Windows Shellbags Forensics

There are many weird and wonderful registry entries that I have yet to come across which could contain useful forensic information. One of the most recent I have learnt about is the set of shellbag entries. These keys live in the user's NTUSER.DAT hive (and, from Vista onwards, also in the user's UsrClass.dat hive), and store Explorer's viewing settings for folders, e.g. the size, position and view mode of a folder window. Whilst window sizes might not be useful in themselves, the consequence is that every folder the user has opened in Explorer at least once is recorded in the registry, including folders on network shares and removable storage, and folders that have since been deleted; this gives a good account of which folders a user has browsed, with the caveat that it only covers folders viewed through the shell, not, say, from a command prompt. William Ballenthin gives a good account of how the shellbags are stored in the registry, and it's pretty complicated: the BagMRU subkeys form a tree that mirrors the folder hierarchy, and each numbered value holds a binary "shell item" structure that has to be decoded, so there is no simple way of getting the folder structures out.

Conveniently, he has also written a lovely Python script, which you can download from his GitHub account, that parses out the shellbag entries for you. I noticed that some of what the script prints is superfluous, and it only prints to the screen. I therefore forked his script, removed some of the output, and made it write a CSV file with timestamps in a format Excel understands. You can download my version of the script from my GitHub account.
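As an added worked example (not part of the original post, and not Ballenthin's script or my fork of it), the following Python decodes one shell item of the kind held in each numbered value under a BagMRU key (HKCU\Software\Microsoft\Windows\Shell\BagMRU in NTUSER.DAT, or Local Settings\Software\Microsoft\Windows\Shell\BagMRU in UsrClass.dat) and emits a CSV row with Excel-readable timestamps. It handles the common file-entry item (class 0x31 for a directory, 0x32 for a file) together with its 0xBEEF0004 extension block, which is where the creation and access times and the long Unicode name live. The field layout follows the publicly documented Windows Shell Item format as described in the libfwsi documentation; the version-dependent skips for Vista and later (extension block version 7 and above) are included as documented there but are not exercised by the sample. The sample bytes, the folder name "Evidence Share" and the timestamps are all constructed for illustration and do not come from a real hive.

```python
import csv
import io
import struct
from datetime import datetime

# Signature of the file-entry extension block carrying creation/access times
# and the long (UTF-16) name.
EXT_FILE_ENTRY = 0xBEEF0004


def decode_fat_datetime(date_word, time_word):
    """Decode an MS-DOS/FAT date+time pair.

    Shell items store timestamps this way, so shellbag times are local time
    with 2-second granularity and no time-zone information."""
    if date_word == 0 and time_word == 0:
        return None
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_file_entry_item(data):
    """Parse a file-entry shell item (class type 0x31 directory / 0x32 file).

    Layout: size, class type, 1 unknown byte, file size, FAT modification
    date+time, attribute flags, null-terminated ASCII short name padded to an
    even offset, then extension block(s). The item's last two bytes hold the
    offset of the first extension block."""
    size, class_type = struct.unpack_from("<HB", data, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item: 0x%02x" % class_type)
    file_size, mod_date, mod_time, attrs = struct.unpack_from("<IHHH", data, 4)
    name_end = data.index(b"\x00", 14)
    item = {
        "class": {0x31: "directory", 0x32: "file"}.get(class_type, "other"),
        "short_name": data[14:name_end].decode("ascii", "replace"),
        "long_name": "",
        "file_size": file_size,
        "attributes": attrs,          # 0x10 = FILE_ATTRIBUTE_DIRECTORY
        "modified": decode_fat_datetime(mod_date, mod_time),
        "created": None, "accessed": None, "ext_version": None, "mft_entry": None,
    }
    ext_off = struct.unpack_from("<H", data, size - 2)[0]
    if 0 < ext_off < size - 8:
        _parse_file_entry_extension(data, ext_off, item)
    return item


def _parse_file_entry_extension(data, off, item):
    """Fill in the 0xBEEF0004 block (version 3 = XP, 7 = Vista, 8 = Win7, 9 = Win8+)."""
    ext_size, version, sig = struct.unpack_from("<HHI", data, off)
    if sig != EXT_FILE_ENTRY:
        return
    cr_d, cr_t, ac_d, ac_t = struct.unpack_from("<HHHH", data, off + 8)
    item["ext_version"] = version
    item["created"] = decode_fat_datetime(cr_d, cr_t)
    item["accessed"] = decode_fat_datetime(ac_d, ac_t)
    pos = off + 18                    # past the 2-byte identifier word
    if version >= 7:                  # Vista+: empty word, MFT file reference, 8 unknown bytes
        pos += 2
        file_ref = struct.unpack_from("<Q", data, pos)[0]
        item["mft_entry"] = file_ref & 0xFFFFFFFFFFFF   # low 48 bits = MFT entry index
        pos += 16
    pos += 2                          # localized-name string size (not used here)
    if version >= 9:
        pos += 4                      # unknown, documented for version 9+
    if version >= 8:
        pos += 4                      # unknown, documented for version 8+
    end = pos
    while data[end:end + 2] != b"\x00\x00":   # UTF-16LE terminator on a 2-byte boundary
        end += 2
    item["long_name"] = data[pos:end].decode("utf-16-le")


def shellbag_csv(entries):
    """Render (path, parsed item) pairs as CSV; timestamps as YYYY-MM-DD HH:MM:SS
    so Excel recognises them as dates rather than text."""
    fmt = lambda ts: ts.strftime("%Y-%m-%d %H:%M:%S") if ts else ""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["path", "class", "short_name", "long_name", "modified",
                "created", "accessed", "mft_entry"])
    for path, it in entries:
        w.writerow([path, it["class"], it["short_name"], it["long_name"],
                    fmt(it["modified"]), fmt(it["created"]), fmt(it["accessed"]),
                    "" if it["mft_entry"] is None else it["mft_entry"]])
    return buf.getvalue()


def build_sample_item():
    """Constructed XP-style (version 3) directory item, not a real hive artifact.
    FAT words: 0x406E/0x4B4F = 2012-03-14 09:26:30, 0x3F65/0x9086 = 2011-11-05 18:04:12,
    0x406F/0x4000 = 2012-03-15 08:00:00."""
    header = struct.pack("<HBBIHHH", 0, 0x31, 0, 0, 0x406E, 0x4B4F, 0x0010) + b"EVIDEN~1\x00"
    header += b"\x00" * (len(header) % 2)             # pad to an even offset
    long_name = "Evidence Share".encode("utf-16-le") + b"\x00\x00"
    body = struct.pack("<HIHHHHHH", 3, EXT_FILE_ENTRY, 0x3F65, 0x9086, 0x406F, 0x4000,
                       0x0014, 0) + long_name + struct.pack("<H", len(header))
    item = header + struct.pack("<H", len(body) + 2) + body
    return struct.pack("<H", len(item)) + item[2:]    # patch in the total size


if __name__ == "__main__":
    print(shellbag_csv([("\\Evidence Share", parse_file_entry_item(build_sample_item()))]))
```

To use this against a real hive, walk the BagMRU subkeys with a registry library such as python-registry, feed each numbered value's bytes to parse_file_entry_item, and build the path by joining the long names from the root down to the leaf; items for drives, network locations and control panel entries have other class types and need their own decoders, which is exactly why the full job is as complicated as Ballenthin describes.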
