
Re: [win4n6] Re: DOSDate time stamps in shell items

  • Sebastien Bourdon-Richard
    Oct 31, 2012

      Harlan,

      First, sorry for the reply delay! 

      Just saw your new blog post and it reminded me that I had not replied to your other mail ;)


      > Does this methodology create or modify a Shellbag artifact? I don't see where an Explorer window was modified or closed.

      This methodology creates an ItemPos1024x768 for the newly created file, inside an existing bag. Creating a new file is a shell modification, so I don't need to resize the window. On the last line of my methodology, I close the Explorer window.


      > Rob Lee had mentioned something about this artifact a while back...I was not able to find something similar on Win7, nor was I able to replicate the artifact.

      Shellbags are enabled when Remember each folder's view settings is selected under the Advanced settings menu on the View tab of Folder Options.

      This function doesn't exist anymore on Windows 7. Go into your Windows 7 help file and search for "Folders: frequently asked questions". Then select: "Why doesn't Windows remember a folder window's size and location on the desktop?". You will find why you are not able to find something similar on Win7:

      "In Windows Vista, a folder window opens at the same size and location on the desktop that it did the last time you closed it, based on the location where the folder is stored. For example, if you resize the Music folder window and then close it, it'll be the same size the next time you open it.

      Windows 7 remembers one size and location setting for all your folders and libraries. So each time you open Windows Explorer, it'll open at the same size and location on the desktop that it did the last time you closed it, regardless of which folder or library you open."


      > Back to my original question...how valuable are the M and A times for these artifacts? For example, your tests were on WinXP, and updating of last access times are disabled by default on Vista+. 

      It always depends on the case, but I can see a value for M and A. I think the times found inside the SHITEM_FILEENTRY structure represent a snapshot in time of the MAC times. I agree with you that M and A times can cause noise on a big timeline. Usually, when I use timeline analysis, I focus only on a small period (i.e. a couple of minutes up to a maximum of one or two days). Because my timeline analysis focuses on a small period, noise is not a problem for me. Also, I consider the value of the M and A times to be the same as the MAC times found in the MFT: AV scans and user activity can modify them.


      > Also, the file you created can be accessed and/or modified by actions/events that have nothing to do with Shellbags (ie, AV scans, use of the redirection operator, etc.); as such, at any given point in time, how useful/valuable/credible are those times?

      Yes, the time values in ItemPos have nothing to do with Shellbags. The Created time found in the shellbag ItemPos key also has nothing to do with shellbags. These values reflect the state of the MFT when the shellbag is created in memory [1] (at this step, the shellbag is not yet written to the registry in the Shell\Bags key).


      > Next, we see that MRU Time values correspond approximately to when the D:\shellbag\test folder was opened and then resized/repositioned via the Explorer shell, and not to when the Explorer window was actually closed. [2]

      Our tests are similar but not exactly the same:
      • I used XP SP3 in my tests and focused on the ItemPos value
      • In my tests, the LastWrite time is the last time Windows Explorer was closed. My tests focused on the ItemPos key (which is located in ShellNoRoam\Bags). The data from your tests comes from ShellNoRoam\BagMRU.

      A hypothesis would be that the LastWrite time of the BagMRU folder is when Explorer is opened and the LastWrite time of the Bags folder is when Explorer is closed. More tests are needed on this.

      I have found new things for the SHELLITEM structure and I will post them in a separate email.

      English is not my first language, so I hope everything makes sense :-)

      Regards, 

      Sebastien

      [1]: ICategoryProvider::GetDefaultCategory is called only when a folder is first opened. After that, the user's grouping choice is cached in the property bag storing the state of the view. 



      On Sun, Oct 21, 2012 at 7:31 AM, keydet89 <keydet89@...> wrote:
       


      > the LastWrite for C:\Document and settings\User\Desktop\Test will be the
      > time explorer has been closed and not the last time user has accessed the
      > Test folder.

      Good to know, thanks!

      > *Methodology:*
      >
      > - Create one text file at 00:00:00 (right click, new, text file)
      > - Wait 00:01:30
      > - Double click on the file, put text in it, save it, then close it
      > - Wait 00:01:00
      > - Close explorer
      >
      > *Results:*
      >
      > LastWrite will be 00:02:30

      Does this methodology create or modify a Shellbag artifact? I don't see where an Explorer window was modified or closed.


      > New ItemPos1024x768 key has been created for the new text file. Dates are:
      >
      > - Created: 00:00:00
      > - Modified: 00:01:30
      > - Access: 00:01:30

      Rob Lee had mentioned something about this artifact a while back...I was not able to find something similar on Win7, nor was I able to replicate the artifact.

      Thanks for your efforts thus far. Back to my original question...how valuable are the M and A times for these artifacts? For example, your tests were on WinXP, and updating of last access times are disabled by default on Vista+. Also, the file you created can be accessed and/or modified by actions/events that have nothing to do with Shellbags (ie, AV scans, use of the redirection operator, etc.); as such, at any given point in time, how useful/valuable/credible are those times?
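As an added illustration of the DOSDate/DOSTime stamps the thread's subject refers to (example code written for this page, not from either poster), the following decodes the 4-byte FAT date-and-time field carried in shell item file entries and shows why such a stamp can differ from the MFT time it was taken from. It assumes the 16-bit date word precedes the 16-bit time word, both little-endian, that an all-zero field means "no timestamp", and that the value is local time with no zone information; the sample bytes are constructed.

```python
import struct
from datetime import datetime

# Bit layout of the two 16-bit words (FAT / DOSDate + DOSTime encoding):
#   date: bits 0-4 day (1-31), bits 5-8 month (1-12), bits 9-15 year - 1980
#   time: bits 0-4 seconds/2,  bits 5-10 minutes,     bits 11-15 hours
# Assumption: shell item file entries store the date word first, then the
# time word, both little-endian; an all-zero field means the stamp is unset.
# The value carries no time zone (it is local time), unlike NTFS FILETIME (UTC).

def decode_fat_datetime(raw):
    """Decode a 4-byte DOSDate/DOSTime field into a naive (local) datetime."""
    if len(raw) != 4:
        raise ValueError("FAT date/time field is exactly 4 bytes")
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None  # no timestamp recorded
    day = date & 0x1F
    month = (date >> 5) & 0x0F
    year = 1980 + (date >> 9)
    seconds = (time & 0x1F) * 2  # 2-second resolution: odd seconds cannot occur
    minutes = (time >> 5) & 0x3F
    hours = time >> 11
    return datetime(year, month, day, hours, minutes, seconds)

def encode_fat_datetime(dt):
    """Encode a datetime into the 4-byte field, truncating to 2-second steps."""
    if not 1980 <= dt.year <= 2107:
        raise ValueError("year outside the FAT range 1980-2107")
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)

def fat_precision_loss(iso_timestamp):
    """Seconds dropped when a high-resolution timestamp (e.g. an MFT time,
    given here as an ISO 8601 string) is stored as DOSDate/DOSTime. This is
    why a shell item stamp need not match the MFT stamp to the second."""
    original = datetime.fromisoformat(iso_timestamp)
    stored = decode_fat_datetime(encode_fat_datetime(original))
    return (original - stored).total_seconds()

# Constructed sample: 2012-10-31 14:30:10 local -> date 0x415F, time 0x73C5
SAMPLE_STAMP = bytes.fromhex("5f41c573")

if __name__ == "__main__":
    print(decode_fat_datetime(SAMPLE_STAMP))
    print(fat_precision_loss("2012-10-31T23:59:59.500000"))
```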



