Shellbag forensics

Shellbags

  • Data structures in Windows that store and remember the display settings and view customization for individual folders in Windows Explorer, such as the folder view mode, the sorting order, the window position, etc.

  • Keeps track of folders opened/closed/repositioned/resized/interacted with, per user

  • Shell Bags persist even when data is deleted or securely removed. This makes them valuable in recovering information about previously visited folders, including those on external devices.

  • Windows creates shellbag information for folders and also for zip files.

Registry locations

  • Windows XP:

    • Network folders: NTUSER.DAT\Software\Microsoft\Windows\Shell

    • Local folders: NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam

    • Removable device folders: NTUSER.DAT\Software\Microsoft\Windows\StreamMRU

  • Win7+

    • NTUSER.DAT\Software\Microsoft\Windows\Shell

    • UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell

NTUSER.DAT = HKEY_CURRENT_USER

UsrClass.dat = HKEY_CURRENT_USER\Software\Classes

  • The majority of the information is stored in UsrClass.dat, but to get a complete picture you need to collect data from both locations

  • UsrClass.dat location: C:\Users\[username]\AppData\Local\Microsoft\Windows

Subkeys

  • Bags subkey: stores the actual folder customization data (window size, layout type, etc.)

  • BagMRU subkey: stores the actual directory structure of the folders accessed

BagMRU Subkey

  • MRUListEx: a list of 4-byte values indicating the order in which the child folders were accessed, with the most recent access listed first

  • NodeSlot: points to the numbered Bags subkey that stores this folder's customization data

  • NodeSlots: found in the root BagMRU subkey, updated upon new shellbag creation

Analysis

  • The Windows registry stores the Last Write Time of keys and subkeys, but not the Last Write Time of the individual values therein.

  • From the Last Write Time of a BagMRU key we can tell when a folder was first visited or last modified.

  • The existence of a shellbag means that a specific folder (or folders) has been visited by the specific user account from which the associated NTUSER.DAT or UsrClass.dat hive was extracted.

  • This indicates prior knowledge of the data on the part of the user, because Windows Explorer only creates the shellbag information when the folder was initially viewed or when its view settings were subsequently adjusted.

  • Additionally, shellbag information persists when data is deleted, or even securely deleted, from a system; it can be used to show directory listings that have long since been deleted, including those on removable devices such as external hard drives and USB flash drives.
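
As an added example (not part of these notes or of any of the tools listed below), the following Python decodes the MRUListEx ordering and walks a constructed BagMRU tree to reconstruct folder paths in most-recent-first order and to tie each NodeSlot back to its Bags entry. The hive model, folder names and timestamps are constructed assumptions, and decoding of the binary shell items held in real BagMRU values is assumed to have been done already.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF  # every MRUListEx value ends with this marker

def parse_mrulistex(blob: bytes) -> list:
    """MRUListEx: 4-byte little-endian subkey numbers, most recently
    accessed first, terminated by 0xFFFFFFFF."""
    order = []
    usable = blob[: len(blob) - len(blob) % 4]  # drop a trailing partial entry
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == MRU_TERMINATOR:
            break
        order.append(slot)
    return order

# Constructed model of a BagMRU subtree (not a real hive dump). Real child
# values hold binary shell items; here the folder name is assumed already
# decoded. "last_write" is the subkey's Last Write Time (values have none).
SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<III", 1, 0, MRU_TERMINATOR),
    "children": {
        "0": {"name": "C:", "NodeSlot": 1, "last_write": "2023-05-01T09:12:00Z",
              "MRUListEx": struct.pack("<II", 0, MRU_TERMINATOR),
              "children": {"0": {"name": "Users", "NodeSlot": 2,
                                 "last_write": "2023-05-01T09:12:00Z"}}},
        "1": {"name": "E:", "NodeSlot": 3, "last_write": "2023-05-02T18:40:00Z",
              "MRUListEx": struct.pack("<II", 0, MRU_TERMINATOR),
              "children": {"0": {"name": "Invoices", "NodeSlot": 4,
                                 "last_write": "2023-05-02T18:41:00Z"}}},
    },
}

def walk_bagmru(node: dict, path: str = ""):
    """Yield (full_path, NodeSlot, key_last_write) for every folder under
    node, visiting children in MRUListEx order (most recent first)."""
    children = node.get("children", {})
    for slot in parse_mrulistex(node.get("MRUListEx", b"")):
        child = children.get(str(slot))
        if child is None:
            continue  # MRUListEx names a subkey missing from the hive
        full = f"{path}\\{child['name']}" if path else child["name"]
        yield full, child["NodeSlot"], child["last_write"]
        yield from walk_bagmru(child, full)

def nodeslot_index(root: dict) -> dict:
    """Map NodeSlot -> folder path so Bags\\<NodeSlot> customization data
    can be tied back to the directory it describes."""
    return {slot: path for path, slot, _ in walk_bagmru(root)}
```

Running `list(walk_bagmru(SAMPLE_BAGMRU))` lists the removable drive E: and its Invoices folder before C:, because the root MRUListEx places subkey 1 ahead of subkey 0.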

Tools

  • Windows ShellBag Parser (TZWorks)

  • Shellbags.py (Willi Ballenthin)

  • ShellBags Explorer (Eric Zimmerman)

  • Internet Evidence Finder (IEF) (Magnet Forensics)
