
Using Shellbag Information to Reconstruct User Activities


Page 1: Using Shellbag Information to Reconstruct User Activities

Digital Forensic Research Center

Presenter: Park Jungheum

([email protected]) Digital Forensic Research Center, Korea University

Using shellbag information to reconstruct user activities

Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009

Page 2: Using Shellbag Information to Reconstruct User Activities


Outline

1. Registry Forensics

2. Shellbag Information

3. Experimental Analysis of Shellbag updating

4. Causality between User actions & Shellbag updating

5. Shellbag Analysis Method

6. Case Study

7. Conclusion

Page 3: Using Shellbag Information to Reconstruct User Activities


Registry Forensics

Page 4: Using Shellbag Information to Reconstruct User Activities


1. Registry Forensics

Traditional Registry Forensics: extracting forensically meaningful data from the Registry

• Account information, recently used files, autorun entries, program execution logs, connected storage device history, etc.

Recovering deleted Registry data

Recent issues

Analysis of Restore Point Registry snapshots!
• Correlated analysis of two or more sets of Registry data

Papers (2009)
• Identifying newly updated data values of MRU Keys between registry snapshots
– Fifth Annual IFIP WG 11.9 International Conference on Digital Forensics
• A comparative methodology for the reconstruction of digital events using Windows Restore Points
– Digital Investigation
• Using shellbag information to reconstruct user activities
– DFRWS 2009
• Authors
– Yuandong Zhu, Pavel Gladyshev, Joshua James
Center for Cybercrime Investigation, University College Dublin, Ireland

Page 5: Using Shellbag Information to Reconstruct User Activities


Shellbag Information

Page 6: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

Shellbag: a cache of desktop and window settings such as window size and position

Page 7: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

Shellbag locations

Windows 2000, XP, 2003
• HKCU\Software\Microsoft\Windows\Shell
• HKCU\Software\Microsoft\Windows\ShellNoRoam

Vista, 7
• HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Shellbag & Streams
Shellbag: stores information for each folder
Streams: stores the default information

Page 8: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

(Figure: the Shellbag folder tree Desktop > My Computer > My Computer [Programs] > Test. Each item carries Modification, LastAccess and Creation timestamps; up to 5000 entries are kept; the stored display settings include Window Size, Window Position and Sort Order.)

Page 9: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

CLSID List (Windows Class Identifiers)

My Computer

Page 10: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

Shellbag Cleaner ?

Page 11: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

Page 12: Using Shellbag Information to Reconstruct User Activities


2. Shellbag Information

Terminology

Folder’s MRU Key

Folder’s MRU Item

Folder’s Display Key

Page 13: Using Shellbag Information to Reconstruct User Activities


Experimental Analysis of Shellbag updating

Page 14: Using Shellbag Information to Reconstruct User Activities


Experiment 1 ~ 6

3. Experimental Analysis of Shellbag updating

Shellbag exists? | Desktop folder? | User action | Results

Yes | Yes | Open
  - Find target folder's MRU item by enumerating all items
  - Update the BagMRU key's "MRUListEx" value
  - Find target folder's Display key

Yes | Yes | Close
  - Find target folder's MRU item by enumerating all items
  - Update the BagMRU key's "MRUListEx" value
  - Write the folder's display settings to the Display key

Yes | No | Open
  - Find target folder's MRU item by enumerating all items
  - Update target folder's and all parent folders' "MRUListEx" value
  - Find target folder's Display key

Yes | No | Close
  - Find target folder's MRU item by enumerating all items
  - Update target folder's and all parent folders' "MRUListEx" value
  - Write the folder's display settings to the Display key

No | Both | Open
  - Find target folder's MRU item by enumerating all items
  - User actions do not create any new Shellbag information
  - Update target's parent folders' "MRUListEx" value

No | Both | Close
  - Find target folder's MRU item by enumerating all items
  - Create target folder's MRU key and item
  - Update target folder's and all parent folders' "MRUListEx" value
  - Write the folder's display settings to the Display key

Page 15: Using Shellbag Information to Reconstruct User Activities


3. Experimental Analysis of Shellbag updating

Experiment 7 (Deleting a folder)

Shellbag exists? | Desktop folder? | User action | Results
Yes | Both | Delete
  - Update target folder's and all parent folders' "MRUListEx" value
  - There is no registry deleting operation

Experiment 8 (Creating a folder with the same name)

Shellbag exists? | Desktop folder? | User action | Results
Yes | Both | Open
  - The existing Shellbag is used as-is
  - Same as Experiment 1

Experiment 9 (Closing a folder when the registry contains the maximum (5000) Display keys)

Shellbag exists? | Desktop folder? | User action | Results
No | Both | Close
  - Update target folder's and all parent folders' "MRUListEx" value
  - NodeSlot value = '1' (Bags\1\Shell)

Page 16: Using Shellbag Information to Reconstruct User Activities


Analysis of Causality between User actions & Shellbag updating

Page 17: Using Shellbag Information to Reconstruct User Activities


4. Analysis of Causality between User actions & Shellbag updating

Finding 1

Page 18: Using Shellbag Information to Reconstruct User Activities


4. Analysis of Causality between User actions & Shellbag updating

Finding 2: MRU item's position updating

Page 19: Using Shellbag Information to Reconstruct User Activities


4. Analysis of Causality between User actions & Shellbag updating

Finding 3: A key's timestamp changes only when the values or subkeys inside that key change

Finding 4: How to determine whether a Shellbag MRU item is an existing (previously created) one

'Folder name (path)'

If a folder is deleted and then recreated at the same location, the MRU key, MRU item and Display key left behind are reused

Page 20: Using Shellbag Information to Reconstruct User Activities


Shellbag Analysis Method

Page 21: Using Shellbag Information to Reconstruct User Activities


5. Shellbag Analysis Method

Rule 1: Folder A's MRU item's position changed
→ A type 1 or type 2 action was performed on folder A

Rule 2: Folder A's Display key was created or updated
→ A type 2 action was performed on folder A

Rule 3: Folder A's MRU key, MRU item and Display key do not exist
→ Type 2 never occurred on folder A!

Rule 4: Before folder A's MRU item's position changed,
the positions of A's parent folders' items must have changed

Page 22: Using Shellbag Information to Reconstruct User Activities


5. Shellbag Analysis Method

Rule 5: Folder A's MRU item's position did not change
→ The positions of A's parent folders' items did not change

Rule 6: Folder A's MRU key's timestamp is the same in two consecutive snapshots
→ MRU item positions did not change, or only the first item's position changed

Rule 7: Folder A's MRU key's timestamp is the same in two consecutive snapshots
→ No MRU item's position changed (except the first item)

Rule 8: In two consecutive snapshots, folder A's MRU key's values are all the same but the timestamp differs
→ Some MRU item's position must have changed

Page 23: Using Shellbag Information to Reconstruct User Activities


5. Shellbag Analysis Method

Rule 9: Compare the Creation time in folder A's MRU item's binary data with folder A's Creation time in the filesystem

• If they match:
it is the MRU item of the currently existing folder

• If they differ:
it is not the MRU item of the currently existing folder
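Rules 1-8 above, applied to two constructed snapshots as an added example that is not the deck's or the paper's code: the MruKey layout, the path strings and the integer timestamps are assumptions standing in for the registry's binary data.

```python
from dataclasses import dataclass
@dataclass
class MruKey:                          # one folder's MRU key (constructed layout)
    order: list                        # child names in this key's MRUListEx order
    ts: int                            # last-write time of the MRU key
    display_ts: "int | None" = None    # last-write time of its Display key, None if absent
# A snapshot maps folder path -> MruKey. A folder's MRU *item* lives in its
# parent's key, so its position is its index in the parent's MRUListEx order.
def position(snap, path):
    parent, _, name = path.rpartition("\\")
    key = snap.get(parent)
    return key.order.index(name) if key and name in key.order else None
def parents(path):
    while "\\" in path:
        path = path.rpartition("\\")[0]
        yield path
def infer(before, after, path):
    """Apply the deck's Rules 1-8 to one folder across two consecutive snapshots."""
    facts = set()
    pos_b, pos_a = position(before, path), position(after, path)
    key_b, key_a = before.get(path), after.get(path)
    if pos_b is not None and pos_a is not None and pos_b != pos_a:
        facts.add("rule1: type 1 or type 2 action on folder")
        # Rule 4: every parent folder's own item must have moved too (root has none)
        for p in parents(path):
            if position(after, p) is not None and position(before, p) == position(after, p):
                facts.add("rule4: inconsistent, a parent item did not move")
    disp_b = key_b.display_ts if key_b else None
    disp_a = key_a.display_ts if key_a else None
    if disp_a is not None and (disp_b is None or disp_a > disp_b):
        facts.add("rule2: type 2 action on folder")
    if key_a is None and pos_a is None:    # no MRU key, no MRU item, no Display key
        facts.add("rule3: type 2 never occurred on folder")
    if key_b and key_a:
        if key_b.ts == key_a.ts and key_b.order != key_a.order:
            facts.add("rule6/7: inconsistent, order changed but timestamp did not")
        elif key_b.ts != key_a.ts and key_b.order == key_a.order:
            facts.add("rule8: some item position was updated")
    return facts
# Constructed snapshots (timestamps are arbitrary integers): between them the
# user opened and closed C:\Users for the first time and re-opened Desktop\Test.
BEFORE = {"Desktop": MruKey(["Test", "My Computer"], 100),
          "Desktop\\Test": MruKey(["Music"], 100, 80),
          "Desktop\\My Computer": MruKey(["D:", "C:"], 100, 90),
          "Desktop\\My Computer\\C:": MruKey(["Programs", "Users"], 100, 95)}
AFTER = {"Desktop": MruKey(["My Computer", "Test"], 200),
         "Desktop\\Test": MruKey(["Music"], 150, 80),
         "Desktop\\My Computer": MruKey(["C:", "D:"], 200, 90),
         "Desktop\\My Computer\\C:": MruKey(["Users", "Programs"], 200, 95),
         "Desktop\\My Computer\\C:\\Users": MruKey([], 200, 200)}
```

Calling infer(BEFORE, AFTER, path) for a folder returns the rule conclusions the deck would draw for it; an "inconsistent" fact flags a pair of snapshots that contradicts Rule 4 or Rules 6/7.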

Page 24: Using Shellbag Information to Reconstruct User Activities


Case Study

Page 25: Using Shellbag Information to Reconstruct User Activities


6. Case Study

Page 26: Using Shellbag Information to Reconstruct User Activities


Conclusion

Page 27: Using Shellbag Information to Reconstruct User Activities


7. Conclusion

Proposes 9 rules concerning Shellbag information

These rules can be used to determine a user's activity history

TraceHunter (http://tracehunter.com/)

Research is needed on operating systems other than Windows XP

Page 28: Using Shellbag Information to Reconstruct User Activities


Q & A

Thank you

Digital Forensic Research Center http://forensic.korea.ac.kr