Folder Access Analysis via Shellbags
Introduction
Shellbags are valuable forensic artifacts in Windows systems, providing a detailed log of folder interactions. They are particularly useful in USB forensics, revealing critical details about folders accessed or present on USB devices. This data is essential in cases of data theft, espionage, or insider threats, as it can help reconstruct user actions and intentions.
Understanding Shellbags
Shellbags are registry entries created when a user interacts with folders in Windows File Explorer. They capture details such as:
Folder Names: Names of accessed folders.
Folder Hierarchy: The structure of folder navigation.
Timestamps:
First Accessed.
Last Accessed.
Folder View Preferences: Settings like icon size and sorting order.
These artifacts persist even if the folders are deleted or moved, offering forensic evidence of past user interactions.
Registry Locations for Shellbags
Shellbags are stored in the following registry paths:
1. NTUSER.DAT (User-Specific Registry Hive)
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
2. USRCLASS.DAT (User-Specific Registry Hive)
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Each user's NTUSER.DAT and USRCLASS.DAT files contain unique Shellbags specific to their account, making it possible to attribute activity to individual users.
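To show how a tool such as ShellbagExplorer rebuilds folder paths and access order from these keys, here is an added example (not part of the lesson or of Eric Zimmerman's tools) that walks a BagMRU tree. It assumes the usual BagMRU layout: numbered binary values holding shell items, an MRUListEx value giving most-recent-first order, numbered subkeys holding each entry's children, and a NodeSlot DWORD pointing at the matching Bags\<n>\Shell key with the view settings; the registry data it parses is constructed inline, not read from a real hive.

```python
import struct
from datetime import datetime

def dos_datetime(raw):  # FAT date (2 bytes) + FAT time (2 bytes), 2-second resolution
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_shell_item(data):  # volume item (0x2F) or file entry item (0x31 dir / 0x32 file)
    kind = data[2]
    if kind == 0x2F:                 # volume item: drive letter as ASCII at offset 3
        return data[3:].split(b"\0")[0].decode(), None
    if kind & 0x70 == 0x30:          # a browsed ZIP appears as a 0x32 file item with children
        # Offset 14 usually holds the 8.3 short name; the long name sits in a 0xBEEF0004 extension block (not decoded here)
        return data[14:].split(b"\0")[0].decode(), dos_datetime(data[8:12])
    return f"<type 0x{kind:02x}>", None

def mru_order(mrulistex):  # little-endian DWORD indices, most recent first, 0xFFFFFFFF terminator
    return [i for (i,) in struct.iter_unpack("<I", mrulistex) if i != 0xFFFFFFFF]

def walk(node, parent=""):  # (path, modified, NodeSlot) for every entry below node, in MRU order
    rows = []
    for i in mru_order(node["MRUListEx"]):
        name, modified = parse_shell_item(node[str(i)])
        path = name if not parent else parent.rstrip("\\") + "\\" + name
        child = node["subkeys"].get(str(i))     # subkey "i" holds the children of value "i"
        rows.append((path, modified, child["NodeSlot"] if child else None))
        rows += walk(child, path) if child else []
    return rows

# Constructed sample data (not from a real hive); the builders mimic the on-disk shell item layout.
def volume_item(letter):
    return struct.pack("<HB", 4 + len(letter), 0x2F) + letter.encode() + b"\0"

def file_item(name, kind, dos):
    body = name.encode() + b"\0"
    body += b"\0" * (len(body) % 2)  # primary name is padded to 16-bit alignment
    return struct.pack("<HBBI", 14 + len(body), kind, 0, 0) + dos + struct.pack("<H", 0x10) + body

T1 = struct.pack("<HH", 0x5965, 0x73C0)  # 2024-11-05 14:30:00
T2 = struct.pack("<HH", 0x5968, 0x4800)  # 2024-11-08 09:00:00
SAMPLE_BAGMRU = {  # BagMRU root; each NodeSlot points at Bags\<n>\Shell for that folder's view settings
    "MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF), "NodeSlot": 1, "0": volume_item("E:\\"),
    "subkeys": {"0": {
        "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF), "NodeSlot": 7,
        "0": file_item("Secret_Project_LD", 0x31, T1), "1": file_item("Important_Archive.zip", 0x32, T2),
        "subkeys": {"1": {"MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF), "NodeSlot": 8,
                          "0": file_item("Reports", 0x31, T2), "subkeys": {}}}}}}
for path, modified, slot in walk(SAMPLE_BAGMRU):
    print(f"{path:<40} modified={modified}  view=Bags\\{slot}\\Shell")
```

Because the ZIP entry is listed before Secret_Project_LD in MRUListEx, the walk reports it first, which is the ordering an examiner uses to tell which folder on E: was opened most recently.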
Analyzing Shellbags with ShellbagExplorer
ShellbagExplorer, developed by Eric Zimmerman, is a robust tool for analyzing Shellbag artifacts.
Steps for Analysis
Download and Launch ShellbagExplorer
Download Link: ShellbagExplorer
Run the tool as Administrator.
Load Registry Hives
Active Registry: Analyze real-time Shellbag data from the live system.
Offline Hives: Analyze exported registry files like NTUSER.DAT or USRCLASS.DAT.
Investigating USB Activity
Scenario:
A USB device was previously assigned to drive letter E:.
Using ShellbagExplorer:
Expand the Drive:
Navigate to E:\ within the tool.
Identify Folders:
Discovered folder: Secret_Project_LD.
View Folder Details:
Item Name: Secret_Project_LD.
Shell Type: Directory.
Timestamps:
Created: Timestamp of folder creation.
Last Accessed: Timestamp of the last user interaction.
User Attribution:
By analyzing the NTUSER.DAT hive, we confirmed the user letsdefend accessed the folder.
ZIP File Exploration
Shellbags also track folders inside ZIP files if accessed via File Explorer:
Conditions: This applies only if the ZIP file is not password-protected.
Example:
After reinserting the USB, a ZIP file named Important_Archive.zip was explored on E:.
ShellbagExplorer Findings:
ZIP File Name: Important_Archive.zip.
Contained Folders: Tracked in the Shellbag logs, proving user interaction with the ZIP file's contents.
Forensic Value of Shellbags
Folder Hierarchies:
Reveal user actions, folder organization, and navigational patterns on USB devices.
Timestamps:
Enable investigators to create forensic timelines by correlating folder access times with other system events.
ZIP Analysis:
Provide insight into accessed folders within archive files, even if the archive has since been deleted.
Conclusion
Shellbags are a powerful tool in forensic investigations, particularly for analyzing folder access on USB devices. They help investigators:
Reconstruct user actions.
Establish timelines.
Correlate evidence with other artifacts.
In the next lesson, we’ll explore File Access Analysis via Jumplists, which offers more granular insights into specific file interactions.