Shellbag analysis is a crucial method in digital forensics for determining the actions a specific user took on a host. It involves examining the shellbags, registry keys that record details about the folders a user has viewed, including the window size, position, and icon settings. This analysis helps build a broader picture of an investigation, providing indications of user activity and serving as a history of directories that may since have been removed from the system.
Shellbags are a set of registry keys that track and maintain directory traversal, providing timestamps, contextual information, and access to directories and resources. A shellbag entry is created for every newly explored folder, making them a valuable source of information for digital forensic investigations.
Shellbags are located within the NTUSER.DAT (Windows XP) or UsrClass.dat (Windows 7 and later) hives, under HKCU (HKEY_CURRENT_USER). They are stored under the BagMRU key, whose layout mirrors the folder hierarchy shown in Explorer: numbered subkeys represent parent and child folders, with each nested number being a child of the folder above it.
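As an added example that is not part of the original article, the following Python reconstructs the folder hierarchy from a BagMRU subtree supplied as nested dicts (a constructed sample, not a real registry dump). It assumes each numbered value holds a file-entry shell item (class 0x30-0x3F) and parses only the primary 8.3 name and FAT timestamp, skipping the 0xBEEF0004 extension block and the root/volume items that sit at the top of a real BagMRU tree; the names `walk_bagmru`, `parse_file_entry`, `mru_order`, `make_item` and `SAMPLE_BAGMRU` are this example's own.

```python
import struct
from datetime import datetime

def fat_datetime(raw: bytes) -> datetime:
    """Decode the 4-byte FAT/DOS timestamp in a shell item: a date word followed by a time word."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(item: bytes) -> dict:
    """Parse the fixed header and primary (8.3) name of a file-entry shell item; extension blocks are skipped."""
    size, kind, _, fsize, raw_dt, attrs = struct.unpack_from("<HBBI4sH", item, 0)
    if (kind & 0x70) != 0x30:
        raise ValueError(f"not a file-entry shell item: class 0x{kind:02x}")
    name = item[14:size].split(b"\x00", 1)[0].decode("ascii")
    return {"name": name, "is_dir": bool(kind & 0x01), "size": fsize,
            "attrs": attrs, "modified": fat_datetime(raw_dt)}

def mru_order(raw: bytes) -> list:
    """MRUListEx: little-endian DWORD indices, most recently used first, terminated by 0xFFFFFFFF."""
    idxs = [i for (i,) in struct.iter_unpack("<I", raw)]
    return idxs[:idxs.index(0xFFFFFFFF)] if 0xFFFFFFFF in idxs else idxs

def walk_bagmru(key: dict, parent: str = "") -> list:
    """Rebuild Explorer-style paths: value N is a folder's shell item, subkey N holds its children."""
    out = []
    for idx in mru_order(key["values"]["MRUListEx"]):
        entry = parse_file_entry(key["values"][str(idx)])
        path = f"{parent}\\{entry['name']}" if parent else entry["name"]
        out.append((path, entry["modified"].isoformat()))
        if str(idx) in key.get("subkeys", {}):
            out.extend(walk_bagmru(key["subkeys"][str(idx)], path))
    return out

def make_item(name: str, fat: bytes) -> bytes:
    """Build a minimal directory shell item (class 0x31) for the constructed sample below."""
    body = struct.pack("<BBI4sH", 0x31, 0, 0, fat, 0x10) + name.encode("ascii") + b"\x00"
    body += b"\x00" * ((2 + len(body)) % 2)  # shell item sizes are 16-bit aligned
    return struct.pack("<H", 2 + len(body)) + body

# Constructed sample: "Tools" opened after "Docs" (MRUListEx = 1, 0, terminator), then "Tools\Build" inside it.
SAMPLE_BAGMRU = {
    "values": {"MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
               "0": make_item("Docs", b"\xb1\x56\xa5\x48"),    # 2023-05-17 09:05:10
               "1": make_item("Tools", b"\xb1\x56\xca\x73")},  # 2023-05-17 14:30:20
    "subkeys": {"1": {"values": {"MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
                                 "0": make_item("Build", b"\xb2\x56\x00\x40")},  # 2023-05-18 08:00:00
                      "subkeys": {}}},
}
```

Calling `walk_bagmru(SAMPLE_BAGMRU)` yields the folders in recency order with their FAT modification times, which is the view an examiner then correlates with the key's last-write time from the hive.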
Shellbag analysis can expose various information, including:
Several tools can be used for shellbag analysis, including:
Shellbag analysis can provide significant value in digital forensic investigations, including:
Shellbag analysis is a powerful tool in digital forensics, providing valuable insights into user activity and system interactions. By understanding what shellbags are, where they are located, and how to analyze them, investigators can gain a deeper understanding of the events surrounding a digital incident. For more information on digital forensics and incident response, visit our digital forensics page.
To learn more about the tools and techniques used in shellbag analysis, check out RegEdit and Shellbags Explorer.