Shellbags Forensic Analysis

Shellbags are a collection of Windows Registry keys designed to store user preferences for folder views (window size, icon settings, view type). For digital forensics and incident response (DFIR) analysts, they function as a “photographic memory” of user navigation within Windows Explorer. Shellbags persist long after the folders or files they reference have been deleted, making them crucial for reconstructing an attacker’s reconnaissance activities.

The purpose of Shellbags is to provide a consistent user experience. When a user configures a folder, Windows stores these settings so they persist across sessions.

  • Every time a user interacts with or even views a folder in the Explorer tree, Windows updates specific Registry keys.
  • These keys are hierarchically structured, effectively mapping the path navigated by the user.

Shellbags are stored in one of two Registry hives, depending on the user context:

  1. Current User Context:
    • Hive: NTUSER.DAT
    • Registry Keys: Software\Microsoft\Windows\Shell\BagMRU and Software\Microsoft\Windows\Shell\Bags
  2. System/Other User Contexts:
    • Hive: UsrClass.dat
    • Path: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
    • Registry Keys: Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Local Settings\Software\Microsoft\Windows\Shell\Bags
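As an added illustration of how the BagMRU hierarchy described above maps the navigated path (example code written for this page, not the parser of ShellBagsExplorer or RegRipper): each numbered value under a BagMRU key holds one shell item naming a child folder, MRUListEx records which child was viewed most recently, and the numbered subkey of the same name continues the path one level down. The hive is modelled as nested dicts and the items are constructed Windows 7-style file-entry items, so nothing here reads a real NTUSER.DAT or UsrClass.dat; the 0xBEEF0004 extension-block offsets follow the documented layout and should be checked against a real hive before being relied on.

```python
import struct
from datetime import datetime

def parse_file_entry(item):
    """File-entry shell item (class 0x31 folder / 0x32 file) stored in a BagMRU numbered value."""
    cls, _fsize, mdate, mtime, _attrs = struct.unpack_from("<BxIHHH", item, 2)
    if cls & 0x70 != 0x30:
        raise ValueError(f"not a file entry item: class 0x{cls:02x}")
    end = item.index(b"\x00", 14)                          # 8.3 primary name, ASCII
    short = long_name = item[14:end].decode("ascii")
    sig = item.find(b"\x04\x00\xef\xbe", end)             # 0xBEEF0004 extension block
    if sig != -1:
        ext_size, ver = struct.unpack_from("<HH", item, sig - 4)
        name_off = {3: 20, 7: 38, 8: 42, 9: 46}[ver]      # UTF-16 long-name offset by version
        raw = item[sig - 4 + name_off:sig - 4 + ext_size]
        long_name = raw.decode("utf-16-le", "ignore").split("\x00", 1)[0]
    # FAT modification date/time, local time at 2 s resolution; a zeroed pair is common (None).
    modified = None if mdate == 0 else datetime(1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                                                mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)
    return {"short": short, "name": long_name, "is_dir": bool(cls & 1), "modified": modified}

def mru_order(mrulistex):  # uint32 child indices, most recently used first, 0xFFFFFFFF terminated
    return [i for i in struct.unpack(f"<{len(mrulistex) // 4}I", mrulistex) if i != 0xFFFFFFFF]

def walk_bagmru(key, parent):  # key modelled as {'values': {name: bytes}, 'subkeys': {name: key}}
    out = []
    for rank, i in enumerate(mru_order(key["values"]["MRUListEx"])):
        entry = parse_file_entry(key["values"][str(i)])
        path = f"{parent}\\{entry['name']}"
        out.append({"path": path, "mru_rank": rank, "modified": entry["modified"]})
        if str(i) in key.get("subkeys", {}):
            out.extend(walk_bagmru(key["subkeys"][str(i)], path))
    return out

def make_item(short, long, mdate=0, mtime=0):
    """Constructed folder item with a Windows 7-style (version 8) 0xBEEF0004 block (test data)."""
    name = short.encode("ascii") + b"\x00" * (2 - len(short) % 2)   # NUL, padded to 16 bits
    lname = long.encode("utf-16-le") + b"\x00\x00"
    ext = (struct.pack("<HH", 44 + len(lname), 8) + b"\x04\x00\xef\xbe" + b"\x00" * 34
           + lname + struct.pack("<H", 14 + len(name)))    # trailer: offset of this block
    return struct.pack("<HBBIHHH", 14 + len(name) + len(ext), 0x31, 0, 0, mdate, mtime, 0x10) + name + ext

# Constructed subtree under the C: drive key: "Windows" (index 1) was viewed after "Users" (index 0).
SAMPLE_DRIVE_KEY = {
    "values": {"MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF), "1": make_item("Windows", "Windows"),
               "0": make_item("Users", "Users", 22639, 29642)},    # FAT 2024-03-15 14:30:20
    "subkeys": {"0": {"values": {"MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
                                 "0": make_item("ALICE~1", "alice")}}},
}
```

Running `walk_bagmru(SAMPLE_DRIVE_KEY, "C:")` yields C:\Windows (most recent), C:\Users and C:\Users\alice, each with its MRU rank and decoded FAT timestamp; the same walk applied to a real BagMRU key reconstructs the folders that were browsed even after they have been deleted.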

Shellbags are essential for identifying the “intent” of a user or attacker on a system.

  • Proving Access to Deleted Folders: Because the Registry keys persist, Shellbags can prove a folder existed and was accessed even if the folder and its contents were subsequently deleted.
  • Tracing Attacker Reconnaissance: Analysts can use Shellbags to reconstruct an attacker’s movement, such as browsing:
    • Network shares (\\server\share)
    • Other users’ directories (C:\Users\)
    • Sensitive system paths (C:\Windows\System32\)
  • Identifying External Media Usage: Shellbags record access to directories on removable media (USB drives, external hard drives), providing evidence of potential data exfiltration or malware introduction vectors.

Because the binary structure of these keys is complex, manual analysis is impractical, and dedicated parsers are used instead:

  • ShellBagsExplorer.exe (Eric Zimmerman): The industry-standard tool for parsing and visualizing Shellbags data in a readable directory-tree format.
  • RegRipper: An alternative tool that includes dedicated plugins to extract Shellbags information.

Shellbags findings should be correlated with other forensic artefacts for a comprehensive timeline:

  • LNK Files (for specific file access)
  • Jumplists (for application-specific activities)
  • Windows Event Logs (specifically Event ID 4663, an attempt was made to access an object, and 5140, a network share object was accessed)