
Using shellbag information to reconstruct user activities

Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009

: (junghmi@korea.ac.kr)

Digital Forensic Research Center


1. Registry Forensics
2. Shellbag Information
3. Experimental Analysis of Shellbag updating
4. Causality between User actions & Shellbag updating
5. Shellbag Analysis Method
6. Case Study
7. Conclusion



Registry Forensics


1. Registry Forensics
Registry

Registry


Restore Point Registry Snapshot !
Registry

Papers (2009)
- Identifying newly updated data values of MRU Keys between registry snapshots. Fifth Annual IFIP WG 11.9 International Conference on Digital Forensics.
- A comparative methodology for the reconstruction of digital events using Windows Restore Points. Digital Investigation.
- Using shellbag information to reconstruct user activities. DFRWS 2009.

Authors
Yuandong Zhu, Pavel Gladyshev, Joshua James, Center for Cybercrime Investigation, University College Dublin, Ireland

Shellbag Information


2. Shellbag Information
Shellbag


2. Shellbag Information
Shellbag key locations
- Windows 2000, XP, 2003: HKCU\Software\Microsoft\Windows\Shell and HKCU\Software\Microsoft\Windows\ShellNoRoam
- Windows Vista, 7: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Shellbag & Streams


Shellbag Streams (default)


2. Shellbag Information
(figure: folder tree Desktop > [Programs], Test)
Settings stored per folder: Window Size, Window Position, Sort Order
Timestamps: Modification, Creation, LastAccess
5000


2. Shellbag Information
CLSID List (Windows Class Identifiers)


2. Shellbag Information
Shellbag Cleaner ?



2. Shellbag Information
Folder's MRU key, folder's MRU item, folder's Display key


Experimental Analysis of Shellbag updating


3. Experimental Analysis of Shellbag updating

Experiments 1 ~ 6 (columns: Shellbag entry exists? / Desktop folder? / User action / Results)

Experiment 1: Shellbag entry exists: Yes; Desktop folder: Yes; User action: Open
- Find target folder's MRU item by enumerating all items
- Update the BagMRU key's MRUListEx value
- Find target folder's Display key

Experiment 2: Shellbag entry exists: Yes; Desktop folder: Yes; User action: Close
- Find target folder's MRU item by enumerating all items
- Update the BagMRU key's MRUListEx value
- Write the folder's display settings to Display key

Experiment 3: Shellbag entry exists: Yes; Desktop folder: No; User action: Open
- Find target folder's MRU item by enumerating all items
- Update target folder's and all parent folders' MRUListEx value
- Find target folder's Display key

Experiment 4: Shellbag entry exists: Yes; Desktop folder: No; User action: Close
- Find target folder's MRU item by enumerating all items
- Update target folder's and all parent folders' MRUListEx value
- Write the folder's display settings to Display key

Experiment 5: Shellbag entry exists: No; Desktop folder: Both; User action: Open
- Find target folder's MRU item by enumerating all items
- User actions do not create any new Shellbag information
- Update target's parent folder's MRUListEx value

Experiment 6: Shellbag entry exists: No; Desktop folder: Both; User action: Close
- Find target folder's MRU item by enumerating all items
- Create target folder's MRU key and item
- Update target folder's and all parent folders' MRUListEx value
- Write the folder's display settings to Display key

3. Experimental Analysis of Shellbag updating

Experiment 7 (Deleting a folder)
Shellbag entry exists: Yes; Desktop folder: Both; User action: Delete
Results
- Update target folder's and all parent folders' MRUListEx value
- There is no registry deleting operation

Experiment 8 (Creating a folder with the same name)
Shellbag entry exists: Yes; Desktop folder: Both; User action: Open
Results
- Shellbag - 1

Experiment 9 (Closing a folder when the registry already contains the maximum (5000) number of Display keys)
Shellbag entry exists: No; Desktop folder: Both; User action: Close
Results
- Update target folder's and all parent folders' MRUListEx value
- NodeSlot value = 1 (Bags\1\Shell)

Analysis of Causality between User actions & Shellbag updating


4. Analysis of Causality between User actions & Shellbag updating

1
2 MRU item's position updating
3 key values, subkeys, timestamp
4 (existing) Shellbag MRU item (), MRU key, MRU item, Display key

Shellbag Analysis Method


5. Shellbag Analysis Method

Rule 1
Folder A's MRU item position: A folder, type 1, 2

Rule 2
Folder A's Display key was created or updated: A folder, type 2

Rule 3
Folder A's MRU key, MRU item, Display key X: Type 2 never occurred on folder A!

Rule 4
Folder A's MRU item position: A's parent folder's item position
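The experiment results in section 3 (how MRUListEx values are rewritten on open/close) and Rules 1 to 4 above are easier to follow in code. The following is an added example written for this page; it is not code from the DFRWS 2009 paper, the presentation, or TraceHunter. The MRUListEx encoding it parses (little-endian DWORD item indices, most-recent first, terminated by 0xFFFFFFFF) is the real registry format; everything else is a simplification: BagMRU keys are addressed by a constructed `Desktop/...` path instead of numbered subkeys, the "type 1 = folder opened, type 2 = folder closed with display settings written" reading of the rules is an assumption taken from the experiment table, and the two snapshots are constructed fixtures rather than exported hives.

```python
import copy
import struct
from dataclasses import dataclass, field

TERMINATOR = 0xFFFFFFFF  # MRUListEx ends with a DWORD of all ones
ROOT = "Desktop"         # stand-in for the BagMRU root key; it has no parent list


def parse_mrulistex(raw: bytes) -> list[int]:
    """Decode an MRUListEx value: little-endian DWORD item indices,
    most recently used first, terminated by 0xFFFFFFFF."""
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == TERMINATOR:
            return order
        order.append(idx)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")


def encode_mrulistex(order: list[int]) -> bytes:
    """Inverse of parse_mrulistex; used here only to build the constructed fixture."""
    return b"".join(struct.pack("<I", i) for i in [*order, TERMINATOR])


@dataclass
class BagMRUKey:
    """One BagMRU key (one folder): child folder name -> MRU item index,
    the decoded MRUListEx order, and whether a Bags\\N\\Shell display key exists."""
    children: dict[str, int] = field(default_factory=dict)
    order: list[int] = field(default_factory=list)
    has_display_key: bool = False


def touch(snapshot: dict, path: str) -> None:
    """What experiments 3, 4 and 6 observed: move the folder's item to the front
    of its parent's MRUListEx, then do the same for every ancestor up to the root."""
    while path != ROOT:
        parent, _, name = path.rpartition("/")
        key = snapshot[parent]
        idx = key.children[name]
        key.order = [idx] + [i for i in key.order if i != idx]
        path = parent


def close_folder(snapshot: dict, path: str) -> None:
    """Experiment 6: closing a folder with no Shellbag entry creates its MRU item
    and key, writes its Display key and updates all parent MRUListEx values."""
    parent, _, name = path.rpartition("/")
    if path not in snapshot:
        key = snapshot[parent]
        key.children[name] = max(key.children.values(), default=-1) + 1
        snapshot[path] = BagMRUKey()
    snapshot[path].has_display_key = True
    touch(snapshot, path)


def item_position(snapshot: dict, path: str):
    """Position of `path` in its parent's MRUListEx (0 = most recent),
    or None when the folder has no MRU item in this snapshot."""
    parent, _, name = path.rpartition("/")
    key = snapshot.get(parent)
    if key is None or name not in key.children:
        return None
    return key.order.index(key.children[name])


RULES = {
    "R1": "item moved to the front of the parent's MRUListEx: type 1 or 2 action on the folder",
    "R2": "Display key created between snapshots: type 2 (close) action on the folder",
    "R3": "MRU key and item did not exist before: a type 2 action created them",
    "R4": "parent's front move is accounted for by a child folder's own activity",
}


def infer_events(before: dict, after: dict) -> dict[str, list[str]]:
    """Apply Rules 1-4 to two snapshots; returns folder -> matched rule ids."""
    findings: dict[str, list[str]] = {}
    for path in sorted(after):
        if path == ROOT:
            continue
        rules = []
        pos_b, pos_a = item_position(before, path), item_position(after, path)
        if pos_b is None:
            rules.append("R3")
        elif pos_a == 0 and pos_b != 0:
            rules.append("R1")
        had_display = path in before and before[path].has_display_key
        if after[path].has_display_key and not had_display:
            rules.append("R2")
        if rules:
            findings[path] = rules
    # Rule 4: ancestors move to the front whenever a descendant is touched, so a
    # parent's front move is explained by a child at position 0 with its own finding.
    for path, rules in findings.items():
        if "R1" in rules and any(
            f"{path}/{c}" in findings and item_position(after, f"{path}/{c}") == 0
            for c in after[path].children
        ):
            rules.append("R4")
    return findings


def build_snapshots():
    """Constructed fixture (not real registry data): a 'before' state, then the
    user opens Desktop\\Test and closes the new subfolder Desktop\\Test\\Sub."""
    before = {
        ROOT: BagMRUKey({"Programs": 0, "Test": 1},
                        parse_mrulistex(encode_mrulistex([0, 1])), True),
        "Desktop/Programs": BagMRUKey(has_display_key=True),
        "Desktop/Test": BagMRUKey(has_display_key=True),
    }
    after = copy.deepcopy(before)
    touch(after, "Desktop/Test")             # experiment 3: open a folder with a Shellbag entry
    close_folder(after, "Desktop/Test/Sub")  # experiment 6: close a folder that has none
    return before, after


if __name__ == "__main__":
    before, after = build_snapshots()
    for folder, rules in infer_events(before, after).items():
        for r in rules:
            print(f"{folder}: {r} - {RULES[r]}")
```

Running it reports Desktop/Test under Rules 1 and 4 (its move to the front is accounted for by the child) and Desktop/Test/Sub under Rules 3 and 2 (created and given a Display key by a close). Note the limit visible in the code: a folder that was already at position 0 and is touched again leaves no positional trace, which is why the later rules on this page pair item positions with the MRU key's timestamp across snapshots.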


5. Shellbag Analysis Method

Rule 5
Folder A's MRU item position X: A's parent folder's item position X

Rule 6
Snapshot: folder A's MRU key's timestamp; MRU item's position X; the first item's position

Rule 7
Snapshot: folder A's MRU key's timestamp; MRU item's position (first item)

Rule 8
Snapshot: folder A's MRU key's values, timestamp; MRU item's position

5. Shellbag Analysis Method

Rule 9
Creation time in folder A's MRU item's binary data; folder A's Creation time in the filesystem
Folder's MRU item; folder's MRU item

Case Study


6. Case Study


Conclusion


7. Conclusion
Shellbag information, 9 rules, TraceHunter (http://tracehunter.com/)

Windows XP

Q&A

Digital Forensic Research Center http://forensic.korea.ac.kr
