Forensic Investigation: Shellbags
In this article, we will be focusing on shellbags and its forensic analysis using shellbag explorer. Shellbags are created to enhance the users’ experience by remembering user preferences while exploring folders, the information stored in shellbags is useful for forensic investigation.
Table of Contents
- Location of shellbags
- Forensic analysis using Shellbags Explorer
- Active Registry Analysis
- Offline Registry Analysis
Windows Shell Bags were introduced into Microsoft’s Windows 7 operating system and are yet present on all later Windows platform. Shellbags are registry keys that are used to improve user experience and recall user’s preferences whenever needed. The creation of shellbags relies upon the exercises performed by the user.
As a digital forensic investigator, with the help of shellbags, you can prove whether a specific folder was accessed by a particular user or not. You can even check whether the specific folder was created or was available or not. You can also find out whether external directories have been accessed on external devices or not.
For the most part, Shell Bags are intended to hold data about the user’s activities while exploring Windows. This implies that if the user changes icon sizes from large icons to the grid, the settings get updated in Shell Bag instantly. At the point when you open, close, or change the review choice of any folder on your system, either from Windows Explorer or from the Desktop, even by right-clicking or renaming the organizer, a Shellbag record is made or refreshed.
Location of shellbags
The shellbags for Windows XP are stored in NTUSER.DAT
- Network folders references:\Software\Microsoft\Windows\Shell
- Local folder references: \Software\Microsoft\Windows\ShellNoRoam
- Removable device folders: \Software\Microsoft\Windows\StreamMRU
Windows 7 to Windows 10
Shellbags are a set of subkeys in the UsrClass.dat registry hive of Windows 10 systems. The shell bags are stored in both NTUSER.DAT and USRCLASS.DAT.
- NTUSER.DAT: HKCU\Software\Microsoft\Windows\Shell
- USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
The majority of the data is found in the USRCLASS.DAT hive-like local, removable, and network folders’ data. You can manually check shellbags entry in the registry editor like so. In the following screenshot, a shellbag entry for a folder named jeenali is shown.
The Shellbag data contains two main registry keys, BagMRU and Bags
- BagMRU: This stores folder names and folder path similar to the tree structure. The root directory is represented by the first bagMRU key i.e. 0. BagMRU contains numbered values that compare to say sub key’s nested subkeys. All of these subkeys contain numbered values aside from the last child in each branch.
- Bag: These stores view preference such as the size of the window, location, and view mode.
We will be analyzing the shellbags using the shellbag explorer.
- ShellBags explorer(SBECmd)
- Shellbags explorer (GUI version)
Shellbags explorer is a tool by Eric Zimmerman to analyze shellbags. The shellbags explorer is available in both versions cmd and GUI. You can download the tool from here.
Forensic Analysis of Shellbag
Analysis using SBECmd
Here we are using the SBECmd.exe (Cmd version of the shellbag explorer tool) by Eric Zimmerman. This cmd tool is great for command prompt lovers who prefer using commands over GUI.
To get a clear idea about how shell bags work and store data and how you can analyze it I have created a new folder named “raaj” which consists of a text document. Further, we will be renaming it to geet and then to jeenali. Let’s analyze the shellbags entries for this.
Run the executable file and browse to the directory where the executable is present. To extract the shellbags data into a .csv file use the following command:
SBECmd.exe –l --csv ./
As a result of the above command, a .csv file will be created in the directory.
Lets’ open the .csv file and analyze it.
As I mentioned earlier, we have renamed the folder named “raaj” to “geet” and further to “jeenali” as highlighted in the screenshot the MFT entry number is the same for all three folders which depict that the folder was renamed.
- Shellbags explorer (GUI version)
Active Registry Analysis
Using the shellbags explorer we can also analyze the active registry. Select load an active registry which will load the registry in use by the active user.
The shellbags are successfully parsed from the active registry.
The shellbags parse contains the shellbags entries created based on users’ activities. As depicted earlier the folder renamed will have a similar MFT entry number. Here, I have created a folder named “raaj” and we will be further renaming it to “geet”.
Whenever a folder is renamed an entry is stored in shellbag, the MFT entry number of both the folder will be the same.
Now, once again rename the folder to jeenali. The MFT entry will be similar to the previous one.
Offline registry analysis
For offline analysis, we first have to extract the shellbags file which is USRCLASS.DAT. Let’s extract the shellbag file using FTK imager. Download FTK imager from here.
Lets’ add in the evidence, go to the add evidence item.
Select the source for adding evidence as here I have selected the logical drive as usrclass.dat is present in the C drive.
Next, select the desired user drive. Click Finish.
Expand the window to the location of the usrclass.dat. Select the user you want to investigate go to the following path to extract the UsrClass.dat.
root > users > administrator >Appdata>Local>Microsoft>windows
We will be analyzing the usrclass.dat extracted from the above step using shell bag explorer by Eric Zimmerman.
As we have exported the registry hives we will choose “load offline hive”
After successful parsing of the extracted shellbags file, you will be able to see the entries for folders browsed, created, deleted, etc. Here is the entry of the folders renamed earlier, the MFT entry number is the same for the three folders.
Now here, I have deleted the folder named “jeenali”. Now lets’ check the shellbags data whether the deleted folder still exists or not.
Yes, the shellbags store the entry even though the folder was deleted later.
Shellbags stores the entries of the directories accessed by the user, user preferences such as window size, icon size. Shellbags explorer parses the shellbags entries shows the absolute path of the directory accessed, creation time, file system, child bags. The tool classifies the folders accessed according to the location of the folder. Shellbags are created for compressed files (ZIP files), command prompt, search window, renaming, moving, and deleting a folder.
Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here