Home Articles Shellbags Forensics: Directory Viewing Preferences

Shellbags Forensics: Directory Viewing Preferences

0
0
1,631

Had some free time last week, so decided to participate in David Cowen’s Sunday Funday challenge. My submission didn’t win, but I decided to post it anyway.

1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view)

You can find these settings under:

UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\<Node_slot>\ComDlg\{GUID}

OR

UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\<Node_slot>\ComDlgLegacy\{GUID}

OR

UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\<Node_slot>\Shell\{GUID}.

AS WELL AS

Software\Microsoft\Windows\Shell\Bags\<Node_slot>\Shell\{GUID} OR Desktop Here is an example from my laptop:

UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\519\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}

These settings are for Python27 folder located in the root of my C: drive, here is the output from the Shellbags Explorer:

Name: Python27
Absolute path: Desktop\My Computer\C:\Python27
Key-Value name path: BagMRU\0\2-13
Registry last write time: 2019-01-27 19:34:22.916

Target timestamps
Created on: 2018-03-10 15:04:44.000
Modified on: 2018-03-10 15:04:52.000
Last accessed on: 2018-03-10 15:04:52.000

Miscellaneous
Shell type: Directory
Node slot: 519
MRU position: 12
# of child bags: 1

Let’s focus on the most interesting values:

IconSize – it’s pretty self-explanatory, it’s the size of the icon the user will see, in my case it’s 16 pixels.

Next, LogicalViewMode, it’s more interesting, in my case it’s 1, and it means Details view. Here are other possible values:

2 – Tiles view

3 – Icons view

4 – List view

5 – Content view

One more, Mode. In my case it’s 4, and its Details mode, so I will see object names and some other information about them. Let’s look at other modes:

1 – medium size items

2 – small icons

3 – list view

4 – details view

5 – thumbnail icons

6 – large icons

7 – icons in filmstrip format (only for XP)

8 – content mode

Another value – Vid, here are possible Vids:

View Mode vid
Icons 1 {0057D0E0-3573-11CF-AE69-08002B2E1262}
List 3 {0E1FA5E0-3573-11CF-AE69-08002B2E1262}
Details 4 {137E7700-3573-11CF-AE69-08002B2E1262}
Thumbnail 5 {8BEBB290-52D0-11D0-B7F4-00C04FD706EC}
Tiles 6 {65F125E5-7BE1-4810-BA9D-D271C8432CE3}
Filmstrip 7 {8EEFA624-D1E9-445B-94B7-74FBCE2EA11A}

That’s right, in our case we have {137E7700-3573-11CF-AE69-08002B2E1262}, and it corresponds to Details view and mode 4 – details.

Next value, Sort. According to Adam Ferrante’s research, and my additional research, here are some possible user settings (based on the last 8 bytes of the value):

Column Identifiers (first 4 bytes):

Date Modified 0e 00 00 00
Date Accessed 10 00 00 00
Date Created 0f 00 00 00
Type 0b 00 00 00
Size 0c 00 00 00
Name 0a 00 00 00
Title 02 00 00 00
Tags 05 00 00 00

Order Identifiers (last 4 bytes):

Ascending 01 00 00 00
Descending ff ff ff ff

In our case it’s ascending sorting under the Name column.

GroupByKey:PID. Again, according to Adam’s research, and my additional research, “Group by” setting can have one of the following values:

Category GroupByKey:PID value
Name 10
Date modified 14
Type 4*
Size 12
Date created 15
Authors 4*
Tags 5
Title 2
Date accessed 16
No “Group by” applied 0

*It is still unknown why these two values were the same.

In our case no “Group by” is applied.

2. What is the default view if they don’t change anything?

Ok, default values. Let’s create a folder called “Shellbags_test” and see:

Name: Shellbags_test
Absolute path: Desktop\My Computer\C:\Shellbags_test
Key-Value name path: BagMRU\0\2-18
Registry last write time: 2019-01-27 19:34:22.916

Target timestamps
Created on: 2019-01-27 19:33:14.000
Modified on: 2019-01-27 19:33:14.000
Last accessed on: 2019-01-27 19:33:14.000

Miscellaneous
Shell type: Directory
Node slot: 1 239
MRU position: 1
# of child bags: 0

First interacted with: 2019-01-27 19:33:25.619

Ok, let’s go to node slot 1 239:

UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\1239\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}

We can see the same icon size, view and mode, Vid, ascending sorting under the Name column, and no “Group by”. So, it seems the default values will be details view and mode with 16 pixels’ thumbnails, ascending sorting under the Name column, and no “Group by”.

Let’s look at another interesting key:

NTUSER.DAT: Software\Microsoft\Windows\Shell\Bags\1\Desktop

This shows settings for the Desktop, and it has different defaults:

Mode (1) – medium icons

LogicalViewMode (3) – icons view

IconSize (48) – 48×48

Sort (00 00 00 00 00 00 00 00) – no sorting

GroupByKey:PID (0) – not available.

It’s important to note, that IconLayouts value will be almost always different, because it depends on the files and shortcuts on the Desktop. You can find a useful post on this here: http://misty.moe/2018/08/21/reverse-engineering-of-newly-introduced-iconlayouts-registry-value/

3. If a user attempts to access the system volume information directory and a shellbag entry gets created (it should deny them access) what directory viewing settings are left behind

I attempted to access system volume information directory, and looked at its shellbag entry in the ShellBags Explorer:

Name: System Volume Information
Absolute path: Desktop\My Computer\C:\System Volume Information
Key-Value name path: BagMRU\0\2-16
Registry last write time: 2019-01-27 19:34:22.916

Target timestamps
Created on: 2016-04-02 01:56:06.000
Modified on: 2019-01-27 16:25:14.000
Last accessed on: 2019-01-27 16:25:14.000

Miscellaneous
Shell type: Directory
Node slot: 1 228
MRU position: 4
# of child bags: 0

First interacted with: 2019-01-27 18:06:36.888

Ok, node slot 1 228:

There are no directory viewing settings left behind, probably, because there was no actual access to the folder, so no settings were applied.

Load More Related Articles
Load More In Articles

Leave a Reply

Your email address will not be published. Required fields are marked *