ShellBagger – Analyze ShellBag Artifacts

ShellBagger is a tool that you can use to analyze shellbag artifacts. Microsoft Windows tracks user window viewing preferences specific to Windows Explorer. Tracked items include the size, view, icon, and position of a folder from Windows Explorer. This information is referred to as “ShellBags”, and are stored in several locations within the Registry.

These keys can be extremely useful to a forensic investigator since the ShellBags are persistent and remain behind even if the directory is removed. They can also be used to reveal information about past mounted volumes such as USB drives, mapped drives, network folders, deleted files, and user actions.

ShellBagger - Analyze ShellBag Artifacts
ShellBagger – Analyze ShellBag Artifacts

Some of the features with ShellBagger are”

  • Parses file paths, registry dates from bag entries, modified, access, creation times from shell link items, type, file size (if available) and location
  • Performs lookups on known GUIDs
  • Saves to CSV for additional analysis/reporting
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

You can read more and download this tool over here: