Friday, September 27, 2013

First Update

I have started doing my research into ShellBags. It appears that, depending on the location of the folder, ShellBag entries are created at different times.

On the Desktop, if the folder is visited by the user, the ShellBag entry is created immediately. If the ShellBag entry is not created before shutdown, it will be created on shutdown. So far I have not been able to create a folder on the Desktop that does not have a ShellBag entry after shutdown.


If you create a folder in the root of the C drive, a ShellBags entry is immediately created even if you do not visit it. This behavior appears to continue down into a user profile. Once you get into the Documents folder, things change. I have not quite figured out the behavior in the Documents folder yet, because the Windows path to the Documents folder is C:\Users\Chad\Documents, while the path you get when you click Documents under the Library tab is Libraries\Documents. So you get entries that look like the one below.

This is what the ShellBag entry looks like if someone goes to the folder Champlain through Library\Documents:

The normal path should look like this:

Another thing I have noticed is a pattern in what the two Windows Registry files that contain ShellBags information, USRCLASS.DAT and NTUSER.DAT, contain. The NTUSER.DAT file has the ShellBag keys for things located on the Desktop, and USRCLASS.DAT shows all the other places. So if you know a folder was on the Desktop, you can look straight at the NTUSER.DAT file instead of having to go through both.
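As an added example (not code from this blog), here is a small Python decoder for the pieces of a BagMRU key that these observations turn on: the MRUListEx value that orders a key's child entries by most recent use, and the 8.3 name and DOS-format modification time stored inside a folder shell item. The hive values are constructed inline; a real examination would read them from NTUSER.DAT or USRCLASS.DAT with a registry library and pair them with the subkey LastWrite times.

```python
import struct
from datetime import datetime

def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx: little-endian DWORD indices into the sibling values ("0", "1", ...),
    most recently used first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw[: len(raw) // 4 * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def dos_datetime(date_word: int, time_word: int):
    """Decode the FAT/DOS date+time pair a file entry item carries (2 s resolution, local time)."""
    if date_word == 0:
        return None
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def parse_shell_item(raw: bytes) -> dict:
    """Decode a volume item (0x2F, e.g. "C:\\") or a file entry item (0x31 folder, 0x32 file);
    only the 8.3 primary name is read, the long name in the extension block is not parsed."""
    size, item_type = struct.unpack_from("<HB", raw, 0)
    if item_type == 0x2F:
        return {"type": "volume", "modified": None,
                "name": raw[3:size].split(b"\x00", 1)[0].decode("ascii")}
    if item_type in (0x31, 0x32):
        _fsize, mdate, mtime, attrs = struct.unpack_from("<IHHH", raw, 4)
        return {"type": "directory" if attrs & 0x10 else "file",
                "name": raw[14:size].split(b"\x00", 1)[0].decode("ascii"),
                "modified": dos_datetime(mdate, mtime)}
    return {"type": "0x%02x" % item_type, "name": None, "modified": None}

def mru_children(bag: dict) -> list:
    """Children of one BagMRU key in the order Explorer last touched them (most recent first)."""
    return [parse_shell_item(bag[str(i)]) for i in parse_mrulistex(bag["MRUListEx"])]

def _folder_item(short_name: str, mdate: int, mtime: int) -> bytes:
    """Constructed 0x31 folder item used as test data (not captured from a real hive)."""
    body = struct.pack("<BBIHHH", 0x31, 0, 0, mdate, mtime, 0x10)   # type, pad, size, date, time, attrs
    body += short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)          # names are padded to a 2-byte boundary
    return struct.pack("<H", len(body) + 2) + body

# Constructed BagMRU key for a Desktop folder with two visited sub-folders (DOS 17211/29632 = 2013-09-27 14:30:00).
SAMPLE_BAG = {
    "0": _folder_item("CHAMPL~1", 17211, 29632),
    "1": _folder_item("NOTES", 17211, 29632),
    "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),   # value "1" used most recently
}
```

Running `mru_children(SAMPLE_BAG)` lists NOTES before CHAMPL~1, which is the ordering an examiner compares against the key's LastWrite time when deciding which visit last updated the entry.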

I'm working on answering the questions I posted in my first blog post, and I am getting close to answering the rest of them.


Monday, September 9, 2013

ShellBag Forensics

https://blogs.sans.org/computer-forensics/files/2011/06/Shellbags.png
ShellBags keys are Windows Registry artifacts that keep track of folders that a user has visited. These keys are stored in the NTUSER.DAT and the USRCLASS.DAT hives. Using a tool like Windows ShellBag Parser (sbag) from TZWorks, a forensic examiner can parse the relevant keys to see metadata about folders the user has visited. ShellBags can be useful because they can show that the user visited folders on a removable drive that is missing, or folders they visited that are now deleted.

Not much is known, however, about what actions cause the ShellBags keys to update their time stamps and how long it takes the keys to update in the Registry. Together with David Cowen, I have come up with some questions that I will try to answer throughout the year.


When browsing in explorer what activity triggers the creation of a ShellBag entry if there is no previous entry?

What activity does not trigger the creation of a ShellBag entry if there is no previous entry?

What activity updates an existing ShellBag entry when viewing a directory that has a previous entry?

What activity does not update an existing ShellBag entry when viewing a directory that has a previous entry?

Does creating a new directory cause a ShellBag entry to be created?

Does browsing to a directory with sub directories cause ShellBags to be created for the sub directories if they were never visited?

When the MAC times of a directory change, when do the ShellBag MAC times change?

What devices create ShellBag entries when accessed through Explorer (iPods, iPads, iPhones, Android phones), and how do they differ?

How accurate are the last update timestamps for the ShellBag registry keys, and when do they get updated in relation to when the actual visit occurs?

I will try to answer all of the above questions over the course of the next few months. If you have any additional questions, feel free to put them in the comments below and I will try to answer them. I am planning on updating this blog regularly. Thanks for reading.