shellbags.py
============

Introduction
------------

shellbags.py is a cross-platform, open-source shellbag parser. The webpage http://www.williballenthin.com/forensics/shellbags/index.html describes the algorithm in detail.

Note that shellbags.py was originally developed as a sample for python-registry, so this repository is a fork that contains the python-registry history through version v0.2.4.1. The initial shellbags.py tag is v0.5.

Dependencies
------------

shellbags.py requires Python 2.7, argparse, six and python-registry.

Usage
-----

shellbags.py accepts the path to a raw Windows Registry hive. This hive should be acquired forensically. To ensure interoperability, output is formatted according to the Bodyfile specification by default.

Parameters::

    usage: shellbags.py [-h] [-v] [-p] [-o {csv,bodyfile}] file [file ...]

    Parse Shellbag entries from a Windows Registry.

    positional arguments:
      file               Windows Registry hive file(s)

    optional arguments:
      -h, --help         show this help message and exit
      -v                 Print debugging information while parsing
      -p                 If debugging messages are enabled, augment the formatting with ANSI color codes
      -o {csv,bodyfile}  Output format: csv or bodyfile; default is bodyfile

Example::

    $ python shellbags.py ~/projects/registry-files/willi/xp/NTUSER.DAT.copy0
    0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
    0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456
    0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050
    0|\My Documents\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154
    0|\My Documents\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152
    0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
    0|\My Documents\My Dropbox\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088
    0|\My Documents\My Dropbox\Tools\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092
    0|\My Documents\My Dropbox\Tools\Windows\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140
    0|\My Documents\My Dropbox\Tools\Windows\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140
    0|\My Documents\My Dropbox\Tools\Windows\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140

Wanted
------

*) Bug reports.
*) Feedback.

License
-------

shellbags.py is released under the Apache 2.0 license.

Sources
-------

1) "Using shellbag information to reconstruct user activities" by Yuandong Zhu, Pavel Gladyshev, and Joshua James, which may be accessed at http://www.dfrws.org/2009/proceedings/p69-zhu.pdf
2) "MiTeC Registry Analyzer" by Allan S Hay, which may be accessed at http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf
3) "sbag" by TZWorks, which may be accessed at http://www.tzworks.net/prototype_page.php?proto_id=14
4) "Shell BAG Format Analysis" by Yogesh Khatri, which may be accessed at https://42llc.net/?p=385
5) "Windows Shell Item format specification" by Joachim Metz, which may be accessed at http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf
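The Bodyfile output above is what an analyst usually feeds into a timeline tool, but it is also easy to consume directly. The following is an added example, not code from shellbags.py: it parses the README's sample output into records, converts the epoch fields to UTC timestamps, and builds a sorted timeline. It assumes the Sleuth Kit 3.x Bodyfile field order (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and the " (Shellbag)" suffix that shellbags.py appends to each name; the sample lines are copied from the example output shown in the README, and the field names in the timeline are the Bodyfile column names, not an interpretation of what each timestamp means for a shellbag.

```python
"""Parse shellbags.py Bodyfile output into a sorted, human-readable timeline.

Added example, not part of shellbags.py. Field order follows the Sleuth Kit
3.x Bodyfile layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Tuple

SUFFIX = " (Shellbag)"  # shellbags.py appends this to every name field

# Sample input: the README's example output for a Windows XP NTUSER.DAT.
SAMPLE_OUTPUT = r"""
0|\My Documents (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\Downloads (Shellbag)|0|0|0|0|0|1282762334|1282762334|18000|1281987456
0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|1281989096|1282762296|18000|1281989050
0|\My Documents\My Music (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987154
0|\My Documents\My Pictures (Shellbag)|0|0|0|0|0|1281995426|1282239780|18000|1281987152
0|\My Documents\My Dropbox (Shellbag)|0|0|0|0|0|978325200|978325200|18000|978325200
0|\My Documents\My Dropbox\Tools (Shellbag)|0|0|0|0|0|1281989092|1281989092|18000|1281989088
0|\My Documents\My Dropbox\Tools\Windows (Shellbag)|0|0|0|0|0|1281989140|1281989140|18000|1281989092
0|\My Documents\My Dropbox\Tools\Windows\7zip (Shellbag)|0|0|0|0|0|1281993604|1284668784|18000|1281989140
0|\My Documents\My Dropbox\Tools\Windows\Adobe (Shellbag)|0|0|0|0|0|1281994956|1284668784|18000|1281989140
0|\My Documents\My Dropbox\Tools\Windows\Bitpim (Shellbag)|0|0|0|0|0|1281994656|1284668784|18000|1281989140
"""


class ShellbagRecord(NamedTuple):
    path: str
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_bodyfile_line(line: str) -> ShellbagRecord:
    """Split one Bodyfile line into a record.

    '|' is a reserved character in Windows file names, so a plain split on it
    cannot break inside the path. Anything that is not exactly 11 fields is
    rejected rather than guessed at.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 11:
        raise ValueError("expected 11 '|'-separated fields, got %d: %r" % (len(fields), line))
    name = fields[1]
    path = name[: -len(SUFFIX)] if name.endswith(SUFFIX) else name
    atime, mtime, ctime, crtime = (int(v) for v in fields[7:11])
    return ShellbagRecord(path, atime, mtime, ctime, crtime)


def parse_bodyfile(text: str) -> List[ShellbagRecord]:
    """Parse every non-blank line of a Bodyfile document."""
    return [parse_bodyfile_line(ln) for ln in text.splitlines() if ln.strip()]


def to_iso(epoch: int) -> str:
    """Render a Unix timestamp as ISO 8601 in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def build_timeline(records, fields=("mtime", "crtime")) -> List[Tuple[str, str, str]]:
    """Flatten records into (iso_time, field, path) tuples, oldest first.

    The sort key is the raw epoch so ordering does not depend on string
    formatting; ties are broken by field name and then by path.
    """
    events = []
    for rec in records:
        for field in fields:
            events.append((getattr(rec, field), field, rec.path))
    events.sort()
    return [(to_iso(epoch), field, path) for epoch, field, path in events]


def duplicate_paths(records) -> List[str]:
    """Paths that occur more than once, in first-seen order.

    The sample output lists "\\My Documents\\My Dropbox" twice with different
    timestamps; the parser keeps both rows instead of silently merging them.
    """
    seen, dupes = set(), []
    for rec in records:
        if rec.path in seen and rec.path not in dupes:
            dupes.append(rec.path)
        seen.add(rec.path)
    return dupes


if __name__ == "__main__":
    recs = parse_bodyfile(SAMPLE_OUTPUT)
    for when, field, path in build_timeline(recs):
        print("%s  %-6s  %s" % (when, field, path))
    print("duplicate paths:", duplicate_paths(recs))
```

Two points worth noticing when running it: the ctime column in the sample is 18000 on every row, which to_iso renders as a 1970 date, so it is left out of the default timeline rather than presented as an event; and the same path can appear more than once with different timestamps, which duplicate_paths surfaces so that a reviewer decides how to treat the rows instead of the parser dropping one.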
python-evtx: Pure Python parser for Windows Event Log files (.evtx)
python-idb: Pure Python parser and analyzer for IDA Pro database files (.idb).
python-registry: Pure Python parser for Windows Registry hives.
INDXParse: Tool suite for inspecting NTFS artifacts.
EVTXtract: EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
process-forest: Reconstruct process trees from event logs
idawilli: IDA Pro resources, scripts, and configurations
python-sdb: Pure Python parser for Application Compatibility Shim Databases (.sdb files)
lancelot: intel x86(-64) code analysis library that reconstructs control flow
python-ntfs: Open source Python library for NTFS analysis
ida-netnode: Humane API for storing and accessing persistent data in IDA Pro databases
govt: Virustotal API for Go
python-dotnet-binaryformat: Pure Python parser for data encoded by .NET's BinaryFormatter
python-evt: Pure Python parser for classic Windows Event Log files (.evt)
go-reversing: Resources for reverse engineering Go binaries
python-vb: analysis of visual basic code
LfLe: Recover event log entries from an image by heuristically looking for record structures.
viv-utils: Utilities for working with vivisect
ida-settings: Fetch and set configuration values from IDAPython scripts
wevt_template: extract and parse WEVT_TEMPLATEs from PE files
Autopsy-WindowsRegistryContentViewer: no longer maintained
reversing-clj: messing around writing reversing tools in clojure
Autopsy-WindowsRegistryIngestModule: no longer maintained
siglib: function identification signatures
python-pyqt5-hexview: PyQt5 hex viewer widget.
ucutils: Convenience routines for working with the Unicorn emulator in Python
python-pyqt5-vstructui: PyQt5 vstruct hex viewer widget.
Rejistry: Pure Java parser for Windows Registry hive files.
vivisect-vstruct: standalone copy of vstruct from vivisect
dotfiles: Local configuration files for various Linux tools
williballenthin.com: Source for my personal website
zydis-wasm: example project with zydis targeting wasm
cfg-ui: experiments in user interfaces around control flow graphs
highlighter-minor-mode: An Emacs minor mode for log analysis.