Windows ShellBag Forensics in Depth

By Vincent Lo

The problem of identifying when and which folders a user accessed arises often in
digital forensics. Forensic examiners turn to ShellBag information because it may
contain registry keys that indicate which folders the user accessed in the past,
and the timestamps stored with them may indicate when the user accessed them.
Nevertheless, many activities can update these timestamps. Moreover, the ShellBag
structure differs slightly between Windows operating systems. Interpreting
ShellBags correctly has therefore become a challenge. This paper summarizes the
details of ShellBag information and discusses how various user activities affect
it across Windows operating systems.