Viewing Shellbag Data in BlackLight
Shellbags are a set of registry keys that provide retention functionality with regards to Windows Explorer and a system user’s activity. Shellbags essentially record when a user account accesses directories via Windows Explorer. In the practice of digital forensic analysis, shellbags can be a successful method to reconstruct certain user activity, including:
- Showing which user account accessed relevant folders
- Determining when relevant folders were first visited/last updated
- Possibly showing file listings within certain folders
- Seeing removable device connections
- Seeing previously mounted encrypted volumes and content listings
- Determining the historical presence of deleted folders
Now BlackLight conveniently parses out the data within a shellbag. To view shellbag data for a Windows partition, go to the ‘System’ view. Choose the Registry button, then select the ShellBags radio button.
The architecture of shellbag keys changed substantially from Windows XP to Windows 7 and 8, but BlackLight will parse data from both structures. This screenshot example represents Windows XP ShellNoRoam registry key data.
The data held within shellbag registry key sets can be extremely valuable to digital forensic examiners. BlackLight now delivers the means to analyze shellbag data, affording the ability to reconstruct valuable user activity and providing historical proof of missing, non-accessible, or deleted data from Windows operating systems.
If you’re not already using BlackLight in your investigations, click here to visit our BlackLight web page and request a trial. You can also email our team of Forensic Analysts and Instructors (firstname.lastname@example.org) for further questions about shellbags or BlackLight’s various features.
The BlackBag Team