Project Awesome project awesome

Shellbags

Investigate NT_USER.dat files.

Package 160 stars GitHub

shellbags.py

Introduction

shellbags.py is a cross-platform, open-source shellbag parser. The webpage http://www.williballenthin.com/forensics/shellbags/index.html describes the algorithm in detail. Note that shellbags.py was originally developed as a sample for python-registry, so this repository is a fork that contains the python-registry history through version v0.2.4.1. The initial shellbags.py tag v0.5.

Dependencies

shellbags.py requires Python2.7, argparse, six and python-registry.

Usage

shellbags.py accepts the path to a raw Windows Registry hive. This hive should be acquired forensically. To ensure interoperability, output is formatted according to the Bodyfile specification by default.

Parameters: usage: shellbags.py [-h] [-v] [-p] [-o {csv,bodyfile}] file [file ...]

Parse Shellbag entries from a Windows Registry.

positional arguments: file Windows Registry hive file(s)

optional arguments: -h, --help show this help message and exit -v Print debugging information while parsing -p If debugging messages are enabled, augment the formatting with ANSI color codes -o {csv,bodyfile} Output format: csv or bodyfile; default is bodyfile

Example: $ python shellbags.py ~/projects/registry-files/willi/xp/NTUSER.DAT.copy0 0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200 0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456 0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050 0|\My Documents\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154 0|\My Documents\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152 0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200 0|\My Documents\My Dropbox\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088 0|\My Documents\My Dropbox\Tools\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092 0|\My Documents\My Dropbox\Tools\Windows\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140 0|\My Documents\My Dropbox\Tools\Windows\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140 0|\My Documents\My Dropbox\Tools\Windows\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140

Wanted

*) Bug reports. *) Feedback.

License

shellbags.py is released under the Apache 2.0 license.

Sources

  1. "Using shellbag information to reconstruct user activities" by Yuandong Zhu, Pavel Gladyshev, and Joshua James which may be accessed http://www.dfrws.org/2009/proceedings/p69-zhu.pdf
  2. "MiTeC Registry Analyzer" by Allan S Hay, which may be accessed at http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf
  3. "sbag" by TZWorks, which may be accessed at http://www.tzworks.net/prototype_page.php?proto_id=14
  4. "Shell BAG Format Analysis" by Yogesh Khatri, which may be accessed at https://42llc.net/?p=385
  5. "Windows Shell Item format specification" by Joachim Metz, which may be accessed at http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf
Back to CTF