ShellBags
Overview
Evidence: ShellBags
Description: Enumerate ShellBags
Category: System
Platform: windows
Short Name: sbgs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
ShellBags are Windows Registry artifacts that record which folders a user has opened in Windows Explorer and how each folder was displayed. When a user opens a folder in Explorer, Windows stores a ShellBag entry for it so that the view settings (icon size, column sort order, etc.) can be restored the next time the folder is opened.
ShellBag entries persist after the folder itself is gone, so they provide evidence of access to folders that have since been deleted, and to folders on external drives and network shares that are no longer attached.
Data Collected
This collector gathers structured data about ShellBags.
ShellBags Data
| Field | Description | Example |
|---|---|---|
| Username | User account that owns the hive | user |
| DomainName | Domain or computer name of the account | WORKSTATION01 |
| KeyPath | Registry key path of the BagMRU entry | Software\Microsoft\Windows\Shell\BagMRU\0\1 |
| Value | Registry value name (child index within the key) | 2 |
| Type | Shell item class type, decimal (49 = 0x31, a file entry item with the directory flag) | 49 |
| View | Explorer view type recorded for the folder | 0 |
| CachedFileModified | Folder modification time cached in the shell item (FAT format, 2-second resolution, local time) | 2023-10-15T14:30:00 |
| CachedFileAccessed | Folder access time cached in the shell item (same format) | 2023-10-15T15:45:00 |
| CachedFileCreated | Folder creation time cached in the shell item (same format) | 2023-10-01T10:00:00 |
| Path | Full folder path reconstructed from the nested entries | C:\Users\user\Documents\Project |
| SlotModifiedTime | Slot modification time | 2023-10-15T16:00:00 |
| MFTEntry | NTFS MFT entry number cached in the shell item | 12345 |
| MFTSequence | MFT sequence number cached in the shell item | 1 |
| FileExists | Whether the folder currently exists on the file system | TRUE |
| FileModified | Current modification time from the file system (empty when FileExists is FALSE) | 2023-10-15T14:30:00 |
| FileAccessed | Current access time from the file system | 2023-10-15T15:45:00 |
| FileCreated | Current creation time from the file system | 2023-10-01T10:00:00 |
| RegPath | Path to the source registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat, UsrClass.dat)
- Searches for ShellBag registry keys in these locations:
  - Software\Microsoft\Windows\Shell\BagMRU
  - Software\Microsoft\Windows\ShellNoRoam\BagMRU
  - Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  - Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Parses the binary shell item data using libfwsi
- Recursively processes nested ShellBag entries: each numbered value under a BagMRU key is one folder, and its own children live in the subkey of the same name, so the full path is rebuilt by walking from the root down
- Compares cached timestamps with the current file system state (FileExists, FileModified, FileAccessed, FileCreated). Cached timestamps come from the shell item itself, in FAT format with 2-second resolution and no time zone, so small differences from the live NTFS timestamps are expected even for an untouched folder.
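The walk, timestamp decoding and file system comparison described above, as an added example that is not the collector's own code. It builds a small BagMRU tree in memory (constructed data standing in for a parsed ntuser.dat), rebuilds each folder path from the key nesting, decodes the cached FAT timestamps and the NTFS file reference from 0x31 file entry items, and checks each path against a temporary directory that plays the role of the examined volume. Assumptions: the field offsets for the 0x31 item and its 0xbeef0004 extension block follow the libfwsi format documentation (version 8 layout); only the primary (short) name is read, not the long name libfwsi would extract from the extension block; the root (0x1F) item that normally precedes the volume item is omitted; key paths are abbreviated to `BagMRU\...`; and the `mount` argument maps the volume to wherever the examined file system is accessible (e.g. a mounted image).

```python
"""Added example, not the collector's code. Walks a constructed BagMRU tree,
decodes cached FAT times and the NTFS file reference from 0x31 shell items,
rebuilds paths from the nesting and checks them against a live filesystem."""
import os
import struct
import tempfile
from datetime import datetime

BEEF0004 = 0xBEEF0004  # extension block signature carrying created/accessed/MFT ref


def fat_to_datetime(raw):
    """FAT timestamp as stored in shell items: date word low, time word high.
    2-second resolution, local time, no zone. Zero or corrupt value -> None."""
    date, time = raw & 0xFFFF, raw >> 16
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def datetime_to_fat(dt):
    """Inverse of fat_to_datetime (seconds truncated to 2 s); sample data only."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day) | \
           (((dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)) << 16)

def build_file_entry(name, modified, created, accessed, mft_entry, mft_seq):
    """Constructed 0x31 directory item + 0xbeef0004 block. Offsets follow the
    libfwsi format documentation (version 8 layout assumed); unused fields are 0."""
    primary = name.encode("ascii") + b"\x00"
    primary += b"\x00" * (len(primary) % 2)              # 16-bit alignment pad
    ext = struct.pack("<HHIIIHHQQ", 36, 8, BEEF0004, datetime_to_fat(created),
                      datetime_to_fat(accessed), 0, 0, mft_entry | (mft_seq << 48), 0)
    body = struct.pack("<BBIIH", 0x31, 0, 0, datetime_to_fat(modified), 0x10) + primary + ext
    return struct.pack("<H", len(body) + 2) + body      # 0x10 = FILE_ATTRIBUTE_DIRECTORY

def parse_item(data):
    """Return (name, fields) for a 0x2F volume item or a 0x3x file entry item."""
    kind = data[2]
    if kind == 0x2F:                                     # volume: ASCII name at offset 3
        return data[3:data.index(b"\x00", 3)].decode("ascii"), {}
    if kind & 0x70 != 0x30:
        raise ValueError("unsupported shell item class type 0x%02x" % kind)
    fields = {"CachedFileModified": fat_to_datetime(struct.unpack_from("<I", data, 8)[0])}
    end = data.index(b"\x00", 14)                        # primary (short) name
    off = end + 1 + (end + 1) % 2                        # skip alignment byte
    if len(data) >= off + 8:
        version, sig = struct.unpack_from("<HI", data, off + 2)
        if sig == BEEF0004:
            created, accessed = struct.unpack_from("<II", data, off + 8)
            fields.update(CachedFileCreated=fat_to_datetime(created),
                          CachedFileAccessed=fat_to_datetime(accessed))
            if version >= 7:                             # NTFS file reference present
                ref = struct.unpack_from("<Q", data, off + 20)[0]
                fields.update(MFTEntry=ref & 0xFFFFFFFFFFFF, MFTSequence=ref >> 48)
    return data[14:end].decode("ascii"), fields

def walk_bagmru(tree, key="BagMRU", parents=()):
    """Yield one record per item, depth first. Numeric value names are child
    items and name the child subkey; MRUListEx / NodeSlot values are skipped."""
    values = tree.get(key, {})
    for value in sorted((v for v in values if v.isdigit()), key=int):
        name, fields = parse_item(values[value])
        path = parents + (name,)
        yield {"KeyPath": key, "Value": value, "Type": values[value][2],
               "Path": path[0] + "\\".join(path[1:]), **fields}
        yield from walk_bagmru(tree, key + "\\" + value, path)

def compare_with_filesystem(records, mount):
    """Set FileExists/FileModified from the examined volume mounted at `mount`.
    Cached times are 2 s FAT values, so truncate live mtimes before comparing."""
    for rec in records:
        live = os.path.join(mount, *[p for p in rec["Path"].split("\\")[1:] if p])
        rec["FileExists"] = os.path.isdir(live)
        if rec["FileExists"]:
            mtime = datetime.fromtimestamp(os.stat(live).st_mtime)
            rec["FileModified"] = mtime.replace(second=mtime.second & ~1, microsecond=0)
    return records

def sample_tree():
    """Constructed BagMRU contents; key paths are relative to ...\\Shell\\BagMRU."""
    c, m, a = (datetime(2023, 10, 1, 10, 0, 0), datetime(2023, 10, 15, 14, 30, 0),
               datetime(2023, 10, 15, 15, 45, 0))
    return {
        "BagMRU": {"0": b"\x07\x00" + bytes([0x2F]) + b"C:\\\x00"},  # volume item C:\
        "BagMRU\\0": {"0": build_file_entry("Users", m, c, a, 1000, 1)},
        "BagMRU\\0\\0": {"0": build_file_entry("user", m, c, a, 1001, 1)},
        "BagMRU\\0\\0\\0": {"MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF),
                            "0": build_file_entry("Documents", m, c, a, 1002, 1)},
        "BagMRU\\0\\0\\0\\0": {"0": build_file_entry("Project", m, c, a, 12345, 1),
                               "1": build_file_entry("OldProject", m, c, a, 12346, 3)},
    }

def run_demo():
    """Recreate the live tree in a temp dir minus OldProject; records keyed by Path."""
    with tempfile.TemporaryDirectory() as mount:
        os.makedirs(os.path.join(mount, "Users", "user", "Documents", "Project"))
        records = compare_with_filesystem(list(walk_bagmru(sample_tree())), mount)
    return {r["Path"]: r for r in records}

if __name__ == "__main__":
    for path, r in run_demo().items():
        print(f"{path:<36} exists={r['FileExists']!s:<5} mft={r.get('MFTEntry')} "
              f"cached_mtime={r.get('CachedFileModified')}")
```

`OldProject` comes back with `FileExists` False but its cached timestamps and MFT reference intact, which is exactly the deleted-folder case the collector's `FileExists` field is meant to surface; against a real hive the same walk applies to every BagMRU location listed above, with libfwsi doing the item parsing.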
Forensic Value
ShellBags provide evidence of folder access that persists after the folder is deleted. Investigators use this data to prove folder access on external drives, establish user interaction with specific directories, detect access to deleted folders (FileExists is FALSE while the cached timestamps are still present), identify network share usage, track folder access on removable media, reconstruct user navigation patterns, and correlate folder access with other user activity. Two caveats apply when interpreting the data: a ShellBag shows that a folder was browsed in Explorer, not that any file inside it was opened, and folders reached only from a command prompt or by programs that do not use the Explorer shell leave no ShellBag at all.