
ShellBags Confusion

(@cults14)

Hi, I'm working on a case where I have two separate images of the same user laptop HD taken at different times. User has left the company (actually on garden leave at the mo). I DON'T have the laptop, it's been wiped and re-issued (don't ask). XP SP3.

Issue: the user is suspected of putting sensitive files onto external media, and had CCleaner installed, so there's lots of the normal good forensic stuff missing (hardly any Recent Docs, Setupapi, IE history et al.).

I don't know much about ShellBags but am trying to understand the following entry on the user's NTUser.DAT, as viewed by AD Registry Viewer in "ntuser.dat\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\2"

Full Path = "My Computer\E\COMPETITIVE INFORMATION"
Key Last Write = 15/04/2011 08:26:38 UTC
Value Create = 16/03/2011 21:45:24 UTC
Value Modify = 16/03/2011 21:45:26 UTC
Value Access = 16/03/2011

BTW, we're in the UK, so the March UTC dates are the same as local time; for April you need to add 1 hr to get local time.

Significance of the dates: 16th March is the day before he handed in his notice, and apparently the day he installed CCleaner.
15th April was his last day at work; we know that he used an external HD (not thumb/flash) to access some personal photos around that time on the 15th.

I've been trying to re-create possible actions in terms of creating folders on C and a thumb drive (E on my system), opening them, copying documents, opening documents, and using FTKI to export ntuser.dat after every operation. But there is absolutely NO sign of E anything in ShellBags. Tried logging on as a different user so the ntuser.dat file wasn't even in use. No joy.

Now, here's the thing. I disconnected the thumb drive and connected a portable USB HD (again as E). Then copied a folder from C to E, opened a document, closed it, exported NTUser.dat, and BINGO, there's the E I was hoping for in
"ntuser.dat.copy5\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3"

So, based on the extremely limited testing above, it appears that ShellBags does NOT record folders created/accessed on thumb/flash drives. Is this correct?

If so, major boost to my case, as we know that the user had two external HDs and one of them was drive E.

OK we still can't prove if the "E\COMPETITIVE INFORMATION" contained any files (or if it did, that they were work-related). But we're building a case.

Thanks in anticipation

 
Posted : 26/04/2011 6:06 pm
(@hujarl)

Have you taken a look at the restore point data just prior to the CCleaner install? While it doesn't answer your Shellbags question directly, the backup ntuser.dat info prior to the cleaner install might show much more valuable information.

I see that in similar cases pretty consistently…

 
Posted : 26/04/2011 9:07 pm
(@xennith)

Shellbags are a pain in the a**e to work out in your head; each key represents a folder, organised in a hierarchical view. If your suspect didn't create or view any subfolders on the thumb drive to copy the files over, then the shellbags info would be severely restricted.

AFAIK the data isn't restricted to just local fixed drives, but is the data stored by drive letter, GUID or volume ID?

It's very hard to give much guidance without seeing the data myself, except to return to the root of the shellbags tree and see if you can identify the various drives; also see if you can find/write a suitable parsing tool.

 
Posted : 26/04/2011 9:23 pm
(@cults14)

Re Restore Points: guess what CCleaner does? Yup, deletes Restore Points. And later in life wipes free space. I have some Restore Points, but only from 20th March to 30th March and again from 14th to 15th April.

Xennith, not quite sure what you mean by "is the data stored by drive letter, GUID or volume ID". I had my hands on one external drive (LaCie 1TB) on 15th April and was able to tie it down to drive E using Rob Lee's guidelines for USB enclosures.

HTH

 
Posted : 27/04/2011 1:14 am
(@xennith)

Full Path = "My Computer\E\COMPETITIVE INFORMATION"
Key Last Write = 15/04/2011 08:26:38 UTC
Value Create = 16/03/2011 21:45:24 UTC
Value Modify = 16/03/2011 21:45:26 UTC
Value Access = 16/03/2011

This simply means that this user account first saw this folder open in Explorer on 16/03/2011 at 21:45:24, and that the window was moved on 16/03/2011 at 21:45:26 (I'm assuming the first timestamp is the E\ drive key).

I was asking if the keys were stored by volume letter, GUID or volume signature, to eliminate any confusion about which device was which and whether you could then say exactly what folders existed on a given device. But it looks like there's a lot of overlap: it's possible for a computer to see a number of different E drives, and from shellbags alone it's hard to say which belongs where. Also, what if that drive were at some later point mounted as the F\ drive…

 
Posted : 27/04/2011 2:08 am
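To make the two questions above concrete (what a BagMRU entry actually stores, and why "E" on its own does not identify a device), here is an added example that is not code from this thread or from any tool named in it. It parses the shell items behind a BagMRU value, rebuilds the "My Computer\E\..." path, decodes the FAT timestamps the items carry, and then looks the drive letter up in MountedDevices. The byte layouts follow the published shell item format (libfwsi documentation) as I understand it: volume item 0x2F, file entry item 0x31 with a 0xBEEF0004 extension block. Every byte string below is constructed for the example; the vendor, product and serial strings are made up, and the MountedDevices values are constructed in the same shape Windows writes them, not taken from any real hive.

```python
"""Added example, not from the thread. Parse XP ShellBag (BagMRU) shell items,
rebuild the folder path, decode FAT timestamps, and map the drive letter back
to a device via MountedDevices-style values. All sample data is constructed."""
import re
import struct
from datetime import datetime

BEEF0004 = struct.pack("<I", 0xBEEF0004)
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_[^#]*#(?P<serial>[^&#]*)")


def decode_fat_datetime(raw):
    """Shell items store DOS date then DOS time: 2 s resolution, local time
    (not UTC), and a zero date means the field was never set."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def parse_shell_items(blob):
    """Walk an item list: repeated [size(2) | class type(1) | payload], ended by 0x0000."""
    items, off = [], 0
    while off + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, off)[0]
        if size == 0:
            break
        item, off = blob[off:off + size], off + size
        kind = item[2]
        if kind == 0x2F:                      # volume item: ASCII "E:\" at offset 3, letter only
            letter = item[3:].split(b"\0", 1)[0].decode("ascii")
            items.append({"type": "volume", "name": letter.rstrip("\\:")})
        elif (kind & 0x70) == 0x30:           # file entry item; bit 0 set means directory
            entry = {"type": "dir" if kind & 1 else "file",
                     "name": item[14:].split(b"\0", 1)[0].decode("ascii"),  # 8.3 name
                     "modified": decode_fat_datetime(item[8:12]),
                     "created": None, "accessed": None}
            sig = item.find(BEEF0004)
            if sig >= 4:                      # extension block: size(2) version(2) signature(4) ...
                ext = item[sig - 4:]
                entry["created"] = decode_fat_datetime(ext[8:12])
                entry["accessed"] = decode_fat_datetime(ext[12:16])
                entry["name"] = ext[18:].decode("utf-16-le", "ignore").split("\0", 1)[0]
            items.append(entry)
        else:
            items.append({"type": f"0x{kind:02x}", "name": "?"})
    return items


def build_path(items):
    """Mirror the "My Computer\\E\\folder" form that registry viewers display."""
    return "\\".join(["My Computer"] + [i["name"] for i in items])


def resolve_drive(letter, mounted):
    """Map a drive letter to the device string held in MountedDevices. Only the
    most recent assignment survives there, so a letter seen in an old ShellBag
    may have belonged to a different device at the time the key was written."""
    raw = mounted.get("\\DosDevices\\" + letter + ":")
    if raw is None:
        return None
    text = raw.decode("utf-16-le").rstrip("\0")
    m = USBSTOR_RE.search(text)
    return m.groupdict() if m else {"device": text}


# --- constructed sample data (not case data) --------------------------------
def _fat(dt):
    return struct.pack("<HH", ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
                       (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def _volume_item(letter):
    body = b"\x2f" + (letter + ":\\").encode("ascii").ljust(20, b"\0")
    return struct.pack("<H", 2 + len(body)) + body


def _dir_item(short, long, modified, created, accessed):
    name = short.encode("ascii") + b"\0"
    name += b"\0" * (len(name) % 2)          # short name is padded to 2 bytes
    rest = (struct.pack("<H", 3) + BEEF0004 + _fat(created) + _fat(accessed)
            + b"\x14\x00" + long.encode("utf-16-le") + b"\0\0")
    ext = struct.pack("<H", len(rest) + 4) + rest + struct.pack("<H", 14 + len(name))
    body = b"\x31\x00" + struct.pack("<I", 0) + _fat(modified) + struct.pack("<H", 0x10) + name + ext
    return struct.pack("<H", 2 + len(body)) + body


SAMPLE_BAGMRU = (_volume_item("E")
                 + _dir_item("COMPET~1", "COMPETITIVE INFORMATION",
                             datetime(2011, 3, 16, 21, 45, 24),
                             datetime(2011, 3, 16, 21, 45, 24),
                             datetime(2011, 3, 16))
                 + b"\0\0")
SAMPLE_MOUNTED = {                            # made-up vendor/product/serial strings
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_LaCie&Prod_Desktop_Drive&Rev_0001"
                         "#ABC123456789&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    "\\DosDevices\\F:": ("\\??\\STORAGE#RemovableMedia#7&2a3b4c5d&0&RM"
                         "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}


def correlate(blob, mounted):
    items = parse_shell_items(blob)
    folder = next((i for i in items if i["type"] == "dir"), {})
    return {"path": build_path(items), "created": folder.get("created"),
            "modified": folder.get("modified"), "accessed": folder.get("accessed"),
            "device": resolve_drive(items[0]["name"], mounted) if items else None}


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_BAGMRU, SAMPLE_MOUNTED).items():
        print(f"{key:9}: {value}")
```

Two things worth noticing when running it against a real hive: the volume item holds nothing but the letter, so the "E" in the path is only as good as whatever was mapped to E: at the time, and MountedDevices keeps just the latest assignment. A flash drive typically shows up there as a STORAGE#RemovableMedia string rather than a USBSTOR string, which is why the F: sample falls through to the raw device text. Tie the BagMRU key's last-write time to the USBSTOR and MountedDevices evidence before asserting which enclosure "E" was.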
(@hujarl)

Cults14,

Understood what CCleaner can do, though rarely has it been used effectively in my experience. To your own point, some Restore Points do exist after the install date of the 16th.

Assuming you have already analysed the restore points from the dates mentioned for recent file activity, I'd suggest using a tool like Windows Registry Analyzer (WRA, now owned by Paraben iirc) to cull the shellbags info. The layout puts the various key info in a decent format to compare the various screen sizing info. That has turned up some interesting external media information.

I'd bet that RegRipper has some plugins that do similar rips too.

 
Posted : 27/04/2011 2:25 am
(@armresl)

When did Paraben take over WRA?

I haven't heard about that.


 
Posted : 27/04/2011 4:07 am
(@pbobby)

Registry Analyzer was sold as a separate product by Paraben for some time. Now it is available only as part of P2 Commander.

You can still find the 1.5 version from MiTeC out on the internet, although Paraben did their best to remove it.

 
Posted : 27/04/2011 4:56 am
(@zikmik)

I'll point you to this software:

ShellBagsView v1.08
Copyright © 2008 - 2011 Nir Sofer
http://www.nirsoft.net/utils/shell_bags_view.html

Hope it will help you!

 
Posted : 27/04/2011 4:09 pm