Windows ShellBags are one of the well-known and valuable sources of information regarding computer system’s user behavior. Although their primary purpose is to improve user experience and “remember” preferences while browsing folders, information stored in ShellBags can be critical during forensic investigation.
Windows ShellBags were introduced into Microsoft’s operating system Windows 7, and are still present on all Windows 10 system releases. Generally, speaking ShellBags are designed to hold information about user’s preferences while browsing folders. That means that if the user changes folder view from “Large Icons” to, for example, “Details”, the settings get stored in ShellBag.
When you open, close or change viewing option of any folder on your computer, either from Windows Explorer, or from the Desktop (even by right-clicking or renaming the folder), a ShellBag record is created or updated. This implies the following:
- If any directory is mentioned in Windows ShellBags, it must have been present on the system at some time – even if it is not present anymore. This is valid for local filesystem including compressed archives, as well as for network locations (e.g. remote mapped shares) and removable devices (e.g. USB flash drive).
- As these actions and viewing preferences are tied to the user’s registry hives, we can connect specific user account and specific folder. Moreover, we can get information about when the folder has been last accessed, from MAC timestamps contained in ShellBags.