Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

ShellBags Registry Forensics

I just found the coolest tool, and had to tell everyone about it.

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect's USB stick that you didn't get looked like? Read on!

The data is stored as binary blobs under the following registry keys:


  • HKCU\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
Back in December of 2004, a guy named Michal Mutl of MiTeC, in collaboration with Allen S. Hay of the Northumbria Police, produced a program to interpret these values. The program was enhanced over the following year to do a number of other things such as:

  • Decrypt ROT13 User Assist Keys
  • Parse the Streams MRU
  • Output the Access time of files or folders plus
    the attributes of the files or folders contained within.
  • Mount the SAM file
  • Display Installed Progam Attributes.
  • Handle exported Registry entries from the System Volume Information folder (Restore Points).
The program, Windows Registry Analyzer (WRA), was provided free of charge (per it's included license agreement) from MiTeC's web site until they were acquired by Paraben. After much dedicated searching (Google is your friend!) I found the last publicly released version (1.5.2) in the Internet archive at bibalex. I'd be unfair to Paraben if I didn't mention that they're now selling a descendent of this program, Registry Analyzer v1.0, for a nominal charge of $129.

Here's where I found the reference to the first of the mirrored copies that I ultimately discovered.

And here's a reference to where I read about this first (sorry to those who don't have Guidance forum access).

And another such reference

I was just about to give up on being able to easily provide complete details on how WRA works its magic decoding-fu. Once upon a time, this information was available here, but that's gone since Paraben acquired MiTeC. Just as I was about to upload this article, however, I thought to try feeding the above URL into the bibalex archive where I'd found the zip file. Isn't the Internet grand?

I'd repeat the salient bits here, but they run to several pages, and Allen Hay did a good job illustrating the explanation anyway, so check it out there.

I'd already submitted this article for review, but I pulled it back for revision when found some more cool bits that deserve mention. The tool and paper referenced above actually document some other registry keys as well:

  • HKCU\Software\Microsoft\Windows\Currentversion\Explorer\StreamMRU
  • HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Streams
These keys contain information similar to that found in ShellBags. Both ShellBags and StreamMRU also include a snapshot of file/folder MACtime data.

An even cooler facet of this is that Windows Restore Points archive copies of NTUSER.DAT which can be opened with this tool. So you can potentially browse through a significant amount of historical file/folder data. As there are a limited number of these entries (According to this page, by default there are 28 StreamMRUs and according to this page, there are 200 local folder bags entries and 200 network folder bags entries) these entries will cycle through, and different restore points may contain different data. There would appear to be some overlap in the functioning of these two registry mechanisms, but it's not clear to me how this is resolved.

Additionally, the Registry Analyzer tool decodes several other registry keys/values, including ProgramsCache (can't find a reference, sorry) and Userassist.

I also downloaded the demo of the current version from Paraben, and a cursory examination shows no significant differences from the free version.

If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.

5 Comments

Posted November 01, 2008 at 9:12 AM | Permalink | Reply

keydet89

Interesting blog entry, but without to the actual tool, what is one to do?

Posted November 01, 2008 at 9:26 PM | Permalink | Reply

cpldbc

It's ironic. I have been trying to link an external drive to a laptop for quite some time now. I finally located the proof I needed through the ShellNoRoam key, showing that the folder had been altered on the external drive, through the laptop.

I just finished looking up all of the same BagMRU info on Wednesday, and then read your synopsis on Friday. Felt like deja vu on Halloween.

Nice work.

-dc

Posted November 03, 2008 at 12:27 PM | Permalink | Reply

johnmccash

keydet89 - There are links in the text which point to the downloadable tool and several references. specifically:

Tool: http://web.archive.bibalex.org/web/20050212140945/http:/www.mitec.cz/Downloads/WRA.zip

Registry key formats: http://web.archive.bibalex.org/web/20050529130051/www.mitec.cz/Downloads/WRA+Guidance.pdf

Other references:

http://ubcd4win.com/forum/index.php?act=Print&client=printer&f=16&t=6655

https://support.guidancesoftware.com/forum/showthread.php?t=22901

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=243

http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=310

http://support.microsoft.com/kb/235994

http://support.microsoft.com/kb/813711/en-us

http://blog.didierstevens.com/programs/userassist/

I hope this helps you.
John

Posted November 14, 2008 at 1:48 PM | Permalink | Reply

johnmccash

One more thing I neglected to mention. Neither the free nor the commercial version of the Registry Analyzer will run under 64bit Windows, even in 32bit mode. I complained to Paraben about this, and they replied that 64bit support will be added in a future release. No date is yet available for that, of course.

Posted February 10, 2010 at 9:33 PM | Permalink | Reply

Fifth.Sentinel

I was looking into Shell Bags yesterday. I came across this reference also that has a decent overview of Shell Bags.

http://42llc.net/index.php?option=com_myblog&task=tag&category=Shell+Bags&Itemid=39


Fifth.Sentinel

Post a Comment






Captcha

* Indicates a required field.