Introduction
Digital forensic investigators need a deep knowledge of the sheer number of artifacts present on a system. Forensic suites provide excellent automation and can produce high-quality information about a variety of artifacts; however, a tool is only as good as the examiner who uses it. One Windows artifact that is routinely produced in forensic suite reports, but is easily overlooked, is shellbags. This article provides background on what shellbags are, how they can be used in digital forensic investigations, and how they can be manually extracted and parsed.
What are Shellbags?
Windows shellbags are a set of registry keys that record a folder's window size and position, chosen view option, icon, MAC (modified, accessed, created) timestamps and path as seen in Windows File Explorer. The feature exists to store an individual user's preferences and make folders easy to return to: Microsoft wanted the operating system to remember how the user customized each folder, so that every subsequent time the user opens File Explorer, the layout and location are the same as when the folder was last accessed. Shellbag information is collected not only for local folders but also for external media and network shares, so when a folder on a removable drive is opened on a specific computer, its view settings persist on that computer even after the drive is removed.
Figure 1 displays different view options in File Explorer. Changing the view options or resizing the window causes the shellbag information for that folder to update.
Since shellbag data is user driven, the information it provides is dynamic and changes as often as the user changes folders. For example, if a user creates a folder named "Investigations" and opens it in File Explorer, a shellbag entry is created in the registry recording the folder's name and its created, modified and last-accessed timestamps. When the view options of the "Investigations" folder are later changed, the corresponding shellbag keys are updated.
Shellbag Specifics
Shellbag keys have existed in every version of Windows since Windows XP. In Windows XP the data lives in NTUSER.DAT, under Software\Microsoft\Windows\Shell and Software\Microsoft\Windows\ShellNoRoam. From Windows Vista onward (Windows 7, 8/8.1 and 10) the bulk of the data moved to USRCLASS.DAT, and the locations are the same whether the operating system is 32-bit or 64-bit.
Shellbag data is stored in two registry hive files, NTUSER.DAT and USRCLASS.DAT, with the vast majority of useful information in USRCLASS.DAT. NTUSER.DAT sits in the root of the user's profile folder, C:\Users\{UserProfile}\NTUSER.DAT, and holds shellbag information for network folders, remote machines and remote shares. USRCLASS.DAT sits at C:\Users\{UserProfile}\AppData\Local\Microsoft\Windows\UsrClass.dat and holds shellbag information for the local desktop, local folders, local zip files, Windows special folders and virtual folders. Both hives have transaction logs beside them (NTUSER.DAT.LOG1/.LOG2 and UsrClass.dat.LOG1/.LOG2); on a live or uncleanly shut-down system the most recent changes may exist only in the logs, so collect them together with the hive.
In the live registry, shellbags appear in two places. The USRCLASS.DAT data is mounted for the logged-on user under HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (the same key is reachable as HKEY_USERS\{UserSID}_Classes\Local Settings\Software\Microsoft\Windows\Shell), and the NTUSER.DAT data under HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell. Each Shell key contains two child keys, BagMRU and Bags. BagMRU is a tree whose numbered sub-keys mirror the folder hierarchy the user has browsed: each numbered sub-key represents one folder, and the tree nests as deeply as the user navigated. Bags is a flat set of numbered sub-keys, one per folder, holding that folder's view settings. The number of sub-keys under both grows with the number of local folders, external drives and network folders that have been opened, and the numbering is zero-based.
Figure 2 displays the BagMRU and Bags sub-keys of the Shell registry key.
Three values tie the two keys together: MRUListEx, NodeSlot and NodeSlots. MRUListEx, present in every BagMRU key, is a list of 4-byte entries naming that key's numbered sub-keys in most-recently-used order, terminated by 0xFFFFFFFF. NodeSlot is a 4-byte value in a BagMRU key that points to the Bags\{n} key holding the folder's customization data, such as window size and view option. NodeSlots, found only in the root BagMRU key, records the most recently allocated slot number and is updated whenever a new shellbag is created. The folder itself is described by the numbered values in the BagMRU key: each holds a binary shell item containing the folder name, its MAC timestamps (stored in FAT date/time format, so only to two-second resolution) and, for folders on NTFS volumes, the MFT file reference. These values, rather than the Bags keys, carry the forensically interesting information, and they are read from the NTUSER.DAT and USRCLASS.DAT hives.
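The following parser, added here as an example and not part of the original article or of any tool it mentions, decodes the three pieces of raw data described above as they appear in a BagMRU key: the MRUListEx ordering, the NodeSlot pointer into Bags, and a "file entry" shell item (class type 0x31 for a folder) with its 0xBEEF0004 extension block carrying the long name, created/accessed FAT timestamps and NTFS file reference. The byte strings are constructed for this example (a folder named "Investigations" with a Windows 8/10-style version 9 extension block); the value names and layout follow the public documentation of the Windows shell item format. The list parser is written to walk a whole ITEMIDLIST, although a BagMRU value normally holds a single item, so it also works on shell item lists from other sources such as .lnk files.

```python
import struct
from datetime import datetime, timezone

# --- Constructed sample data for this example (not taken from a real system) ---
# MRUListEx as stored in a BagMRU key: little-endian DWORD sub-key numbers,
# most recently used first, terminated by 0xFFFFFFFF.
SAMPLE_MRULISTEX = bytes.fromhex("01000000 00000000 02000000 FFFFFFFF")
# NodeSlot: a DWORD naming the Bags\<n> key with this folder's view settings.
SAMPLE_NODESLOT = bytes.fromhex("2A000000")  # -> Bags\42
# One file-entry shell item (0x31, directory "INVEST~1" / "Investigations") with a
# version 9 0xBEEF0004 extension block, followed by the 2-byte list terminator.
SAMPLE_SHELL_ITEM_LIST = bytes.fromhex(
    "6600 31 00 00000000 6F4EC573 1000"            # size, type, pad, fsize, mtime, attrs
    "494E564553547E3100 00"                        # "INVEST~1\0" + alignment pad
    "4E00 0900 0400EFBE 624DA048 6F4EC573"         # ext size, version, sig, ctime, atime
    "2E00 0000 3412000000000500 0000000000000000"  # unknown, unknown, MFT ref, unknown
    "0000 00000000 00000000"                       # localized-name size, v9/v8 unknowns
    "49006E00760065007300740069006700610074006900"
    "6F006E00730000 00"                            # "Investigations\0" UTF-16LE
    "1800"                                         # offset of extension block (24)
    "0000")                                        # list terminator


def fat_to_datetime(raw):
    """Decode a 4-byte FAT date/time: date in the low word, time in the high word."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2,
                        tzinfo=timezone.utc)
    except ValueError:  # corrupt or zeroed fields (e.g. month 0)
        return None


def parse_mrulistex(raw):
    """Return the BagMRU sub-key numbers in MRU order (most recent first)."""
    slots = []
    for (slot,) in struct.iter_unpack("<I", raw):
        if slot == 0xFFFFFFFF:
            break
        slots.append(slot)
    return slots


def parse_nodeslot(raw):
    """NodeSlot is a single DWORD: the number of the matching Bags\\<n> key."""
    return struct.unpack("<I", raw)[0]


def read_utf16z(buf, off):
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2


def parse_beef0004(ext):
    """Parse a 0xBEEF0004 extension block (versions 3, 7, 8 and 9)."""
    size, version, sig = struct.unpack_from("<HHI", ext, 0)
    if sig != 0xBEEF0004:
        return None
    info = {"version": version, "created": fat_to_datetime(ext[8:12]),
            "accessed": fat_to_datetime(ext[12:16])}
    off = 18                               # bytes 16..18: unknown identifier
    if version >= 7:
        off += 2                           # unknown
        ref = struct.unpack_from("<Q", ext, off)[0]
        info["mft_entry"], info["mft_seq"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        off += 16                          # file reference + 8 unknown bytes
    off += 2                               # size of optional localized name
    if version >= 9:
        off += 4
    if version >= 8:
        off += 4
    info["long_name"], _ = read_utf16z(ext, off)
    return info


def parse_file_entry(item):
    """Parse a file-entry shell item with an ASCII primary (8.3) name."""
    size, ctype = struct.unpack_from("<HB", item, 0)
    file_size, mtime_raw, attrs = struct.unpack_from("<I4sH", item, 4)
    end = item.index(b"\x00", 14)
    ext_off = end + 1 + ((end + 1) % 2)    # name is padded to 2-byte alignment
    entry = {"type": ctype, "is_folder": bool(attrs & 0x10), "file_size": file_size,
             "short_name": item[14:end].decode("ascii", "replace"),
             "modified": fat_to_datetime(mtime_raw),
             "long_name": None, "created": None, "accessed": None}
    if ext_off + 8 <= size:
        ext = parse_beef0004(item[ext_off:size])
        if ext:
            entry.update(ext)
    return entry


def parse_shell_item_list(blob):
    """Walk shell items until the data ends or a 2-byte zero size is reached."""
    items, off = [], 0
    while off + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, off)[0]
        if size == 0:
            break
        item = blob[off:off + size]
        if 0x30 <= item[2] <= 0x3F:        # file-entry class types
            items.append(parse_file_entry(item))
        else:                              # root, volume, network... not decoded here
            items.append({"type": item[2], "raw": item})
        off += size
    return items


if __name__ == "__main__":
    print("child keys in MRU order:", parse_mrulistex(SAMPLE_MRULISTEX))
    print("view settings live in Bags\\%d" % parse_nodeslot(SAMPLE_NODESLOT))
    for e in parse_shell_item_list(SAMPLE_SHELL_ITEM_LIST):
        print(e["long_name"] or e["short_name"], "created", e["created"],
              "modified", e["modified"], "accessed", e["accessed"],
              "MFT entry", e.get("mft_entry"))
```

To rebuild a full path, run `parse_file_entry` over the numbered value at each level of a BagMRU key path (for example the value `1` in `BagMRU\0`, then `3` in `BagMRU\0\1`) and join the long names; the registry key's own last-write time, not the FAT timestamps inside the item, is the best indicator of when the user last touched that folder.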
Figure 3 displays the MRUListEx, NodeSlot and NodeSlots values. Note that not every BagMRU key has all three: NodeSlots exists only in the root BagMRU key.
Shellbag Forensic Uses
On the surface, Windows shellbags may not seem like a particularly useful forensic artifact. Their main purpose, remembering folder view preferences, is only indirectly useful to investigators, but the side effect is a wealth of data about the user's interaction with the operating system. A shellbag entry is created the first time a folder is viewed in File Explorer and is updated every subsequent time that folder's window is adjusted. The recorded folder names and created, modified and last-accessed timestamps persist in the registry even after the folder has been securely deleted, the application that created it has been uninstalled, or the folder has been moved to an external device such as a USB drive. Coupled with other artifacts such as link (.lnk) files and prefetch data, shellbags can provide evidence of a user's knowledge of a file. They may also suggest that a user knew about a particular program or file even when there is no shellbag entry for that specific item, by showing that the folder containing it was accessed. Two caveats apply: shellbags record folders, not individual files, so an entry alone does not prove a file was opened; and the MAC timestamps inside a shell item are the folder's own timestamps at the time the entry was written, whereas the registry key's last-write time is what indicates when the user interacted with it.
Exploring Shellbags
To explore the information contained in shellbags, we first need to obtain the hive files. On a live system, the NTUSER.DAT and USRCLASS.DAT files of a logged-on user are locked by the operating system, so they cannot be opened or copied with ordinary file tools. To extract them from a live system, or during a post-mortem examination of a disk image, we either copy them out with a tool that reads the raw disk or load them into a shellbag utility as offline hives. In this article we use FTK Imager to export the files, but any imager or raw-copy tool that can read locked files will work.
To extract the shellbag data, first navigate to the NTUSER.DAT and USRCLASS.DAT files. As mentioned above, NTUSER.DAT is in the root of the user's profile folder at C:\Users\{UserProfile}, and USRCLASS.DAT is at C:\Users\{UserProfile}\AppData\Local\Microsoft\Windows (a hidden system folder). Using FTK Imager, export both files, together with their .LOG1 and .LOG2 transaction logs, and load them into a shellbag utility.
Figure 4 displays the contents of the NTUSER.DAT file (left) and USRCLASS.DAT file (right) in FTK Imager.
To view the shellbag data we use Eric Zimmerman's ShellBags Explorer (a command-line version, SBECmd, is also available). The utility parses NTUSER.DAT and USRCLASS.DAT by loading the exported hives as offline files, applying the transaction logs when they are supplied alongside a dirty hive; it can also load the active registry of the machine it runs on for a live investigation.
Once the hives are loaded, the tool parses the data and displays it hierarchically. For each folder the user browsed, it shows the MAC timestamps carried in the shell item, the folder's position in the file system, file system details such as the MFT entry, the registry key's last-write time, and the parent-child key relationships, all of which can be used to build a forensic timeline.