
Shellbags

UsrClass.dat


Last updated 1 year ago

Investigating Shellbags

Microsoft Windows tracks and records a user's view settings and preferences while they explore folders. These view settings (size, view mode, position) of a folder window are stored in the Shellbags registry keys. Shellbags record the view settings of a folder once it has been viewed through Windows Explorer, and they track not only folders on the local machine but also folders on removable devices and network shares.

Digital Forensics Value of Shellbags Artifacts

While the size, position and other view settings of a given folder window are not necessarily of forensic value, Shellbags artifacts can provide valuable insights such as which folders were previously accessed or viewed on the local machine, on network shares, and on removable devices. The existence of Shellbags information indicates that a specific folder has been visited by the user, because Windows Explorer only creates Shellbags information once the folder has actually been viewed. Shellbags keep track of the view settings of a folder even if it has since been deleted or no longer exists on the system (for example, folders located on a removable device such as an external hard drive or USB flash drive), which means that information about previously existing folders can be retrieved. Windows Shellbags also record when a particular folder was created, last accessed, and last modified. This information is of forensic value as it helps investigators understand and reconstruct previous events on a particular device.

Location of Shellbags Artifacts

The location of Shellbags artifacts differs slightly between Windows versions. On Windows XP, Shellbags artifacts are stored in the NTUSER.DAT registry hive under the following registry keys:

Windows XP

  • NTUSER.DAT\Software\Microsoft\Windows\Shell

  • NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam

  • NTUSER.DAT\Software\Microsoft\Windows\StreamMRU

Windows 7, 8, 8.1 and 10

Similarly, later versions of Windows store Shellbags information in the NTUSER.DAT registry hive. Unlike Windows XP, however, Shellbags artifacts are only stored under the Shell key:

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Shellbags artifacts are also found in the UsrClass.dat hive at the following locations:

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

Structure of Shellbags Artifacts

The Shellbags structure differs slightly between Windows versions; however, Shellbags artifacts are always contained in two main registry keys, BagMRU and Bags.

BagMRU key:

The BagMRU key consists of multiple numbered subkeys. These subkeys represent the actual directory structure of the folders that have been accessed through Windows Explorer. The BagMRU key itself represents the Desktop; the remaining subkeys are not assigned to a specific folder but are instead structured according to the hierarchy in which folders were accessed. Each of these numbered subkeys, including the BagMRU key itself, contains the following values:

  • MRUListEx: indicates the order in which each child folder under the current key was last accessed.

  • NodeSlot: points to the numbered subkey under Bags that contains the view settings for that specific folder.

  • NodeSlots: only found in the BagMRU key itself; it is updated whenever a new Shellbag is created.

Bags key:

The Bags key also consists of multiple numbered subkeys; however, each subkey under Bags stores the view settings (view mode, size, location) for one of the folder subkeys under BagMRU, referenced by that subkey's NodeSlot value.
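To make the BagMRU/Bags structure concrete, here is an added Python example (not code from the original page or from any forensic tool) that decodes MRUListEx ordering and walks a BagMRU tree, resolving each folder's absolute path, bag path and view settings through its NodeSlot. The registry tree is a constructed in-memory sample in which the numbered values are assumed to have already been decoded to folder names; parsing the binary shell items themselves is outside what this page covers.

```python
import struct

# Constructed sample, not a real hive: a BagMRU subtree whose shell-item blobs
# are assumed to be already decoded to folder names. MRUListEx bytes are built
# the way Explorer stores them: little-endian DWORD child indices, most
# recently accessed first, terminated by 0xFFFFFFFF.
END = 0xFFFFFFFF
SAMPLE_BAGMRU = {
    "MRUListEx": struct.pack("<II", 0, END),
    "children": {
        0: {"name": "C:\\", "NodeSlot": 1,
            "MRUListEx": struct.pack("<III", 1, 0, END),  # Tools viewed after Users
            "children": {
                0: {"name": "Users", "NodeSlot": 2,
                    "MRUListEx": struct.pack("<I", END), "children": {}},
                1: {"name": "Tools", "NodeSlot": 3,
                    "MRUListEx": struct.pack("<I", END), "children": {}},
            }},
    },
}
# Bags\<NodeSlot> holds that folder's view settings; placeholder values here.
SAMPLE_BAGS = {1: {"ViewMode": "Details"}, 2: {"ViewMode": "Icons"}, 3: {"ViewMode": "List"}}

def mru_order(mru_list_ex: bytes) -> list:
    """Decode MRUListEx into child indices, most recently accessed first."""
    order = []
    for off in range(0, len(mru_list_ex) - 3, 4):
        (idx,) = struct.unpack_from("<I", mru_list_ex, off)
        if idx == END:
            break
        order.append(idx)
    return order

def walk_bagmru(key, bags, bag_path="BagMRU", parent=None):
    """Yield one record per folder; children are visited in MRU order, so
    rank 0 under a key is the child folder that was viewed most recently."""
    for rank, idx in enumerate(mru_order(key.get("MRUListEx", b""))):
        child = key["children"][idx]
        name = child["name"]
        # The BagMRU key itself is the Desktop, so its children are absolute roots.
        path = name if parent is None else (parent + name if parent.endswith("\\") else parent + "\\" + name)
        child_bag = f"{bag_path}\\{idx}"
        yield {"bag_path": child_bag, "absolute_path": path, "mru_rank": rank,
               "node_slot": child["NodeSlot"], "view": bags.get(child["NodeSlot"])}
        yield from walk_bagmru(child, bags, child_bag, path)

def shellbag_records(bagmru=SAMPLE_BAGMRU, bags=SAMPLE_BAGS):
    return list(walk_bagmru(bagmru, bags))

if __name__ == "__main__":
    for r in shellbag_records():
        print(f"{r['bag_path']:<14} {r['absolute_path']:<12} rank={r['mru_rank']} NodeSlot={r['node_slot']} {r['view']}")
```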

Shellbags Artifact

This artifact contains information extracted from Shellbags registry keys. The details you can view include:

  • Value – Indicates the folder name.

  • Absolute Path – The absolute path to the folder.

  • Bag Path – The bag path.

  • MFT Entry Number – The MFT entry number of the folder.

  • MFT Sequence number – The MFT sequence number of the folder.

In addition, it contains multiple important timestamps including:

  • Creation Date – The date/time when the folder was created.

  • Last Access – The date/time when the folder was last accessed.

  • Last Modification Date – The date/time when the folder was last modified.

Shellbags Blog