This guide explains what shellbags are, their importance in Windows forensics investigations, and the shellbag analysis process with tools and case studies.
What are Shellbags?
Shellbags are a forensic artifact found in the Microsoft Windows operating system. They are essentially Windows Registry keys that store information about the appearance and behavior of Windows Explorer when browsing through directories and folders.
Shellbags are stored in the Windows registry under the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
The BagMRU key contains information about the most recently used folders, while the Bags key stores settings for specific folders based on their unique identifier (usually based on the folder’s path and other attributes).
Each shellbag entry contains various properties, including but not limited to:
- Folder path
- View mode (e.g., details, icons)
- Sort order
- Window size and position
- Last modified timestamp
Significance in Digital Forensics
The artifact was introduced in Windows 7 and is present in all subsequent versions, and it provides valuable insight for digital forensics investigations in several ways:
1. User Activity Timeline
Provides a history of folders accessed by a user, even if deleted folders are no longer present.
2. Identifying User Access
Can help determine if a specific user accessed a particular folder.
3. Removable Media
Records access to removable drives, even if the device is no longer connected.
4. Deleted Files
Shellbag entries might persist even after folders are deleted, offering clues about their previous existence.
5. Contextual Information
Timestamps and user preferences can provide context for folder access.
Shellbags Analysis Process
The process generally involves the following steps:
1. Acquiring Shellbags
Before analysis, it’s essential to acquire the shellbags data. This can be done by:
- Extracting the NTUSER.DAT hive from the user's profile directory.
- Using forensic tools like EnCase, FTK, or open-source tools like Registry Explorer or RegRipper to extract and parse shellbags data.
2. Parsing Shellbags Data
Once acquired, the data needs to be parsed to extract meaningful information. This involves:
- Decoding binary data into human-readable format.
- Organizing shellbags data into a structured format for analysis.
3. Analyzing Shellbags
During analysis, investigators can:
- Identify accessed folders and files.
- Reconstruct folder navigation paths.
- Determine the frequency and timestamps of folder access.
- Correlate shellbags data with other artifacts for a comprehensive view of user activity.
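Steps 2 and 3 can be done by hand for a single BagMRU value, which is the best way to understand what the parsing tools are reporting. The Python below is an added example written for this guide, not code from the article or from any of the tools named here: it decodes a volume item (type 0x2F) and a file-entry item (type 0x31) with its 0xBEEF0004 extension block, converts the FAT timestamps, and joins a BagMRU\0\1\2 chain of items into a folder path. The sample bytes are constructed inside the block to match the documented layout rather than taken from a real hive; the extension-block offsets follow the public libfwsi format notes and should be checked against a real hive before the code is relied on, and the volume item is reduced to the part this code reads.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional

def dos_datetime(dos_date: int, dos_time: int) -> Optional[datetime]:
    """Decode a FAT/DOS date+time pair (2 s resolution, local time, no zone); zero date = never set."""
    if dos_date == 0:
        return None
    try:
        return datetime(((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
                        (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)
    except ValueError:
        return None  # corrupt field: report it as unknown instead of aborting the whole parse

def dos_encode(dt: datetime):
    # inverse of dos_datetime; used only to build the constructed sample bytes below
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def _cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")

def _wstr(buf: bytes, off: int) -> str:
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace")

def _parse_beef0004(buf: bytes, off: int) -> Dict:
    """0xBEEF0004 block: creation/access FAT times, NTFS file reference (v>=7), long name (libfwsi layout)."""
    _size, version, sig = struct.unpack_from("<HHI", buf, off)
    if sig != 0xBEEF0004:
        raise ValueError("not a 0xBEEF0004 extension block")
    c_date, c_time, a_date, a_time = struct.unpack_from("<HHHH", buf, off + 8)
    ext = {"ext_version": version, "created": dos_datetime(c_date, c_time),
           "accessed": dos_datetime(a_date, a_time)}
    if version >= 7:
        # +16/+18 two uint16 unknowns, +20 file reference (48-bit MFT entry, 16-bit sequence),
        # +28 8 unknown bytes, +36 uint16 long-name size, then 4 bytes for v>=8 and 4 more for v>=9
        ref = struct.unpack_from("<Q", buf, off + 20)[0]
        ext["mft_entry"], ext["mft_sequence"] = ref & 0xFFFFFFFFFFFF, ref >> 48
        name_off = off + 38 + (4 if version >= 8 else 0) + (4 if version >= 9 else 0)
    else:
        name_off = off + 18  # version 3 (Windows XP): long name follows one uint16 unknown
    ext["long_name"] = _wstr(buf, name_off)
    return ext

def parse_shell_item(buf: bytes) -> Dict:
    """Decode one BagMRU value: a volume item (0x2F) or a file-entry item (0x30-0x3F)."""
    size, kind = struct.unpack_from("<HB", buf, 0)
    item = {"size": size, "type": kind}
    if kind == 0x2F:                                   # drive root such as C:\
        item["name"] = _cstr(buf, 3)
        return item
    if (kind & 0x70) != 0x30:                          # network, control panel, GUID items, ...
        item["name"] = "<unsupported item type 0x%02x>" % kind
        return item
    file_size, m_date, m_time, attrs = struct.unpack_from("<IHHH", buf, 4)
    item.update(is_directory=bool(kind & 0x01), file_size=file_size, attributes=attrs,
                modified=dos_datetime(m_date, m_time), short_name=_cstr(buf, 14))
    item["name"] = item["short_name"]                  # 8.3 name, replaced by the long name if present
    sig_pos = buf.find(b"\x04\x00\xef\xbe", 14)        # 0xBEEF0004 little-endian, 4 bytes into the block
    if sig_pos != -1:
        item.update(_parse_beef0004(buf, sig_pos - 4))
        item["name"] = item["long_name"] or item["short_name"]
    return item

def reconstruct_path(items: List[Dict]) -> str:
    """BagMRU\\0\\1\\2: each key level holds one item, so join the chain root-first."""
    path = items[0]["name"].rstrip("\\")
    for it in items[1:]:
        path += "\\" + it["name"]
    return path

def build_sample_item(short: bytes, long_name: str, modified: datetime, created: datetime,
                      accessed: datetime, mft_entry: int, mft_seq: int, version: int = 8) -> bytes:
    """Constructed test data (Windows 7-style directory item, version 8 block), not bytes from a real hive."""
    body = struct.pack("<BBIHHH", 0x31, 0, 0, *dos_encode(modified), 0x10) + short + b"\x00"
    body += b"\x00" * (len(body) % 2)                  # primary name is padded to a 2-byte boundary
    ext = struct.pack("<HHHHHH", *dos_encode(created), *dos_encode(accessed), 0, 0)
    ext += struct.pack("<QQH", (mft_seq << 48) | mft_entry, 0, 0)
    ext += b"\x00" * (4 * (version >= 8) + 4 * (version >= 9))
    ext += long_name.encode("utf-16-le") + b"\x00\x00"
    ext += struct.pack("<H", 2 + len(body))            # offset of this block within the item
    ext = struct.pack("<HHI", 8 + len(ext), version, 0xBEEF0004) + ext
    return struct.pack("<H", 2 + len(body) + len(ext)) + body + ext

# Constructed BagMRU chain: BagMRU\0 = C:\ , BagMRU\0\1 = Projects , BagMRU\0\1\2 = Payroll Exports
SAMPLE_VOLUME = struct.pack("<HB", 7, 0x2F) + b"C:\\\x00"
SAMPLE_PROJECTS = build_sample_item(b"Projects", "Projects", datetime(2023, 3, 10, 17, 4, 30),
                                    datetime(2022, 11, 1, 8, 0, 0), datetime(2023, 3, 14, 9, 26, 52),
                                    mft_entry=0x1A2B3, mft_seq=3)
SAMPLE_PAYROLL = build_sample_item(b"PAYROL~1", "Payroll Exports", datetime(2023, 3, 14, 9, 26, 52),
                                   datetime(2023, 3, 14, 9, 26, 52), datetime(2023, 3, 14, 9, 27, 0),
                                   mft_entry=0x4C5D6, mft_seq=1)

def sample_chain_path() -> str:
    return reconstruct_path([parse_shell_item(b) for b in (SAMPLE_VOLUME, SAMPLE_PROJECTS, SAMPLE_PAYROLL)])
```

Two points worth keeping in mind when reading the output: the three FAT timestamps describe the folder entry as it was when the shellbag was written, while the registry key's own LastWrite time records when that BagMRU key was last updated, so the two should be reported separately; and the FAT values carry no time zone, so they must be interpreted in the zone the imaged machine was configured for.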
4. Correlating with Other Forensic Artifacts
Shellbag analysis can be complemented by examining other forensic artifacts, such as:
- Prefetch files
- Link files (LNK)
- Jump lists
- Recent files and folders lists
- Windows event logs
5. Reporting and Documentation
The findings of the analysis should be fully documented, including:
- Summary of accessed folders and files.
- Timeline of user activity.
- Any anomalies or suspicious behavior observed.
- Recommendations for further investigation, if necessary.
Shellbag Analysis Tools
Several forensic tools can parse and analyze Shellbag data. Some popular options include:
- Windows Registry Explorer (Built-in Windows tool with limited parsing capabilities)
- FTK Imager
- EnCase Forensic
- RegRipper
- Scalpel (Open-source data carving tool)
Using these tools often requires familiarity with registry structures and forensic analysis procedures.
Case Studies
Some case studies demonstrating practical applications in forensic investigation include:
- Employee Misconduct Investigation: Shellbag analysis can be used to track the activities of an employee suspected of unauthorized file access and data intrusion.
- Malware Analysis: Shellbag analysis helps uncover the behavior of malware samples by revealing files and folders accessed or modified by the malware.
- Digital Espionage: Investigators use the analyzed data to reconstruct a suspected digital spy’s file system activities, identifying the locations of sensitive documents accessed or copied.
Case Study: Data Breach Investigation
Scenario
A company suspects a data breach involving sensitive information from a specific folder on a company laptop. A forensic investigation is initiated to identify the culprit and understand the scope of the breach.
Analysis
- Acquisition and Extraction: A forensic image of the laptop's storage device is acquired. The registry hive (NTUSER.DAT) is extracted for further analysis.
- Parsing Shellbags Data: A forensic toolkit is used to parse the extracted registry hive and identify relevant shellbag entries.
- Extracting Information: The analysis focuses on shellbag entries related to the folder containing sensitive data. Dates and times of folder access are noted.
- Identifying Users: Shellbag entries might not definitively identify the user, but they can indicate which user profiles accessed the folder. System login records and user activity logs are further examined to correlate with shellbag access times.
- Timeline & Context: By analyzing timestamps and correlating them with user login records, a timeline of folder access is established. This helps identify suspicious activity patterns.
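The "Identifying Users" and "Timeline & Context" steps above come down to interval matching: each shellbag access time (the BagMRU key's LastWrite time, which is already UTC, or a FAT time from the item converted to UTC) is checked against the logon sessions that were active at that moment, and any access to the sensitive folder that no authorized, concurrently logged-on account explains is flagged for follow-up. The Python below is an added example with constructed sessions and accesses, not data or code from the case described in the article; the account names, the Finance folder and the laptop's UTC-5 time zone are all hypothetical, and in a real case the zone is confirmed from the imaged system's configuration rather than assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass
class ShellbagAccess:
    profile: str        # user whose NTUSER.DAT held the BagMRU entry (hypothetical names throughout)
    path: str
    when: datetime      # key LastWrite (FILETIME, already UTC) or a FAT time via fat_local_to_utc


@dataclass
class LogonSession:
    user: str
    logon: datetime              # UTC, as the Security event log records it
    logoff: Optional[datetime]   # None = still logged on when the image was taken


def fat_local_to_utc(naive_local: datetime, machine_tz: timezone) -> datetime:
    """FAT times inside shell items carry no zone; interpret them in the laptop's configured zone."""
    return naive_local.replace(tzinfo=machine_tz).astimezone(UTC)


def sessions_at(when: datetime, sessions: List[LogonSession]) -> List[LogonSession]:
    """All sessions active at `when`; several users may be logged on at once."""
    return [s for s in sessions if s.logon <= when and (s.logoff is None or when < s.logoff)]


def flag_accesses(accesses: List[ShellbagAccess], sessions: List[LogonSession],
                  authorized: List[str], target_prefix: str) -> List[dict]:
    """Flag accesses under target_prefix that no authorized, concurrently active account explains."""
    allowed = {u.lower() for u in authorized}
    findings = []
    for a in accesses:
        if not a.path.lower().startswith(target_prefix.lower()):
            continue
        active = sessions_at(a.when, sessions)
        owner = [s for s in active if s.user.lower() == a.profile.lower()]
        if not active:
            reason = "no logon session covers this time (check clock skew, remote access, hive copy)"
        elif not owner:
            reason = (f"profile {a.profile!r} had no active session; active users: "
                      f"{sorted(s.user for s in active)}")
        elif a.profile.lower() not in allowed:
            reason = f"account {a.profile!r} is not authorized for this folder"
        else:
            continue                         # authorized user with an active session: nothing to flag
        findings.append({"path": a.path, "profile": a.profile, "when": a.when.isoformat(), "reason": reason})
    return findings


# Constructed sample data for this example; the laptop is assumed to be configured for UTC-5.
LAPTOP_TZ = timezone(timedelta(hours=-5))
SESSIONS = [
    LogonSession("alice", datetime(2023, 3, 14, 13, 0, tzinfo=UTC), datetime(2023, 3, 14, 22, 0, tzinfo=UTC)),
    LogonSession("svc-backup", datetime(2023, 3, 15, 3, 0, tzinfo=UTC), datetime(2023, 3, 15, 3, 40, tzinfo=UTC)),
]
ACCESSES = [
    ShellbagAccess("alice", r"C:\Finance\Payroll Exports", datetime(2023, 3, 14, 14, 15, tzinfo=UTC)),
    ShellbagAccess("alice", r"C:\Users\alice\Documents", datetime(2023, 3, 14, 15, 0, tzinfo=UTC)),
    ShellbagAccess("svc-backup", r"C:\Finance\Payroll Exports",
                   fat_local_to_utc(datetime(2023, 3, 14, 22, 20), LAPTOP_TZ)),   # 03:20 UTC next day
    ShellbagAccess("alice", r"C:\Finance\Payroll Exports", datetime(2023, 3, 15, 8, 0, tzinfo=UTC)),
]


def sample_findings() -> List[dict]:
    return flag_accesses(ACCESSES, SESSIONS, authorized=["alice"], target_prefix=r"C:\Finance")
```

With the constructed data, the service-account access at 03:20 UTC is flagged because that account is not authorized for the folder, and the later access from the alice profile is flagged because no logon session covers it; the daytime access by alice is explained and not reported. A "no session" finding is not proof of anything by itself: it is the cue to check the event log for gaps, the clock offset between hive and log, and whether the hive was copied from another machine.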
Outcome
Analysis shows that the folder containing sensitive data was accessed from a user account that is not typically used by authorized personnel.
This information, along with other evidence, strengthens the suspicion of unauthorized access. Further investigation into the specific user account and system logs helps identify the culprit and determine the extent of the data breach.
Summary
Shellbags analysis is a valuable technique in Windows forensics, providing insights into a user's file system activities and navigation patterns. By understanding how the artifact works and employing appropriate analysis techniques and tools, forensic analysts can uncover important evidence for investigative purposes.
However, it's essential to respect legal and ethical requirements when handling shellbags data and presenting it in a court of law. With careful analysis and interpretation, it can contribute significantly to the success of forensic investigations on Windows systems.