Uncover User Activity with the Windows ShellBag Parser (sbag)

In the realm of digital forensics, understanding user activity on a Windows system is crucial. The Windows ShellBag Parser (sbag), developed by TZWorks, is a powerful tool designed to extract valuable directory and file artifacts from the Windows registry, helping investigators piece together a comprehensive picture of user behavior.

This article delves into the capabilities of sbag, explaining how it works, its applications, and how it can be used effectively in forensic investigations.

What is ShellBag and Why is it Important?

The ShellBag is a set of subkeys within a user's registry hive (primarily ntuser.dat and usrclass.dat) that the Windows operating system uses to track user window viewing preferences. It stores various Windows Explorer settings, such as window dimensions and arrangement, allowing users to reopen folders later with the same settings. Each user has individual preferences, making ShellBag data a user-specific artifact.

From a computer forensics perspective, parsing ShellBag data can reveal significant information, including:

• Accessed Files and Folders: Identifying which files and folders a user has interacted with.
• Storage Device Usage: Determining whether files were accessed from internal, external, or network storage devices.
• User Preferences: Understanding how a user organized and viewed files.
• Timestamp Information: Analyzing when files and folders were accessed or modified.

By combining ShellBag analysis with other forensic artifacts, investigators can build a stronger timeline of user actions and potentially uncover deleted files or malicious activity.

The registry subkeys that sbag evaluates include:

• NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
• NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
• NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
• NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
• UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
• UsrClass.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
• UsrClass.DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\BagMRU
• UsrClass.DAT\Local Settings\Software\Microsoft\Windows\ShellNoRoam\Bags

On Windows Vista and Windows 7, the UsrClass.dat hive is located in the C:\Users\<user>\AppData\Local\Microsoft\Windows directory.

Using sbag: A Practical Guide

sbag is a console application available for Windows, Linux, and Mac OS-X. The Windows version offers the capability to parse hives directly from a live system.

Running sbag:

1. Access the Command Prompt: On a Windows system, open the command prompt with administrator privileges.
2. Execute sbag: Type the executable name (sbag) without any parameters to display the menu options.

Key Parameters:

• User Hive: The only required parameter is the path to the user hive you want to analyze (e.g., ntuser.dat).
• Output Options:
  • -csv: Specifies Comma Separated Value (CSV) output for easy import into spreadsheet applications - like Microsoft excel or google sheets. *Adding username or hostname to the output with recent versions after .23.
• Data Extraction:
  • -inc_slack: Extracts data from cell slack space to reveal a cell where additional data is stored.

Example Syntax (Offline Parsing):

Assuming you have extracted a user hive to c:\dump\ntuser.dat, you can parse it using:

sbag c:\dump\ntuser.dat > results.txt

To generate CSV output:

sbag c:\dump\ntuser.dat -csv > results.csv

Live System Parsing:

Use the -livehives option to enumerate available hives for processing on a live system:

sbag -livehives

sbag will then take a snapshot of the requested hive and extract the necessary artifacts.

Interpreting sbag Output

sbag's output provides a wealth of information. Notable fields and observations include:

• Shell\Bags\<bag#>\Desktop\ItemPos<screen resolution>: Provides metadata associated with files on the desktop.
• Cell Slack Space: ItemPosXxx registry values may contain additional artifacts in the cell slack space.
• Shell\BagMRU: Contains folder metadata and, potentially, file metadata with MACB (Modified, Accessed, Created, Born) timestamps and file size information.
• Data Origin Column: Indicates the source of the data, helping verify the results. Important also to differentiate the Shell[BagMRU | Bags] dataset and ShellNoRoam[BagMRU | Bags] dataset.
• Inode/MFT Entry: ShellBag data may contain an inode (MFT entry) and MFT sequence number, enabling cross-referencing to other artifacts.

Uncovering Deleted ShellBag Entries

Sometimes, sbag may encounter missing entries in the ShellBag hierarchy, indicating potential anti-forensic attempts. Two scenarios exist:

1. Deleted Subkeys: When a subkey is deleted, all associated entries are removed. Recovery requires reconstructing the deleted subkeys from registry unallocated hive space (using tools like yaru).
2. Deleted Values: In this case, sbag can reconstruct most of the path, marking the deleted value accordingly.

Cell Slack Artifacts: Digging Deeper

The -inc_slack switch enables the parsing of cell slack space, potentially revealing additional data. This option is experimental but can uncover valuable artifacts.

Conclusion

The Windows ShellBag Parser (sbag) is an essential tool for digital forensics investigators. By extracting and analyzing ShellBag data from the Windows registry, investigators can gain valuable insights into user activity, recover deleted information, and build a more comprehensive understanding of the events that occurred on a system. Its ability to parse live hives and analyze cell slack further enhances its utility in uncovering crucial forensic evidence.