
27/10/2020 Forensic Investigation: Shellbags

Hacking Articles
Raj Chandel's Blog

Forensic Investigation: Shellbags

posted in CYBER FORENSICS on OCTOBER 26, 2020 by RAJ CHANDEL
In this article, we will be focusing on shellbags and their forensic analysis using ShellBags Explorer. Shellbags exist to enhance the user's experience by remembering folder view preferences while exploring folders; the information stored in them is useful for forensic investigation because it records which folders a user has browsed.

Table of Contents
Introduction
Location of shellbags
Forensic analysis using Shellbags Explorer
Active Registry Analysis
Offline Registry Analysis

Introduction
Windows shellbags have existed since Windows XP and are present on every later Windows version (their registry location changed after Windows XP, see below). Shellbags are registry keys that Windows Explorer uses to remember how each folder was last displayed (window size, position, view mode) and to restore those preferences the next time the folder is opened. Entries are only created by the user's own actions in Explorer, which is what makes them evidentially interesting.

As a digital forensic investigator, shellbags let you show that a specific folder was browsed under a particular user account, even if the folder has since been renamed or deleted. You can check whether a folder existed at a given time, and you can establish that directories on external media (USB drives) or network shares were opened, because shellbags are written for those locations too. The caveat is that a shellbag proves the folder was displayed in Explorer, not that any file inside it was opened; pair it with LNK, Jump List or other file-access artifacts for that.

Shellbags are intended to hold data about the user's activity while exploring folders in Windows. If the user changes the icon size from large icons to a grid, the setting is updated in the shellbag immediately. When you open, close, or change the view options of any folder, from Windows Explorer or from the Desktop, and even when you right-click or rename a folder, a shellbag record is created or refreshed.

Location of shellbags
Windows XP

On Windows XP the shellbags are stored in NTUSER.DAT:

Network folder references: \Software\Microsoft\Windows\Shell
Local folder references: \Software\Microsoft\Windows\ShellNoRoam
Removable device folders: \Software\Microsoft\Windows\StreamMRU

Windows 7 to Windows 10

From Windows 7 onward the shellbags are split across two hives of each user profile, NTUSER.DAT (in the profile root) and USRCLASS.DAT (under AppData\Local\Microsoft\Windows). The keys are:

NTUSER.DAT: HKCU\Software\Microsoft\Windows\Shell
USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Each of these Shell keys contains the BagMRU and Bags subkeys described below.

The majority of the data, including local, removable, and network folder entries, is found in the USRCLASS.DAT hive. You can check a shellbag entry manually in the Registry Editor; the screenshot in the original article shows the entry for a folder named jeenali.

The shellbag data lives under two registry keys, BagMRU and Bags:

BagMRU: stores folder names and paths as a tree that mirrors the folder hierarchy. The root is the BagMRU key itself; each key holds numbered values (0, 1, 2, ...) and each value is a binary shell item describing one child folder, with a numbered subkey of the same name holding that child's own children. Leaf keys (the last child in a branch) have no numbered subkeys beneath them. Every key also has a NodeSlot value that points to the matching Bags\<n> key.
Bags: stores the view preferences for each folder, such as window size, position, and view mode, in the numbered subkey that NodeSlot references.

We will be analyzing the shellbags using ShellBags Explorer, which comes in two forms:

1. ShellBags Explorer command-line version (SBECmd.exe)
2. ShellBags Explorer GUI version

ShellBags Explorer is a tool by Eric Zimmerman for parsing shellbags, available in both command-line and GUI versions. You can download it from Eric Zimmerman's tools page.

Forensic Analysis of Shellbags

Analysis using SBECmd
Here we are using SBECmd.exe, the command-line version of ShellBags Explorer by Eric Zimmerman, which suits anyone who prefers the command prompt over a GUI.

To get a clear idea of how shellbags store data and how to analyze it, I created a new folder named "raaj" containing a text document, then renamed it to "geet" and then to "jeenali". Let's analyze the shellbag entries for this.

Open a command prompt in the directory containing SBECmd.exe. To parse the live registry of the current user (-l) and write the results as a .csv file into the current directory (--csv), run:

SBECmd.exe -l --csv .

Parsing the live registry is convenient for a demonstration, but it only covers the account you are logged on as and it runs on the machine under examination; for evidence, prefer parsing hive files exported from an image with -d (see the offline analysis section below).


As a result of the above command, a .csv file will be created in the directory. Let's open the .csv file and analyze it.


As mentioned earlier, we renamed the folder "raaj" to "geet" and then to "jeenali". As highlighted in the screenshot, the MFT entry number is the same for all three names, which shows that one folder was renamed rather than three folders created: renaming changes the name attribute but not the MFT record. Check the MFT sequence number column as well: the same entry number with a different sequence number means the original directory was deleted and NTFS reused its MFT record for a new one.
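As an added example (not part of the original article or of Eric Zimmerman's tooling), the following Python script shows what ShellBags Explorer is doing when it reports a name, timestamps and an MFT entry for each BagMRU value, and why the renamed folders share one MFT entry: it parses a directory shell item (class type 0x31) and its 0xBEEF0004 extension block, where NTFS stores the 64-bit file reference (MFT entry number in the low 48 bits, sequence number in the high 16), and then groups entries by that reference. The shell item bytes are constructed inside the script by a helper for illustration rather than read from a hive; the folder names, MFT entry number 91234, sequence numbers 5 and 6, and timestamps are assumed values, and the layout follows the version-9 extension block that Windows 10 writes. The last item reuses the MFT entry with a new sequence number to show the deleted-and-recreated case.

```python
import struct
from datetime import datetime

BEEF0004 = 0xBEEF0004  # signature of the extension block carrying long name, times and MFT reference


def fat_datetime(blob: bytes):
    """Decode the 4-byte FAT (DOS) timestamp used inside shell items.
    Shell items store the date word first, then the time word; resolution is 2 s, local time."""
    date, time = struct.unpack("<HH", blob)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def fat_bytes(dt: datetime) -> bytes:
    """Inverse of fat_datetime; only used to build the constructed sample items below."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def parse_beef0004(block: bytes) -> dict:
    """Parse a 0xBEEF0004 extension block. From version 7 on it holds the NTFS file reference:
    MFT entry number in the low 48 bits, sequence number in the high 16 bits."""
    size, version, signature = struct.unpack_from("<HHI", block, 0)
    if signature != BEEF0004:
        raise ValueError("not a 0xBEEF0004 extension block")
    out = {"created": fat_datetime(block[8:12]), "accessed": fat_datetime(block[12:16]),
           "mft_entry": None, "mft_sequence": None}
    off = 18                          # skip the 2-byte OS identifier at offset 16
    if version >= 7:
        off += 2                      # 2 unknown bytes
        (file_ref,) = struct.unpack_from("<Q", block, off)
        out["mft_entry"] = file_ref & 0xFFFFFFFFFFFF
        out["mft_sequence"] = file_ref >> 48
        off += 16                     # 8-byte file reference + 8 unknown bytes
    if version >= 3:
        off += 2                      # size of the optional localized name (not parsed here)
    if version >= 9:
        off += 4                      # unknown, present from version 9
    if version >= 8:
        off += 4                      # unknown, present from version 8
    end = off                         # long name: UTF-16LE terminated by a 2-byte null
    while end + 1 < len(block) and block[end:end + 2] != b"\x00\x00":
        end += 2
    out["long_name"] = block[off:end].decode("utf-16-le")
    return out


def parse_dir_item(item: bytes) -> dict:
    """Parse one file-entry shell item (class 0x30-0x3F), the kind a BagMRU numbered value holds."""
    size, class_type = struct.unpack_from("<HB", item, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item")
    (attributes,) = struct.unpack_from("<H", item, 12)       # FAT attribute flags, 0x10 = directory
    short_end = item.index(b"\x00", 14)                        # ASCII primary (8.3-style) name at 14
    (version_off,) = struct.unpack_from("<H", item, size - 2)  # last word: offset of ext block version
    ext = parse_beef0004(item[version_off - 2:size])
    return {"name": ext["long_name"], "short_name": item[14:short_end].decode("ascii"),
            "is_directory": bool(attributes & 0x10), "modified": fat_datetime(item[8:12]),
            "created": ext["created"], "accessed": ext["accessed"],
            "mft_entry": ext["mft_entry"], "mft_sequence": ext["mft_sequence"]}


def build_dir_item(name, mft_entry, mft_sequence, created, modified) -> bytes:
    """Constructed sample data (not from a real hive): a 0x31 directory item with a version-9
    0xBEEF0004 block, the layout Windows 10 writes. Values are assumptions for this example."""
    primary = name.encode("ascii") + b"\x00"
    primary += b"\x00" * (len(primary) % 2)                   # pad to a 16-bit boundary
    header = (struct.pack("<HBBI", 0, 0x31, 0, 0) + fat_bytes(modified)
              + struct.pack("<H", 0x10) + primary)            # size patched below
    body = (fat_bytes(created) + fat_bytes(modified) + struct.pack("<H", 0x2E) + b"\x00" * 2
            + struct.pack("<Q", (mft_sequence << 48) | mft_entry) + b"\x00" * 8
            + struct.pack("<H", 0) + b"\x00" * 8
            + name.encode("utf-16-le") + b"\x00\x00"
            + struct.pack("<H", len(header) + 2))             # offset of the version field
    ext = struct.pack("<HHI", 8 + len(body), 9, BEEF0004) + body
    item = header + ext
    return struct.pack("<H", len(item)) + item[2:]


T0 = datetime(2020, 10, 22, 9, 58, 0)
SAMPLE_ITEMS = [  # constructed: rename chain raaj -> geet -> jeenali, then a new folder reusing the slot
    build_dir_item("raaj", 91234, 5, T0, datetime(2020, 10, 22, 10, 0, 0)),
    build_dir_item("geet", 91234, 5, T0, datetime(2020, 10, 22, 10, 4, 0)),
    build_dir_item("jeenali", 91234, 5, T0, datetime(2020, 10, 22, 10, 9, 0)),
    build_dir_item("jeenali", 91234, 6, datetime(2020, 10, 23, 8, 0, 0), datetime(2020, 10, 23, 8, 0, 0)),
]


def correlate_by_file_reference(items):
    """Group parsed items by (MFT entry, sequence). Several names under one key are renames of
    the same directory; the same entry with a higher sequence is a different directory that
    reused the MFT record after deletion, so the entry number alone is not proof of identity."""
    groups = {}
    for it in items:
        groups.setdefault((it["mft_entry"], it["mft_sequence"]), []).append(it["name"])
    return groups


def demo():
    return correlate_by_file_reference(parse_dir_item(b) for b in SAMPLE_ITEMS)


if __name__ == "__main__":
    for (entry, seq), names in demo().items():
        print(f"MFT entry {entry} seq {seq}: {' -> '.join(names)}")
```

Run it directly to print each file reference and the chain of names recorded against it. To use it on real data, feed parse_dir_item the binary content of the numbered values under the BagMRU keys listed above; it only understands file-entry items, so values of other classes (drive letters, network shares, control panel items) need their own parsers, and the creation time it returns is a FAT timestamp with 2-second resolution in local time, not the NTFS creation time.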

ShellBags Explorer (GUI version)

Active Registry Analysis

Using the ShellBags Explorer GUI we can also analyze the active registry. Select "Load active registry", which loads the hives in use by the logged-on user.

The shellbags are successfully parsed from the active registry.

The parsed output contains the shellbag entries created by the user's activity. As shown earlier, a renamed folder keeps the same MFT entry number. Here I have created a folder named "raaj", which we will rename to "geet".

Whenever a folder is renamed a new entry is stored in the shellbags, and the MFT entry number of both names is the same.

Now rename the folder once more, to "jeenali". The MFT entry number again matches the previous one.

Offline registry analysis

For offline analysis we first have to extract the hive that holds the shellbags, USRCLASS.DAT, from the disk or image. Because the hive is locked while its user is logged on, a normal file copy fails; FTK Imager reads the volume directly and can export it. Download FTK Imager from the vendor's site.

Let's add the evidence: go to File > Add Evidence Item.


Select the source type. Here I have selected Logical Drive, since UsrClass.dat is on the C: drive. Next, select the drive and click Finish.


Expand the tree to the location of UsrClass.dat. Select the user you want to investigate and navigate to the following path to export UsrClass.dat:

root > Users > administrator > AppData > Local > Microsoft > Windows

Export the UsrClass.dat.LOG1 and UsrClass.dat.LOG2 transaction logs from the same folder as well, since changes not yet flushed into the hive live there; the same applies when exporting NTUSER.DAT from the profile root.

We will analyze the exported UsrClass.dat with ShellBags Explorer by Eric Zimmerman. As we are working from exported registry hives, choose "Load offline hive".


After the extracted hive has been parsed, you will see entries for the folders browsed, created, deleted, and so on. Here is the entry for the folders renamed earlier; the MFT entry number is the same for all three names.

Now I have deleted the folder named "jeenali". Let's check whether the deleted folder still exists in the shellbag data.

Yes: the shellbags retain the entry even though the folder was deleted later. Deleting a folder does not remove its BagMRU entry, so shellbags often preserve the names of directories that no longer exist on disk.

Shellbags store entries for the directories a user has accessed, together with view preferences such as window size and icon size. ShellBags Explorer parses these entries and shows the absolute path of the directory accessed, its creation time, the file system it lives on, its child bags, and more, and it classifies the folders by location (local drive, removable device, network share). Shellbags are also created for compressed files (ZIP archives, which Explorer browses like folders), the command prompt, search windows, and for renaming, moving, and deleting a folder.

Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing.
