Analyzing Windows Shellbag Artifacts

Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable

What Is This Skill?

The "Analyzing Windows Shellbag Artifacts" skill equips cybersecurity and digital forensics professionals with the techniques and tools necessary to extract, interpret, and analyze Windows Shellbag data. Shellbags are specialized Windows registry entries that record detailed information about a user's interaction with directories in Windows Explorer. This includes local folders, removable media (such as USB drives), network shares, and even directories that no longer exist. Shellbags are stored primarily in the NTUSER.DAT and USRCLASS.DAT registry hive files within a user's profile.

Shellbag artifacts reveal not only the fact that a folder was accessed, but also the precise times of access, the types of storage involved, and how the folder was viewed (icon settings, window size, etc.). Forensically, Shellbags are unique because they often persist after folder deletion, drive removal, or user profile resets, making them powerful evidence for reconstructing user activity on a Windows system.

Why Use It?

Shellbag analysis provides several critical advantages in both incident response and digital forensics investigations:

  • Proving Folder Access: Shellbags can demonstrate that a user browsed to a specific folder, even if that folder has been deleted or the storage medium (like a USB drive) is no longer attached.
  • Removable Media and Network Shares: Shellbag entries can reveal access to external devices or network resources, which may signal data exfiltration, malware movement, or policy violations.
  • Timeline Reconstruction: By examining the timestamps within Shellbag entries, investigators can build a detailed chronology of user activity, complementing data from other sources like event logs.
  • Persistence Beyond Deletion: Unlike filesystem artifacts that disappear when a folder is deleted, Shellbags persist until explicitly overwritten by the operating system. This makes them invaluable for uncovering attempts to hide evidence.

This skill is indispensable for analysts investigating unauthorized access, data leakage, or insider threats, as well as for those tasked with responding to security incidents on Windows systems.

How to Use It

The analysis of Shellbag artifacts typically involves two primary tools: SBECmd and ShellBags Explorer. Both tools are maintained by Eric Zimmerman and are widely used in the DFIR (Digital Forensics and Incident Response) community.

1. Identifying the Relevant Registry Hives

Shellbag data resides in:

  • NTUSER.DAT (main user registry hive)
  • USRCLASS.DAT (per-user class registry hive)

These files live in each user's profile directory (e.g., C:\Users\<username>\): NTUSER.DAT at the root of the profile and UsrClass.dat under AppData\Local\Microsoft\Windows.

2. Extracting and Parsing Shellbags with SBECmd

SBECmd is a command-line tool designed for efficient batch extraction and reporting of Shellbag data.

Example Usage:

SBECmd.exe -d "E:\Evidence\Users" --csv "E:\Analysis\Shellbags"

  • -d specifies the directory to search (recursively) for NTUSER.DAT and USRCLASS.DAT hives.
  • --csv specifies the output directory for the parsed CSV results.

SBECmd produces CSV and HTML reports detailing every discovered folder, its path, timestamps, and whether it was on a local disk, USB, or network share.

3. Visualizing Shellbag Data with ShellBags Explorer

ShellBags Explorer provides a graphical interface for in-depth exploration of Shellbag entries.

Typical Steps:

  • Launch ShellBags Explorer.
  • Open the target NTUSER.DAT or USRCLASS.DAT hive.
  • Browse the tree to view folder paths, access times, device information, and folder view settings.

This allows investigators to correlate evidence and spot suspicious or outlier folder activity.

4. Interpreting Key Fields

Important fields to focus on include:

  • Path: Full path of the accessed folder (including device ID for removable media).
  • Source: Local drive, removable media, or network share.
  • Timestamps: Creation, modification, and last accessed times.
  • BagMRU and Bags Keys: BagMRU records the folder hierarchy and most-recently-used order; Bags holds the view settings for each folder.

5. Automating Analysis

For large-scale or repeatable investigations, SBECmd can be scripted as part of a forensic pipeline. Its CSV outputs can be imported into SIEM platforms or custom analytics tools for further correlation.
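The CSV post-processing that steps 4 and 5 describe, as an added Python example (not part of the original page or of the SBECmd tooling): it reads SBECmd-style CSV rows, labels each path as local drive, removable media or network share, and converts the UTC timestamps to the case time zone. The column names are assumed to follow SBECmd's headers, the rows are constructed, and the set of removable drive letters is assumed to come from a separate device-artifact review rather than from the Shellbags themselves.

```python
import csv
import io
import re
from datetime import datetime, timezone, timedelta

# Constructed sample shaped like SBECmd CSV output; column names assumed to match SBECmd, rows made up.
SAMPLE_CSV = r"""AbsolutePath,ShellType,LastWriteTime,FirstInteracted,LastInteracted
Desktop\My Computer\C:\Users\analyst\Documents,Directory,2023-04-02 09:15:30,2023-04-02 09:15:30,2023-04-02 09:20:11
Desktop\My Computer\E:\Payroll_Export,Directory,2023-04-02 22:41:05,2023-04-02 22:41:05,2023-04-02 22:43:59
Desktop\My Network Places\\fileserver\Finance,Directory,2023-04-01 14:02:00,,
"""

# Assumed case time zone (UTC-4); the Shellbag timestamps themselves are UTC.
CASE_TZ = timezone(timedelta(hours=-4))

def classify_source(path, removable_letters=frozenset()):
    """Label a path as network share, removable media, local drive or other. removable_letters is an
    assumed input from a separate device-artifact review: a Shellbag path alone does not mark a drive as USB."""
    if '\\\\' in path:                           # UNC prefix => network share
        return 'network share'
    m = re.search(r'\\([A-Za-z]):(\\|$)', path)  # first drive letter in the path
    if m:
        return 'removable media' if m.group(1).upper() in removable_letters else 'local drive'
    return 'other'

def parse_utc(ts):
    """SBECmd writes UTC; attach tzinfo so every conversion is explicit. Empty field => None."""
    if not ts:
        return None
    return datetime.strptime(ts, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)

def build_timeline(csv_text, removable_letters=frozenset(), local_tz=timezone.utc):
    """Parse SBECmd-style CSV text into rows sorted by the key's LastWriteTime."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        lw = parse_utc(rec['LastWriteTime'])
        rows.append({
            'path': rec['AbsolutePath'],
            'source': classify_source(rec['AbsolutePath'], removable_letters),
            'last_write_utc': lw,
            'last_write_local': lw.astimezone(local_tz) if lw else None,
            'last_interacted_utc': parse_utc(rec['LastInteracted']),
        })
    rows.sort(key=lambda r: r['last_write_utc'] or datetime.min.replace(tzinfo=timezone.utc))
    return rows

def external_access(timeline):
    """Rows touching removable media or network shares: the entries to review first."""
    return [r for r in timeline if r['source'] in ('removable media', 'network share')]
```

Point `build_timeline` at the text of a real SBECmd CSV (for example via `open(path).read()`) and pass the drive letters tied to removable devices for the case; the 'other' label catches entries such as Control Panel or virtual folders that carry no drive letter.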

When to Use It

Shellbag analysis should be considered in scenarios such as:

  • Unauthorized Data Access: Determining if sensitive folders or external drives were accessed.
  • Data Exfiltration Investigations: Tracking the use of removable media or network shares.
  • Insider Threat Cases: Establishing a timeline of user folder navigation to support or refute activity claims.
  • Incident Response: Complementing event log and filesystem analysis to provide a holistic picture of user actions.
  • Post-mortem Analysis: Uncovering deleted folder access after malware or user attempts to cover tracks.

Important Notes

  • Volatility of Data: While Shellbags persist longer than files themselves, they are eventually overwritten. Prompt acquisition is critical in active investigations.
  • Multiple User Profiles: Shellbags are stored per user. Analysis must be repeated for each user profile present on the system.
  • Time Zone Considerations: Timestamps in Shellbags are stored in UTC. Adjust for local time zones during timeline reconstruction.
  • Legal and Privacy Implications: Accessing user registry hives may have legal or privacy ramifications. Always follow organizational policy and legal requirements.
  • Tool Updates: SBECmd and ShellBags Explorer are actively maintained. Use the latest versions for improved parsing and artifact support.

By mastering this skill, analysts can leverage overlooked forensic artifacts to reconstruct user activity, track removable media usage, and strengthen investigative findings in Windows environments.