Shellbags
Purpose and Function
Shellbags are a set of registry keys that serve as a forensic artifact to track a user's folder navigation history. Their primary function for the Windows operating system is to remember a user's viewing preferences for specific folders (e.g., icon size, view mode like "Details" or "List", column widths, and window position). When a user reopens a folder, Windows uses the Shellbag information to restore the window to its previous state, creating a consistent user experience.
From a DFIR perspective, this functionality creates a meticulous and persistent record of every directory a user has accessed through Windows Explorer. Shellbags can prove that a user navigated to a specific folder, even if the folder and its contents have since been deleted.
Location and Structure
Shellbag information is stored in the Windows Registry, primarily within two user-specific hive files:
NTUSER.DAT: Contains Shellbags for desktop, network, and local folder access.
Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat: Contains Shellbags for folders accessed through zip archives, Control Panel, and other shell namespaces.
Path: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Path: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
The structure is hierarchical and complex:
The BagMRU keys act as an index, storing the directory structure in "Most Recently Used" order. Each numbered value corresponds to a sub-folder.
The Bags keys store the actual viewing preference data (window size, sort order, etc.) for the folders listed in the BagMRU structure. The NodeSlot value within a BagMRU key links it to a specific entry in the Bags key.
Stored Metadata
While the primary stored data relates to folder preferences, the forensic value comes from the structural information and associated timestamps:
Full Directory Path: The complete path to the folder that was accessed can be reconstructed by traversing the BagMRU tree structure.
Folder Type: Information about the type of folder (e.g., local disk, network share, removable device, zip file).
First Interaction Timestamp: Some Shellbag entries, particularly on newer versions of Windows, can provide a timestamp indicating when the user first interacted with the folder.
Last Interaction Timestamp: The "LastWrite" time of the parent registry key often corresponds to the last time a folder within that structure was accessed, providing a temporal anchor.
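To make the BagMRU index, the NodeSlot link into Bags and the path reconstruction concrete, here is an added Python example; it is not code from the original page or from ShellBagsExplorer. It stands in for the registry with nested dicts, builds its own constructed shell items, and decodes only the file-entry item class (short ASCII name and FAT modification time); real BagMRU data also carries root, volume and extension-block items that a full parser must handle.

```python
import struct
from datetime import datetime
def mru_order(mrulistex: bytes) -> list[int]:
    """MRUListEx holds uint32 indices, most recently used first, terminated by 0xFFFFFFFF."""
    idx = [i for (i,) in struct.iter_unpack("<I", mrulistex)]
    return idx[:idx.index(0xFFFFFFFF)] if 0xFFFFFFFF in idx else idx

def fat_datetime(raw: bytes) -> datetime:
    """Decode the 4-byte FAT/DOS timestamp (date word, then time word) used in shell items."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_file_entry(item: bytes) -> dict:
    """File-entry shell item (class 0x30-0x3F): FAT mtime at offset 8, short ASCII name at 14."""
    kind = item[2]
    if kind & 0xF0 != 0x30:
        raise ValueError(f"unsupported shell item class 0x{kind:02x}")
    return {"name": item[14:item.index(b"\x00", 14)].decode("ascii"),
            "is_dir": bool(kind & 1), "modified": fat_datetime(item[8:12])}

def walk_bagmru(key: dict, parent: str = "") -> list[dict]:
    """Walk a BagMRU key (nested dicts stand in for registry keys) and rebuild full paths in MRU order."""
    found = []
    for idx in mru_order(key["MRUListEx"]):
        entry = parse_file_entry(key[str(idx)])
        child = key.get("subkeys", {}).get(str(idx), {})  # numbered sub-key for this folder
        path = parent + entry["name"] + "\\"
        # NodeSlot on the sub-key is the index of the matching entry under Bags
        found.append({"path": path, "modified": entry["modified"], "nodeslot": child.get("NodeSlot")})
        if child:
            found.extend(walk_bagmru(child, path))
    return found

def make_item(name: str, modified: datetime) -> bytes:
    """Build a constructed minimal directory shell item (no extension block) for sample data."""
    date = ((modified.year - 1980) << 9) | (modified.month << 5) | modified.day
    time = (modified.hour << 11) | (modified.minute << 5) | (modified.second // 2)
    body = struct.pack("<BBIHHH", 0x31, 0, 0, date, time, 0x10) + name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)  # real items are padded to an even length
    return struct.pack("<H", len(body) + 2) + body

# Constructed sample below a C:\ volume item: Tools (most recent) -> HiddenFolder, then Games.
SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": make_item("Games", datetime(2024, 1, 2, 9, 0)),
    "1": make_item("Tools", datetime(2024, 3, 15, 14, 30)),
    "subkeys": {"1": {"NodeSlot": 7, "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
                      "0": make_item("HiddenFolder", datetime(2024, 3, 15, 14, 31)),
                      "subkeys": {"0": {"NodeSlot": 8, "MRUListEx": struct.pack("<I", 0xFFFFFFFF)}}}},
}
```

Calling walk_bagmru(SAMPLE_BAGMRU, "C:\\") yields C:\Tools\, C:\Tools\HiddenFolder\ and C:\Games\ in that MRU order, each with its modification time and NodeSlot.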
Forensic Value
Shellbags are a powerful artifact for proving a user's knowledge of and interaction with specific locations on a system.
Proving "Knowledge of a Path": This is their most critical forensic value. Shellbags can prove that a user navigated to a folder, even if that folder is now deleted or was on a removable drive that has since been disconnected. This is crucial for refuting claims of ignorance (e.g., "I never knew that 'My Cheats' folder existed").
Reconstructing User Activity: By analyzing the Shellbag structure, an analyst can reconstruct a user's folder navigation patterns, showing how they moved through the file system.
Identifying Access to Removable Media: Shellbags create entries for folders on USB drives and other removable media, providing a history of access even after the device is unplugged.
Persistence: Shellbag entries are remarkably persistent. They are not typically cleared by standard cleanup utilities and can survive for a long time, providing a deep historical record of user navigation.
Parsing Shellbags manually is extremely difficult. Specialized tools like Eric Zimmerman's ShellBagsExplorer or forensic suites are essential for automatically decoding the binary data and reconstructing the folder paths and associated metadata.
Reflection points (SS Contest)
For a ScreenSharer, Shellbags are the ultimate tool for proving intent and knowledge, turning a simple file discovery into a narrative of deliberate action.
Countering Plausible Deniability: The most powerful use of Shellbags is to counter the "I don't know how that got there" defense. If you find a cheat in C:\Users\Player\AppData\Local\HiddenFolder\, and the player denies ever going there, parsing their Shellbags can produce an entry for that exact path. This proves they actively navigated to that hidden location, demonstrating clear intent.
Tracking Cheats on USB Drives: If you suspect a player used cheats from a USB drive that is no longer connected, their Shellbags might still contain entries for folders on that drive (e.g., E:\Vape\). This proves they accessed the cheat folder from the removable device.
Building a Stronger Case: Finding a suspicious file is good evidence. Proving the player also manually created and navigated to the folder containing it (e.g., a folder named "Minecraft Ghost Clients") makes the case undeniable. Shellbags provide this crucial contextual link.
Uncovering Hidden Locations: A player might use hidden attributes to conceal a folder. While you can find it by changing view settings, their Shellbags will prove they accessed it even while it was hidden, showing they knew exactly where to look.