WEBVTT

0:00:03.020000 --> 0:00:07.220000
In this video, I will explain ShellBags Explorer and how it can help us

0:00:07.220000 --> 0:00:09.060000
analyze ShellBags.

0:00:09.060000 --> 0:00:13.100000
ShellBags are extremely useful evidence that's found on Windows machines.

0:00:13.100000 --> 0:00:17.320000
Microsoft uses it for tracking and to improve the user experience.

0:00:17.320000 --> 0:00:22.700000
ShellBags are a type of registry key, but they also store user preferences.

0:00:22.700000 --> 0:00:26.920000
For example, as a digital forensics investigator, with ShellBags, you

0:00:26.920000 --> 0:00:29.900000
can prove whether a user accessed a specific folder or not.

0:00:29.900000 --> 0:00:34.160000
You can even check to see if a specific folder was created, or if it was

0:00:34.160000 --> 0:00:35.960000
available or not.

0:00:35.960000 --> 0:00:39.440000
Also, you can find out whether external drives and directories have been

0:00:39.440000 --> 0:00:41.640000
accessed on external drives.

0:00:41.640000 --> 0:00:45.140000
These are only a few examples, but there is a lot of information that

0:00:45.140000 --> 0:00:49.420000
you can acquire from ShellBags that will help you with an investigation.

0:00:49.420000 --> 0:00:52.040000
The way a ShellBag will be created depends on the activities the user

0:00:52.040000 --> 0:00:56.300000
performs, for example, like opening a directory, renaming a directory,

0:00:56.300000 --> 0:00:59.840000
moving a directory, or going to the control panel.

0:00:59.840000 --> 0:01:02.340000
Let's add a note before we get started.

0:01:02.340000 --> 0:01:21.820000
ShellBags are found in NTUSER.DAT as well as in UsrClass.dat. So, ShellBags

0:01:21.820000 --> 0:01:25.240000
can be found in these two registry files, which are found under the

0:01:25.240000 --> 0:01:32.920000
user profile. Let's go ahead and extract them from the beginning.

0:01:32.920000 --> 0:01:43.380000
Let's add our forensic image.
0:01:43.380000 --> 0:01:48.280000
Now, let's expand this, go to root, and then users, as it's in the user's

0:01:48.280000 --> 0:01:51.940000
profile. It should be in this directory.

0:01:51.940000 --> 0:01:55.900000
We need to select the user we want to investigate, which is administrator.

0:01:55.900000 --> 0:02:01.560000
Now, let's go to application data and then local.

0:02:01.560000 --> 0:02:05.640000
So, let's look at the main NTUSER.DAT first, which is a bit further down

0:02:05.640000 --> 0:02:07.420000
in this main directory.

0:02:07.420000 --> 0:02:18.000000
And here it is. Let's go ahead and right click and export it.

0:02:18.000000 --> 0:02:24.400000
So this one has been extracted.

0:02:24.400000 --> 0:02:27.300000
Now, let's go to local, and then Microsoft.

0:02:27.300000 --> 0:02:29.860000
Next, let's click Windows.

0:02:29.860000 --> 0:02:32.000000
And here we have the UsrClass.dat.

0:02:32.000000 --> 0:02:36.140000
Let's also extract this one.

0:02:36.140000 --> 0:02:38.400000
These two files hold ShellBags.

0:02:38.400000 --> 0:02:43.600000
Now, let's open the ShellBags Explorer tool.

0:02:43.600000 --> 0:02:49.300000
I'm receiving this pop-up because there's no email address associated

0:02:49.300000 --> 0:03:01.080000
with this tool. This is helpful when you discover GUIDs and Shell IDs

0:03:01.080000 --> 0:03:04.800000
for new evidence or new files and applications.

0:03:04.800000 --> 0:03:08.580000
Additionally, this will help Eric in his analysis of the tool.

0:03:08.580000 --> 0:03:11.620000
So, having an email here is good.

0:03:11.620000 --> 0:03:14.300000
I'll go ahead and finish entering mine.

0:03:14.300000 --> 0:03:20.420000
Before we proceed, we can also add in a default time zone as well, which

0:03:20.420000 --> 0:03:21.600000
I recommend you do.

0:03:21.600000 --> 0:03:29.420000
I'll go ahead and apply one as an example.

0:03:29.420000 --> 0:03:32.160000
I'll use UTC minus 7.
0:03:32.160000 --> 0:03:34.660000
We'll prove this in a later video.

0:03:34.660000 --> 0:03:36.780000
I'll go ahead and click Save Now.

0:03:36.780000 --> 0:03:41.820000
Here we have the option to load the active registry, which will load the

0:03:41.820000 --> 0:03:44.120000
registry for the current active user.

0:03:44.120000 --> 0:03:45.900000
We don't want to do that option.

0:03:45.900000 --> 0:03:49.900000
Rather, we will select Load Offline Hive.

0:03:49.900000 --> 0:03:57.040000
Let's select NTUSER.DAT.

0:03:57.040000 --> 0:04:00.640000
Here it shows us that the user visited computers and devices, as well

0:04:00.640000 --> 0:04:06.000000
as these paths. So, it seems we can even figure out what remote locations

0:04:06.000000 --> 0:04:09.300000
the user has been visiting by analyzing the ShellBags.

0:04:09.300000 --> 0:04:13.980000
And, we can see here, when this was created, which is the date it was

0:04:13.980000 --> 0:04:19.560000
accessed. If we go here and click Labs, we can see that it was first interacted

0:04:19.560000 --> 0:04:23.600000
with at this date and time, and it was last interacted with at this date

0:04:23.600000 --> 0:04:28.440000
and time. We can also see that they are the same, and it was interacted with

0:04:28.440000 --> 0:04:34.040000
only one time. A bit further down, we see the last access date and time.

0:04:34.040000 --> 0:04:40.300000
Let's now go ahead and load the other file.

0:04:40.300000 --> 0:04:49.040000
When the parsing is complete, we get a pop-up that lets us know that 40

0:04:49.040000 --> 0:04:52.620000
ShellBags were found, and that the GUID control panel is 4.

0:04:52.620000 --> 0:04:54.440000
Root folder is 4.

0:04:54.440000 --> 0:04:56.220000
The directory is 26.

0:04:56.220000 --> 0:04:58.160000
And that the drive letter is 2.

0:04:58.160000 --> 0:05:00.820000
Let's go ahead and check it out.

0:05:00.820000 --> 0:05:02.960000
Let's expand My Computer.
0:05:02.960000 --> 0:05:08.760000
Here we can see that there are two drives, E and C.

0:05:08.760000 --> 0:05:12.360000
The E drive was visited for a directory called FTK and another called

0:05:12.360000 --> 0:05:18.120000
DVWA. We'll come back to the C drive later on.

0:05:18.120000 --> 0:05:22.380000
Let's now go to computers and devices.

0:05:22.380000 --> 0:05:26.560000
We saw this one earlier.

0:05:26.560000 --> 0:05:30.220000
Let's go to another directory the user accessed, which is the Documents

0:05:30.220000 --> 0:05:32.600000
under Shared Documents folder.

0:05:32.600000 --> 0:05:37.940000
Here we have the control panel.

0:05:37.940000 --> 0:05:41.420000
We can see that the user accessed the system, network connections, network

0:05:41.420000 --> 0:05:43.960000
and sharing center, and user accounts.

0:05:43.960000 --> 0:05:50.220000
Under user accounts, the user may have changed a password.

0:05:50.220000 --> 0:05:54.460000
And we can check this information here under the Details tab.

0:05:54.460000 --> 0:05:58.520000
Let's now go back to the C drive.

0:05:58.520000 --> 0:06:01.000000
I want to show you something quite interesting.

0:06:01.000000 --> 0:06:04.000000
When we go to C, we see all of these directories.

0:06:04.000000 --> 0:06:12.600000
If we go to XAMPP, we see additional directories were accessed.

0:06:12.600000 --> 0:06:16.840000
If we go to htdocs, we see three directories:

0:06:16.840000 --> 0:06:20.380000
New folder, DVWA, and XAMPP.

0:06:20.380000 --> 0:06:25.440000
Now I'd like to demonstrate an awesome feature in ShellBags.

0:06:25.440000 --> 0:06:28.460000
A new folder can be created by simply right clicking and adding a new

0:06:28.460000 --> 0:06:32.820000
folder. Typically, after that, the new folder is renamed from New folder

0:06:32.820000 --> 0:06:34.340000
to something else.

0:06:34.340000 --> 0:06:38.600000
So, how do we know which one is the newest file?
0:06:38.600000 --> 0:06:42.320000
We can find that out in various ways, but one of the most interesting

0:06:42.320000 --> 0:06:45.920000
is through the file system and MFT entry.

0:06:45.920000 --> 0:06:49.940000
If we go to New folder and look at its contents below, we'll find the

0:06:49.940000 --> 0:06:54.200000
MFT entry number, which is 12,859.

0:06:54.200000 --> 0:07:01.240000
Now, if we go to DVWA and look at its details, we can see that the MFT

0:07:01.240000 --> 0:07:06.800000
entry number is also 12,859.

0:07:06.800000 --> 0:07:11.360000
What this means is that the new folder was renamed to DVWA.

0:07:11.360000 --> 0:07:16.820000
This is very useful, especially when you want to analyze and discover

0:07:16.820000 --> 0:07:20.200000
what the folder was named and what it is currently named.

0:07:20.200000 --> 0:07:23.380000
This can be done by checking ShellBags.

0:07:23.380000 --> 0:07:28.420000
As you can see, there is a lot of activity that can be analyzed and extracted.

0:07:28.420000 --> 0:07:31.860000
We have several export options.

0:07:31.860000 --> 0:07:45.360000
Let's select the TSV option and export it in that format.

0:07:45.360000 --> 0:07:48.500000
And here, we can see the export details.

0:07:48.500000 --> 0:07:51.960000
From here, we can take this information and add it to another tool for

0:07:51.960000 --> 0:07:56.860000
analysis. Or, perhaps you have a specific kind of analysis you want to

0:07:56.860000 --> 0:08:00.440000
do, or you have an Excel sheet application or viewer that you want to

0:08:00.440000 --> 0:08:02.880000
import this into.

0:08:02.880000 --> 0:08:06.040000
ShellBags are very useful and could be helpful to you in investigating

0:08:06.040000 --> 0:08:11.320000
user activity. For instance, ShellBags will be created when a user adds

0:08:11.320000 --> 0:08:16.700000
a removable device, or accesses a remote machine, which we saw earlier.
0:08:16.700000 --> 0:08:20.920000
Another example is when a user extracts or accesses a compressed file

0:08:20.920000 --> 0:08:22.480000
like a zip file.

0:08:22.480000 --> 0:08:24.860000
A ShellBag will be created for that too.

0:08:24.860000 --> 0:08:31.260000
There are a lot of user activities that will create a ShellBag.

0:08:31.260000 --> 0:08:35.000000
And looking back at ShellBags Explorer, we can continue to review these

0:08:35.000000 --> 0:08:38.920000
details to get an idea of the user activity.

0:08:38.920000 --> 0:08:42.700000
We can even sort the information presented to us by shell type, icons,

0:08:42.700000 --> 0:08:49.200000
etc. We can even sort by time, allowing us to know when something was

0:08:49.200000 --> 0:08:55.880000
created. ShellBags Explorer is an extremely useful tool that was created

0:08:55.880000 --> 0:08:57.080000
by Eric Zimmerman.

0:08:57.080000 --> 0:09:02.960000
He even provided a legend that explains what each icon means.

0:09:02.960000 --> 0:09:08.760000
And this concludes our video lesson on using ShellBags Explorer.

0:09:08.760000 --> 0:09:12.140000
After viewing this video, you should have an idea of what to expect when

0:09:12.140000 --> 0:09:15.340000
dealing with ShellBags and the type of information you can extract from

0:09:15.340000 --> 0:09:17.220000
them. Thanks for joining us.