Shellbags Analysis | Digital Forensics

Unlocking User Activity: A Deep Dive into Shellbag Analysis

In the realm of digital forensics, understanding user activity is paramount. One powerful technique for piecing together a user's actions on a system is Shellbag analysis. This method provides a wealth of information about accessed folders, offering valuable insights into user behavior and potential evidence of file manipulation.

What are Shellbags?

Shellbags are a set of registry keys that store details about a user's folder views, including their size, position, and icon preferences. Essentially, every time a user explores a new folder, a Shellbag entry is created, tracking the directory traversal within the system. This includes folders accessed on local drives, network shares, and even removable devices.

The significance of Shellbags lies in their ability to:

  • Provide timestamps associated with folder access.
  • Offer contextual information about user activity.
  • Show access to directories and resources that might no longer exist on the system.

This makes Shellbag analysis a critical tool for investigators seeking to reconstruct user actions, identify potential data breaches, or uncover evidence of malicious activity.

Where are Shellbags Located?

Shellbags reside within the user's registry hive. The specific location varies depending on the Windows operating system:

  • Windows XP: NTUSER.DAT, loaded under HKCU (HKEY_CURRENT_USER)
  • Windows 7 and later: UsrClass.dat, also loaded under HKCU (HKEY_CURRENT_USER) and visible through HKCR as well

Within these hives, the Shellbags are organized under the BagMRU key, mirroring the folder structure within Windows Explorer. The numbered folders within BagMRU represent the parent/child relationships between accessed folders.
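The BagMRU structure just described can be walked programmatically. The following is an added example, not code from the original article or from any of the tools it mentions: it rebuilds folder paths from the numbered subkeys, orders siblings by the MRUListEx value (most recently visited first), and reads the folder name and FAT timestamp out of "file entry" shell items. The hive content is constructed inline and simplified (a real root level holds other item classes, and full shell-item decoding is what a dedicated parser does); on a real case the values would be read from the hive with a registry library.

```python
import struct
from datetime import datetime
# Constructed BagMRU subtree (hypothetical data, not taken from a real hive). Each key
# holds binary values "0", "1", ... (one shell item per child folder) plus MRUListEx,
# which records the order in which those children were most recently visited.
def file_entry(name, dos_date, dos_time):
    """Build a minimal directory 'file entry' shell item (class type 0x31)."""
    body = struct.pack("<BBIHHH", 0x31, 0, 0, dos_date, dos_time, 0x10) + name.encode() + b"\x00"
    return struct.pack("<H", len(body) + 2) + body  # leading uint16 = total item size
def mru(*idx):
    """MRUListEx: little-endian uint32 indices, most recent first, 0xFFFFFFFF terminator."""
    return b"".join(struct.pack("<I", i) for i in idx) + b"\xff\xff\xff\xff"

SAMPLE = {
    "BagMRU": {"0": file_entry("Users", 0x586F, 0x53C0),
               "1": file_entry("Evidence", 0x5870, 0x4800), "MRUListEx": mru(1, 0)},
    "BagMRU\\0": {"0": file_entry("alice", 0x586F, 0x53C0), "MRUListEx": mru(0)},
    "BagMRU\\1": {"0": file_entry("case42", 0x5870, 0x4800), "MRUListEx": mru(0)},
}

def parse_mrulistex(data):
    """Decode MRUListEx into child indices, most recent first (stop at the terminator)."""
    ids = [struct.unpack_from("<I", data, o)[0] for o in range(0, len(data) - 3, 4)]
    return ids[:ids.index(0xFFFFFFFF)] if 0xFFFFFFFF in ids else ids

def dos_datetime(date, time):
    """FAT date/time as stored in file entry items (2-second resolution, local time)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(item):
    """Folder name and FAT mtime from a 'file entry' shell item; None for other classes."""
    if len(item) < 14 or (item[2] & 0x70) != 0x30:  # byte 2 = class type, 0x30..0x3F
        return None
    size = struct.unpack_from("<H", item)[0]
    date, time = struct.unpack_from("<HH", item, 8)
    name = item[14:size].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"name": name, "modified": dos_datetime(date, time)}

def reconstruct(tree, key="BagMRU", parent=""):
    """Walk numbered subkeys in MRU order, yielding (path, registry key, MRU rank, mtime)."""
    vals = tree.get(key, {})
    for rank, idx in enumerate(parse_mrulistex(vals.get("MRUListEx", b""))):
        entry = parse_file_entry(vals.get(str(idx), b""))
        if entry is None:
            continue
        path = f"{parent}\\{entry['name']}" if parent else entry["name"]
        child = f"{key}\\{idx}"
        yield path, child, rank, entry["modified"]
        yield from reconstruct(tree, child, path)
```

Calling `list(reconstruct(SAMPLE))` yields the folders in the order the user last visited them, with the BagMRU key each one came from, which is exactly the view an analyst needs to tie a path back to a registry key and its LastWrite time.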

Key Artifacts Revealed by Shellbag Analysis

Analyzing Shellbags can reveal crucial information for digital investigations:

  • Folder access: Insights into accessed items like desktop folders, control panel elements, specific drives, directories, and even compressed archives.
  • Evidence of file manipulation: Indications of folder deletion, overwriting, or renaming activities.
  • Directory navigation patterns: Mapping out how a user navigated through the file system, potentially revealing their areas of interest.
  • Remote access evidence: Potential evidence of remote connections via RDP or VNC. This can indicate unauthorized access or data exfiltration.
  • Network resource access: Insights into connections established with network resources such as shares.

Tools for Shellbag Analysis

The registry values themselves are stored as binary data (shown as hexadecimal in the Registry Editor), so specialized tools are essential for parsing and interpreting them effectively.

  • RegEdit/RegRipper: While these tools can locate Shellbags within the registry, they lack the advanced parsing capabilities needed for comprehensive analysis.
  • Shellbags Explorer (Eric Zimmerman): A powerful tool designed specifically for Shellbag analysis. It offers both a graphical user interface (GUI) and a command-line interface (CLI) for exploring Shellbag data, allowing analysts to visually reconstruct a user's directory structure. Shellbags Explorer is available from Eric Zimmerman's tools site.

Shellbags Explorer excels at:

  • Providing a visual representation of the user's directory structure.
  • Allowing recursive analysis to identify and filter relevant data.
  • Displaying timestamps related to folder creation, access, and modification, facilitating timeline creation.

Conclusion

Shellbag analysis is a valuable tool in the digital investigator's arsenal. By understanding what Shellbags are, where they are located, and how to analyze them with specialized tools, investigators can gain valuable insights into user activity, identify potential security breaches, and reconstruct events to uncover critical evidence. This proactive approach enhances the understanding of user behavior and contributes to a more comprehensive and effective digital forensics investigation.
