Question

Explain what a Windows Registry Shellbag is and how it can be used during a forensic investigation.

Answer 1

PART A) what a Windows Registry Shellbag :

In layman language we can say that windows registry shellbag is a kind of database which stores our all operating system's setting.We can perform various task and even can make our computer to run smoothly if we master the Windows registry settings.The task which we can perform from shellbag are :We can customize taskbar,system window, we can customize controlpanel and start menu we can handle windowupdate also we can troubleshoot various problems caused in our OS.

Generally, speaking ShellBags are designed to hold information about user’s preferences while browsing folders. That means that if the user changes folder view from “Large Icons” to, for example, “Details”, the settings get stored in ShellBag.
When you open, close or change viewing option of any folder on your computer, either from Windows Explorer, or from the Desktop (even by right-clicking or renaming the folder), a ShellBag record is created or updated. This implies the following:

• If any directory is mentioned in Windows ShellBags, it must have been present on the system at some time – even if it is not present anymore. This is valid for local filesystem including compressed archives, as well as for network locations (e.g. remote mapped shares) and removable devices (e.g. USB flash drive).
• As these actions and viewing preferences are tied to the user’s registry hives, we can connect specific user account and specific folder. Moreover, we can get information about when the folder has been last accessed, from MAC timestamps contained in ShellBags.

PART B) : How it can be used during a forensic investigation:

Forensic Value (or Why It's Important)

We now know the basics of what Shellbags artifacts are...so how can we use them to our advantage? Through them, we can determine the following:

• Which folders were interacted with (via Explorer) on the local machine, the network, and/or removable devices.
• Evidence of previously existing folders after deletion/overwrite.
  • e.g. if a folder is deleted, but it was interacted with via Explorer before being deleted, the shellbag artifact (and thus, the full path + initial MACE times) for that folder will remain.
• Historical MACE times of folders corresponding to the time that the folders were first interacted with via Explorer.
  • Useful for determining whether or not folders were copied/moved to a new volume.
• Which user(s) interacted with certain folders.
• The means by which a folder was interacted with (Did the user open the folder via Start > My Computer, via Start > %username%, or via Start > My Computer and then clicking a sidebar link to the folder? They all show up differently.)  
• When certain folders were interacted with

Why are Shellbags Important to Digital Forensics Investigations?

One might ask why the position, view, or size of a given folder window is important to forensic investigators. While these properties might not be overly valuable to an investigation, Windows creates a number of additional artifacts when storing these properties in the registry, giving the investigator great insight into the folder, browsing history of a suspect, as well as details for any folder that might no longer exist on a system (due to deletion, or being located on a removable device).

The Key Artifacts That Need to be Found When Investigating Shellbags

For Windows XP, shellbag artifacts are located in the NTUSER.dat registry hive at the following locations:

• HKCU SoftwareMicrosoftWindowsShell
• HKCUSoftwareMicrosoftWindowsShellNoRoam

For Windows 7 and later, shellbags are also found in the UsrClass.dat hive:

• HKCRLocal SettingsSoftwareMicrosoftWindowsShellBags
• HKCRLocal SettingsSoftwareMicrosoftWindowsShellBagMRU

The shellbags are structured in the BagMRU key in a similar format to the hierarchy to which they are accessed through Windows Explorer with each numbered folder representing a parent or child folder of the one previous. Within each of those folders are the MRUListEx, NodeSlot, and NodeSlots keys:

• MRUListEx contains a 4-byte value indicating the order in which each child folder under the BagMRU hierarchy was last accessed. For example if a given folder has three child folders labelled 0, 1, and 2 and folder 2 was the most recently accessed, the MRUListEx will list folder 2 first followed by the correct order of access for folders 0 and 1
• NodeSlot value corresponds to the Bags key and the particular view setting that is stored there for that folder. Combining the data from both locations, investigators are able to piece together a number of details around a given folder and how it was viewed by the user
• NodeSlots is only found in the root BagMRU subkey and gets updated whenever a new shellbag is created