Shellbag forensics
Shellbags
Data structures in Windows that store and remember the display settings and view customization for individual folders in Windows Explorer, such as the folder view mode, the sorting order, the window position etc.
Keeps track of folders opened/closed/repositioned/resized/interacted with - per user
Shell Bags persist even when data is deleted or securely removed. This makes them valuable in recovering information about previously visited folders, including those on external devices.
Windows creates shellbag information for folders and also for zip files (which Explorer browses as folders).
Registry locations
Windows XP:
Network folders : NTUSER.DAT\Software\Microsoft\Windows\Shell
Local folders : NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam
Removable device folders : NTUSER.DAT\Software\Microsoft\Windows\StreamMRU
Win7+
NTUSER.DAT\Software\Microsoft\Windows\Shell
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell
NTUSER.DAT = HKEY_CURRENT_USER
UsrClass.dat = HKEY_CURRENT_USER\Software\Classes
The majority of the information is stored in UsrClass.dat, but to get a complete picture, data must be collected from both locations.
Usrclass.dat location : C:\Users\[username]\Appdata\Local\Microsoft\Windows
Subkeys
Bags subkey : stores the actual folder customization data (window size, layout type, etc.)
BagMRU subkey : stores actual directory structures of folders accessed
BagMRU Subkey
MRUListEx: a list of 4-byte values giving the order in which the child folders were accessed, with the most recent access listed first
NodeSlot: Points to the Bags key, which stores the customization data
NodeSlots: Found in the root BagMRU subkey, updated upon new Shellbag creation
Analysis
The Windows registry stores the Last Write Time of keys and subkeys but not the Last Write Time of the individual values therein.
From this we can tell when a folder was first visited or when its entry was last modified.
The existence of a shellbag means that a specific folder (or folders) has been visited by the specific user account from which the associated NTUSER.dat or UsrClass.dat hive was extracted.
This indicates the user's prior knowledge of the existence of that data, because Windows Explorer only creates the shellbag information when the folder was initially viewed or when the view settings were subsequently adjusted.
Additionally, when data is deleted, or even securely deleted, from a system, the shellbag information persists. It can be used to show directory listings that have long since been deleted, even for removable devices such as external hard drives and USB flash drives.
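The following is an added example (not part of the original notes or of any of the tools listed below) that ties together the BagMRU subkey section and the analysis notes above: it decodes MRUListEx into MRU order, walks the BagMRU tree, resolves each NodeSlot to its Bags key, and labels what each key's Last Write Time can and cannot tell you. The registry data is constructed in memory to mimic the UsrClass.dat Shell key; loading a real hive into this dict shape (for example with the python-registry library) is assumed and not shown, and the "_name" value is a made-up stand-in for the binary shell item blobs that real BagMRU subkeys hold in their "0", "1", ... values.

```python
r"""Walk a BagMRU/Bags tree as described in the notes (added example).

The hive below is CONSTRUCTED to mimic
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell. Folder names
sit in a made-up "_name" value instead of the real shell item blobs.
"""
import struct
from datetime import datetime, timezone


def T(stamp):
    """Constructed key LastWrite timestamp (UTC)."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def key(last_write, values=None, subkeys=None):
    """One registry key: LastWrite time, values and subkeys."""
    return {"last_write": last_write, "values": values or {}, "subkeys": subkeys or {}}


def encode_mrulistex(*order):
    """MRUListEx layout: 4-byte little-endian child indexes, most recent
    first, terminated by 0xFFFFFFFF. Used only to build the sample."""
    return b"".join(struct.pack("<I", i) for i in order) + b"\xff\xff\xff\xff"


def parse_mrulistex(blob):
    """Decode MRUListEx into child subkey indexes, most recently used first."""
    order = []
    for off in range(0, len(blob) - 3, 4):
        (idx,) = struct.unpack_from("<I", blob, off)
        if idx == 0xFFFFFFFF:  # terminator
            break
        order.append(idx)
    return order


# --- constructed sample hive (Mode is a stand-in for the view settings) ---
SHELL = key(T("2024-03-01T10:00:00"), subkeys={
    "BagMRU": key(T("2024-03-05T09:12:00"),
        values={"MRUListEx": encode_mrulistex(1, 0)},  # child "1" touched last
        subkeys={
            "0": key(T("2024-03-04T16:40:00"),
                values={"_name": "This PC", "NodeSlot": 1,
                        "MRUListEx": encode_mrulistex(0)},
                subkeys={
                    "0": key(T("2024-03-04T16:40:00"),
                        values={"_name": "E:", "NodeSlot": 2,
                                "MRUListEx": encode_mrulistex(0)},
                        subkeys={
                            "0": key(T("2024-03-04T16:40:00"),
                                values={"_name": "Projects", "NodeSlot": 3,
                                        "MRUListEx": encode_mrulistex()}),
                        }),
                }),
            "1": key(T("2024-03-05T09:12:00"),
                values={"_name": "Network", "NodeSlot": 4,
                        "MRUListEx": encode_mrulistex()}),
        }),
    "Bags": key(T("2024-03-05T09:12:00"), subkeys={
        "1": key(T("2024-03-02T08:00:00"), values={"Mode": 4}),
        "2": key(T("2024-03-04T16:40:00"), values={"Mode": 1}),
        "3": key(T("2024-03-04T16:40:00"), values={"Mode": 4}),
        "4": key(T("2024-03-05T09:12:00"), values={"Mode": 4}),
    }),
})


def walk_bagmru(node, bags, path=()):
    """Yield one record per folder, depth first, siblings in MRU order,
    with NodeSlot resolved to the matching Bags\\<slot> key."""
    for idx in parse_mrulistex(node["values"].get("MRUListEx", b"")):
        child = node["subkeys"][str(idx)]
        slot = child["values"].get("NodeSlot")
        full = path + (child["values"]["_name"],)
        yield {
            "path": "\\".join(full),
            "last_write": child["last_write"],
            "node_slot": slot,
            "bag": bags["subkeys"].get(str(slot), {}).get("values"),
            "children": len(child["subkeys"]),
        }
        yield from walk_bagmru(child, bags, full)


def shellbag_report(shell=SHELL):
    """Flatten the tree into folder records (most recent top-level entry first)."""
    return list(walk_bagmru(shell["subkeys"]["BagMRU"], shell["subkeys"]["Bags"]))


def most_recent_top_level(shell=SHELL):
    """Head of the root MRUListEx = top-level entry accessed most recently."""
    root = shell["subkeys"]["BagMRU"]
    first = parse_mrulistex(root["values"]["MRUListEx"])[0]
    return root["subkeys"][str(first)]["values"]["_name"]


def timestamp_meaning(record):
    """Only the key's LastWrite survives. A key with no children was written
    when the folder was first viewed or its view settings last changed; a
    parent key is also rewritten whenever its own MRUListEx changes, i.e.
    whenever any child folder is visited, so it is only an upper bound."""
    if record["children"] == 0:
        return "first viewed / view settings last changed"
    return "last child access or view change (upper bound only)"


if __name__ == "__main__":
    for r in shellbag_report():
        print(r["last_write"].isoformat(), r["path"], r["bag"], timestamp_meaning(r))
```

The walk deliberately reports the root's MRU order rather than alphabetical subkey order, because MRUListEx, not the subkey numbering, carries the recency information; the "E:" branch in the sample shows how a removable-device path survives in the tree regardless of whether the device is still present.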
Tools
Windows ShellBag Parser (TZWorks)
Shellbags.py (Willi Ballenthin)
ShellBags Explorer (Eric Zimmerman)
Internet Evidence Finder (IEF) (Magnet Forensics)