Forensic Investigation - Shellbags
Hacking Articles
Raj Chandel's Blog
Table of Contents
Introduction
Location of shellbags
Forensic analysis using Shellbags Explorer
Active Registry Analysis
Offline Registry Analysis
Introduction
Windows Shell Bags were introduced into Microsoft's Windows 7
operating system and are still present on all later Windows
platforms. Shellbags are registry keys used to improve the user
experience and recall the user's preferences whenever needed.
Shellbag entries are created by the actions the user performs.
For the most part, Shell Bags are intended to hold data about the
user's activities while browsing Windows. This means that if the
user changes the icon size from large icons to the grid view, the
setting is updated in the Shell Bag instantly. Whenever you open,
close, or change the view option of any folder on your system, either
from Windows Explorer or from the Desktop, even by right-clicking
or renaming the folder, a Shellbag record is created or updated.
Location of shellbags
Windows XP
Network folder references: \Software\Microsoft\Windows\Shell
Local folder references: \Software\Microsoft\Windows\ShellNoRoam
Removable device folders: \Software\Microsoft\Windows\StreamMRU
Windows 7 to Windows 10
NTUSER.DAT: HKCU\Software\Microsoft\Windows\Shell
USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
The Shellbag data contains two main registry keys, BagMRU and Bags.
Forensic analysis using Shellbags Explorer
1. ShellBags Explorer (SBECmd)
2. ShellBags Explorer (GUI version)
To get a clear idea of how shell bags work, how they store data and
how you can analyze them, I have created a new folder named "raaj"
which contains a text document. Further, we will rename it to
geet and then to jeenali. Let's analyze the shellbags entries for this.
Active Registry Analysis
Run the executable file and browse to the directory where the
executable is present. To extract the shellbags data from the active
registry into a .csv file, use the following command:
SBECmd.exe -l --csv ./
Now, once again rename the folder to jeenali. The MFT entry will be
similar to the previous one.
Offline Registry Analysis
Select the source for adding the evidence; here I have selected the
logical drive, as usrclass.dat is present in the C drive.
Now here, I have deleted the folder named "jeenali". Let's check
whether the entry for the deleted folder still exists in the shellbags data.
Yes, the shellbags store the entry even though the folder was
deleted later.
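As an added example (not part of the original post), a Python script that triages the CSV produced by the SBECmd command above: it groups entries by MFT entry and sequence number so the raaj -> geet -> jeenali rename shows up as one chain, and lists paths that are still recorded in the shellbags but no longer exist on disk. The column names are assumed to follow SBECmd's CSV output, and the sample rows are constructed.

```python
"""Triage the CSV produced by SBECmd --csv: group entries by MFT entry to surface
renames (raaj -> geet -> jeenali) and flag folders that no longer exist on disk."""
import csv
import io
import os
from collections import defaultdict

# Constructed sample. Column names are assumed to follow SBECmd's CSV layout;
# MFT entry/sequence numbers and timestamps are made up for illustration.
SAMPLE_CSV = """BagPath,Slot,NodeSlot,MRUPosition,AbsolutePath,ShellType,Value,MFTEntry,MFTSequenceNumber,LastWriteTime
BagMRU\\1\\2,0,12,0,C:\\Users\\raj\\Desktop\\raaj\\,Directory,raaj,90210,3,2020-10-27 10:01:00
BagMRU\\1\\2,1,12,1,C:\\Users\\raj\\Desktop\\geet\\,Directory,geet,90210,3,2020-10-27 10:05:00
BagMRU\\1\\2,2,12,2,C:\\Users\\raj\\Desktop\\jeenali\\,Directory,jeenali,90210,3,2020-10-27 10:09:00
BagMRU\\1\\3,0,14,0,C:\\Users\\raj\\Documents\\,Directory,Documents,1234,1,2020-10-20 08:00:00
"""

def parse_sbecmd_csv(text):
    """Return the CSV rows as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def rename_chains(rows):
    """Map (MFTEntry, MFTSequenceNumber) to the distinct folder names recorded
    for it, ordered by LastWriteTime; more than one name means a rename."""
    groups = defaultdict(list)
    for row in rows:
        if row["ShellType"] == "Directory" and row["MFTEntry"]:
            groups[(row["MFTEntry"], row["MFTSequenceNumber"])].append(row)
    chains = {}
    for key, entries in groups.items():
        names = []
        for entry in sorted(entries, key=lambda r: r["LastWriteTime"]):
            if entry["Value"] not in names:
                names.append(entry["Value"])
        chains[key] = names
    return chains

def missing_on_disk(rows, exists=os.path.isdir):
    """Paths still recorded in shellbags but absent from disk: the folders the
    user deleted after browsing them (the jeenali case above)."""
    return [r["AbsolutePath"] for r in rows if not exists(r["AbsolutePath"])]

if __name__ == "__main__":
    rows = parse_sbecmd_csv(SAMPLE_CSV)
    for key, names in rename_chains(rows).items():
        if len(names) > 1:
            print("MFT %s/%s renamed: %s" % (key[0], key[1], " -> ".join(names)))
    for path in missing_on_disk(rows):
        print("recorded in shellbags but not on disk:", path)
```

To run it against real output, replace SAMPLE_CSV with the contents of the CSV that SBECmd wrote and run it on the machine whose paths you want checked.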
RAJ CHANDEL
Raj Chandel is Founder and CEO of Hacking Articles. He is a renowned security
evangelist. His works include researching new ways for both offensive and
defensive security and has done illustrious research on computer Security,
exploiting Linux and windows, wireless security, computer forensic, securing and
exploiting web applications, penetration testing of networks. Being an infosec
enthusiast himself, he nourishes and mentors anyone who seeks it.