A quick note on Shellbag analysis in Windows 7/8

If you are like me you love shellbags and use them on a regular basis to try to get some insight on what exists on external drives. One of...


If you are like me you love shellbags and use them on a regular basis to try to get some insight on what exists on external drives. One of the problems we run into though is that Shellbags stores full paths but not volume names or serial numbers so we cannot see from the entry what external device a recorded path was contained on from just that entry. We can do timeline analysis of devices plugged in, files accessed, drive letters assigned and the like to narrow down which device was plugged in but you are still sometimes left with multiple devices in play. I am going to go more in depth with this in a later series but I wanted to pass on a few tips.

NTFS v FAT entries

One of the easiest ways to tell the difference between drives requires that your sbag parser shows you the file record number and sequence number of the path it is pointing to. Sbag from TZWorks does this. If your tool is reporting this is becomes very easy to separate out the NTFS vs the FAT disks accessed as FAT does not record sequence numbers (its not part of its file system structure) so the sequence values will be null. 

NTFS v NTFS entries

A common thing we see is the same folder being copied to multiple drives, when this happens you can get seemingly duplicate entries in the shellbags. Look closer! The file record and sequence number will be unique between them allowing you to determine that they where contained on different drives.

Identifying the directory accessed

One of the questions I often get asked by clients is, did the drive they return contain the data they copied on to these external drives. Using the same file record and sequence number (or lack there of) we talked about above we can now match those accesses to each drive. I would not expect two drives to have the same file record and sequence number as well as creation times so you can also use the the creation times of the directories as a second factor in verifying that this is in fact the drive they accessed.

keep visiting 
Name

android facebook free-zone Freebies hacking How-to programming scripts video whatsapp
false
ltr
item
Mr Tricks: A quick note on Shellbag analysis in Windows 7/8
A quick note on Shellbag analysis in Windows 7/8
Mr Tricks
http://mr-tricks.blogspot.com/2015/01/a-quick-note-on-shellbag-analysis-in.html
http://mr-tricks.blogspot.com/
http://mr-tricks.blogspot.com/
http://mr-tricks.blogspot.com/2015/01/a-quick-note-on-shellbag-analysis-in.html
true
248440411475805434
UTF-8
Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy