When investigating user activity on a Windows system, ShellBags are one of the most powerful yet misunderstood forensic artifacts. They record that a folder (or a virtual object Explorer treats as a folder) was viewed, even if it has since been deleted, moved, or sits on a device that is no longer attached. However, ShellBags can be complex to analyze, which often makes them intimidating for investigators.
------------------------------------------------------------------------------------------------------
📌 What Are ShellBags?
ShellBags are Windows registry entries that store user preferences for how folders are displayed in File Explorer. However, beyond user preferences, these keys provide valuable forensic insights.
Investigators can use ShellBags to answer critical questions such as:
✔ Did a user browse a folder before deleting it?
✔ Were external USB drives or cloud storage folders accessed?
✔ Did the user open password-protected or encrypted drives?
✔ What files and folders existed before deletion?
But here’s the key forensic takeaway:
📌 If a ShellBag exists for a folder, it shows that a user browsed that folder through the Windows shell (File Explorer, or a common Open/Save dialog that uses the same shell views).
This means even if the folder is deleted or stored on a removable drive, ShellBags may still contain evidence of its existence. Two caveats apply: a ShellBag shows the folder was viewed, not that any file inside it was opened or copied (pair it with Jump Lists, LNK files or RecentDocs for that), and the absence of a ShellBag does not prove a folder was never accessed, because command-line access (cmd, PowerShell) leaves none.
------------------------------------------------------------------------------------------------------
How Do ShellBags Work?
ShellBags track more than just regular folders. Windows also treats ZIP archives, mobile device filesystems, control panel applets, and more as folders.
Notably, starting with Windows 11 22H2, support was expanded to include 7-Zip, RAR, TAR, and Gzip archives.
This is particularly relevant because attackers frequently use archived files to evade detection. With these updates, forensic analysts now have a new source of evidence in investigations: a ShellBag for a path inside an archive shows the archive was browsed as a folder in Explorer, although not that its contents were extracted.
ShellBags store data in two main registry subkeys:
BagMRU – Maintains the hierarchy of folders interacted with. Each key holds numbered values, one per child folder, containing a binary shell item (the folder's name and, for filesystem folders, its DOS-format modified/created/accessed timestamps and NTFS file reference), an MRUListEx value listing those children most-recent-first, and a NodeSlot value pointing at the matching entry under Bags.
Bags – Stores the view settings (view mode, sort order, window position) for each NodeSlot.
By examining timestamps stored in ShellBags, investigators can determine when a folder was first and last interacted with, correlating this with other forensic artifacts. Keep the two timestamp sources apart: the registry key LastWrite times record when a key was created or last changed, while the timestamps inside the shell item are the folder's own filesystem times as they were when the item was written, at 2-second DOS granularity. A key's LastWrite time only moves when its values change, so simply re-opening a folder does not necessarily update it.
------------------------------------------------------------------------------------------------------
🗂 Where Are ShellBags Stored?
ShellBags are registry entries found in different locations depending on the Windows version:
📌 Windows 7 and later
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
📌 Windows XP (Older storage format)
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
💡 Tip: The NTUSER.DAT and USRCLASS.DAT registry hives store this information per user, so ShellBag entries are unique for each Windows account. NTUSER.DAT lives in the user's profile root and USRCLASS.DAT under AppData\Local\Microsoft\Windows; both are locked while the user is logged on, so collect them from a disk image or with a raw-copy tool, and collect the .LOG1/.LOG2 transaction logs next to them, since the most recent entries may only be in the logs and not yet in the hive file.
------------------------------------------------------------------------------------------------------
⏳ Timestamp Analysis in ShellBags
One of the most important forensic aspects of ShellBags is their timestamps. Parsed output typically reports:
✔ When a user first accessed a folder (First Interacted time).
✔ When the folder's entry was last modified (Last Interacted time).
Both are derived from registry key LastWrite times and the MRU ordering, so treat them as "when the registry recorded this", not as a complete log of every visit.
📌 Key Takeaway:
This is especially useful for tracking user activity across removable storage devices, encrypted volumes, or cloud-based folders.
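The mechanics described under How Do ShellBags Work? and in this timestamp section, as a runnable Python example added here (it is not code from the article, nor from 13Cubed or any tool the article mentions). It parses file-entry shell items (class 0x31/0x32) with a version-8 (Windows 7 and later) 0xBEEF0004 extension block, decodes the DOS/FAT timestamps, honours MRUListEx ordering and rebuilds paths by walking a BagMRU subtree. The subtree is a constructed in-memory dict, so no hive file is needed; the root and volume items that sit above it in a real BagMRU are not modelled and are stood in for by the assumed prefix E:. Field offsets follow the libfwsi shell item documentation as I understand it, which is an assumption; the folder names, MFT references and key last-write values are invented.

```python
"""Walk a BagMRU subtree: MRUListEx order, file-entry shell items, FAT timestamps.
Added example; a dict-based key tree stands in for the registry (constructed data)."""
import struct
from datetime import datetime

BEEF0004 = 0xBEEF0004   # extension block carrying the long name and timestamps
MRU_END = 0xFFFFFFFF    # terminator of an MRUListEx value

def decode_fat_time(raw):
    """FAT/DOS timestamp as stored in shell items: 16-bit date then 16-bit time,
    2-second resolution, local time of the writing machine; zero means unset."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def encode_fat_time(dt):                             # inverse; odd seconds truncate
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)

def parse_file_entry(item):
    """File entry item (class 0x31 dir / 0x32 file) + 0xBEEF0004 block; assumed libfwsi layout."""
    size, kind, _, fsize, mod_raw, attrs = struct.unpack_from("<HBBI4sH", item)
    if kind & 0x70 != 0x30:
        raise ValueError(f"not a file entry item: class 0x{kind:02x}")
    nul = item.index(b"\x00", 14)                    # ASCII 8.3 name starts at offset 14
    short_name = item[14:nul].decode("ascii")
    ext = (nul + 2) & ~1                             # name is padded to an even length
    ext_size, version, sig = struct.unpack_from("<HHI", item, ext)
    if sig != BEEF0004:
        raise ValueError(f"unexpected extension signature 0x{sig:08x}")
    created = decode_fat_time(item[ext + 8:ext + 12])
    accessed = decode_fat_time(item[ext + 12:ext + 16])
    off, mft_ref = ext + 18, None                    # past the 16-bit identifier field
    if version >= 7:
        ref = item[off + 2:off + 10]                 # NTFS file reference: entry + sequence
        mft_ref = (int.from_bytes(ref[:6], "little"), int.from_bytes(ref[6:], "little"))
        off += 18                                    # unknown16 + reference + unknown64
    if version >= 3:                                 # localized-name size + version unknowns
        off += 2 + (4 if version >= 8 else 0) + (4 if version >= 9 else 0)
    long_name = short_name
    if version >= 3:                                 # name runs up to the trailing version-offset field
        long_name = item[off:ext + ext_size - 2].decode("utf-16-le").rstrip("\x00")
    return {"name": long_name, "short_name": short_name, "is_dir": bool(kind & 1),
            "attributes": attrs, "size": fsize, "modified": decode_fat_time(mod_raw),
            "created": created, "accessed": accessed, "mft_ref": mft_ref}

def build_file_entry(long_name, short_name, t, mft_entry, mft_seq, is_dir=True):
    """Construct a version-8 (Windows 7+) directory/file item for the sample tree."""
    name = short_name.encode("ascii") + b"\x00"
    name += b"\x00" * (len(name) % 2)
    ext = (struct.pack("<HHI", 0, 8, BEEF0004) + encode_fat_time(t) * 2   # created, accessed
           + struct.pack("<HH", 0, 0) + mft_entry.to_bytes(6, "little")   # identifier left 0
           + struct.pack("<H", mft_seq) + bytes(8) + struct.pack("<HI", 0, 0)
           + long_name.encode("utf-16-le") + b"\x00\x00"
           + struct.pack("<H", 14 + len(name) + 2))  # offset of this block's version field
    ext = struct.pack("<H", len(ext)) + ext[2:]
    body = (struct.pack("<HBBI", 0, 0x31 if is_dir else 0x32, 0, 0 if is_dir else 4096)
            + encode_fat_time(t) + struct.pack("<H", 0x10 if is_dir else 0x20) + name + ext)
    return struct.pack("<H", len(body)) + body[2:]

def mru_order(raw):
    """MRUListEx: uint32 child indexes, most recently used first, 0xFFFFFFFF ends it."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == MRU_END:
            break
        order.append(idx)
    return order

def walk_bagmru(key, parent):
    """Depth-first over a BagMRU key in MRU order: (path, parsed item, subkey LastWrite)."""
    rows = []
    for idx in mru_order(key["MRUListEx"]):
        entry = parse_file_entry(key["items"][idx])
        path = f"{parent}\\{entry['name']}"
        child = key["subkeys"].get(idx)              # a subkey exists only if browsed into
        rows.append((path, entry, child["last_write"] if child else None))
        if child:
            rows.extend(walk_bagmru(child, path))
    return rows

def build_sample_tree():
    """Constructed BagMRU subtree (not real evidence): E:\\Exfil\\Quarterly Reports, E:\\Photos."""
    t = datetime(2024, 3, 11, 14, 27, 42)
    return {"last_write": datetime(2024, 3, 11, 14, 30, 5),
            "MRUListEx": struct.pack("<3I", 1, 0, MRU_END),   # index 1 (Exfil) most recent
            "items": {0: build_file_entry("Photos", "PHOTOS", t, 41700, 2),
                      1: build_file_entry("Exfil", "EXFIL", t, 41781, 3)},
            "subkeys": {1: {"last_write": datetime(2024, 3, 11, 14, 29, 50),
                            "MRUListEx": struct.pack("<2I", 0, MRU_END),
                            "items": {0: build_file_entry("Quarterly Reports",
                                                          "QUARTE~1", t, 41790, 1)},
                            "subkeys": {}}}}

if __name__ == "__main__":
    for path, entry, last_write in walk_bagmru(build_sample_tree(), "E:"):
        print(f"{path:<28} modified={entry['modified']} mft={entry['mft_ref']} key={last_write}")
```

Running it lists E:\Exfil first because MRUListEx puts index 1 ahead of index 0, then descends into the Exfil subkey before returning to E:\Photos, which has no subkey and therefore no key LastWrite of its own. The MFT entry and sequence number parsed from the extension block are what let you match a ShellBag to an $MFT record even after the folder is deleted, and the 2-second rounding in decode_fat_time is why shell-item times never line up exactly with NTFS timestamps.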
------------------------------------------------------------------------------------------------------
Making ShellBags Analysis Easier
ShellBags analysis can be complex, but tools automate the parsing process, making it easier to focus on results rather than raw registry data. In my next article, I'll walk you through using automated tools to parse ShellBags, allowing you to focus solely on analysis rather than manual extraction.
To better understand ShellBags in action, I highly recommend watching 13Cubed's YouTube episode on the topic.
------------------------------------------------------------------------------------------------------
💡 Real-World Forensic Use Cases of ShellBags
1️⃣ Case Study: Investigating a Deleted Folder
A suspect claims they never accessed a sensitive folder that has since been deleted.
📌 Solution: Investigate ShellBags!
✔ A ShellBag entry for the folder is still present in the registry even though the folder is gone from disk.
✔ The key LastWrite times show when it was last interacted with.
✔ The recorded path places the folder on a removable drive letter; correlating that letter with the SYSTEM hive (MountedDevices and USBSTOR) ties it to a specific device and shows removable storage was used.
2️⃣ Case Study: Proving Data Theft
A company suspects an employee copied files to an external drive before resigning.
📌 Solution:
✔ ShellBags reveal the drive letter and folder paths browsed on the external drive (drive letters get reused, so confirm the device via MountedDevices and USBSTOR in the SYSTEM hive).
✔ The timestamps show when folders on the USB drive were interacted with.
✔ Jump Lists confirm that files from these folders were opened.
📢 Conclusion: Even if the folders were later deleted, ShellBags provide concrete evidence that they existed and were browsed, and the other artifacts fill in which files were touched.
------------------------------------------------------------------------------------------------------
🔍 Final Thought:
ShellBags might seem complex, but once you understand how they work, they become a powerful weapon in digital forensic investigations. Whether tracking deleted evidence, removable storage access, or user activity, they provide an invaluable historical record of what happened on a system.
----------------------------------------------Dean---------------------------------------------