
Unlocking ShellBags Analysis with ShellBags Explorer (SBE) / SBECmd.exe

Updated: Jan 23

 

ShellBags can provide invaluable insights into a user’s activity—helping forensic analysts reconstruct deleted folders, track accessed directories, and correlate timestamps with other evidence. While parsing ShellBags manually is complex and tedious, ShellBags Explorer (SBE) by Eric Zimmerman simplifies this process, offering a comprehensive, automated, and user-friendly way to extract and analyze these artifacts.


-----------------------------------------------------------------------------------------------------------

What is ShellBags Explorer (SBE)?

ShellBags Explorer is a free, all-in-one forensic tool designed to parse ShellBags artifacts effortlessly. It eliminates the need for laborious manual steps, automates the decoding of registry data, and helps investigators visually reconstruct a user’s directory structure. Whether dealing with deleted folders or hidden user activity, SBE makes ShellBags analysis more efficient and insightful.


SBE is available in both GUI and command-line versions, making it adaptable for different forensic workflows. The command-line version is particularly useful when scripting or integrating analysis into a broader forensic pipeline.


-----------------------------------------------------------------------------------------------------------


Understanding the SBE Interface

SBE is designed to be intuitive, especially for those familiar with forensic GUI tools. The interface consists of three main sections:


🔹 Tree View (Left Panel): Displays a hierarchical representation of identified folders, directly sourced from the BagMRU registry key.

🔹 Table View (Right Panel): Shows metadata for child folders, including timestamps (First Interacted, Last Interacted) and additional Shell Item details. Sorting and filtering make it easier to pinpoint critical evidence.

🔹 Details & Summary View (Bottom Panel): Provides in-depth insights into selected folders, including the full file path, registry key locations, NodeSlot references, and timestamps.



-----------------------------------------------------------------------------------------------------------

How ShellBags Store Information

The BagMRU key maintains a numbered list of child folders (one numbered value and one numbered subkey per child) and an MRU (Most Recently Used) list, the MRUListEx value, which records the order in which those child folders were interacted with.


One crucial aspect of ShellBags analysis is how the "Last Interacted" time is derived: the last write time of the parent registry key is assigned to the child folder at MRU Position #0, the most recently interacted folder, and tells us the last time the user interacted with that folder. This creates a significant limitation:

  • If a parent folder contains multiple child folders, only the most recently interacted one (MRU Position #0) can be assigned this timestamp.

  • The other child folders receive no Last Interacted timestamp, so when they were last interacted with cannot be determined from ShellBags alone.


Example Breakdown

Let's take a practical example to better understand how this works. Suppose we have three folders under a parent folder, as seen in forensic tools like ShellBags Explorer.

  • Only one folder (e.g., "Windows") has a "Last Interacted" timestamp.

  • That folder is also positioned as MRU Position #0 in the MRU list.


We can see the following MRU sequence:

  • Position 0 (most recently accessed) → Folder: "Windows"

  • Position 1 → Folder: "Users"

  • Position 2 → Folder: "Program data"


The last write timestamp of the parent folder's registry key (e.g., 2023-03-24 18:14:00.598 UTC) is assigned only to MRU Position #0, confirming that "Windows" was the last folder interacted with.


Why This Matters in Forensics

Understanding this timestamp limitation is crucial when reconstructing user activity. Investigators must be aware that:

  1. Not all accessed folders will have timestamps. Only the most recently interacted folder within a parent directory will.

  2. Correlating with other forensic artifacts is necessary. Combining ShellBags analysis with other sources like Windows Event Logs, USN Journal, or Prefetch data can provide a more complete timeline of user activity.


-----------------------------------------------------------------------------------------------------------

First Interacted Timestamps in ShellBags

First Interacted timestamps are identified differently than Last Interacted times.


Here's how it works:

  • When a folder is added to BagMRU for the first time, a registry key is created.

  • The last write time of that key becomes the First Interacted timestamp.

  • If no subfolders under that key are later accessed, this timestamp remains unchanged.


Why This Matters in Forensics

Understanding both First and Last Interacted timestamps is crucial when reconstructing user activity. Investigators should remember:


  1. First Interacted timestamps are only shown for folders whose key has no subkeys. Once the user interacts with a subfolder, a subkey is created beneath the folder's key, which rewrites the key's last write time so it no longer marks the first interaction.

  2. Last Interacted timestamps are reassigned whenever a different child folder is interacted with within the same parent directory, since the parent key's last write time moves to the new MRU Position #0.

  3. Correlating with other forensic artifacts like Windows Event Logs or USN Journal enhances timeline accuracy.
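The two timestamp rules above (Last Interacted from the parent key's last write time at MRU Position #0, First Interacted from a child key's own last write time only while it has no subkeys) are easy to get wrong when reading raw registry data. The following is an added example, not code from ShellBags Explorer; it models a BagMRU key, decodes the MRUListEx value, and applies both rules to the three-folder example from the text. The child keys' LastWrite timestamps are constructed for illustration; only the parent's 2023-03-24 18:14:00.598 UTC comes from the text.

```python
"""Derive 'Last Interacted' and 'First Interacted' the way the text describes.

Added example (not ShellBags Explorer's code). The BagMRU tree below is
constructed from the three-folder example in the text; the child keys'
LastWrite timestamps are made up for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class BagMRUKey:
    """One BagMRU registry key: its LastWrite time, numbered child subkeys
    (subfolders the user later interacted with), the folder name stored in
    each numbered value, and the raw MRUListEx value."""
    last_write: datetime
    children: dict[int, "BagMRUKey"] = field(default_factory=dict)
    names: dict[int, str] = field(default_factory=dict)
    mrulistex: bytes = b""


def parse_mrulistex(raw: bytes) -> list[int]:
    """MRUListEx is a run of little-endian uint32 value indices, most recently
    used first, terminated by 0xFFFFFFFF."""
    order: list[int] = []
    usable = raw[: len(raw) - len(raw) % 4]          # ignore a ragged tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


@dataclass
class ChildTimes:
    name: str
    mru_position: int
    first_interacted: Optional[datetime]  # None when the child key has subkeys
    last_interacted: Optional[datetime]   # None except at MRU position 0


def child_times(parent: BagMRUKey) -> list[ChildTimes]:
    """Apply the two rules from the text to the children of one parent key:
    * Last Interacted: the parent key's LastWrite, assigned only to the child
      at MRU position 0; every other child gets none.
    * First Interacted: the child key's own LastWrite, but only while that key
      has no subkeys; once a subfolder key is created beneath it the LastWrite
      is rewritten and no longer marks the first interaction."""
    rows: list[ChildTimes] = []
    for pos, idx in enumerate(parse_mrulistex(parent.mrulistex)):
        child = parent.children[idx]
        rows.append(ChildTimes(
            name=parent.names[idx],
            mru_position=pos,
            first_interacted=None if child.children else child.last_write,
            last_interacted=parent.last_write if pos == 0 else None,
        ))
    return rows


def build_example() -> BagMRUKey:
    """Constructed parent key with three children; MRUListEx orders them
    Windows (value 2), Users (value 0), Program data (value 1)."""
    utc = timezone.utc
    users = BagMRUKey(last_write=datetime(2023, 3, 22, 8, 0, 0, tzinfo=utc))
    # Users has a child key (a subfolder was interacted with later), so its
    # LastWrite no longer reflects the first interaction with Users.
    users.children[0] = BagMRUKey(last_write=datetime(2023, 3, 22, 8, 0, 0, tzinfo=utc))
    program_data = BagMRUKey(last_write=datetime(2023, 3, 21, 12, 0, 0, tzinfo=utc))
    windows = BagMRUKey(last_write=datetime(2023, 3, 24, 18, 13, 55, tzinfo=utc))
    return BagMRUKey(
        last_write=datetime(2023, 3, 24, 18, 14, 0, 598000, tzinfo=utc),  # from the text
        children={0: users, 1: program_data, 2: windows},
        names={0: "Users", 1: "Program data", 2: "Windows"},
        mrulistex=struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    )


if __name__ == "__main__":
    for row in child_times(build_example()):
        print(f"#{row.mru_position} {row.name:<13} first={row.first_interacted} last={row.last_interacted}")
```

Running it prints one line per child: only "Windows" (position 0) carries the Last Interacted time, and "Users" has no First Interacted time because a subkey exists beneath it.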


-----------------------------------------------------------------------------------------------------------

Target Timestamps in ShellBags


  • Created: Records when the folder was created on the target volume.

  • Modified: Reflects when the folder's contents last changed (a file or subfolder added, removed, or renamed).

  • Accessed: (Only if last-access updates are enabled in Windows) Indicates the last time the folder itself was accessed, for example listed by Explorer.


These timestamps are copied into the shell item during the first interaction with the folder and typically do not get updated later. They are stored as DOS (FAT-style) date/time values, so they have 2-second resolution and are in the local time of the system that wrote them; expect them to differ slightly from the NTFS timestamps of the same folder. This makes them crucial in forensic investigations, especially if the folder was deleted, located on a removable device, or stored on a remote system, where the original file system metadata may no longer be available.


Example Use Cases:

  • Detecting suspicious folder creation on a USB drive on the day an employee was terminated.

  • Identifying folders modified during a known external intrusion.


-----------------------------------------------------------------------------------------------------------


MFT Entry and File System Identification in ShellBags



  • For folders on NTFS volumes, ShellBags store the target's NTFS file reference (MFT entry number and sequence number) in the shell item's extension block, and ShellBags Explorer shows these together with the detected file system.

  • This can help forensic analysts match folder metadata with specific storage devices (e.g., network shares, USB drives) and with the corresponding $MFT record on an imaged volume.


Why is this important?

  • Helps distinguish between removable media and system drives: Windows system volumes are NTFS, so a folder recorded on a FAT or exFAT file system points to removable or external media.

  • Allows precise correlation between ShellBags data and specific devices.
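The Created and Accessed times described in the Target Timestamps section and the MFT entry / sequence number described here live in the same 0xBEEF0004 extension block of a shell item, while Modified lives in the item body; all three times use the 32-bit DOS date/time format. The following is an added example, not SBE's code, that decodes those fields and shows the 2-second truncation. The field offsets used in parse_beef0004() follow the commonly documented layout for version 7 and later extension blocks and are an assumption to verify against a real hive; the sample block is constructed, and treating a zero file reference as "target not on NTFS" is likewise a working assumption.

```python
"""Decode the target-folder timestamps and the NTFS file reference ShellBags
record for a folder.

Added example (not SBE's code). Created and Accessed, together with the NTFS
file reference (MFT entry + sequence number), sit in the 0xBEEF0004 extension
block of a shell item; Modified sits in the item body. All three times are
32-bit DOS (FAT-style) date/time values. The extension-block offsets used in
parse_beef0004() follow the commonly documented layout for version >= 7 blocks
and should be treated as an assumption; the sample block is constructed.
"""
from __future__ import annotations

import struct
from datetime import datetime
from typing import Optional

BEEF0004 = 0xBEEF0004


def decode_dos_datetime(date_word: int, time_word: int) -> Optional[datetime]:
    """date: bits 15-9 years since 1980, 8-5 month, 4-0 day.
    time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2.
    Resolution is 2 seconds and the value is local time on the writing system.
    An all-zero value means 'not recorded' (e.g. Accessed with last-access
    updates disabled) and decodes to None."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, min((time_word & 0x1F) * 2, 59),
    )


def encode_dos_datetime(dt: datetime) -> tuple[int, int]:
    """Inverse of decode_dos_datetime; odd seconds are truncated, which is why a
    ShellBag time can lag the folder's NTFS timestamp by a second."""
    return (
        ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
        (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2),
    )


def decode_file_reference(ref: int) -> tuple[int, int]:
    """NTFS file reference: low 48 bits MFT entry number, high 16 bits sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_beef0004(block: bytes) -> dict:
    """Pull Created, Accessed and the file reference out of a 0xBEEF0004 block.
    Assumed layout (version >= 7): size u16 @0, version u16 @2, signature u32 @4,
    created DOS date+time @8, accessed DOS date+time @12, two u16 @16 and @18,
    NTFS file reference u64 @20."""
    size, version, signature = struct.unpack_from("<HHI", block, 0)
    if signature != BEEF0004:
        raise ValueError(f"not a 0xBEEF0004 block: 0x{signature:08X}")
    if version < 7 or len(block) < 28 or size < 28:
        raise ValueError("block too old or too short to carry an NTFS file reference")
    c_date, c_time, a_date, a_time = struct.unpack_from("<4H", block, 8)
    (ref,) = struct.unpack_from("<Q", block, 20)
    entry, seq = decode_file_reference(ref)
    return {
        "created": decode_dos_datetime(c_date, c_time),
        "accessed": decode_dos_datetime(a_date, a_time),
        "mft_entry": entry,
        "mft_sequence": seq,
        # Assumption: no file reference recorded means the target was not on
        # NTFS, which is what points at FAT/exFAT media rather than a system drive.
        "ntfs": ref != 0,
    }


def build_sample_block(created: datetime, accessed: Optional[datetime], ref: int) -> bytes:
    """Constructed 0xBEEF0004 block (version 8) laid out in the assumed field order."""
    body = struct.pack("<4H", *encode_dos_datetime(created),
                       *(encode_dos_datetime(accessed) if accessed else (0, 0)))
    body += struct.pack("<HHQ", 0x0014, 0, ref) + bytes(8)
    return struct.pack("<HHI", 8 + len(body), 8, BEEF0004) + body


def sample() -> dict:
    """Constructed sample: folder created 2023-03-24 18:14:01 local time, Accessed
    not recorded (zeroed), MFT entry 8010 with sequence number 3."""
    return parse_beef0004(build_sample_block(datetime(2023, 3, 24, 18, 14, 1), None, (3 << 48) | 8010))


if __name__ == "__main__":
    print(sample())  # created is truncated to 18:14:00; accessed is None
```

The round trip through the DOS format is the point to notice: a folder created at 18:14:01 comes back as 18:14:00, so a one-second gap against $MFT or USN Journal timestamps is expected, not evidence of tampering.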


-----------------------------------------------------------------------------------------------------------


Indicators of User Interaction with folder in ShellBags



Vincent Lo's research revealed that actions such as deleting, copying, and renaming a folder can create ShellBags entries. This is why the term "interacted" is preferred over "accessed" when analyzing ShellBags data.

User Interaction

David Cowen and Eric Zimmerman found that the presence of settings values within a folder’s Bags key is a strong indicator that a user has explored that folder.


The ShellBags Explorer tool automatically detects this and marks such folders in the "Has Explored" column.


  • A checkmark in this column suggests that at least two settings values exist, increasing the likelihood that the user accessed the folder.

  • However, modern operating systems are complex, and rare cases may exist where a folder has Bags settings data without direct user interaction.


For critical forensic conclusions, it’s best to corroborate ShellBags findings with other artifacts, such as LNK files showing file access from that folder.

-----------------------------------------------------------------------------------------------------------


SBECmd Command Line

This tool offers the same capabilities and data extraction functionalities but in a command-line format, making it particularly useful for automation and large-scale forensic investigations.


Running SBECmd Against Mounted Triage Images

When working with a mounted forensic image, you can run SBECmd against the entire Users folder or a specific user's profile folder.


Since the -d option searches the given directory recursively, SBECmd will automatically scan subdirectories to locate and parse:


  • NTUSER.DAT

  • UsrClass.dat

Each parsed hive will generate a separate CSV file containing the extracted ShellBags data.


Example Command Usage

The following SBECmd command extracts ShellBags data and saves the output in CSV format:

SBECmd.exe -d G:\G --csv "E:\Output for testing\Website investigation" --csvf shellbags.csv
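Pointing -d at the whole Users folder is the quickest route, but in a larger case you often want each profile processed separately so that one user's output does not mix with another's. The following is an added example, not part of SBECmd or Eric Zimmerman's tools: it locates NTUSER.DAT and UsrClass.dat under each profile of a mounted image and builds one SBECmd command line per profile, using only the -d, --csv and --csvf options shown above. The image is assumed to be mounted read-only at mount_root; a temporary directory with a constructed Users tree stands in for it so the code runs offline.

```python
"""Find each profile's hives under a mounted image and plan one SBECmd run per user.

Added example, not part of SBECmd. It assumes the image is mounted read-only
at mount_root (a temporary directory with a constructed Users tree stands in
for it here) and uses only the -d and --csv / --csvf options shown in the text.
"""
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path

# Standard per-profile hive locations on Windows Vista and later.
HIVES = {
    "NTUSER.DAT": Path("NTUSER.DAT"),
    "UsrClass.dat": Path("AppData/Local/Microsoft/Windows/UsrClass.dat"),
}
# Template and shared profiles that carry no real user ShellBags (skipping them is a choice).
SKIP_PROFILES = {"Default", "Default User", "Public", "All Users"}


def find_user_hives(mount_root: Path) -> dict[str, dict[str, Path]]:
    """{profile: {hive label: path}} for every profile dir under Users holding a hive."""
    found: dict[str, dict[str, Path]] = {}
    users_dir = mount_root / "Users"
    if not users_dir.is_dir():
        return found
    for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        if profile.name in SKIP_PROFILES:
            continue
        present = {label: profile / rel for label, rel in HIVES.items() if (profile / rel).is_file()}
        if present:
            found[profile.name] = present
    return found


def sbecmd_args(hive_dir: Path, out_dir: Path, csv_name: str | None = None,
                exe: str = "SBECmd.exe") -> list[str]:
    """argv for SBECmd: -d recurses hive_dir for NTUSER.DAT/UsrClass.dat, --csv is the
    output folder. --csvf is added only when a single file name is wanted; left off,
    SBECmd names one CSV per hive as the text describes."""
    args = [exe, "-d", str(hive_dir), "--csv", str(out_dir)]
    if csv_name:
        args += ["--csvf", csv_name]
    return args


def plan_runs(mount_root: Path, out_root: Path) -> list[list[str]]:
    """One SBECmd invocation per discovered profile, each with its own output folder."""
    return [sbecmd_args(mount_root / "Users" / name, out_root / name)
            for name in find_user_hives(mount_root)]


def run_plan(plan: list[list[str]]) -> None:
    """Execute the planned runs (needs SBECmd.exe on PATH; not called by the demo)."""
    for argv in plan:
        Path(argv[argv.index("--csv") + 1]).mkdir(parents=True, exist_ok=True)
        subprocess.run(argv, check=True)


def make_fake_image(root: Path) -> None:
    """Constructed stand-in for a mounted triage image: empty placeholder hive files."""
    for user, hives in (("alice", ("NTUSER.DAT", "UsrClass.dat")), ("bob", ("NTUSER.DAT",))):
        for label in hives:
            target = root / "Users" / user / HIVES[label]
            target.parent.mkdir(parents=True, exist_ok=True)
            target.touch()
    (root / "Users" / "Public").mkdir(parents=True, exist_ok=True)


def demo() -> tuple[dict[str, list[str]], list[list[str]]]:
    """Build the fake image, discover hives, return (hive summary, planned argv lists)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fake_image(root)
        summary = {name: sorted(h) for name, h in find_user_hives(root).items()}
        return summary, plan_runs(root, root / "sbecmd_out")


if __name__ == "__main__":
    found, plan = demo()
    print(found)
    for argv in plan:
        print(" ".join(argv))
```

The hive summary also acts as a sanity check before launching the tool: a profile listed with NTUSER.DAT but no UsrClass.dat usually means the AppData\Local tree was not collected, and on Windows 7 and later that is where most ShellBags data lives.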


-----------------------------------------------------------------------------------------------------------


Conclusion:

ShellBags are a powerful forensic artifact that provide critical insights into user activity on a Windows system. Because ShellBags retain historical user activity, they are incredibly useful in intrusion investigations, insider threat cases, and digital forensic analysis. Parsing them manually, however, is complex and error-prone, so use tools like ShellBags Explorer and SBECmd.exe, and corroborate what they show with other artifacts before drawing conclusions.


Thanks for staying with me on this journey. See you in the next article, so stay tuned! 🚀
