What is the “Shell Bags” Windows forensic artifact?

ShellBags are a set of registry keys that store details about a user’s folder viewing preferences, such as window size, icon layout, and sort order. More importantly from a forensic standpoint, they effectively record every directory that a user has browsed to in Windows Explorer. These artifacts are stored in a user’s personal registry hive, primarily within the NTUSER.DAT file (under the Software\Microsoft\Windows\Shell\Bags key) and the UsrClass.dat file (under the Local Settings\Software\Microsoft\Windows\Shell\Bags key).

For a DFIR investigator, ShellBags provide a detailed history of folder enumeration and access by a user. The hierarchical structure of the keys mirrors the directory structure on the file system, and analyzing them can prove that a user navigated to a specific folder, even if the folder itself has been deleted or was on removable media. This can be crucial for showing that a user or attacker was aware of and had accessed sensitive directories, locations containing malware, or staging folders for data exfiltration. Because ShellBags persist after the files and folders they point to are gone, they offer a historical view of a user’s interaction with the file system that other artifacts might miss.
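The BagMRU values under those keys hold binary shell items rather than plain folder names, which is why a decoder is needed to turn them into the browsing history described above. The following is an added example (not TensorGuard's code) of a minimal Python decoder for the file-entry shell items (class 0x31 directory / 0x32 file) found in a BagMRU value, following the shell item layout documented by the libfwsi project; the sample value is constructed, and the "unknown" fields of the 0xBEEF0004 extension block are skipped by offset rather than interpreted.

```python
import struct
from datetime import datetime

def fat_datetime(raw):
    """FAT timestamp as stored in shell items: a date word followed by a time word."""
    d, t = struct.unpack("<HH", raw)
    return None if d == 0 else datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)

def parse_file_entry(item):
    """Decode a file-entry shell item (class 0x31 directory / 0x32 file) from a BagMRU value."""
    size, cls, fsize = struct.unpack("<HBxI", item[:8])
    attrs = struct.unpack_from("<H", item, 12)[0]
    end = item.index(b"\x00", 14)                       # NUL-terminated ASCII 8.3 name
    entry = {"class": cls, "short_name": item[14:end].decode("ascii"), "long_name": None,
             "modified": fat_datetime(item[8:12]), "is_directory": bool(attrs & 0x10), "size": fsize}
    pos = end + 1 + (end + 1) % 2                       # name is padded to a 16-bit boundary
    while pos + 8 <= size:                              # walk the extension blocks
        ext_size, ver, sig = struct.unpack_from("<HHI", item, pos)
        if ext_size < 8:
            break
        if sig == 0xBEEF0004:                           # block carrying the long Unicode name
            off = pos + 18                              # past ctime, atime, identifier
            off += (18 if ver >= 7 else 0) + (2 if ver >= 3 else 0)   # MFT reference fields, localized-name size
            off += (4 if ver >= 9 else 0) + (4 if ver >= 8 else 0)    # version-specific unknown words
            text = item[off:pos + ext_size].decode("utf-16-le", "ignore")
            entry["long_name"] = text.split("\x00", 1)[0]
        pos += ext_size
    return entry

def parse_bagmru_value(blob):
    """Split a BagMRU value (size-prefixed items, 0x0000 terminator) into decoded entries."""
    entries, pos = [], 0
    while pos + 2 <= len(blob):
        size = struct.unpack_from("<H", blob, pos)[0]
        if size == 0:
            break
        if blob[pos + 2] in (0x31, 0x32):               # other classes (drives, GUIDs) are skipped here
            entries.append(parse_file_entry(blob[pos:pos + size]))
        pos += size
    return entries

SAMPLE_BAGMRU = (                                       # constructed sample, not from a real host
    b"\x60\x00\x31\x00" + b"\x00" * 4 + b"\x6f\x58\xaf\x70" + b"\x10\x00"  # size 96, dir, mtime, attrs
    + b"EXFILS~1\x00\x00"                               # 8.3 short name, NUL, alignment pad
    + b"\x48\x00\x08\x00\x04\x00\xef\xbe"               # ext block: size 72, version 8, 0xBEEF0004
    + b"\x6f\x58\x00\x48\x6f\x58\xaf\x70\x14\x00" + b"\x00" * 24   # ctime, atime, id, zeroed fields
    + "Exfil Staging\x00".encode("utf-16-le") + b"\x18\x00" + b"\x00\x00"  # long name, ver offset, end
)
```

Reconstructing a full path means walking the numbered BagMRU subkeys from the root and decoding each level's value the same way; `parse_bagmru_value(SAMPLE_BAGMRU)` decodes the single constructed level above to the directory "Exfil Staging" modified on 2024-03-15 14:05:30.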


Collecting, Decoding, and Viewing “Shell Bags” with TensorGuard

  1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
  2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
  3. Using the link inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
  4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
  5. Now that you have a device enrolled, select the device(s) and click “Send Signal”. Answer the questions about what you want the analysis to look for, whether to alert on positive findings, and whether the collection and analysis should recur.
  6. Once the report is generated, you’ll have Shell Bags delivered in the browser, alongside an executive summary and timeline of findings.
