Shellbags

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.

Overview

Location (starting from Windows 7):

  • Files:

    %SystemDrive%:\Users\<USERNAME>\NTUSER.dat

    %SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

  • Registry keys:

    • UsrClass.dat:

      HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

      => Information related to Windows Explorer activity.

    • NTUSER.DAT:

      HKCU\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Microsoft\Windows\Shell\Bags

      => Information related to Desktop and Network Locations activity.

      HKCU\Software\Microsoft\Windows\ShellNoRoam\Bag HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU

      => Unclear usage and limited forensic research.

Yield information related to files and folders access.

The Shellbags are Windows Registry keys designed as an user experience enhancing feature to keep track of Windows explorer graphical display settings on a folder-by-folder basis. For instance, a Shellbag entry is used to store the View mode of a folder (details, list, small / medium / large icons) as well as the column displayed (entry names, dates, sizes, etc.) and their order.

Shellbags contain folders and network shares to which a given user has navigated (using the Windows Explorer), but not files or subdirectories if they were not accessed. An exception is for ZIP files opened directly as folders through the Windows Explorer, that are stored as if they were folders (with their content thus partially referenced depending on the related activity). Shellbags entries are also generated by access to the Control Panel settings, on an interface-by-interface basis. The Shellbags entries related to the Control Panel can notably be useful to detect possible Windows Firewall (Control Panel\All Control Panel Items\Windows Defender Firewall\Customize Settings) or Credential Manager (Control Panel\User Accounts\Credential Manager) operations.

Various kinds of user activity may generate or update Shellbag entries (with different level of data depending on the activity):

  • first access or renaming of folders, removable devices, or network shares through the Windows Explorer systematically generate a Shellbag entry

  • graphical opening of compressed archives or ISOs

  • access to the Control Panel interface

  • modification of the folder view preferences

  • etc.

Shellbag entries are stored in registry as a tree-like data structure, with the root target having the topmost BagMRU key. Each sub-target (sub directory for example) of the parent target are then represented with both:

  • A registry subkey, named with a numerical value (starting from 0).

  • A registry value (in the parent target's registry key), named with the same numerical value and associated with binary data that notably contains the target's name.

Each Shellbag BagMRU registry key also contains a MRUListEx value, that maintains the entries visited order, i.e the order in which the sub targets of a target were accessed (the last sub target accessed having a MRU position of 0).

For example, My Computer will be associated with the topmost BagMRU key, C: to BagMRU\0 if it was access first, C:\Users to BagMRU\0\2 if it was accessed third, and so on and so forth. A hierarchical view of the Shellbag entries can thus be established.

Information of interest

As the Shellbags entries are stored in user's specific registry hives, targets (folders, Control Panel interfaces, etc.) access can be tied to a given user through its Shellbags. Shellbags entries are populated only upon interaction (i.e are not prepopulated), the mere presence of a Shellbag entry for a target is thus evidence that the user interacted with the given target. Shellbags entries are not automatically deleted upon deletion of the related folders and can thus be a source of historical information.

The Shellbags entry for a given target yield the following information of forensic interest:

  • the target name and absolute path.

  • the target Modified, Access, and Created (MAC) timestamps (UTC), retrieved from the $MFT at the Shellbag entry creation (and not further updated).

  • each entry in ShellBags BagMRU maintain a MRUListEx list, which records the order in which the sub targets of a target were accessed (the last sub target accessed having a MRU position of 0).

The first and last interacted timestamps can be indirectly deducted for some targets:

  • The First Interacted timestamp can be inferred for some targets thanks to the tree like data structure of ShellBags entry. Indeed, for entries that do not have subkeys (i.e directory for which no subdirectory were accessed) the First Interacted timestamp is equal to the key's LastWriteTime timestamp. This is due to the fact that the key is created when a target is first accessed, and further activity for that target (such as display settings modifications) will only update the key's values. In such circumstances, the LastWriteTime timestamp reflect the timestamp of the key initial creation (as it is not updated upon updates to a key's values). When a subkey is created for the target (i.e when a subdirectory is accessed for that particular directory), the timestamp becomes unreliable as it reflect the creation of the subkey.

  • The Last Interacted timestamp can be deducted for the sub target that was last interacted with. Indeed, as each Shellbag entry corresponds to a registry key, the key's LastWriteTime timestamp indicates when the Shellbag entry was last updated. The child-bag / sub-target that was last interacted with being known (MRU position of 0), this timestamp correspond to the last interaction timestamp for the sub target that was last interacted with.

Note however that major updates of the Windows operating system may result in modification of ShellBags entries, resulting in updated last written timestamp.

Parsing

Eric Zimmerman's ShellBagsExplorer.exe and SBECmd.exe tools (KAPE's SBECmd module) can be used to parse ShellBags entries.

ShellBagsExplorer.exe displays the ShellBags entries in a graphical user interface that allow browsing of the referenced targets, in a similar manner to Windows Explorer.

# Recursively enumerates the users' registry hives in the specified directory and parses their ShellBags entries.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -d <C:\Users\<USERNAME> | C:\Users\ | DIRECTORY>

# Parses the ShellBags entries in the live registry.
SBECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -l

References

https://www.sans.org/reading-room/whitepapers/forensics/windows-shellbag-forensics-in-depth-34545

https://www.sans.org/blog/computer-forensic-artifacts-windows-7-shellbags/

https://lifars.com/wp-content/uploads/2020/04/LIFARS-WhitePaper-Windows-ShellBags-Forensics-Investigative-Value-of-Windows-ShellBags.pdf

PreviousRecycleBinNextShimcache

Last updated