shellbags-0.5.5-1.fc25.noarch.rpm



Description

shellbags - Cross-platform shellbag parser

Distribution: Fedora 25
Repository: CERT Forensics Tools x86_64
Package name: shellbags
Package version: 0.5.5
Package release: 1.fc25
Package architecture: noarch
Package type: rpm
Installed size: 110.27 KB
Download size: 34.57 KB
Official Mirror: forensics.cert.org
Microsoft Windows uses a set of Registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when it is opened in Explorer. These keys are useful to a forensic investigator: shellbags persist information for directories even after the directory is removed, which means they can be used to enumerate previously mounted volumes, deleted files, and user actions. Yuandong Zhu, Pavel Gladyshev, and Joshua James provided a good overview of the investigative value of shellbags in "Using shellbag information to reconstruct user activities" [pdf]; however, they do not describe how to programmatically access the data. Allan S Hay went into greater detail in his December 2004 document "MiTeC Registry Analyser" [pdf], although he also leaves out a thorough analysis of the format. TZWorks provides an effective closed-source shellbag parser, sbag, but does not explain its algorithm. Yogesh Khatri first described the basic structure of Windows Shell Items in his blog post for 42 LLC entitled "Shell BAG Format Analysis". Joachim Metz went on to describe the binary format of the Windows Shell Item structures in great detail in "Windows Shell Item format specification" [pdf]. This page documents an approach to parsing shellbags in detail, and introduces an open-source, cross-platform shellbag parser.
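To make the description concrete, the following is an added example written for this page; it is not code from the shellbags package or from its author. It decodes one constructed BagMRU key the way a shellbag parser must: the key's MRUListEx value gives the most-recently-used order of the child slots, and each numbered value holds a Windows Shell Item. On Windows XP these keys live under Software\Microsoft\Windows\Shell\BagMRU (and ShellNoRoam\BagMRU) in NTUSER.DAT; on Windows 7 and later the main copy is under Local Settings\Software\Microsoft\Windows\Shell\BagMRU in UsrClass.dat. The byte layouts follow Metz's specification for the file entry shell item (class 0x30) and its 0xBEEF0004 extension block in the version-3 (XP-era) form; later versions insert MFT reference fields and a localized-name string that this example deliberately rejects rather than mis-parse. All bytes below are constructed, not taken from a real hive, and the code is Python 3 even though the packaged tool targets Python 2.7.

```python
"""Decode one constructed BagMRU key: MRUListEx order plus file entry shell items.

Constructed data only. Layouts per Joachim Metz's Windows Shell Item format
specification: file entry item (class 0x30) and the 0xBEEF0004 extension block
in its version-3 (XP) form.
"""
import struct
from datetime import datetime

FILE_ENTRY_CLASS = 0x30          # class type indicator for file/directory items (mask 0x70)
FLAG_IS_DIRECTORY = 0x01
FLAG_IS_FILE = 0x02
FLAG_HAS_UNICODE_NAME = 0x04
EXT_FILE_ENTRY_SIGNATURE = 0xBEEF0004
MRU_TERMINATOR = 0xFFFFFFFF


def decode_fat_datetime(raw):
    """4-byte FAT/DOS timestamp as stored in shell items: date word, then time word.

    FAT times are local time (no zone) with 2-second resolution; an all-zero
    field means "not set", which is common for directory entries.
    """
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def encode_fat_datetime(dt):
    """Inverse of decode_fat_datetime; used only to build the constructed sample."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the terminator)."""
    end = off
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if buf[end:end + 2] != b"\x00\x00":
        raise ValueError("unterminated UTF-16 string")
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_file_entry_item(item):
    """Parse a single file entry shell item (a numbered binary value under BagMRU)."""
    size, class_type, _, file_size = struct.unpack_from("<HBBI", item, 0)
    if class_type & 0x70 != FILE_ENTRY_CLASS:
        raise ValueError("not a file entry shell item: class 0x%02x" % class_type)
    if size > len(item):
        raise ValueError("truncated shell item")
    attributes = struct.unpack_from("<H", item, 12)[0]
    if class_type & FLAG_HAS_UNICODE_NAME:
        short_name, pos = _utf16z(item, 14)
    else:
        end = item.index(b"\x00", 14)
        short_name, pos = item[14:end].decode("ascii"), end + 1
        pos += pos & 1      # ASCII name is padded so the extension block is 16-bit aligned
    entry = {
        "short_name": short_name, "long_name": None,
        "is_directory": bool(class_type & FLAG_IS_DIRECTORY),
        "file_size": file_size, "attributes": attributes,
        "modified": decode_fat_datetime(item[8:12]), "created": None, "accessed": None,
    }
    # Extension block: supplies creation/access times and the long (non-8.3) name.
    _ext_size, version, signature = struct.unpack_from("<HHI", item, pos)
    if signature != EXT_FILE_ENTRY_SIGNATURE:
        raise ValueError("unexpected extension block signature 0x%08x" % signature)
    if version != 3:
        raise NotImplementedError("only the version-3 (XP) extension block layout is handled")
    entry["created"] = decode_fat_datetime(item[pos + 8:pos + 12])
    entry["accessed"] = decode_fat_datetime(item[pos + 12:pos + 16])
    entry["long_name"], _ = _utf16z(item, pos + 18)   # after a 2-byte unknown field
    return entry


def parse_mrulistex(raw):
    """MRUListEx: little-endian uint32 slot numbers, most recent first, ending in 0xFFFFFFFF."""
    order = []
    for (slot,) in struct.iter_unpack("<I", raw[:len(raw) - len(raw) % 4]):
        if slot == MRU_TERMINATOR:
            break
        order.append(slot)
    return order


def parse_bagmru_key(values):
    """values: {'MRUListEx': bytes, '0': bytes, '1': bytes, ...} read from one BagMRU key.

    Returns the child entries in most-recently-used order, which is the order an
    investigator wants when reconstructing which folders were opened last.
    """
    return [dict(slot=slot, **parse_file_entry_item(values[str(slot)]))
            for slot in parse_mrulistex(values["MRUListEx"])]


def build_sample_item(short_name, long_name, is_directory, mtime, ctime, atime, file_size=0):
    """Build a constructed version-3 file entry item (hypothetical bytes, not from a hive)."""
    class_type = FILE_ENTRY_CLASS | (FLAG_IS_DIRECTORY if is_directory else FLAG_IS_FILE)
    attributes = 0x10 if is_directory else 0x20        # FILE_ATTRIBUTE_DIRECTORY / _ARCHIVE
    body = struct.pack("<BBI", class_type, 0, file_size) + encode_fat_datetime(mtime)
    body += struct.pack("<H", attributes) + short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)                  # alignment padding
    ext_offset = 2 + len(body)
    ext_body = struct.pack("<HI", 3, EXT_FILE_ENTRY_SIGNATURE)
    ext_body += encode_fat_datetime(ctime) + encode_fat_datetime(atime)
    ext_body += struct.pack("<H", 0x0014)              # unknown 16-bit field
    ext_body += long_name.encode("utf-16-le") + b"\x00\x00"
    ext_body += struct.pack("<H", ext_offset)          # trailing offset field per the spec
    ext = struct.pack("<H", 2 + len(ext_body)) + ext_body
    return struct.pack("<H", 2 + len(body) + len(ext)) + body + ext


# Constructed BagMRU key: slot 1 was opened more recently than slot 0.
SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<3I", 1, 0, MRU_TERMINATOR),
    "0": build_sample_item("PROJEC~1", "Projects 2013", True,
                           datetime(2013, 12, 20, 14, 30, 10),
                           datetime(2013, 1, 4, 9, 0, 0), datetime(2013, 12, 20, 14, 30, 10)),
    "1": build_sample_item("USBDUMP", "usb-dump", True,
                           datetime(2013, 12, 21, 8, 15, 32),
                           datetime(2013, 12, 21, 8, 15, 32), datetime(2013, 12, 21, 8, 15, 32)),
}

if __name__ == "__main__":
    for entry in parse_bagmru_key(SAMPLE_BAGMRU):
        print(entry)
```

Two things worth keeping in mind when reading real output: the FAT timestamps carry no time zone and are rounded to even seconds, so they should be correlated with $MFT times rather than treated as exact, and a parser that does not branch on the extension block version will silently misread the long name on Vista and later hives, where the MFT reference fields shift it.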

Provides

  • python2.7dist(shellbags) = 0.5.5
  • python2dist(shellbags) = 0.5.5
  • shellbags = 0.5.5-1.fc25

    Download

    Install Howto

    1. Download cert-forensics-tools-release-25 rpm:
      https://forensics.cert.org/cert-forensics-tools-release-25.rpm
    2. Install cert-forensics-tools-release-25 rpm:
      # rpm -Uvh cert-forensics-tools-release*rpm
    3. Install shellbags rpm package:
      # dnf --enablerepo=forensics install shellbags

    Files

    • /usr/bin/shellbags
    • /usr/lib/python2.7/site-packages/shellbags-0.5.5-py2.7.egg-info
    • /usr/lib/python2.7/site-packages/shellbags/BinaryParser.py
    • /usr/lib/python2.7/site-packages/shellbags/BinaryParser.pyc
    • /usr/lib/python2.7/site-packages/shellbags/BinaryParser.pyo
    • /usr/lib/python2.7/site-packages/shellbags/ShellItems.py
    • /usr/lib/python2.7/site-packages/shellbags/ShellItems.pyc
    • /usr/lib/python2.7/site-packages/shellbags/ShellItems.pyo
    • /usr/lib/python2.7/site-packages/shellbags/__init__.py
    • /usr/lib/python2.7/site-packages/shellbags/__init__.pyc
    • /usr/lib/python2.7/site-packages/shellbags/__init__.pyo
    • /usr/share/doc/shellbags/LICENSE.TXT
    • /usr/share/doc/shellbags/README.txt

    Changelog

    2013-12-20 - Willi Ballenthin <willi.ballenthin@gmail.com> 0.5.5-1
    * Release 0.5.5-1 Version 0.5.5

    2012-01-04 - Willi Ballenthin <willi.ballenthin@gmail.com> 0.5.1-2
    * Release 0.5.1-2 Initial release
