ShellFolders

Overview

Evidence: ShellFolders
Description: Enumerate ShellFolders
Category: System
Platform: windows
Short Name: shelldirs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Shell Folders are special directories that have specific purposes in the operating system (e.g., Desktop, Documents, Start Menu, AppData). Windows stores the configured paths for these folders in the registry, and users or applications can customize these locations.

Tracking these paths is important for forensic analysis because evidence artifacts may be in non-default locations if users have redirected their shell folders.

Data Collected

This collector gathers structured data about shellfolders.

ShellFolders Data

Field	Description	Example
Folder	Shell folder name	Personal
Path	Configured folder path	C:\Users\user\Documents
Username	User account name	user
KeyPath	Registry key path	Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWriteTime	Registry key last write time	2023-10-15T14:30:00
RegPath	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

• Collects user registry hives (ntuser.dat)
• Searches for shell folder keys:
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• Enumerates all folder name-path pairs
• Records configured paths for each shell folder

Common shell folders include: Desktop, Personal (Documents), AppData, Start Menu, Favorites, SendTo, Recent, Startup, and many others.

Forensic Value

Shell folder paths are essential for locating user artifacts in correct locations. Investigators use this data to identify custom artifact locations (non-default), track folder redirection policies, locate user data on network shares, find redirected AppData or Desktop locations, and understand user profile configuration.