SANS Digital Forensics and Incident Response Blog: Tag - shellbags

Computer Forensic Artifacts: Windows 7 Shellbags

As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration … Continue reading Computer Forensic Artifacts: Windows 7 Shellbags

ShellBags Registry Forensics

I just found the coolest tool, and had to tell everyone about it.

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever want to know what the folder structure on a suspect's USB stick that you didn't get looked like? Read on!

The data is stored as binary blobs under the following registry keys:

  • HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU
  • HKCU\\Software\\Microsoft\\Windows\\Shell\\Bags
  • HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU
  • HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\Bags