # Is virtual
}
Example Raw Data: SHELLITEM Entries
There are other Shellbag types that must be parsed, however. These can be found in any of the previously mentioned keys. An example can be seen below: each numbered REG_BINARY value under the BagMRU key holds one SHELLITEM entry, and the first three bytes of each value are its Size (2 bytes) and Type (1 byte). We can see that the Types are all FILE_ENTRY (0x31) and, more specifically, folders.
$ ./vol.py -f stuxnet.vmem printkey -K "Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0"
Volatile Systems Volatility Framework 2.3_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: 0 (S)
Last updated: 2011-06-03 04:24:36
Subkeys:
(S) 0
(S) 1
(S) 2
(S) 3
(S) 4
(S) 5
Values:
REG_DWORD NodeSlot : (S) 1
REG_BINARY MRUListEx : (S)
0x00000000 01 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00 ................
0x00000010 03 00 00 00 02 00 00 00 ff ff ff ff ............
REG_BINARY 0 : (S)
0x00000000 4a 00 31 00 00 00 00 00 19 3d 81 b8 11 00 50 52 J.1......=....PR
0x00000010 4f 47 52 41 7e 31 00 00 32 00 03 00 04 00 ef be OGRA~1..2.......
0x00000020 16 3d 18 6c 19 3d 8b b8 14 00 00 00 50 00 72 00 .=.l.=......P.r.
0x00000030 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 o.g.r.a.m...F.i.
0x00000040 6c 00 65 00 73 00 00 00 18 00 00 00 l.e.s.......
REG_BINARY 1 : (S)
0x00000000 5c 00 31 00 00 00 00 00 16 3d c2 8c 10 00 44 4f \.1......=....DO
0x00000010 43 55 4d 45 7e 31 00 00 44 00 03 00 04 00 ef be CUME~1..D.......
0x00000020 16 3d 0d 6c 1a 3d 9a 08 14 00 00 00 44 00 6f 00 .=.l.=......D.o.
0x00000030 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00 c.u.m.e.n.t.s...
0x00000040 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00 a.n.d...S.e.t.t.
0x00000050 69 00 6e 00 67 00 73 00 00 00 18 00 00 00 i.n.g.s.......
REG_BINARY 2 : (S)
0x00000000 3c 00 31 00 00 00 00 00 1b 3d 10 74 10 00 53 79 <.1......=.t..Sy
0x00000010 6d 62 6f 6c 73 00 26 00 03 00 04 00 ef be 1b 3d mbols.&........=
0x00000020 c1 73 1b 3d 10 74 14 00 00 00 53 00 79 00 6d 00 .s.=.t....S.y.m.
0x00000030 62 00 6f 00 6c 00 73 00 00 00 16 00 00 00 b.o.l.s.......
REG_BINARY 3 : (S)
0x00000000 40 00 31 00 00 00 00 00 1a 3d 16 0a 10 00 50 79 @.1......=....Py
0x00000010 74 68 6f 6e 32 35 00 00 28 00 03 00 04 00 ef be thon25..(.......
0x00000020 19 3d 8c b8 1b 3d 30 75 14 00 00 00 50 00 79 00 .=...=0u....P.y.
0x00000030 74 00 68 00 6f 00 6e 00 32 00 35 00 00 00 18 00 t.h.o.n.2.5.....
0x00000040 00 00 ..
REG_BINARY 4 : (S)
0x00000000 3c 00 31 00 00 00 00 00 1a 3d cc 00 10 00 57 49 <.1......=....WI
0x00000010 4e 44 4f 57 53 00 26 00 03 00 04 00 ef be 16 3d NDOWS.&........=
0x00000020 b1 6b 48 3d 74 1b 14 00 00 00 57 00 49 00 4e 00 .kH=t.....W.I.N.
0x00000030 44 00 4f 00 57 00 53 00 00 00 16 00 00 00 D.O.W.S.......
REG_BINARY 5 : (S)
0x00000000 40 00 31 00 00 00 00 00 48 3d 28 1c 10 00 50 79 @.1.....H=(...Py
0x00000010 74 68 6f 6e 32 36 00 00 28 00 03 00 04 00 ef be thon26..(.......
0x00000020 48 3d ac 1b 48 3d 28 1c 14 00 00 00 50 00 79 00 H=..H=(.....P.y.
0x00000030 74 00 68 00 6f 00 6e 00 32 00 36 00 00 00 18 00 t.h.o.n.2.6.....
0x00000040 00 00 ..
In addition to the SHELLITEM entries, another value of interest is the MRUListEx value. It is an array of 4-byte value indices ordered most recently used first and terminated by 0xFFFFFFFF; in the dump above it reads 1, 0, 4, 5, 3, 2, so value 1 (Documents and Settings) was the most recently used folder. This value is also parsed by the plugin and shown as the Mru column in the output.
Below is part of the parse_key() function discussed earlier, which parses these SHELLITEM entries:
18          elif len(data) > 0x10:
19              bufferas = addrspace.BufferAddressSpace(self._config, data = data)
20              item = obj.Object("SHELLITEM", offset = 0, vm = bufferas)
21              thetype = SHELL_ITEM_TYPES.get(int(item.Type), None)
22              if thetype != None:
23                  item = obj.Object(thetype, offset = 0, vm = bufferas)
24                  if hasattr(item, "DataSize") and item.DataSize <= 0:
25                      continue
26                  if thetype in self.supported:
27                      temp = ""
28                      if hasattr(item, "Attributes"):
29                          temp = str(item.Attributes.UnicodeFilename)
30                      elif hasattr(item, "Name"):
31                          temp = str(item.Name)
32                      self.paths[reg + ":" + thekey + ":" + str(value)] = temp
33                  items[str(value)] = []
34                  items[str(value)].append(item)
35      return items
Let's go through this line by line.
- [18] First check that the data is large enough to hold an entry.
- [19-20] Wrap the value data in a buffer address space and create a generic SHELLITEM object from it.
- [21-22] Look up the entry type from the Type byte; if it is not a known type, the value is skipped.
- [23] Create the appropriately typed SHELLITEM entry.
- [24-25] If the entry has a DataSize member, make sure it is large enough to be valid; if not, continue.
- [26] Make sure the type is in our supported types (some SHELLITEM entry types are not yet supported as of this writing).
- [27-31] Get the entry's full name: from the ATTRIBUTES block for entries that have one, otherwise from the Name member.
- [32] Save the entry's full name in a dictionary indexed by registry, key and value. This ensures that we do not mix up full paths from other users and registries when we build the absolute path to the file.
- [33-35] Save the SHELLITEM entry in a dictionary indexed by value and return all SHELLITEM entries found for this registry key. One thing to note: it is possible to have several different types of Shellbag entries in one registry key.
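The two walks that parse_key() performs, the ITEMPOS scan over ItemPos* values described earlier and the SHELLITEM lookup just described, share the ATTRIBUTES layout given in itempos_types_XP. The following stand-alone Python re-implements both outside Volatility, together with MRUListEx decoding, as an added example (it is not the plugin's code). Its inputs are the hex dumps printed above, re-typed as constructed byte strings; the dictionary keys, function names and the subsets of the type and attribute tables are this example's own choices, and only the XP layout with the 0xBEEF extension block is handled.

```python
import struct
from datetime import datetime

# Constructed input, re-typed from the printkey dumps above: the ItemPos1171x730(1)
# value from Bob.vmem, then value "0" and MRUListEx from stuxnet.vmem ShellNoRoam\BagMRU\0\0.
ITEMPOS_HEX = (
    "00000000000000000000000000000000170000000200000014001f48ba8f0d45"
    "25add01198a80800361b1103170000004f00000014001f50e04fd020ea3a6910"
    "a2d808002b30309d170000009c00000014001f58602c8d20ea3a6910a2d70800"
    "2b30309dbf0300006a02000014001f6040f05f6481501b109f0800aa002f954e"
    "17000000e90000004e003200c0f8f7005a3cb31d20004143524f42417e312e45"
    "58450000320003000400efbe5a3ca91d5a3cb31d140000006100630072006f00"
    "620061007400360030002e0065007800650000001c0017000000360100005c00"
    "3a00cc0600005a3ccc1d200041444f4245527e312e4c4e4b0000400003000400"
    "efbe5a3ccc1d5a3ccc1d14000000410064006f00620065002000520065006100"
    "640065007200200036002e0030002e006c006e006b0000001c00170000003601"
    "000000000000")
BAGMRU_0_HEX = (
    "4a00310000000000193d81b8110050524f4752417e310000320003000400efbe"
    "163d186c193d8bb814000000500072006f006700720061006d00200046006900"
    "6c0065007300000018000000")
MRULISTEX_HEX = "01000000" "00000000" "04000000" "05000000" "03000000" "02000000" "ffffffff"

FILE_ATTRS = {0x01: "RO", 0x02: "HID", 0x04: "SYS", 0x10: "DIR", 0x20: "ARC"}  # subset of the plugin's table
SHELL_ITEM_TYPES = {0x31: "FILE_ENTRY", 0x32: "FILE_ENTRY", 0xB1: "FILE_ENTRY"}  # types decoded here

def dos_date(buf, off):
    """4-byte DOS timestamp: date word then time word, little endian.
    Zeroed or malformed fields (cf. the '-' columns in the output) return None."""
    d, t = struct.unpack_from("<HH", buf, off)
    try:
        return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None

def parse_attributes(buf, off):
    """XP ATTRIBUTES block (the itempos_types_XP layout above) starting at buf[off]."""
    a = {"modified": dos_date(buf, off)}
    bits = struct.unpack_from("<H", buf, off + 4)[0]
    a["file_attrs"] = [n for b, n in sorted(FILE_ATTRS.items()) if bits & b]
    nul = buf.index(b"\x00", off + 6)
    a["short_name"] = buf[off + 6:nul].decode("ascii", "replace")
    # NUL, then pad to a 2-byte boundary: +1 for odd-length names, +2 for even ones
    ext = nul + (1 if (nul - off - 6) % 2 else 2)
    _size, _version, _unk, sig = struct.unpack_from("<HHHH", buf, ext)
    if sig != 0xBEEF:
        raise ValueError("extension block signature 0xBEEF not found")
    a["created"] = dos_date(buf, ext + 8)
    a["accessed"] = dos_date(buf, ext + 12)
    a["name"] = buf[ext + 20:].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return a

def parse_itempos_value(data):
    """Walk an ItemPos* value as parse_key() does: first entry at 0x18 (or 0x34 when that
    slot is too small), Size + 8 bytes between entries, anything under 0x15 bytes skipped."""
    entries, i = [], 0x18
    while i < len(data) - 0x10:
        size = struct.unpack_from("<H", data, i)[0]
        if i == 0x18 and size < 0x15:
            i = 0x34
            continue
        if size >= 0x15:
            try:
                e = {"offset": i, "flags": struct.unpack_from("<H", data, i + 2)[0],
                     "file_size": struct.unpack_from("<I", data, i + 4)[0]}
                e.update(parse_attributes(data, i + 8))
                entries.append(e)
            except (ValueError, struct.error):
                pass  # truncated or corrupt entry (paged or smeared data): drop it
        i += size + 8
    return entries

def parse_shell_value(data):
    """One numbered BagMRU value as a SHELLITEM; only FILE_ENTRY types are decoded."""
    if len(data) <= 0x10:
        return None
    size, typ, _flags, file_size = struct.unpack_from("<HBBI", data, 0)
    if SHELL_ITEM_TYPES.get(typ) != "FILE_ENTRY":
        return None
    e = {"size": size, "type": typ, "file_size": file_size}
    e.update(parse_attributes(data, 8))
    return e

def parse_mrulistex(data):
    """MRUListEx: DWORD value indices, most recently used first, 0xFFFFFFFF terminated."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[:len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

if __name__ == "__main__":
    for e in parse_itempos_value(bytes.fromhex(ITEMPOS_HEX)):
        print(e["short_name"], e["modified"], e["created"], e["accessed"], e["file_attrs"], e["name"])
    e = parse_shell_value(bytes.fromhex(BAGMRU_0_HEX))
    print(e["short_name"], e["file_attrs"], e["name"], parse_mrulistex(bytes.fromhex(MRULISTEX_HEX)))
```

Run stand-alone, it prints the same ACROBA~1.EXE and ADOBER~1.LNK rows, with the same MAC times, that the plugin output shows for Bob.vmem, and PROGRA~1 / Program Files with RO and DIR for stuxnet.vmem. A parser like this is also a convenient way to cross-check the plugin's output against a hive exported from disk, since the value data is identical in both places.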
Below we can see some output from the shellbags plugin that shows these parsed SHELLITEM entries.
$ ./vol.py -f stuxnet.vmem --profile=WinXPSP2x86 shellbags
Volatile Systems Volatility Framework 2.3_alpha
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\BagMRU
Last updated: 2010-10-31 16:48:00
Value Mru Entry Type GUID GUID Description Folder IDs
------- ----- -------------- ---------------------------------------- -------------------- ----------
0 0 Folder Entry 208d2c60-3aea-1069-a2d7-08002b30309d My Network Places EXPLORER, MY_DOCUMENTS, MY_COMPUTER, NETWORK
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\BagMRU\0
Last updated: 2010-10-31 16:47:28
Value Mru Entry Type Description Name | Full Path
------- ----- ------------------------- -------------------- ----------------
0 0 Network Volume Name Entire Network | Entire Network
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\BagMRU\0\0
Last updated: 2010-10-31 16:47:28
Value Mru Entry Type Description Name | Full Path
------- ----- ------------------------- -------------------- ----------------
0 0 Network Volume Name VMware Shared Folders | Entire Network\VMware Shared Folders
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2011-06-03 04:27:27
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos800x600(1) IDAPRO~1.LNK 2010-08-25 23:04:22 2010-08-25 23:04:22 2010-08-25 23:04:22 ARC IDA Pro Standard (32-bit).lnk
ItemPos800x600(1) IDAPRO~1.EXE 2010-03-22 13:47:48 2010-03-22 13:47:48 2010-08-25 23:02:44 ARC idapro_931_42287435c1a6ed5a6d6039345b7c49c2.exe
ItemPos1118x838(1) Cygwin.lnk 2010-10-08 03:59:32 2010-10-08 03:59:32 2010-10-31 13:48:48 ARC Cygwin.lnk
ItemPos1118x838(1) IMMUNI~1.LNK 2010-08-26 01:10:00 2010-08-26 01:10:00 2010-10-31 16:36:12 ARC Immunity Debugger.lnk
ItemPos1118x838(1) MOZILL~1.LNK 2010-08-25 23:14:48 2010-08-25 23:14:48 2010-10-31 13:48:48 ARC Mozilla Firefox.lnk
ItemPos1118x838(1) NOTEPA~1.LNK 2010-08-26 01:11:12 2010-08-26 01:11:12 2010-10-31 13:48:48 ARC Notepad++.lnk
ItemPos1118x838(1) VMWARE~1.LNK 2011-06-03 04:21:28 2010-10-31 16:47:08 2011-06-03 04:21:28 ARC VMware Shared Folders.lnk
ItemPos1118x838(1) SYMBOL~1.0_B 2010-08-27 14:49:08 2010-08-27 14:49:08 2011-06-03 04:21:32 DIR SymbolTypeViewer_v1.0_beta
[snip]
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\6
Last updated: 2010-08-26 01:12:12
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
0 0 Downloads - - - DIR Downloads
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0
Last updated: 2011-06-03 04:24:36
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
1 0 DOCUME~1 2010-08-22 17:38:04 2010-08-22 13:32:26 2010-08-26 01:04:52 DIR C:\Documents and Settings
0 1 PROGRA~1 2010-08-25 23:04:02 2010-08-22 13:32:48 2010-08-25 23:04:22 RO, DIR C:\Program Files
3 4 Python25 2010-08-26 01:16:44 2010-08-25 23:04:24 2010-08-27 14:41:32 DIR C:\Python25
2 5 Symbols 2010-08-27 14:32:32 2010-08-27 14:30:02 2010-08-27 14:32:32 DIR C:\Symbols
5 3 Python26 2010-10-08 03:33:16 2010-10-08 03:29:24 2010-10-08 03:33:16 DIR C:\Python26
4 2 WINDOWS 2010-08-26 00:06:24 2010-08-22 13:29:34 2010-10-08 03:27:40 DIR C:\WINDOWS
***************************************************************************
[snip]
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\0
Last updated: 2010-10-31 16:36:18
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ---------
1 7 IMPREC~1.7C 2008-03-11 01:43:32 2010-08-26 01:10:14 2010-08-26 01:17:14 DIR C:\Program Files\ImpREC 1.7c
0 1 IDA 2010-08-25 23:04:18 2010-08-25 23:04:02 2010-08-25 23:04:22 DIR C:\Program Files\IDA
3 5 ICESWO~1 2010-08-26 01:09:44 2010-08-26 01:09:42 2010-08-26 01:17:34 DIR C:\Program Files\IceSword122en
2 6 LPE-DL~1.41_ 2010-08-26 01:10:44 2010-08-26 01:10:44 2010-08-26 01:17:14 DIR C:\Program Files\LPE-DLXb_1.41_UPD
5 3 PROCES~1.3-B 2010-08-26 01:12:40 2010-08-26 01:12:40 2010-08-26 01:17:56 DIR C:\Program Files\processhacker-2.3-bin
4 4 odbg200 2010-08-26 01:06:18 2010-08-26 01:06:18 2010-08-26 01:17:44 DIR C:\Program Files\odbg200
7 0 IMMUNI~1 2010-08-26 01:10:00 2010-08-26 01:10:00 2010-10-31 16:36:16 DIR C:\Program Files\Immunity Inc
6 2 REGSHO~1.2_S 2010-08-26 01:13:10 2010-08-26 01:13:10 2010-08-26 01:18:10 DIR C:\Program Files\regshot_1.8.2_src_bin
***************************************************************************
[snip]
We can see the different types of Shellbag entries that are parsed by the plugin. Notice that for some SHELLITEM entries we can see when they were last used, since the MRUListEx order is placed in the output. We also have other attributes shown, such as MAC times for some items and absolute paths. The registry and key paths are given in the output to allow the investigator to further investigate or verify on his/her own as needed. Notice in the output that sometimes the MAC times are not populated (shown as "-"); this may be due to corrupt or paged data in memory.
Looking at the output from the stuxnet.vmem sample, we can tell from the various software listed that this is an analysis machine. We have several debuggers and malware analysis tools installed. There are also different versions of Python installed. We can also tell that this is a virtual machine, since there are link files to VMware Shared Folders, which also appears as a network share.
SetRegTime
Some experiments with SetRegTime were carried out on a virtual machine to see if the LastWrite timestamps of a registry key would change on a running machine. A Shellbag key of interest was chosen and the SetRegTime application was run against it. The machine ran for another two minutes and was then suspended, and the shellbags plugin was run against the memory image. Below we can see that the SetRegTime application successfully changed the LastWrite timestamp (the "Last updated" line):
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 3024-05-21 00:00:00
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1) BLAHBL~1.TXT 2012-08-17 14:15:14 2012-08-17 14:15:02 2012-09-25 11:49:32 ARC blah blah.txt
ItemPos1567x784(1) NEWTEX~1.TXT 2012-08-17 14:14:56 2012-08-17 14:14:50 2012-09-25 11:49:38 ARC New Text Document.txt
ItemPos1567x784(1) POISON~1.PY 2012-06-18 19:52:32 2012-08-17 14:15:18 2012-09-25 11:49:42 ARC poison_ivy.py
***************************************************************************
The timestamp chosen for this experiment was, of course, ludicrous, so that it would stand out as having been changed. One thing to note is that the timestamps of the Shellbag entries should date slightly before the LastWrite timestamp of the registry key from which they came. There may be some exceptions, however, where the Shellbag entry's access timestamps are not updated in the registry: for SHELLITEM entries it seems that the embedded timestamps are not updated upon later accesses, whereas ITEMPOS entries do appear to update.
Regardless, the embedded timestamps should still date prior to the LastWrite timestamp. We can see an example of SHELLITEM entry timestamps not changing in the output of the stuxnet.vmem sample above for the Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0 registry key. An example of timestamp changes for ITEMPOS entries can be seen below:
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2012-09-25 12:40:28
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1) ENCASE~1.LNK 2012-09-21 18:13:50 2012-09-21 18:13:50 2012-09-21 18:13:50 ARC EnCase v6.18.lnk
ItemPos1567x784(1) TRUECR~1.LNK 2012-08-17 14:09:46 2012-08-17 14:09:46 2012-09-25 11:48:54 ARC TrueCrypt.lnk
ItemPos1567x784(1) VMWARE~1.LNK 2012-09-25 11:53:26 2012-09-21 18:02:18 2012-09-25 11:53:26 ARC VMware Shared Folders.lnk
ItemPos1567x784(1) backup 2012-06-07 19:00:32 2012-06-07 18:56:22 2012-09-25 11:48:12 DIR backup
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2012-09-25 12:52:20
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1) ENCASE~1.LNK 2012-09-21 18:13:50 2012-09-21 18:13:50 2012-09-25 12:41:12 ARC EnCase v6.18.lnk
ItemPos1567x784(1) TRUECR~1.LNK 2012-08-17 14:09:46 2012-08-17 14:09:46 2012-09-25 11:48:54 ARC TrueCrypt.lnk
ItemPos1567x784(1) VMWARE~1.LNK 2012-09-25 11:53:26 2012-09-21 18:02:18 2012-09-25 11:53:26 ARC VMware Shared Folders.lnk
ItemPos1567x784(1) backup 2012-06-07 19:00:32 2012-06-07 18:56:22 2012-09-25 12:51:18 DIR backup
***************************************************************************
If Shellbag entries are later added to a key whose LastWrite timestamp was stomped, the LastWrite timestamp will be updated when the new Shellbag entry is added. If the Shellbag key hosts heavily used entries, like a system volume (C:\ for example), it would be difficult to ensure that the stomped LastWrite timestamp would survive regular system use. Changes to the MruListEx or to any other setting under a Shellbag key (some not covered in this post) will also update the LastWrite timestamp.
Also, since Shellbag entry timestamps have a somewhat predictable relationship with the LastWrite time, these different timestamps may be used to find stomped keys: a LastWrite timestamp that occurs prior to the Shellbag entry timestamps, for example, is a red flag. To timestomp registry values more convincingly, a tool would also have to change the timestamps of the Shellbag entries themselves or delete them. Missing common Shellbag entries would of course be suspicious, and changed Shellbag entry MAC times could be checked against the file system itself or backup registry files.
Another thing to note is that changes to a Shellbag key's children can have an indirect effect on the Shellbag key itself, since accessing a child may update the MruListEx entry, causing the Shellbag key's LastWrite timestamp to change as well.
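One way to apply the heuristic above over the plugin's text output: flag any key whose LastWrite time precedes the MAC timestamps of its own entries, or falls after the time the memory sample was acquired. This is an added example, not part of the plugin or the post; the sample output is constructed from the listings in this post plus one made-up stomped key, and the acquisition time passed in is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of shellbags plugin output: key 1 is untouched, key 2 carries the
# page's impossible 3024 LastWrite, key 3 (constructed) was stomped back to 11:00:00.
SAMPLE_OUTPUT = r"""
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2012-09-25 12:52:20
ItemPos1567x784(1) ENCASE~1.LNK 2012-09-21 18:13:50 2012-09-21 18:13:50 2012-09-25 12:41:12 ARC EnCase v6.18.lnk
ItemPos1567x784(1) backup 2012-06-07 19:00:32 2012-06-07 18:56:22 2012-09-25 12:51:18 DIR backup
***************************************************************************
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 3024-05-21 00:00:00
3 2 Temp 2010-08-05 12:46:02 2010-08-05 12:46:02 2012-09-25 12:51:18 DIR C:\Temp
***************************************************************************
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 2012-09-25 11:00:00
ItemPos1567x784(1) POISON~1.PY 2012-06-18 19:52:32 2012-08-17 14:15:18 2012-09-25 11:49:42 ARC poison_ivy.py
"""
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_keys(output):
    """Yield (key, last_write, [embedded MAC timestamps]) for each printed key."""
    key, last_write, entry_times = None, None, []
    for line in output.splitlines():
        if line.startswith("Key:"):
            if key and last_write:
                yield key, last_write, entry_times
            key, last_write, entry_times = line.split(":", 1)[1].strip(), None, []
        elif line.startswith("Last updated:"):
            last_write = datetime.strptime(line.split(":", 1)[1].strip(), TS_FMT)
        else:  # entry rows; header, separator and [snip] lines carry no timestamps
            entry_times += [datetime.strptime(t, TS_FMT) for t in TS_RE.findall(line)]
    if key and last_write:
        yield key, last_write, entry_times

def find_stomped_keys(output, acquired_at):
    """Map suspicious key -> reasons; acquired_at is the sample's capture time string."""
    acquired = datetime.strptime(acquired_at, TS_FMT)
    findings = {}
    for key, last_write, entry_times in parse_keys(output):
        reasons = []
        if last_write > acquired:
            reasons.append("LastWrite is later than the image acquisition time")
        if entry_times and last_write < max(entry_times):
            reasons.append("LastWrite precedes embedded entry timestamp %s" % max(entry_times))
        if reasons:
            findings[key] = reasons
    return findings
```

A key that only ever held the stomped value and no entries (an empty BagMRU node, say) yields nothing to compare against, so the acquisition-time check is the only one that can catch it.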
SetRegTime Examples
First we start off with a timestomped key:
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 3024-05-21 00:00:00
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1 0 WINDOWS 2010-08-09 22:22:28 2010-06-04 09:10:08 2010-08-17 17:04:38 DIR C:\WINDOWS
0 1 DOCUME~1 2010-06-04 13:37:26 2010-06-04 09:14:18 2010-08-17 17:04:36 DIR C:\Documents and Settings
3 2 Temp 2010-08-05 12:46:02 2010-08-05 12:46:02 2012-09-25 12:51:18 DIR C:\Temp
2 3 PROGRA~1 2010-10-25 20:22:02 2010-06-04 09:14:52 2010-10-25 20:22:02 RO, DIR C:\Program Files
***************************************************************************
Then we browse to C:\Temp, open a folder, and create and open another folder.
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 2012-09-25 15:30:15
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1 1 WINDOWS 2010-08-09 22:22:28 2010-06-04 09:10:08 2010-08-17 17:04:38 DIR C:\WINDOWS
0 2 DOCUME~1 2010-06-04 13:37:26 2010-06-04 09:14:18 2010-08-17 17:04:36 DIR C:\Documents and Settings
3 0 Temp 2010-08-05 12:46:02 2010-08-05 12:46:02 2012-09-25 12:51:18 DIR C:\Temp
2 3 PROGRA~1 2010-10-25 20:22:02 2010-06-04 09:14:52 2010-10-25 20:22:02 RO, DIR C:\Program Files
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\3
Last updated: 2012-09-25 15:30:38
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1 0 blah 2012-09-25 15:30:26 2012-09-25 15:30:26 2012-09-25 15:30:26 DIR C:\Temp\blah
0 1 {9F5FB~1 2010-09-26 20:35:22 2010-08-05 12:46:02 2010-11-16 19:16:44 DIR C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
***************************************************************************
We can see that the LastWrite timestamp of Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1 changed because the Temp directory was the last directory used and the MruListEx was updated. Also notice how close together the three timestamps that follow are. First, the C:\Temp folder is opened at 2012-09-25 15:30:15. Second, the folder C:\Temp\blah is created and accessed at 2012-09-25 15:30:26. Third, the key that contains the Shellbag entry for C:\Temp\blah is updated to show that this is the last folder opened (MruListEx) at 2012-09-25 15:30:38.
Another experiment was conducted to see whether a child folder would have an effect on the parent folder's key when the child was browsed directly. For this experiment, the C:\WINDOWS folder was browsed first to make it first on the MruListEx list. Then the run command was used to open C:\Temp\blah directly. The final result shows that navigating directly to a child folder updates the parent folder's MruListEx value and thus the LastWrite time of its registry key. The child folder's registry key LastWrite timestamp was not modified, however, since its MruListEx value did not change and the entry's MAC timestamps are not updated.
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1
Last updated: 2012-09-25 15:48:03
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1 1 WINDOWS 2010-08-09 22:22:28 2010-06-04 09:10:08 2010-08-17 17:04:38 DIR C:\WINDOWS
0 3 DOCUME~1 2010-06-04 13:37:26 2010-06-04 09:14:18 2010-08-17 17:04:36 DIR C:\Documents and Settings
3 0 Temp 2010-08-05 12:46:02 2010-08-05 12:46:02 2012-09-25 12:51:18 DIR C:\Temp
2 2 PROGRA~1 2010-10-25 20:22:02 2010-06-04 09:14:52 2010-10-25 20:22:02 RO, DIR C:\Program Files
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\3
Last updated: 2012-09-25 15:30:38
Value Mru File Name Modified Date Create Date Access Date File Attr Path
------- ----- -------------- -------------------- -------------------- -------------------- ------------------------- ----
1 0 blah 2012-09-25 15:30:26 2012-09-25 15:30:26 2012-09-25 15:30:26 DIR C:\Temp\blah
0 1 {9F5FB~1 2010-09-26 20:35:22 2010-08-05 12:46:02 2010-11-16 19:16:44 DIR C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
***************************************************************************
TrueCrypt Volumes
TrueCrypt volumes also appear in Shellbag entries. Aside from the volume name itself (the drive letter where the volume was mounted), the volume container and its contents are often found in ITEMPOS entries. For example, below are entries for a TrueCrypt volume (MyTrueCryptVolume) and a few of its files and folders that were opened:
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-09-25 13:22:43
Value Mru Entry Type Path
------- ----- -------------- ----
1 0 Volume Name C:\
3 1 Volume Name Z:\
4 2 Volume Name T:\
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\52\Shell
Last updated: 2012-09-25 12:51:28
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
[snip]
ItemPos1567x784(1) UserData 2012-06-22 19:28:50 2012-06-22 19:28:50 2012-09-25 12:51:18 SYS, DIR UserData
ItemPos1567x784(1) RECENT~1.XBE 2010-10-18 14:00:50 2010-10-18 14:00:50 2010-10-18 14:00:50 ARC .recently-used.xbel
ItemPos1567x784(1) MYTRUE~1 2012-08-17 14:13:48 2012-08-17 14:12:18 2012-09-25 11:48:46 ARC MyTrueCryptVolume
ItemPos1567x784(1) NTUSER.DAT 2012-09-25 11:50:08 2010-06-04 13:37:26 2012-09-25 12:18:44 ARC, HID NTUSER.DAT
ItemPos1567x784(1) NTUSER~1.LOG 2012-09-25 12:51:24 2010-06-04 13:37:26 2012-09-25 12:51:06 ARC, HID NTUSER.DAT.LOG
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 3024-05-21 00:00:00
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1) BLAHBL~1.TXT 2012-08-17 14:15:14 2012-08-17 14:15:02 2012-09-25 11:49:32 ARC blah blah.txt
ItemPos1567x784(1) NEWTEX~1.TXT 2012-08-17 14:14:56 2012-08-17 14:14:50 2012-09-25 11:49:38 ARC New Text Document.txt
ItemPos1567x784(1) POISON~1.PY 2012-06-18 19:52:32 2012-08-17 14:15:18 2012-09-25 11:49:42 ARC poison_ivy.py
***************************************************************************
Since ITEMPOS entries can be updated in the registry, a TrueCrypt volume's name may disappear from them if the volume is deleted or moved. Experiments showed that when the TrueCrypt volume was deleted and the machine restarted, the TrueCrypt volume disappeared from the ITEMPOS entry above, but the filenames of its accessed contents remained intact:
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\BagMRU\0
Last updated: 2012-09-25 15:49:04
Value Mru Entry Type Path
------- ----- -------------- ----
1 2 Volume Name C:\
3 3 Volume Name Z:\
4 0 Volume Name T:\
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\52\Shell
Last updated: 2012-09-25 14:31:53
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
[snip]
ItemPos1567x784(1) UserData 2012-06-22 19:28:50 2012-06-22 19:28:50 2012-09-25 14:31:52 SYS, DIR UserData
ItemPos1567x784(1) RECENT~1.XBE 2010-10-18 14:00:50 2010-10-18 14:00:50 2010-10-18 14:00:50 ARC .recently-used.xbel
ItemPos1567x784(1) NTUSER.DAT 2012-09-25 13:33:28 2010-06-04 13:37:26 2012-09-25 14:31:18 ARC, HID NTUSER.DAT
ItemPos1567x784(1) NTUSER~1.LOG 2012-09-25 14:31:54 2010-06-04 13:37:26 2012-09-25 14:31:30 ARC, HID NTUSER.DAT.LOG
***************************************************************************
***************************************************************************
Registry: \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
Key: Software\Microsoft\Windows\ShellNoRoam\Bags\63\Shell
Last updated: 2012-09-25 15:49:32
Value File Name Modified Date Create Date Access Date File Attr Unicode Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- ------------
ItemPos1567x784(1) BLAHBL~1.TXT 2012-09-25 15:49:16 2012-08-17 14:15:02 2012-09-25 15:49:16 ARC blah blah.txt
ItemPos1567x784(1) NEWTEX~1.TXT 2012-08-17 14:14:56 2012-08-17 14:14:50 2012-09-25 12:52:06 ARC New Text Document.txt
ItemPos1567x784(1) POISON~1.PY 2012-06-18 19:52:32 2012-08-17 14:15:18 2012-09-25 12:52:10 ARC poison_ivy.py
***************************************************************************
Conclusion
Shellbags are used widely in forensic investigations, and until now Shellbag information was only easily extracted from registry hives on disk. This plugin will now empower investigators to conduct these types of investigations on memory samples, and we've shown how it may be possible to heuristically determine time-stomped registry keys based on known/expected changes to the Shellbag keys during normal activity.
Notes
There are still some types that are not yet supported; however, most data is represented at this time. This plugin was created due to a discussion on the vol-users listserv. Also, associating Shell\Bags keys with Shell\BagMRU keys is left on the TODO list. The plugin might take a little while to run if there are many Shellbag keys; this is because the plugin has to iterate through all keys in order to build the path tree for the full path names.
Obtaining the Plugin
Since the shellbags plugin is scheduled for the Volatility 2.3 release, it is not in the main trunk yet, nor will it be in the 2.2 release. You can, however, obtain it from the 2.3-devel branch. Instructions are here: http://code.google.com/p/volatility/wiki/VolatilityBranches.
References
- Windows Shell Item format specification (pdf) by Joachim Metz
- Using shellbag information to reconstruct user activities (pdf) by Yuandong Zhu, Pavel Gladyshev and Joshua James