Hello, and welcome back to Windows Registry Forensics, Course 7, the UsrClass.dat hive, Section 1, ShellBags. In this section we're going to cover the UsrClass.dat file, and we're going to cover the ShellBags. Throughout this course we'll be covering the entire UsrClass.dat file. The location of this file within your file system would be C:, Users, username, AppData, Local, Microsoft, and then Windows. This is where we would find the UsrClass.dat file located within the system. We saw this when we looked at Regedit way back in Course 1. We're going to cover the MuiCache, and this is going to be installed applications, and because the UsrClass.dat file is unique to that particular user, those particular items, the programs that are installed, will be unique to that user also. We're going to look at ShellBags. ShellBags are folder settings, and they also show folder access, and I will explain in depth why this is important. We're also going to look at Microsoft Photos app recent files. These are files that were accessed using the Microsoft Photos app, and it's going to be very interesting that we can tie these things all the way back to individual users; we can tie these things back to removable media if they were on removable media, or to where on the file system they were located. If we haven't already done so (I think we did do this), we need to download ShellBags Explorer by Eric Zimmerman, because we're going to be using that tool during this part of the class.

Section 1 is going to be ShellBags. Now, what ShellBags do is they track Windows folder settings. What they're there for is they track what we do with our folder settings. If we brought up Windows Explorer and we wanted to view our folders as icons, or we wanted to view our folders in the details view or the list view, or even if we resized the window, these settings get stored somewhere, and where they're being stored is in the ShellBags. ShellBags also track zip files. They also track access to folders.
This proves that a user, a specific user, accessed a specific directory, a specific folder. Even if this folder is deleted or the zip file is deleted, it's still going to show up in ShellBags, because it does not get removed from there. It will even show us folders that were accessed on removable media, which can be very important when we're looking at certain cases.

We're going to look at the file structure of ShellBags. We're going to look at the BagMRU key, and what we're going to look at there is the MRU list. It also has something called a NodeSlot, and that's going to make a lot more sense when we actually look at it, and it may have subkeys. They don't all have subkeys, but they may have child objects, child folders, and we're going to take a look at that. We're also going to look at the Bags key, and the Bags key tracks back to the BagMRU key, and we're going to see how these two keys interact to form the file structure we're looking at. Again, we have the file path up there where we're going to find it: Local Settings, Software, Microsoft, Windows, Shell, and then Bags. The value name we're going to look at there is Shell, which will tell us not only the settings but also the GUID that represents the folder. We'll see that when we look at it, and everything in here is going to have a last write timestamp under these Bags subkeys. Even the child bags, the child folders, will have last write timestamps, and that would be the last time that the user interacted with that folder, which can also be very important to your investigation. We're going to do a walk-through. We're going to take a look at the ShellBag file structure, we're going to take a look at the MRU lists, and we're going to use Eric Zimmerman's ShellBags Explorer.
The items we're going to need: we're going to need our Registry Explorer, we're going to need ShellBags Explorer, and we're going to need Ivan's UsrClass.dat file. The first tool we're going to use is Registry Explorer. Go ahead and open up Registry Explorer and load in Ivan's UsrClass.dat hive. If you haven't already done it, it's File, Load hive; navigate out to where that file is on the system and click "Open". Now, we're going to go ahead and use our bookmarks here. We're going to go to Bookmarks, Common, and we're going to go to BagMRU, and this is the ShellBag root key. Now, we can see down here where it is in the file system. It's under Local Settings, Software, Microsoft, Windows, Shell, and then BagMRU.

The first thing we do: we're looking at the root key here, BagMRU. We can see that we do have an MRU list, and we've looked at MRU lists before; they are four-byte values starting at the bottom, and you would read it from the bottom up. I'm going to demonstrate how we look at this and what the file structure is here. If we take a look at Bag 0, we can see we have our MRU list. We can see that Bag 0 has 13 keys underneath here, and you see something called a NodeSlot, and this says NodeSlot 4. What this NodeSlot is referring back to is the Bags subkey, and we're going to look at that in a minute. But let's look at our child keys. Bag 0 has the subkey 0; this has a NodeSlot of 1, and it has two subkeys, 0 and 1. We have again our MRU list. The bag at the bottom would be the first one, which would be 1 and then 0. Now, when we look at bag 0, we're going to see that it has a NodeSlot of 84, and this is referring back to the Bags subkey. We're going to take a look in a second. We also see that each one of these subkeys has a last write date and time. If we look at folder 1, we see that it has a NodeSlot of 85. We've got 85, 84, and 1, and 4.
These NodeSlots are where we would need to go look. We're going to look at NodeSlot 4, NodeSlot 1, and then 84 and 85. Go ahead and close up BagMRU so we have some space. Right underneath it you see we have Bags, and you see we have subkeys in Bags. We were going to look at number 1. We take a look at 1. You see you have a ComDlg here, but that's not the key we're interested in. We're interested in Shell, because Shell is going to give us the folder type, and the folder type we're looking at is Pictures. We see GUIDs here, and these represent the folder type, but it is Pictures. You can look these GUIDs up. There are online resources where you can go ahead and look up the GUIDs, but this GUID comes back to Pictures. We see we have last write date and time. The other NodeSlot we're going to look at was 4. Let's locate NodeSlot 4. We can see we have NodeSlot 4, and we have a Shell, but we don't have any information there, but we do have this GUID. I can tell you this GUID just means regular folder. Again, you can research that and look it up if you'd like, but that is just a standard folder. We also have our dates and times. Now, the next NodeSlots we would need to look at would be 84 and 85. This is Pictures. What you're seeing in here are the folder settings. You're seeing the icon size, the view mode, the flags, how it's grouped. These are the folder settings that you as a user would set to view your folders and files. If we look at 85, 85 is also Pictures, which is what I would expect. Again, you have your settings in here that are the folder settings. You would need to put all this information together to come up with a file path for that very first bag.

Manually going through this and resolving ShellBags would be a time-consuming task. That's where we're going to use an automated tool. We're going to use ShellBags Explorer. Go ahead and launch ShellBags Explorer. What you would do is go File, Load offline hive, and navigate out to UsrClass.dat.
Wherever you saved Ivan's UsrClass.dat, go ahead and click "Open". Once you do that, what you're going to see is that it's going to tell you how many items it found, how many items it processed. It's going to give you drive letters: how many drive letters, zip files, network locations. It's going to give you overall information about what it just did, and it does it really fast. You can look that over, and once you're done, click "Okay".

Now, let's take a look at what we just looked at. We just looked at something that was in Pictures. We're going to go ahead and go to "My Computer", "Pictures", and we see we have two subfolders, and we click on "Pictures". We see we have BagMRU slot 0. We have slot 1; we have our NodeSlot 85 that we looked at, which is Saved Pictures, and NodeSlot 84 is our Camera Roll. It's much easier to go ahead and look at it this way than it is to look at it the way we did before, manually. But what I want to make you aware of here is that this is showing you folders. It will not show files within the folders, but it will show folders and subfolders. If we want to take a look at Desktop, these are the folders that are on the Ivan computer desktop, and they are on there.

What's really great is it also shows us removable media. Remember, we had that E drive that we were able to locate and resolve back to the Ivan user. Now, we can see some of the folders that were on that removable media. We have FTK_IMAGER Lite, Ivan's exported Registry, and some other folders here. What we also see is not only that, but we have a created date, modified date, access date, first interacted with, and last interacted with. We even have the file system of that drive. Yes, it was exFAT that we were looking at. That was the one that had the GUID partition table. That is a four-terabyte external hard drive. It is GPT because it's over two terabytes, but it is formatted exFAT, not FAT32. We can take a look at F. F is a FAT file system.
There's a directory called "second try" on there, and we can see the file types for it. We can look at a G drive, and you can see the folders that were on this removable G drive that was attached to Ivan's computer; the file system was also exFAT. You can see Downloads, and we can expand Downloads. We can see that there's a folder there called New folder. We can expand New folder, and we can see that there's a folder called Packers on there, and Password Tools. We can expand that, and we can see the zip file in another directory that's inside this Packers folder. We can see when this directory was last accessed. We can see the type of file system this is; it's the NTFS file system. Down here you're going to have your BagMRU and your node positions; you're going to have an absolute file path. It's going to tell you where it is. It's on the Desktop: My Computer, Downloads, New folder, etc. You can see created and last accessed. We can even see the master file table entry number and the sequence number, and it has a last write time. The last write time is the key write time. This is referring back to the key, and when I say the key, I mean Downloads.

You can drill down, and you can see Ivan's exported Registry has subfolders, Amcache. If we look at Amcache, it is a directory. It was modified, with a date and time. Again, we can see our BagMRU slots, our positions; our NodeSlot would be 49. If we went back into the file system and looked at NodeSlot 49, we would be able to see this. We have created, last access, the name, the absolute path. This absolute path is showing the E drive, which is where it comes from. The other thing I want you to take notice of here: this is another F drive and another G drive. This F drive is not the same F drive that I plugged in to Ivan. Ivan is a VM that's been used by more than one person. It shows files that were previously mounted as drive F, prior to me mounting this folder as drive F, and it had other folders on it.
A folder called Password Crackers, Ophcrack; Ophcrack has a subfolder, which is an x64, and we see a zip file. It was probably downloaded as a zip. We can see the absolute path of that file. We can see here the dates and times of when it was last accessed. FAT file system. You can see other folders that were accessed on the system, and you can see their file paths. This is on the Desktop. I don't think there is Dropbox information, but we can see that Dropbox was accessed back in 2019 and last interacted with in 2020. There are only two directories in there. We can see items in the Control Panel and when they were interacted with. User Accounts, last interacted with fairly recently. You can see your path. It can drill down further. Deleted account, confirm deletion. We have a deleted user account on Ivan, and you could spend a lot of time going through here and looking at everything. There is a ton of information in here, and a lot of it may be important to your case. The Shared Documents folder: we see a Dropbox and a Google Drive. We have an absolute file path; we have a first interacted with. We have a created and a last access date. We have the master file table entry number and its sequence number.

There is quite a bit of information in ShellBags, and this tool displays it quite nicely. It is a free tool. But I want you to understand the structure of ShellBags: that we do have to look at the BagMRU key and then the Bags key, that there are slots and the nodes that we looked at, the NodeSlots. This proves that the user interacted with the directory. If it shows up here, they accessed it. We can say for sure that these folders were accessed, which is very important, because you may come across somebody, a suspect, who says, "Hey, I was never on my computer," or "I never interacted with that folder," or "I didn't know that folder was there."
If you're doing a case where maybe they have pictures they shouldn't have, or documents they shouldn't have, in a specific directory that's no longer on the computer when you get it to examine, but you find references to it in ShellBags, it shows that the user interacted with that directory, and this can be crucial information to your case. In our next section, we're going to continue with the UsrClass.dat, or the userclass.dat hive as it's usually referred to, and we're going to take a look at MuiCache, and we're going to take a look at the Windows Photos app.
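As an added example (not course material and not Eric Zimmerman's code), the following Python models the manual BagMRU-to-Bags resolution walked through above: it parses MRUListEx, follows each child's NodeSlot into Bags\<n>\Shell to recover the folder type, and builds the folder path. The hive contents are constructed to mirror the Pictures example, the binary shell items are replaced by the folder names they decode to, and the two folder-type GUIDs are assumed from the Windows SDK.

```python
import struct

TERMINATOR = 0xFFFFFFFF
# FOLDERTYPEID GUIDs as documented in the Windows SDK (assumed here; verify them
# against a reference list, as the speaker suggests, before relying on them).
GENERIC = "{5c4f28b5-f869-4e84-8e60-f11db97c5cc7}"
PICTURES = "{b3690e58-e961-423b-b687-386ebfd83239}"
FOLDER_TYPES = {GENERIC: "Generic folder", PICTURES: "Pictures"}

def parse_mrulistex(blob):
    """MRUListEx: little-endian DWORD child indexes, most recent first, 0xFFFFFFFF-terminated."""
    if len(blob) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", blob):
        if idx == TERMINATOR:
            return order
        order.append(idx)
    raise ValueError("MRUListEx has no 0xFFFFFFFF terminator")

def walk_bagmru(key, bags, parent=""):
    """Yield (path, NodeSlot, folder type) per BagMRU child in MRU order, recursing into children."""
    for idx in parse_mrulistex(key["MRUListEx"]):
        child = key["children"][idx]
        path = f"{parent}\\{child['name']}" if parent else child["name"]
        shell = bags.get(child["NodeSlot"], {}).get("Shell", {})   # Bags\<NodeSlot>\Shell
        folder_type = FOLDER_TYPES.get(shell.get("FolderType", "").lower(), "unknown")
        yield path, child["NodeSlot"], folder_type
        yield from walk_bagmru(child, bags, path)

def mru(*indexes):                     # build an MRUListEx value
    return struct.pack("<%dI" % (len(indexes) + 1), *indexes, TERMINATOR)

def node(name, slot, mrulist=mru(), children=None):
    # The binary shell item is replaced by the folder name it decodes to.
    return {"name": name, "NodeSlot": slot, "MRUListEx": mrulist, "children": children or {}}

# Constructed hive contents mirroring the walkthrough: BagMRU\0 -> NodeSlot 4,
# BagMRU\0\0 -> NodeSlot 1 (Pictures), its children 0 and 1 -> NodeSlots 84 and 85.
SAMPLE_BAGMRU = node("", 0, mru(0), {0: node("My Computer", 4, mru(0), {0: node(
    "Pictures", 1, mru(1, 0), {0: node("Camera Roll", 84), 1: node("Saved Pictures", 85)})})})
SAMPLE_BAGS = {4: {"Shell": {"FolderType": GENERIC}}, 1: {"Shell": {"FolderType": PICTURES}},
               84: {"Shell": {"FolderType": PICTURES, "Mode": 1, "IconSize": 96}},
               85: {"Shell": {"FolderType": PICTURES, "Mode": 1, "IconSize": 96}}}

def resolve_shellbags(bagmru=SAMPLE_BAGMRU, bags=SAMPLE_BAGS):
    return list(walk_bagmru(bagmru, bags))

if __name__ == "__main__":
    for path, slot, folder_type in resolve_shellbags():
        print(f"{path:40} NodeSlot={slot:<4} {folder_type}")
```

The MRU order puts Saved Pictures (NodeSlot 85) before Camera Roll (NodeSlot 84), matching the "1 and then 0" reading of that key's MRU list.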