Windows 10 feature updates have far reaching impacts on a digital forensic investigation. Released twice a year in Windows 10, these updates essentially install a new version of the Windows operating system when they’re applied. From clearing event logs to removing common USB storage registry subkeys and more, feature updates touch many artifacts often relied upon in digital investigations.
ShellBags are a popular artifact in Windows forensics often used to identify the existence of directories on local, network, and removable storage devices. ShellBags are stored as a highly nested and hierarchal set of subkeys in the UsrClass.dat registry hive of Windows 10 systems (although they’ve been around since much earlier versions of Windows). The structure and layout of shellbags has been covered in numerous locations (such as here and here), so I won’t be detailing that. Instead, the focus of this post is to highlight the impact of Windows 10 feature updates as it relates to the interpretation of shellbags in a forensic investigation.
One of the data points that can be leveraged during shellbag analysis is the LastWrite time of various subkeys within the BagMRU hierarchy in an attempt to identify the first and last interacted times of a directory referenced by shellbags. The methodology used to identify these times, which leverages the MRUListEx values in conjunction with subkey LastWrite times, was detailed by Dan Pullega back in 2013 and later described in an episode of David Cowen’s forensic lunch. It was also incorporated into some shellbag forensic tools. While the interaction times of a directory referenced in shellbags can be extremely valuable, they come with some caveats for later versions of Windows 10.
During the process of installing a Windows 10 feature update, testing has shown that the LastWrite time of all subkeys in the BagMRU hierarchy are updated. This looks to be the case with versions dating back to at least 1709 and up through the latest feature update (1903 at the time of this writing). Since the LastWrite time of these subkeys is used to illustrate an interaction time with a directory, this eliminates the examiner’s ability to use the active UsrClass.dat hive to reliably determine interaction times that occurred prior to the most recent feature update. As an example, the below screenshot illustrates the view of a couple of shellbag entries just prior to the 1803 feature update being applied to a system.
|View of ShellBags Prior to Feature Update
The next screenshot below is from the same shellbag entries on the system after the 1803 feature update was applied on May 9, 2018. As you can see, the first and last interacted timestamps have been updated to May 9, 2018. The interaction times here are simply pulled from the LastWrite time registry subkeys. The LastWrite time of the subkeys was changed during the feature update.
|View of ShellBags After a Feature Update
This change wouldn’t necessarily stand out if you were focusing on a single location within the system shellbags. However, when the first/last interacted times (or the LastWrite times of UsrClass.dat subkeys) are viewed in aggregate, it becomes clear that they have been updated en masse.
|Interaction Times After a Feature Update
One thing to note in this example is that the directory file system timestamps (such as the Created On timestamp included in the screenshots above) that are included in the shellbag extension blocks remain unchanged across feature updates. However, the first and last interaction methodology that relies upon the LastWrite time of registry subkeys is limited by Windows 10 feature updates. If a directory referenced in the shellbags is interacted with after a feature update, the associated LastWrite time should be as reliable as it has been for identifying an interaction time. Directories that have not been interacted with since the most recent feature update will not have a reliable interaction time available in the active UsrClass.dat since any interaction time previously available for the directory was updated during the feature update.
This issue is reminiscent of the problems caused when various USB-related subkey LastWrite times were updated en masse. As with the USB-related subkeys though, understanding the limitations of the data points that are being relied upon – registry subkey LastWrite times in this example – will allow an examiner to more effectively and accurately leverage the artifact.