
ShellBags Analysis: Tools --> SBECmd.exe or ShellBags Explorer (GUI version). A very important artifact.

ShellBags are the registry keys in which Windows Explorer stores folder view settings (window size, position, sort order) for every folder a user has opened. Because an entry is created even for folders that no longer exist, or that lived on removable media or network shares, ShellBags show which folders a user browsed and, through the key timestamps, roughly when. Understanding how to extract and analyze this data is essential for investigators reconstructing user activity.


To capture ShellBags data we can use SBECmd.exe (the command-line version of ShellBags Explorer), which can process the live registry or a folder of extracted hives and export the results as CSV for further analysis. Here's how to use SBECmd.exe:


  1. Live registry: C:\Users\User\Downloads\SBECmd> SBECmd.exe -l --csv .\

  • -l: Process the live registry of the currently logged-on user. Run from an elevated prompt so the tool can read the hives.

  • --csv: Directory to write the CSV results to.

  • .\: The current working directory (in our example, C:\Users\User\Downloads\SBECmd), so the CSV files land next to the tool.


  2. Offline hives: SBECmd.exe -d <hive directory> --csv <output directory>

  • -d: Directory containing the extracted ShellBags hives (NTUSER.DAT, UsrClass.dat, or hive files saved with reg save as shown below). Either -d or -l is required.

  • SBECmd.exe is the executable of the tool. Either run it from the folder it was extracted to, as in the prompt above, or give its full path.

  • Instead of parsing the live registry you can manually capture the ShellBags keys from a live system (next section), or collect the full hives with KAPE or from a disk image, and parse them later with -d.


Location: Manual extraction of the relevant hives from a live system

Both hives are locked while the user is logged on, so they cannot simply be copied. Either save the relevant keys out of the live registry with reg save (requires an elevated prompt, since reg save needs backup privilege), collect the hive files with a forensic tool such as KAPE, or image the disk.


For: UsrClass.dat (C:\Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat, mounted as HKCU\Software\Classes). On Windows 7-10 this hive holds most of the ShellBags data.

Example: saving the ShellBags keys into a folder:

reg save "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell" "C:\Users\User\Downloads\Shell\shell.hiv"

Win7-10 : UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Win7-10 : UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags


For: NTUSER.DAT (C:\Users\<user>\NTUSER.DAT, mounted as HKCU)

Capture the complete NTUSER.DAT from the user's profile folder (via KAPE or a raw copy) or create an image; alternatively save the key below with reg save as for UsrClass.dat.

Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
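The whole procedure above in one script, as an added example that is not part of the original post: it saves both ShellBags key locations from the live registry with reg.exe, hashes the saved hives for later verification, and parses them with SBECmd.exe using the -d and --csv options described earlier. The tool path and output folder are assumed placeholders; run it from an elevated PowerShell prompt because reg save needs backup privilege.

```powershell
# Added example, not code from the original post or from the SBECmd project.
# Collects the two ShellBags key locations with reg.exe, records SHA-256 hashes of
# the saved hives, then parses them with SBECmd.exe -d / --csv.
# $SbeCmd and $OutDir are assumed placeholder paths; adjust them to your setup.
# reg save needs backup privilege, so run this from an elevated PowerShell prompt.
param(
    [string]$SbeCmd = 'C:\Users\User\Downloads\SBECmd\SBECmd.exe',   # assumed tool location
    [string]$OutDir = 'C:\Users\User\Downloads\Shell'                # assumed output folder
)

$ErrorActionPreference = 'Stop'
$hiveDir = Join-Path $OutDir 'hives'
New-Item -ItemType Directory -Force -Path $hiveDir | Out-Null

# ShellBags live in two hives of the logged-on user:
#   UsrClass.dat, mounted as HKCU\Software\Classes -> ...\Local Settings\Software\Microsoft\Windows\Shell
#   NTUSER.DAT,   mounted as HKCU                   -> Software\Microsoft\Windows\Shell
$targets = [ordered]@{
    'usrclass_shell.hiv' = 'HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
    'ntuser_shell.hiv'   = 'HKCU\Software\Microsoft\Windows\Shell'
}

foreach ($name in $targets.Keys) {
    $dest = Join-Path $hiveDir $name
    # /y overwrites an existing file without prompting
    & reg.exe save $targets[$name] $dest /y
    if ($LASTEXITCODE -ne 0) {
        throw "reg save failed for $($targets[$name]) (exit code $LASTEXITCODE)"
    }
}

# Hash the collected hives so the evidence can be verified later.
Get-ChildItem -Path $hiveDir -Filter '*.hiv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $OutDir 'hive_hashes.csv') -NoTypeInformation

# Parse every hive found under -d and write the CSV results to --csv.
& $SbeCmd -d $hiveDir --csv $OutDir
if ($LASTEXITCODE -ne 0) { throw "SBECmd.exe exited with code $LASTEXITCODE" }
```

Run it as `.\Collect-ShellBags.ps1` (or pass `-SbeCmd` and `-OutDir` to override the placeholders). The hash CSV is written before parsing so the parsed output can always be tied back to the exact hive files that were collected. If SBECmd reports nothing for a saved hive, fall back to parsing the complete NTUSER.DAT and UsrClass.dat collected with KAPE or from an image, as the post also suggests.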


ShellBags Explorer (GUI version)


Once you have collected the raw artifacts, either manually as in the example above or with KAPE, load them in ShellBags Explorer (File > Load offline hive; there is also an option to load the active registry).

The GUI presents the BagMRU hierarchy as a folder tree with the decoded paths and timestamps for each entry, which is easier to read than the CSV output when you are walking through a user's browsing history.



In summary, SBECmd.exe and the ShellBags Explorer GUI provide a convenient and effective means of capturing and analyzing ShellBags data, enabling forensic investigators to gather evidence and reconstruct user actions with precision.


Akash Patel
