Shellbags

Shellbags in Windows Forensics: An In-Depth Overview

Shellbags are a powerful forensic artifact that capture user interactions with the file system via Windows Explorer. They record metadata about folders, enabling investigators to reconstruct user activity even after files or folders have been deleted.


Key Registry Locations of Shellbags

Shellbag data is stored in two key registry hives:

1. NTUSER.DAT (User-Specific Settings)

  • Key Paths:

    • Software\Microsoft\Windows\Shell\BagMRU

    • Software\Microsoft\Windows\Shell\Bags

2. USRCLASS.DAT (User-Specific Application Settings)

  • Key Paths:

    • Local Settings\Software\Microsoft\Windows\Shell\BagMRU

    • Local Settings\Software\Microsoft\Windows\Shell\Bags

These locations store binary data that require decoding to reveal meaningful information.


Why Shellbags Matter in Forensic Investigations

Shellbags provide investigators with a wealth of information regarding user file system interactions:

1. Track Deleted Folder Access

  • Even if a folder is deleted, its metadata remains in the shellbags.

  • Investigators can determine the folder's structure, contents, and the last time it was accessed.

2. Reconstruct User Activity

  • Reveal folder paths accessed by the user, including subfolders.

  • Useful for understanding user behavior and timeline reconstruction.

3. Network and USB Device Forensics

  • Record access to network shares and USB devices.

  • Identify removable media or shared drives interacted with by the user.

4. ZIP File Investigation

  • Records the folder hierarchy inside a ZIP archive when the user browsed its contents in Explorer, provided the archive was not encrypted.

5. Evidence Support

  • Valuable in cases involving:

    • Data breaches

    • Insider threats

    • Unauthorized data access


Tool for Analysis: ShellbagExplorer

ShellbagExplorer, developed by Eric Zimmerman, is a specialized tool designed to parse and analyze shellbag data, providing forensic investigators with human-readable insights.

Key Features:

  • Live and Offline Registry Analysis:

    • Load active registry data for live investigations.

    • Analyze offline registry files from disk images or external devices.

  • Detailed Folder Hierarchy:

    • Displays all accessed folder paths and their associated metadata, including deleted ones.

  • Timestamp and Metadata Tracking:

    • Tracks creation, modification, and access times of folders.

Using ShellbagExplorer

1. Load Active or Offline Registry

  • Live System:

    • Go to File > Load Active Registry.

  • Offline Analysis:

    • Load registry files (e.g., NTUSER.DAT or USRCLASS.DAT) from a mounted disk image or external source.

2. View Parsed Data

  • ShellbagExplorer decodes binary data to display:

    • Folder Names

    • Access Paths

    • Timestamps

    • Metadata
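The registry locations listed earlier hold raw shell item data, and ShellbagExplorer's job is to decode it into the folder names and timestamps shown above. The following added example (not code from the original page or from ShellbagExplorer) shows what that decoding involves: it parses a file-entry shell item (class 0x31 directory / 0x32 file) together with its 0xBEEF0004 extension block, following the shell item layout documented by the libfwsi project, and decodes the MRUListEx value that orders the entries of a BagMRU key. The item bytes and the MRUListEx bytes are constructed in the script itself, not taken from a real hive; the version-8 extension block layout, the field names and the sample folder "Project-Alpha" are assumptions for illustration.

```python
"""Minimal decoder for the binary shellbag data stored under BagMRU (added example)."""
import struct
from datetime import datetime
from typing import Optional

BEEF0004 = 0xBEEF0004
# Constructed MRUListEx: 4-byte LE indices, most recent first, 0xFFFFFFFF terminated.
SAMPLE_MRULISTEX = bytes.fromhex("02000000" "00000000" "01000000" "ffffffff")


def fat_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte FAT timestamp: 16-bit date then 16-bit time, little-endian."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None  # zeroed timestamp, common for entries that never had one
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def datetime_to_fat(dt: datetime) -> bytes:
    """Inverse of fat_to_datetime; used only to build the constructed sample."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def _utf16z(buf: bytes, pos: int):
    """Read a null-terminated UTF-16LE string at pos; return (text, position after it)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_mrulistex(data: bytes) -> list:
    """Return the value indices of a BagMRU key in most-recently-used order."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_beef0004(block: bytes) -> dict:
    """Decode a 0xBEEF0004 extension block (creation/access times, long name)."""
    _size, version, sig = struct.unpack_from("<HHI", block, 0)
    if sig != BEEF0004:
        raise ValueError("not a 0xBEEF0004 extension block")
    info = {"created": fat_to_datetime(block[8:12]), "accessed": fat_to_datetime(block[12:16])}
    pos = 18  # skip the 2-byte identifier at offset 16
    if version >= 7:
        pos += 2  # unknown/padding
        ref = struct.unpack_from("<Q", block, pos)[0]  # NTFS file reference
        info["mft_entry"], info["mft_sequence"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        pos += 8 + 8  # file reference + unknown 8 bytes
    localized_size = struct.unpack_from("<H", block, pos)[0] if version >= 3 else 0
    pos += 2 if version >= 3 else 0
    pos += 4 if version >= 9 else 0  # unknown field, Windows 8.1/10 layout
    pos += 4 if version >= 8 else 0  # unknown field, Windows 7+ layout
    if version >= 3:
        info["long_name"], pos = _utf16z(block, pos)
        if localized_size:  # localized name, treated here as UTF-16 (version >= 7 layout)
            info["localized_name"], pos = _utf16z(block, pos)
    return info


def parse_file_entry(item: bytes) -> dict:
    """Decode one file-entry shell item, i.e. the data of a numbered BagMRU value."""
    size, class_type, _unknown, file_size = struct.unpack_from("<HBBI", item, 0)
    if (class_type & 0x70) != 0x30:
        raise ValueError("not a file entry shell item: class 0x%02x" % class_type)
    entry = {"is_directory": bool(class_type & 0x01), "file_size": file_size,
             "modified": fat_to_datetime(item[8:12]),
             "attributes": struct.unpack_from("<H", item, 12)[0]}
    pos = 14  # primary (8.3) name follows the fixed header
    if class_type & 0x04:  # Unicode flag set
        entry["short_name"], pos = _utf16z(item, pos)
    else:
        end = item.index(b"\x00", pos)
        entry["short_name"] = item[pos:end].decode("ascii")
        pos = end + 1 + (end + 1) % 2  # ASCII name is padded to a 2-byte boundary
    if pos + 8 <= size and struct.unpack_from("<I", item, pos + 4)[0] == BEEF0004:
        entry.update(parse_beef0004(item[pos:size]))
    return entry


def build_sample_item(long_name, short_name, modified, created, accessed, mft_ref) -> bytes:
    """Construct a 0x31 directory item with a version-8 0xBEEF0004 block (sample data only)."""
    ext = bytearray(struct.pack("<HHI", 0, 8, BEEF0004))  # size patched below
    ext += datetime_to_fat(created) + datetime_to_fat(accessed)
    ext += struct.pack("<HHQQ", 0x2E, 0, mft_ref, 0)  # identifier, pad, file ref, unknown
    ext += struct.pack("<H", 0) + b"\x00" * 4  # no localized name; version-8 unknown field
    ext += long_name.encode("utf-16-le") + b"\x00\x00"
    ext += struct.pack("<H", 0)  # trailing offset field pointing back at the block
    body = bytearray(struct.pack("<BBI", 0x31, 0, 0))  # directory, unknown, file size 0
    body += datetime_to_fat(modified) + struct.pack("<H", 0x10)  # FILE_ATTRIBUTE_DIRECTORY
    body += short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)  # align the extension block to 2 bytes
    struct.pack_into("<H", ext, 0, len(ext))
    struct.pack_into("<H", ext, len(ext) - 2, 2 + len(body))
    item = body + ext
    return struct.pack("<H", 2 + len(item)) + bytes(item)


def decode_sample() -> dict:
    """Build the constructed sample entry and decode it, as a BagMRU value would be."""
    item = build_sample_item("Project-Alpha", "PROJEC~1",
                             modified=datetime(2024, 3, 11, 9, 30, 44),
                             created=datetime(2024, 3, 1, 8, 15, 2),
                             accessed=datetime(2024, 3, 11, 9, 31, 0),
                             mft_ref=(5 << 48) | 123456)
    return parse_file_entry(item)


if __name__ == "__main__":
    print("MRU order:", parse_mrulistex(SAMPLE_MRULISTEX))
    for key, value in decode_sample().items():
        print(f"{key:14} {value}")
```

The three FAT timestamps are the ones ShellbagExplorer labels as modified, created and accessed; note that they carry 2-second resolution and no time zone, which matters when lining them up against NTFS or event-log times in a timeline. The MFT entry and sequence number recovered from the extension block are what allow a deleted folder to be matched against $MFT or $LogFile records on the same volume.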


Practical Example

Case Scenario: An employee is suspected of leaking sensitive data. After transferring files, they delete the containing folder to avoid detection.

Investigation Steps:

  1. Analyze Shellbags: Load the employee's NTUSER.DAT or USRCLASS.DAT using ShellbagExplorer.

  2. Evidence Found:

    • The deleted folder path is visible.

    • Metadata shows the folder’s creation and last access times.

    • The folder contained sensitive project files, corroborating the data leak suspicion.

Outcome:

The evidence supports the case, confirming the user’s unauthorized access and deletion attempts.


Conclusion

Shellbags are a critical artifact in forensic investigations, providing a detailed view of user interactions with file systems. They remain invaluable for uncovering evidence of deleted files, network shares, and removable media usage. Tools like ShellbagExplorer streamline the analysis process, enabling forensic investigators to uncover hidden traces efficiently.
