In this post I will cover artifacts related to directory traversal. In the last post I went over the differences between USB transport protocols for when a USB is first attached to a system. In this post I will continue divulging the findings of my research by going over the directory traversal artifacts for MTP devices and compare them to the better understood MSC devices.
In forensics, when one mentions directory traversal, the artifact that comes to mind is Shell Items. In Windows, shell items keep track of the folders, files and more that a user accesses through Windows Explorer. In this post I will cover bagMRU entries for MSC devices, but only as a way to set up the discussion for MTP bagMRU entries. If you would like to learn more about shell items, feel free to check out the following links:
Currently, there is little information available for shell bagMRU entries related to MTP devices, so I hope to cover much information here.
1.0 Test 2: Traversing Folders in Windows Explorer
The purpose of this test was to compare folder traversal artifacts for MSC and MTP devices so that differences between the two protocols can be identified and analyzed. Also, keep in mind that the information provided in the analysis of the bagMRU entries may not be complete or entirely accurate as the Shell Item Format is an undocumented Windows structure and research is ongoing in the forensics community. I have provided, to the best of my ability, the most accurate information stemming from the research of others as well as my own personal research.
1.1 Scenario 1: Traversing Folders on an MSC Device in Windows 7
Shell items for MSC devices have been documented and studied in the forensic community, so the reason for including this section is mainly for comparison purposes with MTP devices.
To identify and analyze artifacts, the testing environment consisted of a clean install of Windows 7 with Service Pack 1 running as a virtual machine in VMWare. First, a device was inserted and initial reports were pulled from the system. Then, using Windows Explorer, the mount point associated with the device and several sub-folders were opened. Finally, change comparison reports were captured, and pertinent files were copied and cataloged.
While I will include only one example in this section, this test was run on a variety of MSC devices to ensure that the information to be presented is an accurate representation of what was found in testing.
1.1.2 Example: Traversing Folders on a Flash Drive
A SanDisk Cruzer thumb drive was attached to a VM running Windows 7. Then, Windows Explorer was opened where it could be observed that the device was mounted under “Devices with Removable Storage” and was given drive letter (E:). To populate entries in the registry under the bagMRU key, first E:\ was opened, then the folder “test-folder1”, then “test-subfolder 2”.
As a result, the following entries were created in the UsrClass.DAT hive:
- E:\ – \Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0:
- “test-folder1” – \Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0:
- “test-subfolder 2” – \Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0\0:
For an analysis of the registry entries created, see image 220.127.116.11 below.
1.2 Scenario 2: Traversing Folders on an MTP Device in Windows 7
In Windows 7, when comparing the information found for MSC devices to MTP devices, the overall structure of the Shell bagMRU keys and subkeys were vastly different.
From testing, it was apparent that bagMRU entries for MTP devices is much more complex than MSC devices. In this section, we will look at the bagMRU entries that are populated as a result of traversing directories on a Galaxy S3 phone as our example. For the limited number of MTP devices tested, the bagMRU entries that were generated remained fairly consistent in structure with a few minor differences.
To identify and analyze artifacts, the testing environment consisted of a clean install of Windows 7 with Service Pack 1 running as a virtual machine in VMWare. First, a device was inserted and initial reports were pulled from the system. Then, using Windows Explorer, the mount point associated with the device and several subfolders were opened. Finally, change comparison reports were captured, and pertinent files were copied and cataloged.
You can download the registry files for the MTP devices tested below:
1.2.1 Example: Traversing Folders on a Samsung Galaxy S3 Phone
A Samsung Galaxy S3 phone was attached to a VM running Windows 7 using MTP. Then, Windows Explorer was opened where it could be observed that the device was mounted under “Portable Devices” and was given the name “SCH-I535”. To populate entries in the registry under the bagMRU key, first “SCH-I535” was opened. After opening the root device, two storage areas were available: “Card” and “Phone”. The storage area “Card” was opened first, then the folder “Android”, then the sub-folder “data” was opened. Next, the storage area “Phone” was opened, then the folder “Alarms” was opened.
After navigating through the directories, the following entries in the registry were created:
- “SCH-I535” – UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0:
- “Card” – UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0:
- “Phone” – UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\1:
- “Android” – UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0\0:
- “data” – UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7\0\0\0\0:
It should be noted that even though the folder “Alarms” was opened, it did not create a BagMRU entry. Currently, I am unsure why this is the case and further research will be required.
1.2.2 MTP Shell bagMRU Entries: A Closer Look
The data contained within the key \Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7 for value name “0” identifies the DeviceInstance ID (device path) and the FriendlyName (device name) of the device that was mounted. As shown below, the entry has a considerably different structure than was seen for MSC devices. See image 18.104.22.168 below for a detailed analysis.
For MTP devices, there may be more than one storage area. For example, tablets and smart phone sometimes have two storage areas: internal storage and external storage (a microSD card). If that is the case, each storage area will be mounted within Windows Explorer under the root of the device. By opening the root mount point for the device in Windows Explorer, the storage areas for the device are displayed as separate “drives”. If the device has only one storage area, then only one “drive” will be listed. In the example below, the Samsung Galaxy S3 phone (mounted as SCH-I535) has two storage areas: one labeled “Card” and one labeled “Phone”.
While the format for the Storage ID (begins with “SID”) for a device’s storage area, as shown below, is not known and requires further research, a common feature is that the first comma separated value appears to classify primary and secondary storage areas. Where 10001 represents the devices main storage (or internal) and 20002 represents a secondary storage area on the device.
For the analysis, I have included only the entry related to “Card”. See image 22.214.171.124 below for more details.
For MTP devices, the folders contained within each storage area also have a very different bagMRU entry structure compared to bagMRU entries for MSC device folders. See the image 126.96.36.199 below for a detailed look at the bagMRU entry created for the folder “Android” found in the storage area “Card”.
As seen previously, MTP bagMRU entries are considerably different from their MSC counterparts. Due to the prolific nature of shell items across the Windows operating system, it is important for an examiner to understand the structure of these entries in the event that they were to come across them during an analysis of a system. Currently, not all tools account for MTP devices in the reporting output. Therefore, an examiner may have to manually verify whether these entries exist and the nature of those entries if deemed pertinent to an investigation.
You can download the bagMRU entry analysis in the form of an excel spreadsheet here:
In the next post of this series, I will cover artifacts generated as a result of opening files from MTP devices, as well as revisiting MSC artifacts related to opening files.