Unveiling User Activity: A Deep Dive into Shellbag Forensics with shellbags.py

In the realm of digital forensics and incident response, understanding user activity is paramount. Windows operating systems, in particular, leave behind a wealth of information about how users interact with the file system. One valuable source of such data is Shellbags, and shellbags.py is a powerful tool for parsing and analyzing them. This article explores what Shellbags are, how shellbags.py works, and why it's crucial for investigators.

What are Shellbags?

Shellbags are a feature in Windows that records the view settings (size, position, icon arrangement, etc.) for folders a user has accessed via Windows Explorer. This information is stored within the Windows Registry, specifically in the NTUSER.DAT hive for each user profile. Shellbags can reveal a user's navigation history, providing insights into:

• Folder Access: Which folders a user has opened.
• Timestamps: When a folder was first accessed, last accessed, and modified.
• Folder Preferences: How the user preferred to view a specific folder (e.g., details view, tiles view).

Analyzing Shellbags can help reconstruct user activities, identify potential data breaches, and uncover accessed files of interest.

Introducing shellbags.py: Your Open-Source Shellbag Parser

shellbags.py is a cross-platform, open-source tool designed to efficiently parse Shellbag entries from a Windows Registry hive. Developed by Willi Ballenthin and available on GitHub, it provides a straightforward and accessible way to extract valuable forensic data.

Key Features:

• Cross-Platform: Works on various operating systems, not just Windows.
• Open-Source: The code is freely available, allowing for community contributions and modifications.
• Bodyfile Output: Supports outputting data in the Bodyfile format, a standard format used in many forensic analysis tools.
• CSV Output: Offers the option to export the extracted information into comma-separated values for easy analysis with spreadsheet software.
• Python-Based: Built using Python, making it relatively easy to understand and extend.

Getting Started with shellbags.py

To use shellbags.py, you'll need the following:

• Python 2.7: shellbags.py is written for Python version 2.7.

• Required Libraries: argparse, six and python-registry. You can install these using pip:

  pip install argparse six python-registry
  

• A Windows Registry Hive: This should be a forensically acquired copy of the NTUSER.DAT file from a user's profile.

Basic Usage:

1. Clone the Repository: Download the shellbags.py script from the GitHub repository.

2. Run the Script: Execute the script from the command line, providing the path to the Registry hive as an argument.

   python shellbags.py /path/to/NTUSER.DAT
   

   This will output the parsed Shellbag data in Bodyfile format to the console.

3. Analyzing the Output: The output provides information like path (folder accessed), timestamps (when first accessed, last accessed, etc.), and other metadata which can be used to piece together a user's actions.

Example Output (Bodyfile Format):

0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456

Command-Line Options:

• -h, --help: Displays the help message with usage instructions.
• -v: Enables verbose debugging output which may be useful for troubleshooting.
• -p: Augments debugging messages with ANSI color codes for improved readability.
• -o {csv,bodyfile}: Specifies the output format. Use -o csv to output the data in CSV format.

Why shellbags.py is Important for Forensics

shellbags.py empowers digital forensic investigators and incident responders in several key ways:

• Timeline Reconstruction: Timestamps associated with Shellbag entries provide a valuable timeline of user activity within the file system.
• Evidence of Access: Shellbags can confirm whether a user accessed specific folders, even if files within those folders have been deleted or modified.
• Malware Analysis: Shellbags can potentially reveal the folders that malware has accessed or created, aiding in malware analysis and remediation.
• User Profiling: Analysis of Shellbags contributes to understanding and profiling user behavior, which can be crucial in insider threat investigations.

Further Exploration and Resources

• Willi Ballenthin's Blog: The original algorithm behind shellbags.py is documented on Willi Ballenthin's website: http://www.williballenthin.com/forensics/shellbags/index.html
• DFRWS Paper: "Using shellbag information to reconstruct user activities" by Yuandong Zhu, Pavel Gladyshev, and Joshua James: http://www.dfrws.org/2009/proceedings/p69-zhu.pdf
• 42 LLC Blog: "Shell BAG Format Analysis" by Yogesh Khatri provides valuable insights into the Shellbag structure: https://42llc.net/?p=385
• GitHub Sponsors: Support open-source developers like Willi Ballenthin through GitHub Sponsors.

Conclusion

shellbags.py is an invaluable tool for anyone involved in digital forensics, incident response, or security analysis. Its cross-platform compatibility, open-source nature, and ability to parse Shellbags effectively make it a must-have in any investigator's toolkit. By leveraging the insights provided by Shellbag analysis, investigators can gain a deeper understanding of user activity and uncover critical evidence.