Windows ShellBag Forensics in Depth
By Vincent Lo
The problem of identifying when and which folders a user accessed arises often in digital forensics. Forensicators attempt to search for them in the ShellBag information because it may contain registry keys that indicate which folders the user accessed in the past. Their timestamps may demonstrate when the user accessed them. Nevertheless, a lot of activities can update the timestamps. Moreover, the ShellBag structure differs slightly between different Windows operating systems. How to interpret ShellBags correctly has become a challenge. This paper summarizes the details of ShellBag information and discusses various activities across Windows operating systems.