Forensic Investigation: Shellbags
Windows Shell Bags were introduced in Microsoft's Windows 7 operating system and are still present on all subsequent Windows platforms. Shellbags are registry keys used to improve the user experience and to retrieve user preferences whenever they are needed. Whether a shellbag is created depends on the actions performed by the user.
Using shellbags you can prove whether a specific folder has been accessed by a given user. You can also check whether a specific folder was created, or whether it was ever available. You can also find out whether directories on external devices have been accessed.
Most of the time, Shell Bags are intended to store data about user activities while exploring Windows. This implies that if the user changes the size of the large icons for the grid, the setting is updated in the Shell Bag instantly. The moment you open, close or change the view option of any folder on your system, whether in Windows Explorer or on the desktop, even right-clicking or renaming the folder, a Shellbag record is created or updated.
Shellbags are a set of subkeys in the user registry hives of Windows 10 systems; they are stored in both NTUSER.DAT and USRCLASS.DAT.
USRCLASS.DAT: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell
The Shellbag data contains two main registry keys, BagMRU and Bags.
BagMRU: This stores folder names and folder paths in a tree structure that mirrors the folder hierarchy. The root directory is represented by the first BagMRU key, i.e. 0. Each BagMRU key contains numbered values that correspond to its nested numbered subkeys. All of these subkeys contain numbered values, apart from the last child in each branch.
Bags: These store view preferences such as window size, location, and view mode.
To get a clear idea of how shellbags work, how they store data and how you can analyze them, I have created a new folder named “DRM”:
C:\Users\diniz> mkdir DRM
Analysis using SBECmd.exe:
Open a command prompt and change to the directory where the executable is present. To extract the shellbags data into a .csv file, use the following command:
C:\>SBECmd.exe -l --csv ./
As a result of the above command, a .csv file is created in the current directory (C:\).
Regedit path: BagMRU\1\6\0\0:
And yes, the shellbags store the entry even though the folder was deleted later!
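To make the BagMRU tree described above and the persistence of deleted folders concrete, here is an added Python example that is not part of the original post and not SBECmd's code. It walks a constructed, already-decoded BagMRU tree (in a live hive the values are binary shell items that a tool such as SBECmd decodes) and assumes, for illustration only, that the key path BagMRU\1\6\0\0 maps to C:\Users\diniz\DRM; it then lists entries whose folder no longer exists on a constructed view of the disk.

```python
# Constructed mock of a decoded BagMRU tree: each numbered subkey maps to its
# decoded folder name and its own numbered children. The mapping of
# BagMRU\1\6\0\0 to the DRM folder is an assumption made for this example.
MOCK_BAGMRU = {
    "1": {"name": "C:", "children": {
        "6": {"name": "Users", "children": {
            "0": {"name": "diniz", "children": {
                "0": {"name": "DRM", "children": {}},
                "1": {"name": "Downloads", "children": {}},
            }},
        }},
    }},
}


def reconstruct_paths(tree, key_path="BagMRU", parts=()):
    """Walk the numbered BagMRU subkeys depth-first and return a dict of
    {registry key path: folder path}. Children are visited in numeric order;
    the last child in a branch simply has no children of its own."""
    out = {}
    for num in sorted(tree, key=int):
        node = tree[num]
        sub_key = f"{key_path}\\{num}"
        sub_parts = parts + (node["name"],)
        out[sub_key] = "\\".join(sub_parts)
        out.update(reconstruct_paths(node["children"], sub_key, sub_parts))
    return out


def folders_no_longer_present(paths, present_on_disk):
    """Return the shellbag entries whose folder is absent from the current
    file system: evidence that the folder existed and was browsed even
    though it has since been deleted or the device removed."""
    present = {p.lower() for p in present_on_disk}
    return {k: v for k, v in paths.items() if v.lower() not in present}


if __name__ == "__main__":
    paths = reconstruct_paths(MOCK_BAGMRU)
    for key, path in paths.items():
        print(f"{key:20} -> {path}")
    # Constructed view of the current disk: the DRM folder has been deleted.
    on_disk = {"C:", "C:\\Users", "C:\\Users\\diniz", "C:\\Users\\diniz\\Downloads"}
    print("Recorded but no longer present:", folders_no_longer_present(paths, on_disk))
```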