Thursday, March 6, 2014

Finding Shell Metadata


In my last post I talked about Shell32 in Windows and gave some background on how it works. In this post I want to talk about how we can leverage Shell in MetaDiver. With the latest MetaDiver you can choose to discover additional metadata. I have also provided a basic example using Windows PowerShell.

If you need a refresher on Shell I have a short writeup here.

How MetaDiver finds Shell Metadata

In the latest MetaDiver all the items you expect to see are predefined, while the items we don't care about are left out. This has a few benefits: you only see relevant fields, and it lets us control the formatting and naming of those fields.

You may want to find Shell items that aren't listed. There are some Shell property items, like free space and space used, that we aren't grabbing. You may also have a Shell plugin installed and want to find the additional fields it exposes; the plugin could be a 3rd-party PDF handler or something you wrote yourself. Differences in codecs for file formats like video, audio and images can alter the FolderItem lists as well. We have tried to identify all of the relevant ones for you, but you may want to turn on discovery of new items and see what turns up. Lucky for you, this is really easy to do in MetaDiver, as you can see below.

To have MetaDiver find unknown items just check the box next to "Shell: Find and add unknown columns".



What is MetaDiver actually doing to find Shell items?

Once enabled, MetaDiver goes through every file in the path you selected and runs Shell32 per file to look for undefined items. For each file it enumerates every Shell FolderItem, matches it against what is predefined in MetaDiver, and if it is new, adds it.

The wheels in your head are now telling you this could be slow, and you're right. It's going to be much slower. That is why it is now optional. If you are processing 2000 files, and let's say each file has on average 50 populated items but we are checking for 400 possible ones, then 2000 x 400 is a fair amount of work at 800,000 lookups. I don't know of another tool that will use Shell in this way to dig out metadata.

Using PowerShell to find Metadata

You can use PowerShell to enumerate property items with Shell32 as well, with some limitations. I have had to write a lot of error handling into MetaDiver to work smoothly with Shell, COM and ActiveX, so good luck with PowerShell or Perl.

Here is an example using Shell in PowerShell to enumerate Office metadata.



What is happening in the PowerShell script:

Creating the instance of Shell (the folder and the FolderItem used by the calls below are assumed here; $strFileName must be a FolderItem, not a plain string):
 $obj = New-Object -ComObject Shell.Application
 $objFolder = $obj.NameSpace("C:\Evidence")            # assumed: folder containing the file
 $strFileName = $objFolder.ParseName("report.docx")    # assumed: resolve the file to a FolderItem

Enumerating the Shell folder item keys. Passing $null as the item returns the field name for index $i (Name, Size, Date created, etc.):
 $objFolder.GetDetailsOf($null,$i)

Then getting the FolderItem value for that same index on the file:
 $objFolder.GetDetailsOf($strFileName,$i)

Hypothetically, let's say we already know the index value for the FolderItem. Let's choose Date created and say it is 4. Then we could just do:
 $objFolder.GetDetailsOf($strFileName,4)
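Putting the pieces above together, here is an added example (my own, not the script from the original post or MetaDiver's code) that does in PowerShell what the "find and add unknown columns" option does: it discovers every populated Shell column for each file in a folder and reports the ones not on a predefined list. $FolderPath, $MaxIndex and $KnownColumns are assumptions chosen for illustration.

```powershell
# Added example: discover Shell32 property columns per file and flag unknown ones.
# Assumptions: $FolderPath exists locally; $KnownColumns is a constructed sample list.
param(
    [string]$FolderPath = "$env:USERPROFILE\Documents",
    [int]$MaxIndex = 320   # Shell column indexes are sparse; scan a fixed range
)

$KnownColumns = @('Name', 'Size', 'Item type', 'Date modified', 'Date created')

$shell  = New-Object -ComObject Shell.Application
$folder = $shell.NameSpace($FolderPath)
if ($null -eq $folder) { throw "Shell could not open folder: $FolderPath" }

# Passing $null as the item returns the column header for index $i (blank if unused).
$columns = @{}
for ($i = 0; $i -le $MaxIndex; $i++) {
    $header = $folder.GetDetailsOf($null, $i)
    if (-not [string]::IsNullOrWhiteSpace($header)) { $columns[$i] = $header }
}

$unknown = @{}
foreach ($item in $folder.Items()) {
    if ($item.IsFolder) { continue }          # files only
    foreach ($i in ($columns.Keys | Sort-Object)) {
        try {
            $value = $folder.GetDetailsOf($item, $i)
        } catch {
            # Property handlers (codecs, 3rd-party plugins) can throw COM errors; skip them
            continue
        }
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $name = $columns[$i]
        [pscustomobject]@{ File = $item.Name; Index = $i; Property = $name; Value = $value }
        if ($KnownColumns -notcontains $name) { $unknown[$name] = $i }
    }
}

"`nColumns populated on disk but not in the predefined list:"
$unknown.GetEnumerator() | Sort-Object Value | ForEach-Object { "  [{0}] {1}" -f $_.Value, $_.Key }
```

Run it against a folder with mixed Office, image and video files to see how the populated column set changes per file type.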

Windows PowerShell also supports Remoting, which creates interactive sessions or connections to multiple remote machines at once. I have yet to try this in PowerShell, but I'm intrigued by the possibilities for gathering vast amounts of metadata across an enterprise, especially for E-Discovery and Incident Response.

Wrap-Up

As you can see, Shell is very interesting and there is a lot more that can be done beyond Shell FolderItem. Shell is used everywhere in Windows!

I hope you find this post useful and informative!
