The Windows ShellBag Parser, also known as sbag, is a powerful tool used in computer forensics to parse the ShellBag subkeys in the Windows registry. These subkeys store metadata about user window viewing preferences, including dimensions, settings, and other information related to Windows Explorer. By analyzing this data, investigators can gain valuable insights into user activity, such as accessed files, deleted files, and storage devices used.
ShellBag is a set of subkeys in the user registry hive (ntuser.dat and usrclass.dat files) that stores information about Windows Explorer settings. This allows Windows to reopen folders with the same settings as before, providing a more personalized user experience. Each user has separate preferences for folders, which are stored in their respective user hive.
sbag is a console application that can be used to parse user hives and extract ShellBag artifacts. To use sbag, simply open the command prompt with administrator privileges and type in the executable name with the desired parameters. The available options include:
To parse a user hive, use the following command:
```
sbag c:\dump\ntuser.dat > results.txt
```
This will generate a text file containing the parsed ShellBag artifacts.
The output of sbag includes various fields, such as:
The output of sbag can be displayed in a spreadsheet, as shown in the example below:
| Field | Value |
|---|---|
| `Shell\Bags\<bag#>\Desktop\ItemPos` | Metadata associated with files on the Desktop |
| `Shell\BagMRU` subkeys | Folder metadata, including MACB timestamps and size information |
| Last column | Origin of the data (e.g., ntuser.dat, usrclass.dat) |
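The two structures behind the `BagMRU` row above, decoded in an added Python example (this is not sbag's own code; sbag is a compiled console tool): `MRUListEx`, which orders a BagMRU key's numbered values most-recent-first, and a file-entry shell item, whose fixed header carries the FAT-format modified time and short name and whose `0xbeef0004` extension block carries the created/accessed times and the long name. The sample bytes are constructed here, and the per-version long-name offsets are an assumption based on the commonly documented extension-block layout, not something taken from this page.

```python
"""Decode the ShellBag structures sbag reports from: a BagMRU entry (a Windows
file-entry shell item) and the MRUListEx value that orders a key's entries.
All sample bytes below are constructed for this demonstration, not real hive data."""
import struct
from datetime import datetime
from typing import Optional

EXT_SIGNATURE = 0xBEEF0004   # extension block holding creation/access times and the long name
# Offset of the UTF-16 long name inside the extension block, by block version.
# Assumption based on the commonly documented layout (XP=3, Vista=7, Win7=8, Win8.1+=9).
LONG_NAME_OFFSET = {3: 20, 7: 38, 8: 42, 9: 46}


def fat_datetime(raw: int) -> Optional[datetime]:
    """Decode a 32-bit FAT timestamp (low word = date, high word = time).
    Shell items store MAC times this way, so resolution is only 2 seconds."""
    if raw == 0:
        return None            # zero means "not recorded"
    date, time = raw & 0xFFFF, raw >> 16
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def fat_encode(dt: datetime) -> int:
    """Inverse of fat_datetime; used only to build the constructed sample."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return (time << 16) | date


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: uint32 slot numbers, most recently used first, ended by 0xFFFFFFFF."""
    order = []
    for (slot,) in struct.iter_unpack("<I", data):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def parse_file_entry(item: bytes) -> dict:
    """Parse a file-entry shell item (class 0x31 folder / 0x32 file) with an ASCII short name."""
    size, cls = struct.unpack_from("<HB", item, 0)
    if cls & 0x70 != 0x30:
        raise ValueError(f"not a file-entry shell item (class 0x{cls:02x})")
    file_size, mtime, attrs = struct.unpack_from("<IIH", item, 4)
    end = item.index(b"\x00", 14)                  # short name is NUL-terminated
    entry = {
        "is_folder": bool(attrs & 0x10),           # FILE_ATTRIBUTE_DIRECTORY
        "file_size": file_size,
        "short_name": item[14:end].decode("ascii"),
        "modified": fat_datetime(mtime),
        "created": None, "accessed": None, "long_name": None,
    }
    ext = (end + 2) & ~1                           # name field is padded to a 2-byte boundary
    if ext + 16 <= size:
        ext_size, version, sig = struct.unpack_from("<HHI", item, ext)
        if sig == EXT_SIGNATURE:
            ctime, atime = struct.unpack_from("<II", item, ext + 8)
            entry["created"], entry["accessed"] = fat_datetime(ctime), fat_datetime(atime)
            off = LONG_NAME_OFFSET.get(version)
            if off is not None:
                raw = item[ext + off: ext + ext_size]
                raw = raw[: len(raw) & ~1]          # UTF-16 needs an even byte count
                entry["long_name"] = raw.decode("utf-16-le").split("\x00", 1)[0]
    return entry


def build_sample_item() -> bytes:
    """Construct a version-3 folder entry (the simplest extension layout); not real hive data."""
    short = b"EVIDEN~1\x00"
    short += b"\x00" * (len(short) % 2)
    long_name = "Evidence Photos".encode("utf-16-le") + b"\x00\x00"
    ext_size = 20 + len(long_name) + 2             # fixed fields + name + trailing offset field
    ext = struct.pack("<HHIIIHH", ext_size, 3, EXT_SIGNATURE,
                      fat_encode(datetime(2024, 1, 2, 9, 0, 0)),
                      fat_encode(datetime(2024, 3, 20, 8, 15, 44)),
                      0x14, 0) + long_name + struct.pack("<H", 14)
    size = 14 + len(short) + len(ext)
    header = struct.pack("<HBBIIH", size, 0x31, 0, 0,
                         fat_encode(datetime(2024, 3, 15, 14, 30, 20)), 0x10)
    return header + short + ext


if __name__ == "__main__":
    # Constructed MRUListEx: slot 2 was used most recently, then 0, then 1.
    print(parse_mrulistex(struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)))
    for k, v in parse_file_entry(build_sample_item()).items():
        print(f"{k:>10}: {v}")
```

Note that the 2-second FAT resolution and the absence of a zero-means-unset convention in some parsers are why ShellBag timestamps should be correlated with other sources (MFT, USN journal) rather than treated as exact on their own.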
sbag can also parse the slack space of registry cells (the unused bytes between the end of a value's data and the end of its allocated cell), which can retain fragments of earlier artifacts. To include it in the output, invoke the `--inc_slack` switch.
Occasionally, sbag may encounter deleted ShellBag entries, which can indicate anti-forensics activity. In such cases, sbag can reconstruct the deleted subkeys or values, providing valuable information for investigators.
The Windows ShellBag Parser (sbag) is a powerful tool for parsing ShellBag subkeys in the Windows registry. By analyzing this data, investigators can gain insights into user activity, accessed files, and storage devices used. With its various options and output formats, sbag is an essential tool for computer forensics professionals.
For more information, please refer to the user's guide or contact us via email. Downloads are available for Intel 32-bit, Intel 64-bit, and ARM 64-bit versions.
Note: This article is for informational purposes only and is not intended to be used as a substitute for professional advice. Always consult with a qualified expert before using any software or tool for computer forensics purposes.