Windows Forensics: Shellbags - System Browsing Artifacts

Lab Requirements


In this demo, we will explore different ways to analyze and investigate shellbag artifacts.

We will be creating a directory named “Malicious” to perform this task.

 

In this demo, we will tackle the first approach: extracting registry hives from a Windows system.

We will be using a tool called “Windows Live Response” with the “Triage” option to gather all volatile data.

After successful execution, a directory named “Endpoint Artifacts” will be created, which contains the registry hives that can be used later to extract shellbags entries.


Inside the LiveResponseData > CopiedFiles > Registry directory, we expect to see these registry hives:

      • <User>_NTUSER.dat
      • <User>_USRCLASS.dat

Next, using the MiTec Windows Registry Recovery tool, we can inspect the extracted hives for shellbags entries.

The shellbags registry locations are:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

By using the MiTec Windows Registry Recovery tool, we are now able to check shellbags entries, and in this case we can see our “malicious” directory in the Analyst_USRCLASS.dat registry hive.

Learn and Download MiTec Registry Recovery:

In this approach, we will extract shellbags entries from the registry of the live system.

To do this, we will be using SBECmd.exe from EZ tools.

Command: SBECmd.exe -l --csv <target_dir>

The command processes the registry of the live system to look for shellbag entries, then dumps the output in CSV format inside the specified target directory.

Learn and Download SBECmd here: https://www.eyehatemalwares.com/incident-response/eztools/sbecmd/
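
The CSV that SBECmd writes can also be triaged with a script. The following is an added example, not part of the original page or of EZ tools: it searches the export for a folder name such as “Malicious” and orders the hits by time. The column names (AbsolutePath, LastWriteTime), the timestamp format and the sample rows are assumptions constructed for illustration; check them against the header of your own export.

```python
import csv
import io
from datetime import datetime

# Constructed sample standing in for an SBECmd CSV export. The column names
# are an assumption about the export layout; adjust them to your file's header.
SAMPLE_CSV = """\ufeffAbsolutePath,ShellType,CreatedOn,LastWriteTime
Desktop\\My Computer\\C:\\Users\\Analyst\\Documents,Directory,2023-01-10 08:15:02,2023-01-10 08:15:40
Desktop\\My Computer\\C:\\Users\\Analyst\\Desktop\\Malicious,Directory,2023-01-12 14:03:11,2023-01-12 14:05:27
Desktop\\My Computer\\E:\\malicious_tools,Directory,,2023-01-11 09:00:00
"""

def parse_ts(value):
    """Return a datetime, or None when the field is empty or unparseable."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S")
    except (AttributeError, ValueError):
        return None

def find_shellbag_hits(csv_text, keyword,
                       path_col="AbsolutePath", time_col="LastWriteTime"):
    """Rows whose folder path contains keyword (case-insensitive), oldest first."""
    # Strip a UTF-8 byte order mark so the first header name matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    if path_col not in (reader.fieldnames or []):
        raise ValueError(f"column {path_col!r} not in header {reader.fieldnames}")
    needle = keyword.lower()
    hits = [row for row in reader if needle in (row[path_col] or "").lower()]
    # Rows without a usable timestamp sort last instead of raising.
    hits.sort(key=lambda r: (parse_ts(r.get(time_col)) is None,
                             parse_ts(r.get(time_col)) or datetime.min))
    return hits

if __name__ == "__main__":
    for row in find_shellbag_hits(SAMPLE_CSV, "malicious"):
        print(row["LastWriteTime"], row["AbsolutePath"])
```

To run it on a real export, read the file with `open(path, encoding="utf-8-sig").read()` and pass the text to `find_shellbag_hits`.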

After successful execution, we use Timeline Explorer from EZ tools to view the extracted artifacts.

In this case, we can see our “Malicious” directory with its details such as:

Let’s try some GUI-based analysis.

First, locate the extracted registry hives (e.g. Analyst_USRCLASS.dat).

Next, open the registry hive inside ShellbagExplorer.

If successful, we can then see all the Shellbag entries from the selected hive.

Note: When this tool detects that the selected hive is dirty, it won’t process the hive. To force the tool to process it, press SHIFT and then select the target hive.

Learn and Download the tool here: https://www.eyehatemalwares.com/incident-response/eztools/shellbag-explorer/

First, open regedit.exe and browse these registry keys:

The shellbags registry locations are:

    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\Bags
    • NTUSER.dat\SOFTWARE\Microsoft\Windows\Shell\BagMRU
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU