Question

In: Computer Science

Explain what a Windows Registry Shellbag is and how it can be used during a forensic...

Explain what a Windows Registry Shellbag is and how it can be used during a forensic investigation.

Solutions

Expert Solution

PART A) what a Windows Registry Shellbag :

In layman language we can say that windows registry shellbag is a kind of database which stores our all operating system's setting.We can perform various task and even can make our computer to run smoothly if we master the Windows registry settings.The task which we can perform from shellbag are :We can customize taskbar,system window, we can customize controlpanel and start menu we can handle windowupdate also we can troubleshoot various problems caused in our OS.

Generally, speaking ShellBags are designed to hold information about user’s preferences while browsing folders. That means that if the user changes folder view from “Large Icons” to, for example, “Details”, the settings get stored in ShellBag.
When you open, close or change viewing option of any folder on your computer, either from Windows Explorer, or from the Desktop (even by right-clicking or renaming the folder), a ShellBag record is created or updated. This implies the following:

  • If any directory is mentioned in Windows ShellBags, it must have been present on the system at some time – even if it is not present anymore. This is valid for local filesystem including compressed archives, as well as for network locations (e.g. remote mapped shares) and removable devices (e.g. USB flash drive).
  • As these actions and viewing preferences are tied to the user’s registry hives, we can connect specific user account and specific folder. Moreover, we can get information about when the folder has been last accessed, from MAC timestamps contained in ShellBags.

PART B) : How it can be used during a forensic investigation:

Forensic Value (or Why It's Important)

We now know the basics of what Shellbags artifacts are...so how can we use them to our advantage? Through them, we can determine the following:

  • Which folders were interacted with (via Explorer) on the local machine, the network, and/or removable devices.
  • Evidence of previously existing folders after deletion/overwrite.
    • e.g. if a folder is deleted, but it was interacted with via Explorer before being deleted, the shellbag artifact (and thus, the full path + initial MACE times) for that folder will remain.
  • Historical MACE times of folders corresponding to the time that the folders were first interacted with via Explorer.
    • Useful for determining whether or not folders were copied/moved to a new volume.
  • Which user(s) interacted with certain folders.
  • The means by which a folder was interacted with (Did the user open the folder via Start > My Computer, via Start > %username%, or via Start > My Computer and then clicking a sidebar link to the folder? They all show up differently.)  
  • When certain folders were interacted with

Why are Shellbags Important to Digital Forensics Investigations?

One might ask why the position, view, or size of a given folder window is important to forensic investigators. While these properties might not be overly valuable to an investigation, Windows creates a number of additional artifacts when storing these properties in the registry, giving the investigator great insight into the folder, browsing history of a suspect, as well as details for any folder that might no longer exist on a system (due to deletion, or being located on a removable device).

The Key Artifacts That Need to be Found When Investigating Shellbags

For Windows XP, shellbag artifacts are located in the NTUSER.dat registry hive at the following locations:

  • HKCU SoftwareMicrosoftWindowsShell
  • HKCUSoftwareMicrosoftWindowsShellNoRoam

For Windows 7 and later, shellbags are also found in the UsrClass.dat hive:

  • HKCRLocal SettingsSoftwareMicrosoftWindowsShellBags
  • HKCRLocal SettingsSoftwareMicrosoftWindowsShellBagMRU

The shellbags are structured in the BagMRU key in a similar format to the hierarchy to which they are accessed through Windows Explorer with each numbered folder representing a parent or child folder of the one previous. Within each of those folders are the MRUListEx, NodeSlot, and NodeSlots keys:

  • MRUListEx contains a 4-byte value indicating the order in which each child folder under the BagMRU hierarchy was last accessed. For example if a given folder has three child folders labelled 0, 1, and 2 and folder 2 was the most recently accessed, the MRUListEx will list folder 2 first followed by the correct order of access for folders 0 and 1
  • NodeSlot value corresponds to the Bags key and the particular view setting that is stored there for that folder. Combining the data from both locations, investigators are able to piece together a number of details around a given folder and how it was viewed by the user
  • NodeSlots is only found in the root BagMRU subkey and gets updated whenever a new shellbag is created

Related Solutions

How can DNA extraction, PCR, and gel electrophoresis be used in forensic science? Explain
How can DNA extraction, PCR, and gel electrophoresis be used in forensic science? Explain
What government entities have or maintain a registry? How do they get information into their registry...
What government entities have or maintain a registry? How do they get information into their registry and, if we are a hospital, clinic, etc. are we required to provide that information?
What command(s) do you use to view or edit the Windows registry? What precautions do you...
What command(s) do you use to view or edit the Windows registry? What precautions do you need to take when using it?
How Forensic Accountants Are Used in Court and The Benefits or Drawbacks? Forensic accountants play a...
How Forensic Accountants Are Used in Court and The Benefits or Drawbacks? Forensic accountants play a vital role in court proceedings by providing expert evidence and shedding light on legal matters pertaining to finance. Furthermore, forensic accountants are professionals whose opinion is taken in high regard in the court of law. In effect, the evidence obtained from forensic accountants is regarded as credible. Therefore, these professionals help the court in upholding fair trials. The benefits derived from forensic accountants are...
what is forensic linguistics and how has it been used in casework such as the investigation...
what is forensic linguistics and how has it been used in casework such as the investigation of the Unabomber?
Explain how Windows and Linux can work together in diverse environments.
Explain how Windows and Linux can work together in diverse environments.
What are the elements of a forensic fraud investigation report, and explain how they could be...
What are the elements of a forensic fraud investigation report, and explain how they could be used to support case preparation in a case like Enron?
explain what a forensic anthropologist does, how are they able to establish the biological profile, what...
explain what a forensic anthropologist does, how are they able to establish the biological profile, what else are they able to tell about an individual from the skeleton?
1.      Explain how cash larceny can be caught. 2.      Explain a positive pay system. 3.      How does a forensic...
1.      Explain how cash larceny can be caught. 2.      Explain a positive pay system. 3.      How does a forensic accountant determine living expenses when using the net worth method? 4.      Describe the net worth method.
1.      Explain how cash larceny can be caught. 2.      Explain a positive pay system. 3.      How does a forensic...
1.      Explain how cash larceny can be caught. 2.      Explain a positive pay system. 3.      How does a forensic accountant determine living expenses when using the net worth method? 4.      Describe the net worth method.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT