Tysons Corner Fall 2017

McLean, VA | Sat, Oct 14 - Sat, Oct 21, 2017

Plumbing the Depths: ShellBags

  • Eric Zimmerman
  • Thursday, October 19th, 7:15pm - 8:15pm

This presentation will explore the most common ShellBag types (directories, GUIDs, control panel items, etc.) and the kinds of data contained therein, including timestamps, usernames, changing program associations, file system info, user searches, accessing network resources (UNC paths and FTP), and so on. The discussion will also cover extension blocks and the kinds of data they contain. The discussion will start at the hex level, work toward higher levels of abstraction, and culminate with examples of using ShellBags Explorer (SBE) to streamline the review of ShellBags data. This will include showing how SBE can be used to accelerate the investigation of unlimited amounts of ShellBag data, including working with individual registry hives as well as deduplicating multiple hives for a user. The presentation will also demonstrate how Dan Pullega's research has been incorporated and expanded upon, including first and last explored dates. The information contained in ShellBags and exposed via SBE is relevant to FEs, IR teams, and law enforcement as it quickly and easily provides context around a user's action in addition to their interaction with a computer and its associated resources.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.

Monday, October 16

| Session | Speaker | Time | Type |
|---|---|---|---|
| General Session - Welcome to SANS | Keith Palmgren | Monday, October 16th, 8:00am - 8:30am | Special Events |
| Everything You Ever Learned About Passwords Is Wrong | Keith Palmgren | Monday, October 16th, 7:15pm - 9:15pm | Keynote |

Tuesday, October 17

| Session | Speaker | Time | Type |
|---|---|---|---|
| Anti-Ransomware: How to Turn the Tables | G. Mark Hardy | Tuesday, October 17th, 8:15pm - 9:15pm | SANS@Night |

Wednesday, October 18

| Session | Speaker | Time | Type |
|---|---|---|---|
| Hunting Logic Attacks | Hassan El Hadary | Wednesday, October 18th, 7:15pm - 8:15pm | SANS@Night |

Thursday, October 19

| Session | Speaker | Time | Type |
|---|---|---|---|
| Plumbing the Depths: ShellBags | Eric Zimmerman | Thursday, October 19th, 7:15pm - 8:15pm | SANS@Night |
| Windows Management Instrumentation For Good and Evil | Jaime Geiger | Thursday, October 19th, 8:15pm - 9:15pm | SANS@Night |