ShellBagger

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust.  As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings.  Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

Analyze ShellBag Artifacts

Description:

Microsoft Windows tracks user window viewing preferences specific to Windows Explorer. Tracked items include the size, view, icon, and position of a folder from Windows Explorer. This information is referred to as “ShellBags”, and are stored in several locations within the Registry. These keys can be extremely useful to a forensic investigator since the ShellBags are persistent and remain behind even if the directory is removed. They can also be used to reveal information about past mounted volumes such as USB drives, mapped drives, network folders, deleted files, and user actions.

ShellBags Locations

ShellBags may be found in a few locations, depending on operating system version.

Windows XP – NTUSER.DAT Hives “Software\Microsoft\Windows\Shell” “Software\Microsoft\Windows\ShellNoRoam”

Windows 7 – NTUSER.DAT and UsrClass.dat Hives “Local Settings\Software\Microsoft\Windows\ShellNoRoam” “Local Settings\Software\Microsoft\Windows\Shell”

Features

• Parses file paths, registry dates from bag entries, modified, access, creation times from shell link items, type, file size (if available) and location
• Performs lookups on known GUIDs
• Saves to CSV for additional analysis/reporting
• Requirements: Microsoft .NET Framework v4.0
• Free for both personal and commercial use

 Screenshots

v1.5 (05-24-2013)

• Added seconds to display

v1.4 (05-24-2013)

• Application now digitally signed
• Application will automatically check for updates

References:

• Using shellbag information to reconstruct user activities
• Computer Forensic Artifacts: Windows 7 Shellbags
• Windows Shellbag Forensics