When a user changes the view mode or position of folders in the Windows graphic interface, the new view remains available because Windows remembers that information in the Windows Registry keys known as “Shellbags”. Perhaps more important, Shellbags store timestamps for some of the changes, making possible to determine access chronology. Like other Windows’ artifacts, Shellbags are not intended to register user activity per se, it is only a Windows feature designed to streamline the user interface. Shellbags are one of the most useful artifacts in identifying user activity related to IP theft, spoliation and violation of corporate polices related to access of information assets
Shellbags Basics
ShellBag artifacts reside in two databases that are part of the Windows Registry: NTUser.dat and UsrClass.dat, which are specifically associated with users, meaning that for each Windows user in the computer, there is one set of those databases. Thus, Shellbags analysis can be traced to individual users.
Use of Windows Explorer is usually recorded in those databases, that include not only folders in the local machine, but also in the network or in removable devices, like USB disks or thumb drives. .
Shellbags Analysis
Shellbags forensic analysis may also be used to uncover previous existence of folders subsequently deleted or overwritten. For example, if the user interacted with the folder and thereafter deleted it, the Shellbags artifact that reflect the interaction may be used to prove the previous existence of the deleted folder. Shellbags can be used to determine whether folders were copied/moved to a new volume. The aforementioned examples, illustrate the importance of Shellbags when dealing with cases of IP misappropriation or violation of corporate policies limiting information accesses.