What are Shell Bags?
Shell Bags are data structures within the Windows registry that track user window viewing preferences in Windows Explorer. These structures store information about which folders were most recently browsed by the user, including details such as folder view settings and the last time a folder was visited or updated.
Location of Shell Bag Artifacts
Shell Bag artifacts are typically found in the following registry locations:
For Windows 7-10:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags For XP NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
Location of Both .Dat Files:
1. NTUSER.DAT File Location:
The NTUSER.DAT file is typically located within each user's profile folder on the system.
For example, if the username is "User," the NTUSER.DAT file for that user will be found in: C:\Users\User
It's important to note that the NTUSER.DAT file is hidden by default, so you may need to enable "Show hidden files and folders" in Windows Explorer to view it.
2. USRCLASS.DAT File Location:
The USRCLASS.DAT file is also a part of the user's registry hive and contains information related to user-specific COM (Component Object Model) classes.
Unlike the NTUSER.DAT file, the USRCLASS.DAT file is typically not found directly in the user's profile folder.
Instead, it is located within the "AppData" directory under the user's profile folder: C:\Users\User\AppData\Local\Microsoft\Windows
Within this directory, you may find the USRCLASS.DAT file alongside other system and application data specific to the user.
Importance of NTUSER.DAT and USRCLASS.DAT:
NTUSER.DAT contains the user's registry settings, preferences, and configurations, making it a vital component for forensic analysis to understand user behavior and system usage.
USRCLASS.DAT complements NTUSER.DAT by providing information about user-specific COM classes, which may be relevant for understanding the user's interactions with various software components and applications.
Understanding Shell Bags artifact and why to collect?
The Windows registry stores valuable information about folder view settings and user interactions with folders, including the last time a folder was visited or updated.
This data is stored in shell bags, which are created by Windows Explorer when a folder is viewed or when view settings are adjusted.
Shell bags also track visits to zip files, providing insights into user activities and prior knowledge of specific data. Understanding shell bags is crucial for forensic analysis because Even after data is deleted or securely removed, shell bag information persists, allowing investigators to reconstruct directory listings and access patterns. This persistence extends to removable devices like external hard drives and USB flash drives.
For example, if a folder named "secret" containing a subfolder "pictures" was securely removed, shell bag information would still indicate its existence. This evidence undermines claims of user ignorance about the existence of certain data, especially when combined with other artifacts from the system, such as linked files.
Understanding of Shell/BagMRU and Shell/Bag:
Within the "BagMRU" subkey, there are three values: "MRUList", "NodeSlot", and "NodeSlots".
"MRUList" is a four-byte value indicating the order in which each folder within the structure was last accessed. For example, if folder 3 was most recently accessed, it would be listed first, followed by the remaining folders in order of access.
"NodeSlot" points to the "Bags" key, which stores the actual data related to folder customization.
"NodeSlots" are present in the root "BagMRU" key and are updated upon the creation of new shell bags.
Shell\Bag : - Stores actual folder customization data(WINDOW SIZE, WINDOW LAYOUT)
Parsing Shell Bag Artifacts
Manual parsing of Shell Bag artifacts can be complex and time-consuming. However, specialized tools like Eric Zimmerman's ShellBag Explorer GUI version or SBECmd.exe cmd version simplify the extraction and analysis process. These tools generate structured output, making it easier for forensic analysts to interpret the data and identify relevant information.
Conclusion
Understanding Shell Bags and their significance in Windows forensics is essential for extracting valuable insights from digital evidence. By analyzing Shell Bag artifacts, forensic investigators can reconstruct user activities, track folder access, and uncover critical evidence relevant to their investigations.
Akash Patel
Comments