Episode Transcript
0:00
This week I'm talking about ShellBags and PCA. Welcome to the Digital Forensics Survival Podcast, episode 458.

0:16
Hello everyone, I'm Michael, your host. Welcome to the show. This week I decided to talk about ShellBags, something I've talked about in the past. So we'll be looking at this from an update perspective, and I'm going to loop in an artifact I haven't covered before, which is PCA. It's somewhat related to ShellBags in its utility, so the two can go hand in hand and really complement each other during a Windows investigation. So as always, what I have coming up for you is a breakdown of the artifact and then we'll talk about triage strategy. Be right back.

0:54
EDRs, XDRs and remote ops don't collect all the artifacts you need for incident response, but they can be leveraged to collect more using Cyber Triage. Visit cybertriage.com/EDR to learn more about how to collect more DFIR artifacts using your EDR, XDR or remote ops system. Cyber Triage automatically surfaces relevant startup items, user logins and processes so you could spend more time investigating and less time wrangling data. Once again, visit cybertriage.com/EDR to learn more.

1:35
Unlock the gold standard in Mac forensic training with SUMURI. Their courses are the longest running, highest rated and are truly vendor neutral, ensuring you're equipped with the skills you need to perform forensics free of sales pitches. Designed by Steve Whalen, the mastermind behind PALADIN, RECON and TALINO, SUMURI's training has empowered thousands of examiners globally. Plus, they also offer the Certified Forensic Mac Examiner, the only vendor-neutral certification in the industry. Deep dive into Mac forensics with the experts. Learn more at sumuri.com.

2:10
Facing an overflow of evidence drives? Image 26 drives at a time with Atola TaskForce 2. This high-performance hardware imager reassembles unknown RAID arrays, supports damaged drives, and can be integrated into your workflow via API. Learn more at atola.com. Once again, that's atola.com.
2:38
All right, so this week is basically about evidence of execution on Windows systems, and we're looking at two artifacts in particular, Windows ShellBags and the Program Compatibility Assistant, or PCA, and I'm going to get into both of them. I'll start with ShellBags.

2:56
So ShellBags are a set of registry keys, and they're designed to track folder viewing preferences of a specific user account. So things like window size, position, view mode, and this is as it relates to how the window presents in Windows Explorer. This was originally intended to enhance user experience, but like many forensic artifacts, those that are doing investigations have seen it as a way to capture evidence of execution, because they record folder access, not only for local files, but also for removable devices and network shares. The latest iteration of ShellBags in Windows 11 will persist, or the evidence will persist, even after folders are deleted or the media is removed. So it's an ideal artifact for what can be called file use and knowledge investigations, when you're looking to see where and...

6:01
So that's one thing that you'll have to resolve. So for each account on the system, you'll have to resolve the SID in order to make that correlation. On a typical user endpoint these days, you have one account. You may have two accounts, like an admin account and a standard account, something like that. But typically it's all attributed to one user. So you'll have... Each bag will be designated a number, then you'll have a path. And then you'll have the BagMRU key, and this is the information that you're looking for.

6:37
So the BagMRU key contains the MRUListEx. And this is going to show the most recently accessed folders. So zero is going to be the last one. This is usually on top. And then you'll see exactly where they are. So you may see something that says like Desktop, or actually like C:\Users\John Doe\Desktop, and then a sample folder, or wherever they navigated to. So in this way you get some idea of... Or you could quickly understand some of the frequently accessed locations, at least by Windows Explorer, that the user has accessed, or at least the latest ones.

7:22
At last check, the key is going to hold 5,000 folder view settings before it begins to roll and overwrite itself. So I guess for the typical experience, this is enough to probably get the history from the beginning of the system, when it was first powered on, until years later, for, I guess, your typical user. Mileage may vary, I suppose, but that's still a very high number. So in terms of the expectation for the evidence, you can go pretty far back. Say something that happened on a system six months previously, there's still a good chance that you may have an entry for it way down somewhere in the MRU list.

8:12
Now, ShellBags do not directly record time, so no created, modified or accessed timestamps for files and folders. However, they indirectly track some timing information through other metadata associated with user interactions with the folders. So let's break that down a little bit. Let's start with modified and accessed times. This is some of your indirect evidence. ShellBags primarily focus on folder view settings and interaction with folders, such as the layout and their view preferences. The timestamps associated with a folder interaction are captured by the BagMRU keys. The MRUListEx tracks the most recently accessed folder. So the order, again, it's going to start from zero: zero, one, two, in descending order. And so that's going to give you insight into folder access in relation to each other. But again, no explicit timestamps there.

9:15
So what do you do? Well, you can infer time information by analyzing the registry keys' last write time. The last write time for the BagMRU and the Bags registry keys indicates when the folder settings were last updated, which could correspond to when the user last modified or accessed the folder. These timestamps are stored in the metadata of the registry. And so you can retrieve this information and get that context. So for example, when a folder is opened or viewed, the corresponding BagMRU and Bags entries are updated, which changes the last write time of those registry keys.

10:02
Now of course, nothing is preventing you from grabbing the MAC times from the folder itself, so its create time, modification time, and last access time, and rolling that into the analysis for greater context. So at a minimum, ShellBags are going to show you that a user account accessed a folder in Windows Explorer. And then if you work at it, you could probably start getting some idea of the timing behind that. And then of course, you have the order that you can play with as well. But I guess the core value of the artifact is it shows you the account opened that folder within Windows Explorer, which typically means a lot.
10:51
All right, so now let's switch over to PCA artifacts, or Program Compatibility Assistant, in Windows 11. With PCA artifacts, these artifacts track compatibility settings for applications that may not function optimally on newer versions of Windows. So an old application running on Windows 11, for example. They can provide you, as an analyst, insight into which programs are executed, so when they were run and under what circumstances the system adjusted compatibility. So this artifact is very useful in identifying user interactions with legacy applications, especially with compatibility issues. I'll get more into that.

11:39
So the correlation with ShellBags is that both PCA and ShellBags help in reconstructing user activity. The PCA artifacts show which legacy or incompatible applications the user may have interacted with, while the ShellBags show the behavior, or the navigation behavior, more accurately within the file system.

12:02
Now, the PCA artifacts are typically located in the registry. And this is HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant, and then you have Persisted. PCA evidence is provided in the form of key-value pairs, which indicate details about specific applications that encountered compatibility issues.

12:30
So for instance, going to that registry location, let's say an old version of a software application called oldapp.exe was executed. And because it was an old app with some compatibility issues, it triggered the PCA. So the evidence in the registry under that key may look like the actual file path to the executable. So let's just say it was under Program Files in a folder called Old Software, and that's where it was executed from. In the registry key, you'll see C:\Program Files\Old Software\oldapp.exe. There will also be a hex string with that as well. This is encoded data about the compatibility event. So this could include timestamps, compatibility settings, and other relevant information.

13:31
Now, I want to address something that does come up with PCA artifacts, which is that it's just for compatibility issues, which is partially true. So while PCA is typically triggered when an application exhibits compatibility problems, so like I said, running a new version of Windows and then running an old app, there are some other circumstances that may trigger it, which is something to keep in mind as an analyst, how it comes into play.

14:03
So, applications not marked as compatible. So the PCA flags applications that aren't specifically designed for the current version of Windows. So this is your legacy applications. Then there's also applications performing risky operations. This will trigger PCA by behaviors such as requesting elevated privileges, admin rights, or trying to modify system files in a way that may cause instability. Then there's common application failures. PCA can detect frequent application crashes or failures, which could suggest compatibility setting issues, which could result in the artifact being created. Known compatibility problems is another one. PCA can recognize applications or executables that are in Microsoft's compatibility database, even if they are not necessarily considered legacy. And this would include software known to have issues with certain system configurations. And then there's user-selected compatibility settings. So this is if a user manually sets compatibility settings, such as "run in compatibility mode for Windows 7" for any application, PCA may record these interactions in the registry.

15:24
So what this all means is that PCA artifacts exist for a broad range of applications beyond just legacy software. They encompass any executable that triggers compatibility concerns, requires elevated privileges, causes crashes or interacts with Windows in a way that could potentially lead to system instability. So PCA artifacts should not solely be attributed to legacy applications, but any software that may not run optimally or pose risks to system stability. And one of the things that I wanted to... take away from this breakdown is malware. Like a lot of malware or buggy code could trigger PCA artifacts, which typically are the types of artifacts that come up during forensic investigations.

16:17
So there you have it. These are two core Windows artifacts that come up in a lot of modern-day Windows investigations, especially user endpoint investigations where you're looking to, say, look at a specific account and either profile it, or look at it to timeline or get some insight into activity within a certain timeframe: what files or folders were accessed and what was executed. With these two artifacts, simply knowing where to go in the registry to pull the information with a tool is all you need. And a lot of your forensic suites will do this for you. Again, you just have to know where to look. So if you haven't checked out the PCA artifact, it's worthwhile. Again, anything that's capturing evidence of execution is huge in a number of different ways.

17:13
So I hope you found this information useful. As always, don't forget to check out the SDF training series. It's online, on-demand computer forensic training and it's aimed at teaching you a valuable skill in about an hour or two. All of the classes are at the website, which is securityttx.com/SDF. They're also on Udemy, that's u-d-e-m-y.com. Just type in SDF in the search window and my classes come up. And with that, I'll wrap up this episode. Thanks for listening.