Saturday, January 28, 2012

Including Shellbag Data in Timelines

Windows shellbags hold a wealth of potential evidentiary value in forensic investigations.  There are already a few articles that detail the forensic impact of shellbags, including Chad Tilbury's writeup on Windows 7 shellbags and a great article by Willi Ballenthin.  The metadata stored inside the shellbags (in particular the timestamps recorded for each folder) is of particular interest when it comes to forensic investigations.

Since shellbags are not parsed by the current version of log2timeline (0.62), my first thought was to write a log2timeline module to incorporate shellbag data; however, my Perl abilities are not yet up to the task (although I'm working on them!).  So instead I decided to find a way to use existing tools to accomplish what I set out to do: incorporate shellbag data into my timeline.

With the latest release of SIFT, Willi Ballenthin's shellbags.py script is included in the mix.  shellbags.py, documented on Willi's site, parses the shellbag data from a registry hive and outputs the result in bodyfile format.  That bodyfile can then be passed through mactime to obtain a timeline of the user's shellbag events, and that timeline can in turn be merged with a timeline from log2timeline, because both tools speak the same bodyfile format.  To illustrate, I've included an example of combining MFT and shellbag timelines below.  Note that this assumes the MFT and NTUSER.DAT have already been extracted from the image.

There are a couple of slightly different approaches you can take when you know you'll be adding shellbag data to a timeline.  The first is to create a bodyfile using log2timeline, append the shellbag bodyfile to it, and then run mactime against the combined file.  The second is to run mactime against each tool's output separately and then merge the two resulting timelines.  Both options are shown below.

Option 1
  1. log2timeline -o mactime -f mft -z GMT my.mft > tln_body
  2. shellbags.py ntuser.dat >> tln_body
  3. mactime -d -b tln_body > timeline.csv
Option 2
  1. log2timeline -o mactime -f mft -z GMT my.mft | mactime -d -b - > timeline.csv
  2. shellbags.py ntuser.dat | mactime -d -b - | sed '1d' - >> timeline.csv
Note that in the second option above, I piped the mactime output through "sed '1d' -" because I wanted to eliminate the header row from my shellbag timeline before appending it to the existing timeline.  This way, I don't have a header row in the middle of my timeline.  It likely wouldn't make a difference during analysis, but I don't like knowing that it's there.  Two caveats apply to the second option.  First, because the shellbag rows are appended after the MFT rows, the combined file is two sorted segments back to back rather than one chronologically sorted timeline; if ordering matters, use the first option (where mactime sorts everything together) or re-sort the combined output by date afterwards.  Second, both mactime runs must render timestamps the same way, so if you pass a time zone to mactime with -z for one stream, pass the same one for the other.  It's also important to point out that you'll need the mactime output module of log2timeline (-o mactime) if you plan on merging it with your shellbag timeline.  log2timeline's current default output is a CSV format, not a bodyfile, so running mactime against it splits the fields in the wrong places and strips the values out of the resulting timeline.
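To make concrete what the two pipelines above rely on, here is an added example that is not code from the original post, log2timeline, shellbags.py or mactime.  It parses the TSK bodyfile format both tools emit, expands each record into per-timestamp rows with MACB flags the way mactime does, and merges any number of sources into one sorted timeline with a single header row.  The MFT and shellbag records are constructed for the example (the "Shellbag ..." naming is my own convention, not shellbags.py's output), and the CSV header line is the l2t_csv column set as I recall it, included only to show what happens when non-bodyfile input is fed to a bodyfile consumer.

```python
"""Merge bodyfile output from several tools into one mactime-style timeline.

Added example; not code from the original post, log2timeline, shellbags.py or
mactime. All sample records are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# TSK 3.x bodyfile field order:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE_FIELDS = 11

# Constructed: what an MFT parser with a bodyfile/mactime output module might emit.
MFT_BODY = r"""
0|C:/Users/bob/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1327600000|1327590000|1327590000|1327500000
0|C:/Users/bob/Downloads/setup.exe|1300-128-1|r/rrwxrwxrwx|0|0|512000|1327620000|1327610000|1327610000|1327610000
"""

# Constructed: shellbag folder records in the same layout ("Shellbag" prefix is
# my own labelling). A timestamp of 0 means "not set" and produces no row.
SHELLBAG_BODY = r"""
0|Shellbag E:\Photos|0|0|0|0|0|1327605000|1327595000|1327595000|1327595000
0|Shellbag C:\Users\bob\Documents\old|0|0|0|0|0|0|1327598000|0|0
"""

# Constructed: a header line from log2timeline's default (l2t_csv) output. This is
# not a bodyfile, which is why mactime mangles it; the parser below rejects it.
L2T_CSV_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
                  "short,desc,version,filename,inode,notes,format,extra")


def parse_bodyfile(text):
    """Parse bodyfile text into dicts; reject lines that are not 11 '|'-separated fields."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != BODYFILE_FIELDS:
            raise ValueError(
                f"line {lineno}: expected {BODYFILE_FIELDS} fields, got {len(fields)} "
                "(is this bodyfile output, or the default CSV?)")
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": inode, "size": int(size or 0),
            "atime": int(atime or 0), "mtime": int(mtime or 0),
            "ctime": int(ctime or 0), "crtime": int(crtime or 0),
        })
    return records


def expand_events(records):
    """Turn each record into (epoch, MACB, size, inode, name) rows, one per distinct
    non-zero timestamp. Equal timestamps within one record fold into a single row,
    so a file created and last modified at the same instant shows as 'm.cb'."""
    events = []
    for r in records:
        by_time = {}
        for flag, key in zip("macb", ("mtime", "atime", "ctime", "crtime")):
            if r[key] > 0:
                by_time.setdefault(r[key], set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, r["size"], r["inode"], r["name"]))
    return events


def build_timeline(*bodyfiles, tz=timezone.utc):
    """Merge any number of bodyfiles into one chronologically sorted timeline.
    Returns rows of (date string, MACB, size, inode, name); one tz for all sources."""
    events = []
    for text in bodyfiles:
        events.extend(expand_events(parse_bodyfile(text)))
    events.sort(key=lambda e: (e[0], e[4]))  # time first, name breaks ties
    return [(datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S"),
             macb, size, inode, name) for ts, macb, size, inode, name in events]


def to_csv(rows):
    """Emit CSV with exactly one header row regardless of how many sources were merged."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Date", "Type", "Size", "Meta", "File Name"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(MFT_BODY, SHELLBAG_BODY)))
```

Because every source is expanded into epoch-keyed events before sorting, the shellbag rows land between the MFT rows in time order, which is the behaviour of Option 1; appending a separately sorted CSV, as in Option 2, would instead leave them in a block at the end.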

While a module to parse shellbag data will undoubtedly be added to log2timeline in the future, we at least have the option of manually adding shellbag data to an existing timeline now.  It may not always be necessary to include shellbags in a timeline during an investigation; however, in some cases it can add the context needed to connect the dots around removable devices or activity involving deleted folders.

3 comments:

  1. Just an FYI, but RegRipper comes with two plugins that might be of use...bagtest.pl and bagtest2.pl. I need to add the parsing of the timestamps to the plugins, but they may be useful as starting points for you.

  2. Thanks for the note. I remember reading about bagtest.pl and bagtest2.pl in WRF, but I haven't tried them out yet. I'll take a look at them and see where that leads me - thanks for the tip!

  3. I released the shellbags.pl RR plugin last week...
