Understanding how to extract and analyze shell bag data is essential for investigators seeking to uncover evidence and reconstruct user activities.
To capture shell bag data, we can utilize specialized tools like SBECmd.exe, which allows us to process the live registry and export the data in CSV format for further analysis. Here's how to use SBECmd.exe:
Command format: C:\Users\User\Downloads\SBECmd> SBECmd.exe -l --csv .\
-l: Process the live registry.
--csv: Export the data in CSV format to the directory that follows.
.\: Store the output in the current working directory (in our example, C:\Users\User\Downloads\SBECmd).
Tool location: SBECmd.exe is the executable file of the tool; the command above is run from the folder that contains it.
-d: Directory where extracted shell bag hives are stored (use -d instead of -l when parsing hives you exported manually).
Ensure that you specify the correct path to the tool when executing the command. Alternatively, you can manually capture the shell bag hives from a particular location and later use SBECmd to parse them.
Location: manual extraction of particular hives from a live system
For USRCLASS.DAT:
Example: saving the key into a folder:
reg save "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell" "C:\Users\User\Downloads\Shell\shell.hiv"
For NTUSER.DAT:
Capture the complete NTUSER.DAT from the root of the user's profile folder, or create an image. The relevant keys are:
Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
Win7-10 : NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
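The manual-extraction steps above, followed by an offline SBECmd parse of the saved hives, as an added PowerShell example (this is not code from the original post or from the SBECmd project). It assumes SBECmd.exe sits at the path in $SbeCmd, that the output folder may not exist yet, and that the exported CSV carries AbsolutePath and LastInteracted columns; the CSV column names are an assumption, so check the header of your own export if the triage step prints nothing.

```powershell
# Added example (not from the original post): save the shell bag keys from the
# live profile with reg.exe, then parse the saved hives with SBECmd.exe -d.
# Assumptions: SBECmd.exe lives at $SbeCmd (adjust to your tool location);
# $OutDir is created if it does not exist.
param(
    [string]$SbeCmd = "C:\Users\User\Downloads\SBECmd\SBECmd.exe",
    [string]$OutDir = "C:\Users\User\Downloads\Shell"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The two locations the post lists. HKCU\Software\Classes is backed by USRCLASS.DAT;
# HKCU\Software\Microsoft\Windows\Shell (the parent of BagMRU and Bags) by NTUSER.DAT.
$keys = @{
    "usrclass_shell.hiv" = "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell"
    "ntuser_shell.hiv"   = "HKCU\Software\Microsoft\Windows\Shell"
}

foreach ($name in $keys.Keys) {
    $dest = Join-Path $OutDir $name
    # /y overwrites an existing file without prompting
    & reg.exe save $keys[$name] $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed for $($keys[$name])" }
    # Record a hash of each saved hive so the evidence can be verified later
    Get-FileHash -Algorithm SHA256 -Path $dest | Select-Object Hash, Path
}

# Parse the saved hives offline (-d, not -l) and write the CSV output into $OutDir
& $SbeCmd -d $OutDir --csv $OutDir
if ($LASTEXITCODE -ne 0) { throw "SBECmd exited with code $LASTEXITCODE" }

# Quick triage of the export: the ten most recently interacted folder paths.
# Column names AbsolutePath and LastInteracted are assumed from SBECmd's CSV;
# rows with no LastInteracted value are skipped.
Get-ChildItem -Path $OutDir -Filter "*.csv" | ForEach-Object {
    Import-Csv -Path $_.FullName |
        Where-Object { $_.LastInteracted } |
        Sort-Object { [datetime]$_.LastInteracted } -Descending |
        Select-Object -First 10 AbsolutePath, LastInteracted |
        Format-Table -AutoSize
}
```

Run it as the user whose profile you are collecting from: reg save reads the current user's HKCU, so the hives it produces belong to that account. The SHA256 lines give you a record of each hive as it was acquired, which is worth keeping beside the CSV output.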
ShellBags Explorer GUI version
Once you have collected the raw artifacts, using manual extraction as in the example above or using KAPE, use the ShellBags Explorer GUI to review them in an easier way.
In summary, SBECmd.exe or the GUI version provides a convenient and effective means of capturing and analyzing shell bag data, enabling forensic investigators to gather evidence and reconstruct user actions with precision and accuracy.
Akash Patel