Windows ShellBag Forensics in Depth

Windows ShellBag Forensics in Depth (PDF, 3.86MB)
Published: 14 Apr, 2014
Created by: Vincent Lo

Identifying which folders a user accessed, and when, is a problem that arises often in digital forensics. Forensicators search for this in the ShellBags information because it may contain registry keys that indicate which folders the user accessed in the past, and the timestamps of those keys may demonstrate when the user accessed them. Nevertheless, many activities can update the timestamps. Moreover, the ShellBags structure differs slightly between Windows operating systems. Interpreting ShellBags correctly has become a challenge. This paper summarizes the details of ShellBags information and discusses various activities across Windows operating systems.