ShellBag Forensics
- Published: 4 Feb 2025
- As a continuation of the "Introduction to Windows Forensics" series, this video introduces ShellBags. Have you ever customized the folder view settings within any folder in Windows Explorer? This could be anything from changing the sort order, to changing the view type from icons, to list view, to detail view, changing what columns are visible, or even changing the size of the window. If so, when you’ve returned to that folder at a later date, you’ve probably seen that the customizations remained. That information is stored within “ShellBags”.
Why do we care about folder view settings, and how could this possibly be of forensic interest? Watch this video and find out!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
Introduction to Windows Forensics:
• Introduction to Window...
ShellBags Forensics: Addressing a Misconception:
www.4n6k.com/20...
Forensic Analysis of Windows ShellBags:
www.magnetfore...
Windows ShellBag Parser:
www.tzworks.ne...
shellbags.py:
github.com/wil...
ShellBags Explorer:
ericzimmerman....
Internet Evidence Finder (IEF):
www.magnetfore...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
I really enjoyed this video. Thanks for sharing. I wish I had more time in the day to watch all of your videos and develop my forensic skills.
14:07 minutes full of learnings - thanks, great.
@13Cubed the command line freak! Another great video sir! Thank you! These are helping me prepare for my interviews!
Great video! Good explanations and examples given. Keep it up. This is great content!
Great video introducing shell bags.
Well done! I sense some Rob Lee knowledge influence :)
I've been slowly working through the 13cubed archive and this is excellent!! I've read a couple of times (including on Magnet Forensics blog) that Shellbags are located within HKCR when clearly you are showing them within HKCU here... I'm confused!! 🤔
This article will help: www.lifewire.com/hkey-classes-root-2625899
Quoting from it: "However, because the HKEY_CLASSES_ROOT hive is actually combined data found in both the HKEY_LOCAL_MACHINE hive (HKEY_LOCAL_MACHINE\Software\Classes) and the HKEY_CURRENT_USER hive (HKEY_CURRENT_USER\Software\Classes), it also contains user-specific information as well. Even though that's the case, the HKEY_CLASSES_ROOT is still able to be browsed by any and all users."
So, UsrClass.dat (one of the locations containing Shellbags [in addition to NTUSER.DAT]) plugs in to HKCU\Software\Classes, and HKCU\Software\Classes is part of HKCR.
Thanks again, that's really helpful. One other thing I wanted to know was whether it was possible to use Shellbag Explorer to examine a disk image? I tried to load offline hives from artefacts extracted from FTK imager but with no success.
Your channel is amazing.
This vid was so helpful!
@13cubed Regarding the shellbag explorer demo, how long will the USB data be stored in that shellbag? Will it not be overwritten over time?
They can be removed by privacy cleaners, or manually, but otherwise those bag entries are persistent and do not expire or become overwritten.
What if I install a new Windows or upgrade the current Windows version? Will the shellbags still exist for the old Windows?
They should still persist after the upgrade/feature update, but the timestamps may be affected. See this: df-stream.com/2019/10/shellbags-windows-10-feature-updates/
Hello. I liked the content a lot; however, I'm not a native English speaker and I'm still looking for an exact definition of a shell bag. Is a shell bag:
1 - a subkey.
2 - The values stored in a subkey.
3 - A subkey and its values.
4 - A subkey, its values and its children keys?
That would help me a lot.
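As an added illustration (not code from the video or from 13Cubed) of the two points raised above, namely where the BagMRU tree lives in NTUSER.DAT and UsrClass.dat and what one "bag" actually consists of (a numbered subkey, the shell-item value of the same number on its parent, and that subkey's NodeSlot pointer to the Bags\<n> key holding the view settings): the script walks such a tree in most-recently-used order. It models a hive key as a plain dict and uses a constructed fragment in place of real evidence; only the 8.3 short name of each entry is decoded.

```python
import struct

# Hive-relative BagMRU roots: NTUSER.DAT -> Software\Microsoft\Windows\Shell\BagMRU,
# UsrClass.dat -> Local Settings\Software\Microsoft\Windows\Shell\BagMRU.  A key is
# modelled as {"values": {name: bytes|int}, "subkeys": {name: key}, "ts": last-write}.

def mru_order(raw: bytes) -> list:
    """MRUListEx: little-endian DWORD child indices, most recent first, ended by 0xFFFFFFFF."""
    order = []
    for off in range(0, len(raw) - 3, 4):       # a truncated value yields what was readable
        idx = struct.unpack_from("<I", raw, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def item_label(item: bytes) -> str:
    """Byte 2 of a shell item is its class: 0x2F = volume (drive letter follows), 0x31/0x32 =
    folder/file with an 8.3 ASCII name at offset 14.  Long names need a full parser."""
    if len(item) < 3:
        return "<empty>"
    if item[2] == 0x2F:
        return item[3:].split(b"\x00", 1)[0].decode("ascii", "replace")
    if item[2] in (0x31, 0x32) and len(item) > 14:
        return item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return "<class 0x%02x>" % item[2]

def walk_bagmru(key: dict, parent: str = "", rows=None) -> list:
    """Rows of (path, NodeSlot, child last-write) in MRU order.  The name is value "<n>"
    on the parent; NodeSlot (index into Bags\\) and the timestamp belong to subkey "<n>"."""
    rows = [] if rows is None else rows
    for idx in mru_order(key["values"].get("MRUListEx", b"")):
        child = key["subkeys"].get(str(idx))
        if child is None:                       # index listed but subkey deleted
            continue
        label = item_label(key["values"].get(str(idx), b""))
        path = parent.rstrip("\\") + "\\" + label if parent else label
        rows.append((path, child["values"].get("NodeSlot"), child["ts"]))
        walk_bagmru(child, path, rows)
    return rows

# Constructed hive fragment (not real evidence): C:\ opened, then C:\TOOLS, then C:\USBDRV~1.
SAMPLE = {"values": {"MRUListEx": b"\x00\x00\x00\x00\xff\xff\xff\xff", "0": b"\x19\x00\x2fC:\\\x00"},
          "ts": "2025-02-03T17:30:00", "subkeys": {"0": {
              "values": {"NodeSlot": 1, "MRUListEx": b"\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff",
                         "0": b"\x00\x00\x31\x00" + b"\x00" * 10 + b"TOOLS\x00",
                         "1": b"\x00\x00\x31\x00" + b"\x00" * 10 + b"USBDRV~1\x00"},
              "ts": "2025-02-03T17:30:00", "subkeys": {
                  "0": {"values": {"NodeSlot": 2}, "subkeys": {}, "ts": "2025-02-01T09:00:00"},
                  "1": {"values": {"NodeSlot": 3}, "subkeys": {}, "ts": "2025-02-03T17:30:00"}}}}}
```

Running `walk_bagmru(SAMPLE)` lists the USB folder before TOOLS because MRUListEx, not key order, records which child was visited last; the same walker applies to either hive root once the keys are loaded with a tool such as python-registry.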
How do I disable ShellBags from recording logs?
Excellent video. Thanks a lot.
Please consider the font size of the presentation.
All later videos have much easier to read fonts. This was recorded quite a while ago.
Could you please share the software you use to prepare and edit your videos? Thanks a lot for the awesome tutorial, as usual!
Thanks - ScreenFlow and Final Cut Pro X
13Cubed, I really appreciate the effort you put into making this knowledge easily accessible to others!
Lmao that introduction 😂
I know a few shellbags