ShellBags Artifacts

Windows Forensics: Shellbags - System Browsing Artifacts

Lab Requirements

In this demo, we will explore different ways to analyze and investigate ShellBags artifacts.

We will be creating a directory named “Malicious” to perform this task.

In this demo, we will cover the first approach to extracting the registry hives from a Windows system.

We will be using a tool called “Windows Live Response” with the “Triage” option to gather all volatile data.

After a successful run, a directory named “Endpoint Artifacts” is created; it contains the registry hives from which the ShellBags entries will later be extracted.

Inside the LiveResponseData > CopiedFiles > Registry directory we expect to see these registry hives:

      • <User>_NTUSER.dat
      • <User>_USRCLASS.dat

Next, using the MiTec Windows Registry Recovery tool, we can inspect the extracted hives for ShellBags entries.

The ShellBags registry keys are located at:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Using the MiTec Windows Registry Recovery tool, we can now check the ShellBags entries; in this case we can see our “Malicious” directory in the Analyst_USRCLASS.dat registry hive.

Learn more about and download MiTec Windows Registry Recovery:

In this approach, we will extract ShellBags entries from the registry of the live system.

To do this, we will use SBECmd.exe from EZ Tools.

Command: SBECmd.exe -l --csv <target_dir>

This command processes the registry of the live system, looks for ShellBags entries, and writes the output to the specified target directory in CSV format.

Learn more about and download SBECmd here: https://www.eyehatemalwares.com/incident-response/eztools/sbecmd/

After successful execution, we use Timeline Explorer from EZ Tools to view the extracted artifacts.

In this case, we can see our “Malicious” directory with its details such as:

Let’s try some GUI-based analysis with ShellBags Explorer.

First, locate the extracted registry hives (e.g. Analyst_USRCLASS.dat).

Next, open the registry hive in ShellBags Explorer.

If successful, we can then see all the ShellBags entries from the selected hive.

Note: When the tool detects that the selected hive is dirty, it won’t process the hive. To force the tool to process it, hold SHIFT while selecting the target hive.

Learn more about and download the tool here: https://www.eyehatemalwares.com/incident-response/eztools/shellbag-explorer/

First, open regedit.exe and browse to the ShellBags registry keys, which are located at:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Browser History

Extracting Browser History artifacts using Memory Forensics: Volatility

Tools used in this demo:

      • Firefox
      • Volatility
      • Notepad++
      • CMD
      • PowerShell
      • Sysinternals Strings

Browser artifacts may contain valuable information that helps the analyst correlate evidence and build a timeline of the incident during the investigation; they can also reveal details such as visited URLs, attachments, and so on.

In this demo, we will cover different ways to extract browser artifacts using the memory forensics tool Volatility.

For this demo, we use the Firefox browser to visit “https://eyehatemalwares.com” as our sample URL.

Next, we run the Volatility pstree plugin to identify parent/child process relationships.

Command: volatility.exe -f browserhistory.mem --profile=Win7SP1x64 pstree

In this case, we identify firefox.exe:532 as the parent process of all the firefox.exe processes.

Now, we can use the Volatility yarascan plugin to search for all URL instances found inside the browser process.

In this case, we use this regex pattern: “/(https?:\/\/)?([\w\.-]+)([\/\w \.-]*)/”

Command: volatility.exe -f browserhistory.vmem --profile=Win7SP1x64 yarascan -Y "/(https?:\/\/)?([\w\.-]+)([\/\w \.-]*)/" -p 532 > firefox_yaraURLscan.txt

Now, let us check “firefox_yaraURLscan.txt”.

In this case, we use Notepad++ as the text editor to view the result.

After a few searches, we can see our target URL “https://eyehatemalwares.com”.

Now, let’s jump to the next section.

The next option is to use the Volatility memdump plugin. To do this, we first need to identify our target browser’s process ID.

Now, we run the Volatility pstree plugin to identify parent/child process relationships.

Command: volatility.exe -f browsinghistory.mem --profile=Win7SP1x64 pstree

In this case, we see firefox.exe:532 as the parent process of all the firefox.exe processes.

Next, we run the Volatility memdump plugin to dump the Firefox process.

Command: volatility.exe -f browsinghistory.mem --profile=Win7SP1x64 memdump -p 532 -D .

In this case, we successfully dumped firefox.exe:532 to our current working directory.

Now, let us extract all strings from this exported process.

To do this, we can use strings.exe from the Sysinternals suite.

Command: strings.exe -a 532.dmp > demo_urlextract.txt

In this case, using Notepad++ we can see all the strings extracted from our firefox.exe process.

In the next section, we will do filtering.

In this section, we will do the filtering using the PowerShell Select-String cmdlet.

To do this, open powershell.exe.

Next, run the following Select-String command.

PowerShell: Select-String -Path .\demo_urlextract.txt -Pattern "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)" | findstr -i eyehatemalwares

Regex pattern used: “https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)”

In this case, we see our target URL “https://eyehatemalwares.com”.
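The strings-then-filter workflow above (memdump, strings.exe, Select-String) as an added Python example, not code from the original page or from the EZ/Volatility/Sysinternals tools. It applies the page's URL regex to a constructed byte blob standing in for a slice of the dumped firefox.exe process, and it scans both ASCII and UTF-16LE views, because Firefox stores many strings as UTF-16LE in memory and a scan restricted to ASCII strings (the `-a` switch of Sysinternals Strings, or a YARA regex without the `wide` modifier) misses them.

```python
import re

# Constructed sample (not a real dump): an ASCII URL, the same host stored as
# UTF-16LE starting at an odd byte offset, and some noise around them.
SAMPLE_DUMP = (
    b"\x00\x00junk\x00https://eyehatemalwares.com/incident-response\x00"
    + "https://eyehatemalwares.com".encode("utf-16-le")
    + b"\x00\x00http://example.test/path?q=1 trailing\x00not-a-url.txt"
)

# The URL pattern from the Select-String step, with the 0-9 ranges restored.
URL_RE = re.compile(
    r"https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b"
    r"([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
)


def _views(blob: bytes, wide: bool):
    """Yield text views of the raw bytes. latin-1 maps one byte to one char,
    so it behaves like an ASCII strings pass. UTF-16LE is decoded at both
    byte alignments, since a wide string may begin on an odd offset."""
    yield blob.decode("latin-1")
    if wide:
        for shift in (0, 1):
            yield blob[shift:].decode("utf-16-le", errors="ignore")


def extract_urls(blob: bytes, wide: bool = True) -> list[str]:
    """Return the unique URLs found in the selected encoding views, sorted.
    wide=False reproduces the ASCII-only behaviour and its blind spot."""
    found = set()
    for text in _views(blob, wide):
        for match in URL_RE.finditer(text):
            found.add(match.group(0))
    return sorted(found)


def urls_for_host(blob: bytes, host: str) -> list[str]:
    """Case-insensitive host filter, the equivalent of `| findstr -i host`."""
    host = host.lower()
    return [u for u in extract_urls(blob) if host in u.lower()]


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_DUMP):
        print(url)
    print("target hits:", urls_for_host(SAMPLE_DUMP, "eyehatemalwares"))
```

Against a real 532.dmp, read the file in binary mode and pass the bytes to `extract_urls`; comparing the `wide=True` and `wide=False` results shows how many URLs an ASCII-only pass would have dropped.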