What Are Windows Shellbags?
Windows Shellbags have been available to computer forensic examiners since Windows XP; however, it is only more recently that their potential for investigation purposes has been realised.
How Windows Shellbags Can Assist in a Forensic Investigation
Windows Shellbags allow a computer forensic examiner to track the view settings, window sizes and window positions of folders that have been viewed on a Windows system.
The folder properties recorded within Windows Shellbags can be significant to a computer forensic investigation: they allow an assessment of whether the content of the folder could have been viewed simply by the user accessing it, and they also make it possible to determine whether the user had changed the default settings of the folder, which can be compelling in a case where the folder contains, for example, documents or unlawful images.
Windows Shellbags can also provide evidence of access to external or removable devices that are no longer connected to the computer.
The Location of Windows Shellbags
Windows XP holds the Shellbags within the NTuser.dat file at HKCU\Software\Microsoft\Windows\Shell and HKCU\Software\Microsoft\Windows\Shell\NoRoam.
Windows 7 and onward hold the Shellbags within the UsrClass.dat hive at HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bags and HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU.
The Windows Shellbags are held in the BagMRU key in a structure that mirrors the folder hierarchy shown in Windows Explorer: each numbered subkey is a child of the key above it, and within each of these subkeys are the MRUListEx, NodeSlot and NodeSlots values:
- MRUListEx contains information indicating the order in which each child folder under BagMRU was last accessed.
- The NodeSlot value relates to the Bags key and the particular view settings stored there for that folder.
- NodeSlots is updated whenever a new shellbag is created.
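As an added illustration (this is not code from the original article or from Athena Forensics), the following Python models how examiner tooling walks one BagMRU key: it decodes the MRUListEx ordering described above and follows each child's NodeSlot to its Bags entry. The registry tree, folder names and view-setting values are constructed sample data, and decoding the shell item that holds each folder name is left out.

```python
import struct

# Constructed sample data for this example (not taken from a real hive).
# MRUListEx is a run of little-endian DWORD child-key indices, most recently
# accessed first, terminated by 0xFFFFFFFF.
SAMPLE_MRULISTEX = bytes.fromhex("02000000" "00000000" "01000000" "ffffffff")
TERMINATOR = bytes.fromhex("ffffffff")

# Minimal model of a BagMRU key: each numbered subkey carries a folder name
# (decoding the shell item that holds it is out of scope here), a NodeSlot
# value, and its own MRUListEx and children.
SAMPLE_BAGMRU = {
    "MRUListEx": SAMPLE_MRULISTEX,
    "children": {
        0: {"name": "Documents", "NodeSlot": 3, "MRUListEx": TERMINATOR, "children": {}},
        1: {"name": "E:\\", "NodeSlot": 7, "MRUListEx": TERMINATOR, "children": {}},
        2: {"name": "Pictures", "NodeSlot": 5, "MRUListEx": TERMINATOR, "children": {}},
    },
}
# Constructed view settings keyed by NodeSlot, standing in for Bags\<NodeSlot>\Shell.
SAMPLE_BAGS = {3: {"Mode": 4}, 5: {"Mode": 1, "IconSize": 96}, 7: {"Mode": 4}}


def parse_mrulistex(data: bytes) -> list:
    """Child-key indices in most-recently-used order, stopping at 0xFFFFFFFF.

    A trailing partial DWORD (truncated or corrupted value) is ignored.
    """
    order = []
    for offset in range(0, len(data) - len(data) % 4, 4):
        (index,) = struct.unpack_from("<I", data, offset)
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def resolve_views(key: dict, bags: dict) -> list:
    """(folder name, NodeSlot, view settings) for each child, most recent first.

    An index with no matching numbered subkey (a stale MRUListEx entry) is
    skipped so that one inconsistent key does not abort the walk.
    """
    result = []
    for index in parse_mrulistex(key["MRUListEx"]):
        child = key["children"].get(index)
        if child is None:
            continue
        result.append((child["name"], child["NodeSlot"], bags.get(child["NodeSlot"], {})))
    return result
```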
The Windows Shellbags also provide a computer forensic investigator with the last accessed dates and times of the folders, which may help to prove intent or awareness, as well as forming a timeline of events in which the user opened or viewed different folders within a system and was aware of them or of the files within them.
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0845 882 7386 or via email at firstname.lastname@example.org. Further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter, and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.