Shell Bags
Shell bags are forensic artifacts found within the Windows Registry that provide a wealth of information regarding a user's interaction with the file system. They record details about accessed folders, including those on local drives, network shares, and removable devices. Shell bags not only capture the paths of accessed folders but also retain information about folders that have been deleted or overwritten, making them invaluable for forensic investigations to reconstruct user activities.
Key Insights:
Primary Data Locations:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagsUSRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Residual Desktop Items and Network Shares:
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Shell bags provide a detailed account of folder access by each user, encompassing a wide array of data, including timestamps for the file system as well as first and last interaction times with folders. Additionally, shell bags can contain information on "exotic" items, such as mobile device connections, control panel access, and interactions with Zip archives.
Deeper Dive
Shell Bags: Shell bags persist user preferences for folder views, such as icon size, window position, and view mode (e.g., list, details), across sessions. This data is stored in the Registry and helps to reconstruct the user's interaction with the file system.
BagMRU (Most Recently Used): The BagMRU key tracks the hierarchy of accessed folders, serving as a navigational breadcrumb trail that forensic analysts can follow to determine the sequence of folder accesses.
Bags: The Bags key stores detailed settings for individual folders accessed by the user, including display preferences and window sizes.
Evidence of Folder Activities: Analysis of shell bags can reveal evidence of folders that have been accessed even after those folders have been deleted. This can be critical in cases where proving the existence or prior presence of specific data or directories is necessary.
Analyzing The Artifact
To analyze shell bags:
Extract the
USRCLASS.DATandNTUSER.DATfiles from a user's profile.Use forensic tools capable of parsing the Windows Registry to access the paths listed under the Key Insights section.
Investigate the BagMRU keys to understand the navigational paths taken by the user.
Examine the Bags keys for specific folder view settings, which can provide context about how the user interacted with the filesystem.
Pay special attention to entries related to removable devices, network shares, and previously existing folders to piece together a comprehensive picture of user activity.
Tools for Analysis
Registry Explorer/RECmd: Tools designed for advanced Registry analysis, capable of parsing and interpreting the complex structure of shell bags.
Forensic Explorer: A forensic tool that includes capabilities for shell bag analysis, offering a graphical interface to visualize user activities.
Autopsy: An open-source digital forensics platform that can analyze shell bags as part of its broader examination of Windows systems.
ShellBags Explorer: A specialized tool focused on the extraction and interpretation of shell bag data, providing an intuitive interface for investigators.
Practical Example:
An investigator analyzing a system for a suspected data leak might use shell bags to discover that a user frequently accessed a now-deleted folder on an external USB drive. The shell bags could reveal the folder's name, the times it was accessed, and the settings the user had configured for viewing it, offering leads on what the folder contained and when it was used.
Last updated
Was this helpful?