Registry Data for Forensics, Incident Response, Pentest and Pivot – Part 1

While travelling to the US for securityBsides SF, RSA2010 and SANS2010 I have been thinking about writing a blog entry on how the data stored in the Windows Registry can be used in the context of forensic investigations, incident response, penetration testing and, as an extension of pen-testing, the art of pivoting mercilessly (as Ed Skoudis would say).

I hope to cover a number of registry keys in a series of posts. Each post will explain how the registry key is used by Windows and then describe how the key can be of use in each of the contexts outlined above. Finally, I will try to list any reference URLs and tools associated with these registry keys.

If anyone can come up with a better acronym than FIRPP I will happily change it, but I plan on calling it this going forward.




Description of Key/s
Windows uses the ShellBags to store the display settings and Most Recently Used (MRU) information for individual folders that have been opened or closed at least once in Windows Explorer. Information about remote folders is stored under the “Shell” key, while local folders are recorded under the “ShellNoRoam” key. The structure of the remote and local keys is identical.

Below the Shell/ShellNoRoam keys there are two subkeys, BagMRU and Bags. The BagMRU subkey, as the name suggests, records the most recently used folders opened or closed in Windows Explorer, and it is this subkey that lets you map the Bags to folder names. The top-level BagMRU key corresponds to the Desktop folder, and each numeric subkey represents a sub-folder (subdirectory) that was accessed below the Desktop folder.

Each numeric subkey contains a “NodeSlot” value, which links directly to the Bags key holding that folder's recorded display settings, and an MRUListEx value, which records the MRU order of the items in this key, with the leftmost 4 bytes representing the most recently opened/closed item.
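As an added illustration (example code, not part of the original post), here is a small Python parser for the MRUListEx value described above, which ranks a BagMRU key's numeric subkeys by recency and links each to its Bags key via NodeSlot. The registry tree it works on is a constructed sample with the folder names already decoded; decoding the shell item data stored in the numeric values is outside this example.

```python
import struct
from typing import Dict, List, Tuple

MRULISTEX_TERMINATOR = 0xFFFFFFFF  # DWORD that ends every MRUListEx value


def parse_mrulistex(data: bytes) -> List[int]:
    """Return the numeric subkey indices in MRU order, most recent first.

    MRUListEx is a run of little-endian DWORDs naming numeric subkeys of the
    current BagMRU key; the leftmost entry is the most recently opened/closed.
    """
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order: List[int] = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRULISTEX_TERMINATOR:
            break
        order.append(idx)
    return order


def bags_path(child: Dict) -> str:
    # NodeSlot points at Bags\<n>\Shell, which holds the folder's view settings
    return "Bags\\%d\\Shell" % child["NodeSlot"]


def order_bagmru_children(mrulistex: bytes,
                          children: Dict[int, Dict]) -> List[Tuple[int, str, str]]:
    """Rank a BagMRU key's numeric subkeys by recency and link each to its Bags key.

    `children` maps subkey index -> {"name": decoded folder name, "NodeSlot": int}.
    Indices in MRUListEx with no matching subkey are skipped; subkeys the list
    omits (stale entries) are appended after the ranked ones.
    """
    order = parse_mrulistex(mrulistex)
    ranked = [(i, children[i]["name"], bags_path(children[i]))
              for i in order if i in children]
    ranked += [(i, children[i]["name"], bags_path(children[i]))
               for i in sorted(children) if i not in order]
    return ranked


# Constructed sample (hypothetical, not from a real hive): three numeric subkeys
# under BagMRU with already-decoded folder names and their NodeSlot values.
SAMPLE_CHILDREN = {
    0: {"name": "My Documents", "NodeSlot": 3},
    1: {"name": "Copy of CreditCards", "NodeSlot": 7},
    2: {"name": "Tools", "NodeSlot": 9},
}
# MRUListEx: subkey 1 most recent, then 2, then 0, then the terminator.
SAMPLE_MRULISTEX = struct.pack("<4I", 1, 2, 0, MRULISTEX_TERMINATOR)
```

Running `order_bagmru_children(SAMPLE_MRULISTEX, SAMPLE_CHILDREN)` gives the folders in the order Explorer last touched them, each paired with the Bags key to inspect for its view settings.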

FIRPP Details:-
Forensics: The analysis of a computer's ShellBags can help forensic investigators determine historic usage of Windows Explorer and past folder usage (even for folders that have since been deleted). While this is not definite proof of wrongdoing, it may help confirm the likelihood of suspected actions having been undertaken, or provide helpful indicators that investigators can use to focus further analysis on the system. For example, a person may be suspected of copying company Intellectual Property onto a USB stick. By analysing the ShellBags you may find a folder on a drive letter such as E, F or G with a BagMRU folder item called “Copy of CreditCards”. While it is not proof, it does support the suspicion that initiated the investigation. The registry LastWrite times on the keys in BagMRU can be used to support a more comprehensive incident timeline. There is also MAC time information recorded in each of the numeric value entries of the BagMRU keys.

Incident Response: ShellBag information may not be a key part of incident response given the limited information it stores. One scenario that I can think of is to analyse the Shell key (i.e. the key that stores remote Bags) to determine recently accessed network shares. This information may be of use in cases where malware is known to propagate by trying to spread infections across UNC shares. Therefore, you can use the ShellBag information to identify network shares that have recently been accessed by users but may not be part of a normally mapped drive.

Pentest: In a penetration test and/or a capture-the-flag scenario the analysis of ShellBags may provide clues as to additional places to look for sensitive or required information. This is especially useful in the remote ShellBags for identifying remote folders that were accessed from non-mapped network drives, and could potentially reduce the time required to identify sensitive documents.

Pivot: The idea of pivoting is to use the already compromised machine (i.e. the machine whose registry you are analysing) as a jumping-off point to launch additional penetration attacks on other systems. In the case of ShellBags, you can use the “Shell” key to identify additional network systems that may be used as targets for pivoting.

MiTeC Registry Analyser (no longer available – last free version may be found via Google)
Paraben’s P2 Commander


Sans Forensics – Shellbags Registry Forensics
Using Shellbag information to reconstruct user activities

Shellbag Format Analysis
MiTec Registry Analyser
