SHELLBAG FORENSICS

Extract and analyze persistent Windows Registry artifacts to reconstruct user activity, folder navigation, and lateral movement timelines.

Registry AnalysisDigital ForensicsIncident Response

Shellbag Artifacts

Windows Shellbags are highly persistent registry keys that track your folder interactions. They act as a breadcrumbs trail allowing forensic analysts to reconstruct user activity, even after folders are deleted or devices are removed.

Persist after deletion

Reveal folder hierarchy

The Evidence Chain

User opens 'Confidential_Docs'

Windows updates 'BagMRU' (Structure)

Windows writes 'Bags' (View Settings)

Timestamp & Access Count Updated

Registry Hive Architecture

REGISTRY CONFIG

HKEY_CURRENT_USER

Software

Microsoft

Windows

Shell

BagMRU

Stores the structure and order of accessed folders.

Key Function

Tracks the "Navigation Path". It tells you WHERE a user went and in WHAT ORDER.

Forensic Value

Mapping folder hierarchy
Proving knowledge of files

The Evidence Package

Artifact 1

Folder Path

C:\Users\...\Secret

Absolute location on disk

Artifact 2

Timestamps

2024-03-12 09:41 UTC

First accessed / Last written

Artifact 3

Access Count

42 Visits

Frequency of interaction

Artifact 4

Device Type

Removable (USB)

Physical origin of data

Detection & Hunting

Advanced threat actors often clear Event Logs but forget Shellbags. Look for:

!Access to 'D:\' or 'E:\' (USB) on restricted servers

!Rapid traversal of many folders in seconds (Automated collection)

!Access to folders named 'Exfil', 'Staging', or 'Encrypt'

!Execution from Temp or AppData folders

Forensic Toolkit

ShellBags Explorer

Eric Zimmerman

GUI

SBECmd

Eric Zimmerman

CLI

RegRipper

H. Carvey

Plugin

ShellBags Analyzer Pro

v2.4.1 | Lic: Enterprise Forensic

CASE: 24-0099

Select Forensic Case

Choose a disk image to begin Shellbag extraction and analysis.

Loading Forensic Environment...

Shellbag Artifacts

Persist after deletion

Reveal folder hierarchy

The Evidence Chain

User opens 'Confidential_Docs'

Windows updates 'BagMRU' (Structure)

Windows writes 'Bags' (View Settings)

Timestamp & Access Count Updated

Registry Hive Architecture

REGISTRY CONFIG

HKEY_CURRENT_USER

Software

Microsoft

Windows

Shell

BagMRU

Stores the structure and order of accessed folders.

Key Function

Tracks the "Navigation Path". It tells you WHERE a user went and in WHAT ORDER.

Forensic Value

Mapping folder hierarchy
Proving knowledge of files

The Evidence Package

Artifact 1

Folder Path

C:\Users\...\Secret

Absolute location on disk

Artifact 2

Timestamps

2024-03-12 09:41 UTC

First accessed / Last written

Artifact 3

Access Count

42 Visits

Frequency of interaction

Artifact 4

Device Type

Removable (USB)

Physical origin of data

Detection & Hunting

Advanced threat actors often clear Event Logs but forget Shellbags. Look for:

!Access to 'D:\' or 'E:\' (USB) on restricted servers

!Rapid traversal of many folders in seconds (Automated collection)

!Access to folders named 'Exfil', 'Staging', or 'Encrypt'

!Execution from Temp or AppData folders

Forensic Toolkit

ShellBags Explorer

Eric Zimmerman

GUI

SBECmd

Eric Zimmerman

CLI

RegRipper

H. Carvey

Plugin