shellbags.py
===============

Introduction
------------
shellbags.py is a cross-platform, open-source shellbag parser.
The webpage
http://www.williballenthin.com/forensics/shellbags/index.html
describes the algorithm in detail.
Note that shellbags.py was originally developed as a sample
for python-registry, so this repository is a fork that contains
the python-registry history through version v0.2.4.1.
The initial shellbags.py tag is v0.5.

Dependencies
------------
shellbags.py requires Python 2.7, argparse, and python-registry.

Usage
-----
shellbags.py accepts the path to a raw Windows Registry hive.
This hive should be acquired forensically.
To ensure interoperability, output is formatted according to the Bodyfile specification by default.

Parameters:
usage: shellbags.py [-h] [-v] [-p] [-o {csv,bodyfile}] file [file ...]

Parse Shellbag entries from a Windows Registry.

positional arguments:
  file        Windows Registry hive file(s)

optional arguments:
  -h, --help  show this help message and exit
  -v          Print debugging information while parsing
  -p          If debugging messages are enabled, augment the formatting with
              ANSI color codes
  -o {csv,bodyfile}
              Output format: csv or bodyfile; default is bodyfile

Example:
$ python shellbags.py ~/projects/registry-files/willi/xp/NTUSER.DAT.copy0
0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456
0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050
0|\My Documents\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154
0|\My Documents\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152
0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\My Dropbox\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088
0|\My Documents\My Dropbox\Tools\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092
0|\My Documents\My Dropbox\Tools\Windows\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140
0|\My Documents\My Dropbox\Tools\Windows\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140
0|\My Documents\My Dropbox\Tools\Windows\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140
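The bodyfile rows above are meant to be fed into timeline tooling, and a common follow-up step is to turn them into a sorted UTC timeline of folder-browsing activity. The following is an added example, not part of shellbags.py or python-registry; it assumes the TSK 3.x bodyfile field order (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime) with timestamps as Unix epoch seconds, which is the layout the rows above follow. The sample rows are constructed in the shape shellbags.py prints. It is written for Python 3 rather than the Python 2.7 the tool itself targets.

```python
"""Parse shellbags.py bodyfile output into a UTC timeline.

Added example; not part of shellbags.py. Assumes the TSK 3.x bodyfile
field order MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime,
with the four timestamp columns as Unix epoch seconds (assumption).
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import NamedTuple

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
SHELLBAG_SUFFIX = " (Shellbag)"   # shellbags.py appends this to every path

# Constructed sample: three rows in the shape shellbags.py prints.
SAMPLE_BODYFILE = (
    "0|\\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200\n"
    "0|\\My Documents\\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456\n"
    "0|\\My Documents\\My Dropbox\\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088\n"
)


class ShellbagRecord(NamedTuple):
    path: str
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_bodyfile_line(line: str) -> ShellbagRecord:
    """Split one bodyfile row into a record; raise ValueError on a malformed row.

    Splitting on '|' is safe here because Windows forbids '|' in folder names,
    so a shellbag path can never contain the field separator.
    """
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(parts), line))
    row = dict(zip(FIELDS, parts))
    name = row["name"]
    if name.endswith(SHELLBAG_SUFFIX):
        name = name[: -len(SHELLBAG_SUFFIX)]
    # Timestamp columns must be integers; int() raises ValueError otherwise,
    # which surfaces a corrupted or hand-edited row instead of silently skipping it.
    return ShellbagRecord(name, int(row["atime"]), int(row["mtime"]),
                          int(row["ctime"]), int(row["crtime"]))


def parse_bodyfile(text: str) -> list[ShellbagRecord]:
    """Parse all non-empty lines of a bodyfile dump."""
    return [parse_bodyfile_line(ln) for ln in text.splitlines() if ln.strip()]


def to_iso(epoch: int) -> str:
    """Render an epoch-seconds value as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def timeline(records: list[ShellbagRecord], key: str = "mtime") -> list[tuple[str, str]]:
    """Return (iso_utc, path) pairs ordered by the chosen timestamp column.

    sorted() is stable, so rows sharing a timestamp keep their input order.
    """
    ordered = sorted(records, key=lambda r: getattr(r, key))
    return [(to_iso(getattr(r, key)), r.path) for r in ordered]


if __name__ == "__main__":
    for when, path in timeline(parse_bodyfile(SAMPLE_BODYFILE), "crtime"):
        print(when, path)
```

Note that the ctime column is 18000 in every row of the page's sample output; the example converts it faithfully to 1970-01-01T05:00:00Z rather than treating it as a real event time, so choose `mtime` or `crtime` as the timeline key when working with this tool's output.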

Wanted
------
*) Bug reports.
*) Feedback.

License
-------
shellbags.py is released under the Apache 2.0 license.

Sources
-------
1) "Using shellbag information to reconstruct user activities" by
   Yuandong Zhu, Pavel Gladyshev, and Joshua James, which may be
   accessed at http://www.dfrws.org/2009/proceedings/p69-zhu.pdf
2) "MiTeC Registry Analyzer" by Allan S Hay, which may be accessed at
   http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf
3) "sbag" by TZWorks, which may be accessed at
   http://www.tzworks.net/prototype_page.php?proto_id=14
4) "Shell BAG Format Analysis" by Yogesh Khatri, which may be accessed
   at https://42llc.net/?p=385
5) "Windows Shell Item format specification" by Joachim Metz, which
   may be accessed at http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf